AWS Security Specialty · Domain 1 · Detection
Amazon Security Hub
Study Guide
A complete SCS-C03 reference with GuardDuty-matched typography and a stronger revision workflow — architecture, ASFF, compliance standards, multi-account setup, automation, cross-Region aggregation, exam traps, and cram mode.
Top 10 exam traps
Top 10 Security Hub traps to memorize
| Trap | Correct memory |
|---|---|
| “Security Hub reads CloudTrail directly.” | No. GuardDuty and Config analyze telemetry, then send findings. |
| “Security Hub can remediate by itself.” | No. Use EventBridge plus Lambda, SSM, or Step Functions. |
| “Security Hub invokes Lambda directly.” | No. EventBridge is the intermediary. |
| “SUPPRESSED means fixed.” | No. It hides the finding from active scoring and workflow. |
| “Automation rules replicate across Regions.” | No. They do not replicate in cross-Region aggregation. |
| “Any account can set the delegated admin.” | No. The management account assigns it. |
| “Security score counts everything.” | No. NOT_AVAILABLE and SUPPRESSED do not count against the score. |
| “ASFF and OCSF are the same thing.” | No. ASFF is Security Hub format; OCSF is common schema for exports like Security Lake. |
| “Cross-Region aggregation costs extra.” | No. Replication itself does not add cost. |
| “AWS Config is optional for compliance scoring.” | No. Config is required for compliance checks and score generation. |
Foundation
01
Core Mission — The Big Picture
- Centralized Aggregator: Collects findings from AWS services like GuardDuty, Inspector, and Macie, plus supported third-party tools.
- Compliance Engine: Checks AWS resources against standards like FSBP, CIS, NIST, and PCI DSS.
- Normalization: Converts findings into one standard structure called ASFF.
- Prioritization: Uses severity, workflow, and compliance state so teams can triage faster.
💡Exam shortcut: “Single pane of glass for security findings and compliance posture” almost always means Security Hub.
02
Architecture & Multi-Account (AWS Organizations)
- Delegated Administrator: Must be assigned by the Organizations management account.
- Central Configuration: The delegated admin can push configuration policies across accounts and Regions.
- Auto-enable behavior: New accounts can be automatically brought under Security Hub governance.
- Member accounts: Cannot override centrally managed policies the way they can local settings.
| Account type | Main role |
|---|---|
| Management account | Designates or removes the delegated administrator. |
| Delegated administrator | Manages Security Hub centrally for member accounts and Regions. |
| Member account | Receives configuration and contributes findings and compliance data. |
ℹ️Pattern to remember: Management account assigns delegated admin → delegated admin applies policies → member accounts inherit the setup.
03
ASFF & Data Standards
- ASFF: AWS Security Finding Format. JSON-based, normalized, and central to Security Hub.
- Required field: AwsAccountId.
- Third-party integrations: Must map findings into the supported format model used by Security Hub.
- OCSF: Useful to remember for downstream export use cases such as Amazon Security Lake.
| Term | Remember it as |
|---|---|
| ASFF | Security Hub’s normalized finding format. |
| OCSF | Open schema commonly associated with external export and lake-style workflows. |
💡Exam shortcut: ASFF inside Security Hub. OCSF when the question shifts toward data lake and broader export ecosystem language.
Findings & Classification
04
Findings & Workflow Status
A finding is a security observation. Workflow status tracks the human response process, not the technical seriousness of the issue.
| Status | Meaning | Exam note |
|---|---|---|
| NEW | Freshly discovered and not yet actioned. | Default starting state. |
| NOTIFIED | Someone has been informed. | Useful for tracking ownership. |
| RESOLVED | The issue has been fixed. | Does not delete the finding record. |
| SUPPRESSED | Intentionally hidden from active handling. | Does not mean remediated. |
⚠️High exam value: Workflow status and severity are different concepts. A HIGH severity finding can still be NEW, NOTIFIED, RESOLVED, or SUPPRESSED.
05
Severity Levels
| Level | Priority | Typical response |
|---|---|---|
| CRITICAL | Highest urgency | Immediate triage and escalation. |
| HIGH | Serious compromise risk | Investigate and remediate fast. |
| MEDIUM | Suspicious, maybe compromise | Validate whether behavior is expected. |
| LOW | Minor issue or recon activity | Track and correlate. |
| INFORMATIONAL | Context only | No urgent action. |
Compliance & Scoring
06
Security Standards & the AWS Config Requirement
- FSBP: AWS Foundational Security Best Practices — the most important standard for exam prep.
- CIS: CIS AWS Foundations Benchmark — baseline hardening and best-practice checks.
- PCI DSS: Payment card controls.
- NIST 800-53 / 800-171: Government and regulated control frameworks.
| Need to remember | Why it matters |
|---|---|
| AWS Config is required | Security Hub relies on Config-backed control evaluation for compliance checks and scoring. |
| FSBP is exam-heavy | If unsure which standard AWS prefers in a question, FSBP is often the safest memory anchor. |
❌Major trap: No AWS Config in the account and Region means no meaningful compliance evaluation and no proper security score.
07
Security Score Logic
- Formula: Passed Controls ÷ Total Enabled Controls × 100
- NOT_AVAILABLE does not count against the score.
- SUPPRESSED findings do not count against the score either.
- Consolidated control findings reduce duplicate noise when one control maps to multiple standards.
| Status | Impact on score |
|---|---|
| PASSED | Improves score. |
| FAILED | Lowers score. |
| NOT_AVAILABLE | Excluded. |
| SUPPRESSED finding | Excluded from score calculations. |
💡One failed resource can affect multiple standards, but consolidated control findings help avoid drowning in duplicate alerts.
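The score rule in this section, worked through in code. This is an added example written for this guide, not AWS code: it identifies a control by the ASFF `Compliance.SecurityControlId` field, rolls resource-level consolidated control findings up to one status per control, and every sample value is constructed.

```python
"""Security score as this section defines it: passed controls / counted controls
* 100, with NOT_AVAILABLE compliance and SUPPRESSED workflow findings left out.
Added example for this guide, not AWS code; it identifies a control by the ASFF
Compliance.SecurityControlId field, and all sample values are constructed."""
from collections import defaultdict

def finding(control, resource, compliance, workflow="NEW"):
    """Minimal ASFF-shaped control finding (constructed sample data)."""
    return {"Compliance": {"SecurityControlId": control, "Status": compliance},
            "Workflow": {"Status": workflow}, "Resources": [{"Id": resource}]}

# Consolidated control findings: one per control and resource, however many
# standards (FSBP, CIS, ...) the control belongs to, so each control counts once.
SAMPLE_FINDINGS = [
    finding("IAM.4", "AWS::::Account:123456789012", "PASSED"),
    finding("S3.1", "arn:aws:s3:::audit-logs", "PASSED"),
    finding("S3.1", "arn:aws:s3:::marketing-assets", "FAILED"),
    finding("EC2.19", "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0abc", "NOT_AVAILABLE"),
    finding("CloudTrail.1", "AWS::::Account:123456789012", "FAILED", workflow="SUPPRESSED"),
    finding("Lambda.1", "arn:aws:lambda:us-east-1:123456789012:function:api", "PASSED"),
]

def control_statuses(findings):
    """Roll resource-level findings up to one status per control.
    NOT_AVAILABLE and SUPPRESSED findings are dropped first, as the score rule says;
    a control passes only if every remaining resource passed (WARNING counts as
    not passed here, an assumption the page does not state)."""
    per_control = defaultdict(list)
    for f in findings:
        if f["Workflow"]["Status"] == "SUPPRESSED" or f["Compliance"]["Status"] == "NOT_AVAILABLE":
            continue
        per_control[f["Compliance"]["SecurityControlId"]].append(f["Compliance"]["Status"])
    return {c: "PASSED" if all(s == "PASSED" for s in v) else "FAILED"
            for c, v in per_control.items()}

def security_score(findings):
    """Percentage rounded to one decimal; 0.0 when nothing is evaluable (no AWS Config, section 06)."""
    statuses = control_statuses(findings)
    if not statuses:
        return 0.0
    passed = sum(1 for s in statuses.values() if s == "PASSED")
    return round(100 * passed / len(statuses), 1)

def suppressed_but_failed(findings):
    """Controls hidden from the score by SUPPRESSED yet still FAILED: suppressed is not fixed."""
    return sorted({f["Compliance"]["SecurityControlId"] for f in findings
                   if f["Workflow"]["Status"] == "SUPPRESSED"
                   and f["Compliance"]["Status"] == "FAILED"})
```

With the sample data only IAM.4, S3.1 and Lambda.1 are counted, giving 2 of 3 passed (66.7), while CloudTrail.1 is still failing underneath its suppression.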
Operations & Automation
08
Cross-Region Aggregation
- Home Region: Central place to view aggregated data.
- Replicates: Findings, resources, and trends.
- Existing findings: Older findings in a newly linked Region appear after they are updated.
- Cost: Replication itself does not add cost.
❌Main trap: Automation rules are not copied across Regions by cross-Region aggregation. Plan regional rule strategy separately.
09
Automation Rules vs. Custom Actions
| Type | Trigger | What it does | Limit |
|---|---|---|---|
| Automation rules | Automatic on finding ingestion/update | Change severity, workflow, notes, suppression | 100 |
| Custom actions | Manual analyst action | Send chosen findings to EventBridge for response flows | — |
Security Hub → EventBridge → Lambda / SNS / SSM / Step Functions
❌Always remember: Security Hub does not directly invoke Lambda. EventBridge sits in the middle.
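The custom-action path above, as an added example written for this guide (not AWS or project code): an EventBridge rule pattern that matches the custom-action event, and the Lambda target it routes to, which acknowledges the findings with the BatchUpdateFindings call from section 13. The account id, action name and finding ARNs are constructed; the boto3 client is injected so the module runs offline.

```python
"""Lambda target for the Security Hub -> EventBridge -> Lambda path. Added example
for this guide, not AWS code: EventBridge matches a custom action event and
invokes this handler, which acknowledges the findings via BatchUpdateFindings
(section 13). Security Hub never calls Lambda itself. ARNs and account id below
are constructed sample values."""
ACCOUNT = "123456789012"  # constructed
REGION = "us-east-1"
# Custom action ARN form: arn:aws:securityhub:<region>:<account>:action/custom/<id>
ACTION_ARN = f"arn:aws:securityhub:{REGION}:{ACCOUNT}:action/custom/SendToTicketing"

# EventBridge rule pattern: only this custom action reaches the Lambda target.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [ACTION_ARN],
}
# Constructed event in the shape EventBridge delivers for a custom action.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "resources": [ACTION_ARN],
    "detail": {"actionName": "SendToTicketing", "findings": [{
        "Id": f"arn:aws:securityhub:{REGION}:{ACCOUNT}:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.1/finding/11111111-2222-3333-4444-555555555555",
        "ProductArn": f"arn:aws:securityhub:{REGION}::product/aws/securityhub",
        "AwsAccountId": ACCOUNT, "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"},
    }]},
}

def matches(event, pattern=EVENT_PATTERN):
    """Mirror the rule's pattern check so stray invocations are ignored."""
    return (event.get("source") in pattern["source"]
            and event.get("detail-type") in pattern["detail-type"]
            and any(r in pattern["resources"] for r in event.get("resources", [])))

def batch_update_request(findings, ticket_id):
    """BatchUpdateFindings parameters: set workflow NOTIFIED and attach a note."""
    return {
        "FindingIdentifiers": [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings],
        "Workflow": {"Status": "NOTIFIED"},
        "Note": {"Text": f"Ticket {ticket_id} opened", "UpdatedBy": "ticketing-lambda"},
    }

def handler(event, context=None, securityhub=None):
    """Lambda entry point; `securityhub` is an injected boto3 client (None keeps this offline)."""
    if not matches(event):
        return {"updated": 0, "request": None}
    params = batch_update_request(event["detail"]["findings"], ticket_id="TKT-1001")  # id from the ticketing system in practice
    if securityhub is not None:
        securityhub.batch_update_findings(**params)  # boto3.client("securityhub") call
    return {"updated": len(params["FindingIdentifiers"]), "request": params}
```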
10
Insights
- Insight: A saved grouped view of related findings using filters and a grouping key.
- Managed insights: AWS-provided, ready to use.
- Custom insights: You define the filters based on what matters to your team.
| Good exam example | Why it matters |
|---|---|
| S3 buckets with the most critical findings | Shows how insights surface patterns, not just single findings. |
| Accounts with the most unresolved HIGH findings | Useful for prioritization across organizations. |
Integrations & Cost
11
Integrations & Syncing
- Native AWS sources: GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, and others depending on enablement.
- Third-party partners: Integrate through the supported findings format model.
- One-way sync example: GuardDuty sends findings into Security Hub, but changes made in GuardDuty do not automatically reverse-sync into Hub workflow behavior.
❌Trap: CloudTrail and VPC Flow Logs are not direct Security Hub finding providers. Other services analyze them first.
12
Pricing & Retention
| Item | Remember this |
|---|---|
| Finding retention | Archived after 90 days of no activity. |
| Security score trends | Retained for 1 year. |
| Cross-Region replication | No added cost for the replication action itself. |
| Pricing model idea | Think in terms of security checks and ingested findings, not cross-Region linkage fees. |
Advanced & Limits
13
Advanced Concepts (SCS-C03 Specific)
| Concept | What to remember |
|---|---|
| BatchUpdateFindings | Used to bulk update many findings programmatically. |
| ProductArn | Helpful for filtering by source product. |
| Compliance values | PASSED, FAILED, WARNING, NOT_AVAILABLE |
| Central configuration | Delegated admin can push policy at scale; members follow centrally managed controls. |
14
What Security Hub Does NOT Do
| Myth | Reality |
|---|---|
| It auto-remediates issues. | No. You need downstream workflow tooling. |
| It reads raw logs like a SIEM. | No. It consumes findings and compliance results, not raw telemetry analysis. |
| It replaces GuardDuty. | No. GuardDuty detects; Security Hub aggregates and prioritizes. |
| It blocks threats. | No. It is not an enforcement service. |
Flashcard Revision
Q — Single pane of glass
Which AWS service gives a centralized view of security findings across accounts and services?
Answer
AWS Security Hub. It aggregates findings and compliance posture in one place.
Q — Config dependency
What must be enabled for Security Hub compliance checks to produce a score?
Answer
AWS Config must be enabled in the same account and Region.
Q — Automation path
Can Security Hub trigger Lambda directly?
Answer
No. The path is Security Hub → EventBridge → Lambda or another target.
Q — One-way sync
If you archive a GuardDuty finding in GuardDuty, is it automatically archived in Security Hub?
Answer
No. Findings flow into Security Hub, but actions do not fully reverse-sync back the way people expect.
Q — Regional trap
Do automation rules replicate when cross-Region aggregation is enabled?
Answer
No. Cross-Region aggregation does not replicate automation rules.
Q — Score logic
How is Security Hub security score calculated?
Answer
Passed controls divided by total enabled controls. NOT_AVAILABLE and SUPPRESSED do not count against the score.
Q — Required field
What ASFF field is mandatory in every finding?
Answer
AwsAccountId
Q — Retention
How long are findings and score trends retained?
Answer
Findings are archived after 90 days of no activity. Score trends are retained for 1 year.
Exam Readiness Checklist
I know Security Hub is the centralized security findings and compliance dashboard.
I know AWS Config is required for compliance checks and security scores.
I can recall NEW, NOTIFIED, RESOLVED, and SUPPRESSED workflow statuses.
I know Security Hub routes automated response through EventBridge, not directly to Lambda.
I know GuardDuty and other services feed Security Hub; Security Hub does not read raw CloudTrail directly.
I know ASFF is the normalized finding format and AwsAccountId is required.
I know automation rules do not replicate across Regions in cross-Region aggregation.
I know the Organizations management account assigns the delegated administrator.
I know the security score is based on passed controls divided by enabled controls.
I know SUPPRESSED findings do not count against the score but are not fixed.
I know findings are archived after 90 days of inactivity and score trends are kept for 1 year.
I know FSBP is the most important standard to remember for Security Hub questions.
I know custom actions are for analyst-triggered EventBridge workflows.
I know Security Hub aggregates and prioritizes, but does not enforce or remediate by itself.
Official AWS Documentation
What is AWS Security Hub?
ASFF — Finding Format Reference
Security Standards Overview
AWS FSBP Standard
Automatically Enabled Standards
Automation Rules
Custom Actions and EventBridge
Finding Workflow Status
Cross-Region Aggregation
Delegated Administrator
Central Configuration
Security Hub Insights
Finding Providers
Required ASFF Attributes
Security Scores