---
title: How to Set Up AWS Security Hub for Compliance Monitoring
description: AWS Security Hub aggregates security findings from 200+ sources (GuardDuty, Config, IAM Access Analyzer, Inspector). This guide covers setup, compliance standards (PCI-DSS, CIS, NIST), automated remediation, and building a compliance dashboard without hiring a SOC team.
url: https://www.factualminds.com/blog/how-to-set-up-aws-security-hub-compliance-monitoring/
datePublished: 2026-04-03T00:00:00.000Z
dateModified: 2026-04-16T00:00:00.000Z
author: Palaniappan P
category: Security & Compliance
tags: how-to-guide, security-hub, compliance, aws, security
---

# How to Set Up AWS Security Hub for Compliance Monitoring

> AWS Security Hub aggregates security findings from 200+ sources (GuardDuty, Config, IAM Access Analyzer, Inspector). This guide covers setup, compliance standards (PCI-DSS, CIS, NIST), automated remediation, and building a compliance dashboard without hiring a SOC team.

AWS Security Hub aggregates security findings from 200+ sources and tracks compliance against standards like PCI-DSS, CIS, NIST, HIPAA, and SOC 2. Instead of checking 10 different AWS services for security issues, Security Hub gives you a single compliance dashboard.

This guide covers setting up Security Hub, enabling compliance standards, automating remediation, and monitoring compliance metrics without hiring a SOC team.

> **Building Compliance Infrastructure on AWS?** FactualMinds helps organizations implement Security Hub, compliance automation, and continuous monitoring. [See our compliance services](/services/cloud-compliance-services/) or [talk to our team](/contact-us/).

## Step 1: Enable Security Hub

1. Go to **AWS Security Hub** → **Get started** (if first time) or **Dashboard** (if returning)
2. Click **Enable Security Hub**
3. **Region selection**: Security Hub is region-specific; enable in all regions you use
4. **Default standards**: AWS enables CIS AWS Foundations Benchmark by default
5. Click **Enable Security Hub**

Security Hub will take 5-10 minutes to initialize and scan your account.

## Step 2: Enable Compliance Standards

Security Hub can monitor against 5 compliance frameworks. Enable all that apply to your business:

### Step 2a: PCI-DSS v3.2.1 (Payment Card Security)

1. Go to **Security Standards** → **PCI-DSS v3.2.1**
2. Click **Enable standard**
3. PCI-DSS will check:
   - All S3 buckets encrypted (TLS for data in transit)
   - CloudTrail logging enabled
   - VPC Flow Logs enabled
   - IAM access not using root account
   - Password policies enforced (14+ characters, complexity)

### Step 2b: NIST Cybersecurity Framework (800-53)

1. Go to **Security Standards** → **NIST Cybersecurity Framework**
2. Click **Enable standard**
3. NIST checks AWS implementation of NIST 800-53 controls:
   - Identify (asset inventory, risk assessment)
   - Protect (access control, encryption)
   - Detect (logging, monitoring)
   - Respond (incident response)
   - Recover (backup, disaster recovery)

### Step 2c: HIPAA (Healthcare)

1. Go to **Security Standards** → **HIPAA**
2. Click **Enable standard**
3. HIPAA checks:
   - Encryption at rest (S3, RDS, DynamoDB)
   - VPC Flow Logs enabled (for audit trail)
   - API logging (CloudTrail)
   - Account isolation (separate AWS accounts per environment)

Enable all applicable standards. Cost is $3/month per standard, so 5 standards = $15/month.

## Step 3: Aggregate Findings from Multiple Sources

Security Hub imports findings from these services:

**Automatic sources** (no setup required):

- **GuardDuty**: Detects malware, crypto mining, unauthorized AWS API access
- **Config**: Flags non-compliant resource configurations
- **IAM Access Analyzer**: Finds overly permissive IAM policies
- **Inspector**: Detects OS-level vulnerabilities (unpatched EC2 instances)
- **Macie**: Discovers sensitive data in S3 (PII, credit cards)

**Optional sources** (require setup):

- **Firewall Manager**: DDoS protection findings
- **Health Dashboard**: AWS service disruptions
- **Third-party integrations**: Slack, Splunk, Sumo Logic

Enable all in **Security Hub Settings** → **Integrations**:

```bash
# Enable GuardDuty (create-detector requires --enable or --no-enable)
aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES --region us-east-1

# Verify Security Hub imported findings from GuardDuty.
# The read API is get-findings; filter on ProductName rather than Type, because
# GuardDuty finding Type values (e.g. "TTPs/Command and Control/...") do not start with "GuardDuty".
aws securityhub get-findings --filters '{"ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}]}' --region us-east-1
```

## Step 4: Create Custom Insights (Compliance Dashboard)

Security Hub comes with default insights (findings by severity, by resource type). Create custom insights to track compliance:

### Insight 1: High-Severity Findings

1. Go to **Insights** → **Create insight**
2. **Name**: `high-severity-findings`
3. **Filters**:
   - Severity: `HIGH` or `CRITICAL`
   - Record State: `ACTIVE`
4. **Result grouping**: `Resource Type`
5. Click **Create insight**

This shows which resource types have the most critical security issues.

### Insight 2: Non-Compliant Resources (PCI-DSS)

1. Go to **Insights** → **Create insight**
2. **Name**: `pci-dss-non-compliant`
3. **Filters**:
   - Compliance State: `FAILED`
   - Standard: `PCI-DSS`
4. **Result grouping**: `Compliance Standard`
5. Click **Create insight**

### Insight 3: Unresolved Findings (30+ days old)

1. **Name**: `stale-findings`
2. **Filters**:
   - Record State: `ACTIVE`
   - Workflow Status: `NEW`
   - First Observed: More than 30 days ago
3. Click **Create insight**

This identifies findings you've been ignoring.
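The same three insights can be created through the Security Hub API, which is what you want once the configuration has to be reproducible across accounts and regions. The block below is an added example, not code from the original post: it maps the console labels used in Step 4 onto the ASFF filter field names (`SeverityLabel`, `RecordState`, `WorkflowStatus`, `ComplianceStatus`, `FirstObservedAt`) and shows how "more than 30 days ago" is expressed as a date filter with only an `End` bound. The `GroupByAttribute` choices, the `ComplianceAssociatedStandardsId` filter and the `standards/pci-dss/v/3.2.1` identifier are assumptions to confirm against `aws securityhub describe-standards` in your account.

```python
"""Create the three Step 4 insights through the Security Hub API instead of the console.

Console labels map to ASFF filter fields: Severity -> SeverityLabel,
Record State -> RecordState, Workflow Status -> WorkflowStatus,
Compliance State -> ComplianceStatus, First Observed -> FirstObservedAt.
"""
from datetime import datetime, timedelta, timezone

# Assumed StandardsId format for PCI-DSS v3.2.1; confirm with
# `aws securityhub describe-standards` in your account.
PCI_DSS_STANDARD_ID = "standards/pci-dss/v/3.2.1"

ACTIVE = [{"Value": "ACTIVE", "Comparison": "EQUALS"}]


def high_severity_filter():
    """Insight 1: ACTIVE findings labelled HIGH or CRITICAL.
    Values inside one field list are OR-ed; separate fields are AND-ed."""
    return {
        "SeverityLabel": [
            {"Value": "HIGH", "Comparison": "EQUALS"},
            {"Value": "CRITICAL", "Comparison": "EQUALS"},
        ],
        "RecordState": ACTIVE,
    }


def pci_non_compliant_filter():
    """Insight 2: FAILED control findings associated with the PCI-DSS standard."""
    return {
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "ComplianceAssociatedStandardsId": [
            {"Value": PCI_DSS_STANDARD_ID, "Comparison": "EQUALS"}
        ],
        "RecordState": ACTIVE,
    }


def stale_findings_filter(now_iso=None, days=30):
    """Insight 3: untriaged (NEW) findings first observed more than `days` ago.

    A DateFilter with only `End` matches everything observed up to that instant,
    which is how "older than N days" is expressed; a DateRange would instead
    mean "within the last N days".
    """
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "RecordState": ACTIVE,
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
        "FirstObservedAt": [{"End": cutoff}],
    }


# (name, filter builder, GroupByAttribute) for each insight; grouping values assumed
INSIGHTS = [
    ("high-severity-findings", high_severity_filter, "ResourceType"),
    ("pci-dss-non-compliant", pci_non_compliant_filter, "ResourceId"),
    ("stale-findings", stale_findings_filter, "ResourceType"),
]


def create_insights(securityhub):
    """Create all three insights; `securityhub` is a boto3 Security Hub client.
    Returns {insight name: InsightArn}."""
    arns = {}
    for name, build_filter, group_by in INSIGHTS:
        resp = securityhub.create_insight(
            Name=name, Filters=build_filter(), GroupByAttribute=group_by
        )
        arns[name] = resp["InsightArn"]
    return arns


if __name__ == "__main__":
    import boto3

    print(create_insights(boto3.client("securityhub")))
```

Run it once per region with credentials for the account (or the delegated admin account from Step 8); `create_insight` fails if an insight with the same name already exists, so treat the names as the idempotency key.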

## Step 5: Suppress Known False Positives

Security Hub will flag things that are intentional (e.g., S3 bucket allows public read for a static website). Suppress these to reduce noise:

1. Go to **Findings**
2. Find the false positive finding
3. Click finding to open details
4. Click **Suppress finding**
5. **Reason**: "Not Applicable"
6. Click **Suppress**

The finding will no longer appear in dashboards.

## Step 6: Automate Remediation with EventBridge

Create an EventBridge rule to auto-remediate specific findings:

### Pattern 1: Auto-Disable Unused EC2 Instances

When Security Hub finds an EC2 instance with low CPU usage for 30+ days, disable it:

```bash
# Create EventBridge rule
aws events put-rule \
  --name security-hub-disable-unused-ec2 \
  --event-pattern '{
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
      "findings": {
        "Type": ["Software and Configuration Checks/AWS Security Best Practices"],
        "Title": ["Unused EC2 instances should be removed"]
      }
    }
  }' \
  --state ENABLED

# Target Lambda function for remediation
aws events put-targets \
  --rule security-hub-disable-unused-ec2 \
  --targets "Id"="1","Arn"="arn:aws:lambda:us-east-1:123456789012:function:disable-unused-ec2"
```

Lambda function to handle remediation:

```python
# disable-unused-ec2.py
import boto3

securityhub = boto3.client('securityhub')
ec2 = boto3.client('ec2')

def lambda_handler(event, context):
    # EventBridge delivers the ASFF finding under detail.findings (a list)
    finding = event['detail']['findings'][0]
    # Resource Id is an ARN like arn:aws:ec2:us-east-1:123456789012:instance/i-0abc...;
    # the instance id is the last path segment
    resource_id = finding['Resources'][0]['Id'].split('/')[-1]

    # Stop (not terminate) the instance so it can be recovered if the finding was wrong
    print(f"Stopping instance {resource_id}...")
    ec2.stop_instances(InstanceIds=[resource_id])

    # Record the action on the finding. BatchUpdateFindings is the API that takes
    # finding identifiers plus Note/Workflow; UpdateFindings is the deprecated
    # filter-based call and does not accept FindingIdentifiers.
    securityhub.batch_update_findings(
        FindingIdentifiers=[{'Id': finding['Id'], 'ProductArn': finding['ProductArn']}],
        Note={'Text': 'Instance stopped automatically', 'UpdatedBy': 'Lambda remediation'},
        Workflow={'Status': 'RESOLVED'}
    )

    return {'statusCode': 200, 'message': f'Stopped {resource_id}'}
```

### Pattern 2: Auto-Revoke Overly Permissive IAM Policies

When IAM Access Analyzer finds a policy that allows public access, revoke it:

```python
# remediate-iam-policy.py
import boto3

securityhub = boto3.client('securityhub')
iam = boto3.client('iam')
sns = boto3.client('sns')

def lambda_handler(event, context):
    finding = event['detail']['findings'][0]
    # Resource Id is the role ARN; the role name is the last path segment
    role_name = finding['Resources'][0]['Id'].split('/')[-1]

    # Get all managed policies attached to the role
    policies = iam.list_attached_role_policies(RoleName=role_name)

    for policy in policies['AttachedPolicies']:
        # Detach each attached managed policy, using the ARN the API returns
        # (covers AWS-managed policies too, which live in a different account)
        print(f"Detaching {policy['PolicyName']} from {role_name}...")
        iam.detach_role_policy(
            RoleName=role_name,
            PolicyArn=policy['PolicyArn']
        )

    # Mark the finding resolved (BatchUpdateFindings, not the deprecated UpdateFindings)
    securityhub.batch_update_findings(
        FindingIdentifiers=[{'Id': finding['Id'], 'ProductArn': finding['ProductArn']}],
        Workflow={'Status': 'RESOLVED'}
    )

    # Send SNS alert
    sns.publish(
        TopicArn='arn:aws:sns:us-east-1:123456789012:security-alerts',
        Subject=f'IAM Policy Revoked: {role_name}',
        Message=f'Detached overly permissive policies from {role_name}'
    )

    return {'statusCode': 200}
```

## Step 7: Set Up Compliance Dashboards

Use CloudWatch to build a compliance dashboard:

```python
import boto3

cloudwatch = boto3.client('cloudwatch')

# Page the security team when at least one CRITICAL finding is counted in an hour
cloudwatch.put_metric_alarm(
    AlarmName='SecurityHub-Critical-Findings',
    MetricName='CriticalFindings',
    Namespace='AWS/SecurityHub',
    Statistic='Sum',
    Period=3600,
    Threshold=1,
    ComparisonOperator='GreaterThanOrEqualToThreshold',
    AlarmActions=['arn:aws:sns:us-east-1:123456789012:security-alerts'],
    EvaluationPeriods=1
)

# Alert ops when the hourly average compliance score drops below 80%
cloudwatch.put_metric_alarm(
    AlarmName='SecurityHub-Compliance-Score-Low',
    MetricName='ComplianceScore',
    Namespace='AWS/SecurityHub',
    Statistic='Average',
    Period=3600,
    Threshold=80,
    ComparisonOperator='LessThanThreshold',
    AlarmActions=['arn:aws:sns:us-east-1:123456789012:ops-alerts'],
    EvaluationPeriods=1  # required by PutMetricAlarm
)
```
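The alarms above only fire if something publishes `CriticalFindings` and `ComplianceScore` data points. The block below is an added example, not code from the original post, showing one way to derive both values from Security Hub findings and shape the `PutMetricData` payload: the score is passed controls divided by passed plus failed controls, suppressed findings are excluded (they are the false positives from Step 5), and the critical count covers only findings still in `NEW` or `NOTIFIED`. The findings are constructed ASFF-shaped samples, not real account data. One caveat for the dashboard code above: `PutMetricData` rejects namespaces that begin with `AWS/`, so self-published metrics must live in a custom namespace (here `Custom/SecurityHub`, an assumed name) and the alarms must reference that namespace.

```python
"""Compute the two metrics the Step 7 alarms consume from Security Hub findings.

Security Hub's own security score is passed controls / (passed + failed) over
enabled controls; this recomputes it from ACTIVE, non-suppressed control
findings, counts open CRITICAL findings, and shapes a PutMetricData payload.
"""

# Constructed ASFF-shaped findings for offline testing (not real account data).
SAMPLE_FINDINGS = [
    {"Id": "c-1", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "PASSED"}},
    {"Id": "c-2", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "PASSED"}},
    {"Id": "c-3", "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"},
     "Severity": {"Label": "LOW"}, "Compliance": {"Status": "PASSED"}},
    {"Id": "c-4", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"}},
    # Suppressed false positive: excluded from the score
    {"Id": "c-5", "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"},
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"}},
    # GuardDuty-style threat findings carry no Compliance block
    {"Id": "g-1", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Severity": {"Label": "CRITICAL"}},
    {"Id": "g-2", "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"},
     "Severity": {"Label": "CRITICAL"}},
]

OPEN_STATES = ("NEW", "NOTIFIED")


def _workflow(finding):
    return finding.get("Workflow", {}).get("Status")


def compliance_score(findings):
    """Percentage of control findings that PASSED, ignoring suppressed ones.
    Returns None when there are no control findings to score."""
    passed = failed = 0
    for f in findings:
        if f.get("RecordState") != "ACTIVE" or _workflow(f) == "SUPPRESSED":
            continue
        status = f.get("Compliance", {}).get("Status")
        if status == "PASSED":
            passed += 1
        elif status == "FAILED":
            failed += 1
    total = passed + failed
    return None if total == 0 else round(100.0 * passed / total, 1)


def critical_count(findings):
    """Number of ACTIVE, still-open findings labelled CRITICAL."""
    return sum(
        1 for f in findings
        if f.get("RecordState") == "ACTIVE"
        and _workflow(f) in OPEN_STATES
        and f.get("Severity", {}).get("Label") == "CRITICAL"
    )


def metric_data(findings):
    """MetricData list for CloudWatch PutMetricData."""
    data = [{"MetricName": "CriticalFindings", "Value": critical_count(findings), "Unit": "Count"}]
    score = compliance_score(findings)
    if score is not None:
        data.append({"MetricName": "ComplianceScore", "Value": score, "Unit": "Percent"})
    return data


def fetch_active_findings(securityhub):
    """Page through GetFindings for ACTIVE findings; `securityhub` is a boto3 client."""
    paginator = securityhub.get_paginator("get_findings")
    filters = {"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]}
    findings = []
    for page in paginator.paginate(Filters=filters):
        findings.extend(page["Findings"])
    return findings


def publish(securityhub, cloudwatch, namespace="Custom/SecurityHub"):
    """Fetch findings and publish both metrics. PutMetricData rejects namespaces
    starting with "AWS/", so a custom namespace (assumed name) is used here."""
    data = metric_data(fetch_active_findings(securityhub))
    cloudwatch.put_metric_data(Namespace=namespace, MetricData=data)
    return data


if __name__ == "__main__":
    import boto3

    print(publish(boto3.client("securityhub"), boto3.client("cloudwatch")))
```

Schedule `publish` from a Lambda on an hourly EventBridge schedule so each alarm period (3600 s) receives one data point; with no data points the alarms sit in `INSUFFICIENT_DATA` rather than alerting.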

## Step 8: Create Multi-Account Compliance View

For organizations with multiple AWS accounts, use Security Hub delegated admin:

1. In **Management account**, go to **Security Hub** → **Organization**
2. Click **Register delegated administrator**
3. Select an account to be the delegated admin
4. In delegated admin account, go to **Security Hub** → **Add member accounts**
5. Select accounts to monitor
6. Delegated admin now sees findings from all member accounts in one dashboard

This allows central compliance monitoring without duplicating findings.

## Step 9: Suppress Findings by Severity or Type

To reduce alert fatigue, suppress informational findings:

```bash
# Collect the ids of all ACTIVE INFORMATIONAL findings, then suppress them in one
# call. The write API is batch-update-findings (update-findings does not take
# --finding-identifiers); it accepts up to 100 identifiers per request.
aws securityhub get-findings \
  --filters '{"SeverityLabel": [{"Value": "INFORMATIONAL", "Comparison": "EQUALS"}], "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]}' \
  --max-items 100 \
  --query 'Findings[].{Id: Id, ProductArn: ProductArn}' \
  --output json > /tmp/informational.json

aws securityhub batch-update-findings \
  --finding-identifiers file:///tmp/informational.json \
  --note '{"Text": "Informational only", "UpdatedBy": "Automated"}' \
  --workflow '{"Status": "SUPPRESSED"}'
```

## Step 10: Production Checklist

- [ ] Security Hub enabled in all regions
- [ ] CIS, PCI-DSS, NIST standards enabled
- [ ] GuardDuty, Config, IAM Access Analyzer integrated
- [ ] Custom insights created (high-severity, non-compliant, stale)
- [ ] False positives suppressed
- [ ] EventBridge rules configured for auto-remediation
- [ ] Lambda remediation functions deployed
- [ ] CloudWatch alarms set for Critical findings
- [ ] Multi-account view configured (if applicable)
- [ ] Compliance dashboard created (CloudWatch or custom)
- [ ] Team trained on incident response

## Common Mistakes

1. **Not suppressing false positives**
   - Finding appears every day, team ignores it
   - Suppressed findings still count toward compliance score
   - Better: Fix the underlying issue (e.g., enable S3 logging) or suppress with reason

2. **Enabling all standards immediately**
   - 5 standards = 500+ controls to pass
   - Initial compliance score likely 10-20%
   - Better: Start with CIS + PCI-DSS (most common), add others later

3. **Not configuring AWS Config properly**
   - Security Hub depends on Config for compliance checks
   - Config disabled = Security Hub can't see configuration violations
   - Always enable Config in all regions before Security Hub

4. **Automating remediation without approval workflow**
   - EventBridge rule deletes IAM role → production breaks
   - Better: EventBridge → SNS → manual approval → Lambda remediation
   - Or restrict automation to non-production accounts only

5. **Ignoring findings for months**
   - Security Hub tracks finding age; old findings = lower compliance score
   - Better: Set SLA (30 days to resolve critical, 90 days for medium)
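Mistake 4 is the one that takes down production, and the Step 6 Lambdas act on every matching event unconditionally. The block below is an added example, not code from the original post: a guard-rail that sits in front of the remediation logic and decides, per finding, between remediating, requesting approval and ignoring. It encodes the two rules given above (automate only in non-production accounts; route everything else to an approval channel) and adds the check practitioners usually discover the hard way: Security Hub emits another `Security Hub Findings - Imported` event when the Lambda itself calls `BatchUpdateFindings`, so findings already `RESOLVED` or `SUPPRESSED` must be skipped or the function acts twice. The account ids and the event are constructed test data, and `NON_PRODUCTION_ACCOUNTS` is a hypothetical stand-in for whatever account classification you keep (SSM Parameter Store, account tags).

```python
"""Guard-rail in front of the Step 6 remediation Lambdas.

Implements the rule from Common Mistakes #4: act automatically only in
non-production accounts and only on HIGH/CRITICAL findings; for production,
publish an approval request instead; skip anything already resolved or suppressed.
"""

# Hypothetical account classification; a real deployment would load this from
# SSM Parameter Store or the organization's account tags.
NON_PRODUCTION_ACCOUNTS = {"111111111111", "222222222222"}
AUTO_REMEDIATE_SEVERITIES = {"HIGH", "CRITICAL"}


def extract_finding(event):
    """Return the first ASFF finding from a Security Hub EventBridge event,
    rejecting events that are not Security Hub finding imports."""
    if event.get("source") != "aws.securityhub":
        raise ValueError("not a Security Hub event")
    findings = event.get("detail", {}).get("findings") or []
    if not findings:
        raise ValueError("event carries no findings")
    return findings[0]


def decide(finding):
    """Return 'remediate', 'request_approval' or 'ignore' for one finding."""
    workflow = finding.get("Workflow", {}).get("Status")
    # Security Hub re-emits "Findings - Imported" on every update, including the
    # BatchUpdateFindings call a remediation makes; skipping non-open findings
    # prevents the Lambda from acting twice on the same finding.
    if finding.get("RecordState") != "ACTIVE" or workflow in ("RESOLVED", "SUPPRESSED"):
        return "ignore"
    if finding.get("Severity", {}).get("Label") not in AUTO_REMEDIATE_SEVERITIES:
        return "ignore"
    if finding.get("AwsAccountId") in NON_PRODUCTION_ACCOUNTS:
        return "remediate"
    return "request_approval"


def handle(event, remediate, request_approval):
    """Dispatch one event. `remediate` and `request_approval` are callables taking
    the finding, e.g. a wrapper around ec2.stop_instances and one around sns.publish."""
    finding = extract_finding(event)
    action = decide(finding)
    if action == "remediate":
        remediate(finding)
    elif action == "request_approval":
        request_approval(finding)
    return {"action": action, "finding_id": finding["Id"]}


def sample_event(account_id, severity, workflow_status="NEW"):
    """Constructed EventBridge event in the shape the Step 6 rule matches (test data)."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "Id": f"finding-{account_id}-{severity.lower()}",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "AwsAccountId": account_id,
            "RecordState": "ACTIVE",
            "Workflow": {"Status": workflow_status},
            "Severity": {"Label": severity},
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": f"arn:aws:ec2:us-east-1:{account_id}:instance/i-0example"}],
        }]},
    }


if __name__ == "__main__":
    log = []
    for ev in (sample_event("111111111111", "CRITICAL"),
               sample_event("999999999999", "CRITICAL"),
               sample_event("111111111111", "LOW"),
               sample_event("111111111111", "CRITICAL", "RESOLVED")):
        print(handle(ev, log.append, log.append))
```

In the real Lambda, pass the Step 6 stop-instance or detach-policy code as `remediate` and an `sns.publish` wrapper as `request_approval`; the approving engineer then triggers the same remediation function by hand, which keeps a single audited code path for both routes.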

## Cost Estimation

For a typical organization with 50 EC2 instances, 20 RDS databases, and 100 IAM roles:

| Component                        | Cost                                       |
| -------------------------------- | ------------------------------------------ |
| Security Hub base                | $0.10 per finding ingested                 |
| PCI-DSS, CIS, NIST (3 standards) | $3/month each = $9                         |
| GuardDuty                        | $0.30 per 1M API calls                     |
| Config                           | $2/month + $0.003 per config item recorded |
| **Total monthly**                | ~$200–$500 depending on finding volume     |

## Next Steps

1. Enable Security Hub in primary region (15 mins)
2. Enable 2-3 compliance standards (5 mins)
3. Integrate GuardDuty and Config (10 mins)
4. Create 3 custom insights (15 mins)
5. Suppress 5-10 false positives (20 mins)
6. Create 1 EventBridge auto-remediation rule (30 mins)
7. Set up CloudWatch compliance alarms (15 mins)
8. Build compliance dashboard (45 mins)
9. [Talk to FactualMinds](/contact-us/) if you need help with compliance automation or multi-account governance

## FAQ

### What is the difference between Security Hub and Config?
AWS Config tracks resource configuration changes (when someone modified an EC2 security group, when an S3 bucket policy changed). Security Hub aggregates security findings (EC2 has unpatched software, IAM role has overly permissive policy). Config is a compliance baseline (what should be true). Security Hub is threat detection (what went wrong). Use both: Config enforces desired state, Security Hub detects violations.

### How much does Security Hub cost?
Pricing: $0.10 per finding ingested (from Config, GuardDuty, etc.), plus $3/month per enabled compliance standard (PCI-DSS, CIS, etc.). For 10,000 findings/month + 5 standards = ($0.10 × 10K) + ($3 × 5) = $1,000 + $15 = ~$1,015/month. For most enterprises: $500-$2,000/month depending on finding volume and standards enabled.

### Can Security Hub block bad resources automatically?
Partially. Security Hub detects findings; you automate responses with EventBridge → Lambda → remediation (stop instances, revoke IAM policies, delete resources). For critical findings, AWS recommends manual approval-first workflows: EventBridge → SNS → engineer approval → Lambda remediation. For non-production, you can fully automate. Compliance standards (PCI-DSS) may require an audit trail, so automation plus logging is key.

### What compliance standards does Security Hub cover?
Built-in standards: PCI-DSS v3.2.1 (payment card security), CIS AWS Foundations Benchmark (AWS best practices), NIST Cybersecurity Framework (NIST 800-53), HIPAA (healthcare), SOC 2 (custom rules). Security Hub runs automated controls against these standards and scores your compliance. Example: PCI-DSS requires encryption in transit; Security Hub checks all TLS configurations and flags non-HTTPS APIs.

### What if Security Hub is generating too many false positives?
Common causes: (1) Development environment rules applied to production thresholds, (2) Temporary exceptions not archived, (3) Overly aggressive control settings. Solutions: (1) Create separate Security Hub accounts for dev/prod, (2) Suppress findings that are known false positives (mark as "Not Applicable"), (3) Adjust control parameters (e.g., S3 logging false positive if you've configured S3 access logs but SDK reports lag), (4) Filter findings by severity (only alert on High/Critical).

---

*Source: https://www.factualminds.com/blog/how-to-set-up-aws-security-hub-compliance-monitoring/*
