implementing-aws-security-hub

# Implementing AWS Security Hub ## When to Use - When establishing a centralized security findings dashboard across multiple AWS accounts - When enabling automated compliance checks against CIS, PCI-DSS, NIST, or AWS Foundational Security Best Practices - When integrating findings from GuardDuty, Inspector, Macie, and third-party security tools - When building automated remediation workflows for recurring security misconfigurations - When preparing compliance evidence for auditors requiring continuous posture monitoring **Do not use** for real-time threat detection (see detecting-cloud-threats-with-guardduty), for Azure compliance monitoring (see securing-azure-with-microsoft-defender), or for deep vulnerability scanning of container images (see securing-container-registry). ## Prerequisites - AWS Organization with a designated security administrator account - AWS Config enabled in all target accounts and regions - GuardDuty, Inspector, and Macie activated for finding integration - IAM permissions for securityhub:* and config:* in the administrator account ## Workflow ### Step 1: Enable Security Hub with Standards Activate Security Hub in the delegated administrator account and enable security standards. AWS Security Hub CSPM supports CIS AWS Foundations Benchmark v5.0, AWS Foundational Security Best Practices, PCI DSS v3.2.1, and NIST SP 800-53. ```bash # Enable Security Hub with standards aws securityhub enable-security-hub \ --enable-default-standards \ --tags...