Security Hub enabled
Check ID: aws-sh-001
AWS-SH-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if AWS Security Hub is enabled. Security Hub provides a comprehensive view of security findings from multiple AWS services and third-party tools.
Why it matters
AWS Security Hub aggregates security findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and third-party tools into a single pane of glass with automated compliance checks. Without Security Hub, security findings are scattered across individual service consoles, making it impossible to prioritize and track remediation across the entire account. Security Hub's automated security checks continuously evaluate your account against CIS AWS Foundations, AWS Foundational Security Best Practices, and PCI-DSS standards, catching configuration drift that manual audits miss. Organizations running compliance programs (SOC 2, ISO 27001, PCI-DSS) benefit from Security Hub's continuous compliance scoring and evidence collection. The service costs approximately $0.0010 per finding per month, making it one of the most cost-effective security investments in AWS.
Common causes
Security Hub must be explicitly enabled per-region and is not part of the default AWS account setup. Organizations that enabled GuardDuty or Inspector individually may not realize that Security Hub provides the aggregation layer needed to operationalize those findings. Cost-conscious teams may skip Security Hub in non-production accounts without realizing that security misconfigurations in dev/staging environments can be exploited as pivot points to production.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
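The logic behind a check like this is small enough to show in full. The following Python script is an added example and is not cloud-audit's own code: it calls Security Hub's DescribeHub API in a region, treats the InvalidAccessException that the API returns for an unsubscribed account as "not enabled", and then lists the enabled standards so it can also flag a region where the hub exists but the CIS v3.0.0 standard is not in the READY state. The AWS client is injected into the core functions so the logic can be exercised against a constructed fake client; the live path at the bottom assumes boto3 is installed and credentials are configured, and the region list there is a placeholder.

```python
"""Per-region Security Hub status check (added example; not cloud-audit's own code).

Mirrors what an "is Security Hub enabled" check has to do: call DescribeHub in
each region (a disabled account raises InvalidAccessException), then inspect the
enabled standards.  The client is injected so the core logic runs offline.
"""

# Substring that identifies the CIS AWS Foundations Benchmark v3.0.0 standard ARN.
CIS_V3_PREFIX = "standards/cis-aws-foundations-benchmark/v/3.0.0"


def _error_code(exc):
    # botocore.exceptions.ClientError carries the API error code in exc.response;
    # reading it via getattr keeps this usable with a fake client's exception.
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def security_hub_status(client):
    """Describe Security Hub in the client's region.

    Returns a dict: enabled (bool), hub_arn (str or None),
    standards (list of (standards_arn, status) tuples).
    """
    try:
        hub = client.describe_hub()
    except Exception as exc:  # ClientError from boto3, or a fake's equivalent
        if _error_code(exc) == "InvalidAccessException":
            # Security Hub is not enabled in this region for this account.
            return {"enabled": False, "hub_arn": None, "standards": []}
        raise  # anything else (throttling, permissions) is a real error
    standards = []
    params = {}
    while True:  # GetEnabledStandards is paginated via NextToken
        page = client.get_enabled_standards(**params)
        for sub in page.get("StandardsSubscriptions", []):
            standards.append((sub["StandardsArn"], sub["StandardsStatus"]))
        token = page.get("NextToken")
        if not token:
            break
        params = {"NextToken": token}
    return {"enabled": True, "hub_arn": hub.get("HubArn"), "standards": standards}


def evaluate(status):
    """Turn a status dict into a finding string, or None when the region passes."""
    if not status["enabled"]:
        return "FAIL: Security Hub is not enabled in this region"
    cis_ready = any(
        CIS_V3_PREFIX in arn and state == "READY" for arn, state in status["standards"]
    )
    if not cis_ready:
        return "WARN: Security Hub is enabled but CIS v3.0.0 is not in READY state"
    return None


def scan_regions(session, regions):
    """Run the check in every listed region; session is a boto3.Session (or a fake)."""
    results = {}
    for region in regions:
        client = session.client("securityhub", region_name=region)
        results[region] = evaluate(security_hub_status(client))
    return results


if __name__ == "__main__":
    import boto3  # only needed for a live scan against a real account

    # Placeholder region list: a real scan would enumerate every enabled region.
    for region, finding in scan_regions(boto3.Session(), ["us-east-1", "eu-west-1"]).items():
        print(f"{region}: {finding or 'PASS'}")
```

Anything other than InvalidAccessException is re-raised on purpose: an AccessDenied or throttling error means the scanner could not evaluate the region, which is a different result from "Security Hub is off" and should not be reported as a pass or a fail.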
Remediation: AWS CLI
aws securityhub enable-security-hub --enable-default-standards --region REGION
Remediation: Terraform
resource "aws_securityhub_account" "main" {}
data "aws_region" "current" {}
resource "aws_securityhub_standards_subscription" "cis" {
  # CIS v3.0.0 is a regional standard (region in the ARN, "standards/" path);
  # the global "ruleset/" ARN form only applies to the legacy v1.2.0 benchmark.
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/3.0.0"
  depends_on    = [aws_securityhub_account.main] # the hub must exist before a standard can be subscribed
}
Compliance mapping
This check maps to CIS 4.16 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
CIS AWS v3.0 in 60 Seconds: Automate Compliance with Terraform