Implementing AWS Security Hub to aggregate security findings across AWS accounts, enable compliance standards like CIS AWS Foundations and PCI DSS, configure automated remediation with EventBridge and Lambda, and create custom security insights for organizational risk management.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-aws-security-hub-complianceExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-aws-security-hub-compliance from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-aws-security-hub-compliance. Access via /implementing-aws-security-hub-compliance in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-aws-security-hub-compliance |
| description | 'Implementing AWS Security Hub to aggregate security findings across AWS accounts, enable compliance standards like CIS AWS Foundations and PCI DSS, configure automated remediation with EventBridge and Lambda, and create custom security insights for organizational risk management. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - cloud-security - aws - security-hub - compliance - cspm - cis-benchmark |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Do not use for real-time threat detection (use GuardDuty), for vulnerability scanning (use Inspector), or for data classification (use Macie). Security Hub aggregates findings from these services but does not replace them.
securityhub:*, config:*, events:*, and lambda:*Enable Security Hub in the management account and select compliance standards to evaluate.
# Enable Security Hub in the current account/region
aws securityhub enable-security-hub \
--enable-default-standards \
--control-finding-generator SECURITY_CONTROL
# Enable specific compliance standards
aws securityhub batch-enable-standards --standards-subscription-requests \
'[
{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"},
{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"},
{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"},
{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/nist-800-53/v/5.0.0"}
]'
# Verify enabled standards
aws securityhub get-enabled-standards \
--query 'StandardsSubscriptions[*].[StandardsArn,StandardsStatus]' --output table
Set up a delegated administrator and aggregate findings from all organization accounts.
# Designate a delegated admin (run from management account)
aws securityhub enable-organization-admin-account \
--admin-account-id 111122223333
# From the delegated admin account, enable auto-enrollment
aws securityhub update-organization-configuration \
--auto-enable \
--auto-enable-standards DEFAULT
# Create a finding aggregator for cross-region aggregation
aws securityhub create-finding-aggregator \
--region-linking-mode ALL_REGIONS
# List member accounts
aws securityhub list-members \
--query 'Members[*].[AccountId,MemberStatus]' --output table
Query Security Hub for compliance posture across enabled standards and identify failing controls.
# Get overall compliance score for CIS benchmark
aws securityhub get-standards-control-associations \
--security-control-id "IAM.1" \
--query 'StandardsControlAssociationSummaries[*].[StandardsArn,AssociationStatus]' \
--output table
# List all failed controls
aws securityhub get-findings \
--filters '{
"ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
"WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}]
}' \
--sort-criteria '{"Field": "SeverityNormalized", "SortOrder": "desc"}' \
--max-items 50 \
--query 'Findings[*].[Title,Severity.Label,Compliance.Status,Resources[0].Id]' \
--output table
# Get finding counts by severity
aws securityhub get-insight-results \
--insight-arn "arn:aws:securityhub:us-east-1:111122223333:insight/111122223333/default/2"
Build custom insights to track organization-specific security priorities.
# Create insight for publicly accessible resources
aws securityhub create-insight \
--name "Publicly Accessible Resources" \
--filters '{
"ResourceType": [
{"Value": "AwsS3Bucket", "Comparison": "EQUALS"},
{"Value": "AwsEc2SecurityGroup", "Comparison": "EQUALS"},
{"Value": "AwsRdsDbInstance", "Comparison": "EQUALS"}
],
"ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}, {"Value": "HIGH", "Comparison": "EQUALS"}]
}' \
--group-by-attribute "ResourceType"
# Create insight for unencrypted resources
aws securityhub create-insight \
--name "Unencrypted Resources Across Accounts" \
--filters '{
"Title": [{"Value": "encryption", "Comparison": "CONTAINS"}],
"ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}]
}' \
--group-by-attribute "AwsAccountId"
Set up EventBridge rules to trigger Lambda-based auto-remediation for specific finding types.
# Create EventBridge rule for Security Hub findings
aws events put-rule \
--name "security-hub-critical-findings" \
--event-pattern '{
"source": ["aws.securityhub"],
"detail-type": ["Security Hub Findings - Imported"],
"detail": {
"findings": {
"Severity": {"Label": ["CRITICAL"]},
"Compliance": {"Status": ["FAILED"]},
"Workflow": {"Status": ["NEW"]}
}
}
}'
# Example Lambda auto-remediation for S3 public access (Python)
cat > /tmp/remediate_s3.py << 'PYEOF'
import boto3
import json
def lambda_handler(event, context):
s3 = boto3.client('s3')
securityhub = boto3.client('securityhub')
for finding in event['detail']['findings']:
if 'S3' in finding.get('Title', '') and 'public' in finding.get('Title', '').lower():
bucket_arn = finding['Resources'][0]['Id']
bucket_name = bucket_arn.split(':::')[-1]
s3.put_public_access_block(
Bucket=bucket_name,
PublicAccessBlockConfiguration={
'BlockPublicAcls': True,
'IgnorePublicAcls': True,
'BlockPublicPolicy': True,
'RestrictPublicBuckets': True
}
)
securityhub.batch_update_findings(
FindingIdentifiers=[{
'Id': finding['Id'],
'ProductArn': finding['ProductArn']
}],
Workflow={'Status': 'RESOLVED'},
Note={
'Text': 'Auto-remediated: Block Public Access enabled',
'UpdatedBy': 'security-hub-auto-remediation'
}
)
return {'statusCode': 200}
PYEOF
Export Security Hub findings for reporting and integration with external SIEM or GRC platforms.
# Export all findings to S3 via a custom script
aws securityhub get-findings \
--filters '{
"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]
}' \
--max-items 1000 \
--output json > security-hub-findings-export.json
# Send critical findings to SNS
aws sns publish \
--topic-arn arn:aws:sns:us-east-1:111122223333:security-alerts \
--subject "Security Hub Daily Summary" \
--message file://daily-summary.json
# Integrate with third-party SIEM via EventBridge
aws events put-targets \
--rule security-hub-critical-findings \
--targets '[{
"Id": "splunk-hec",
"Arn": "arn:aws:events:us-east-1:111122223333:api-destination/splunk-hec",
"HttpParameters": {
"HeaderParameters": {"Authorization": "Splunk HEC_TOKEN"}
}
}]'
| Term | Definition |
|---|---|
| Security Hub | AWS service that aggregates security findings from AWS services and third-party tools, evaluates compliance against standards, and provides a unified security dashboard |
| Security Standard | A predefined set of security controls (CIS, PCI DSS, NIST 800-53) that Security Hub evaluates against your AWS configuration |
| Security Control | An individual check within a standard that evaluates a specific AWS resource configuration, such as whether S3 buckets block public access |
| Finding | A security issue detected by Security Hub or an integrated service, formatted in AWS Security Finding Format (ASFF) |
| Insight | A custom or managed grouping of findings by a specific attribute, providing aggregated views for security analysis |
| ASFF | AWS Security Finding Format, the standardized JSON schema used by all Security Hub integrations for consistent finding representation |
Context: A security team needs to enable Security Hub with CIS and FSBP standards across all accounts in an AWS Organization, with centralized finding aggregation and automated alerting.
Approach:
update-organization-configurationPitfalls: Security Hub requires AWS Config to be enabled in every account and region. Failing to enable Config will result in controls showing as "No data" rather than PASSED or FAILED. Member accounts with Config disabled will silently produce incomplete compliance scores.
AWS Security Hub Compliance Report
=====================================
Organization: acme-corp (50 accounts)
Region: us-east-1 (aggregated from all regions)
Report Date: 2026-02-23
Standards Enabled: CIS 1.4, FSBP v1.0, PCI DSS 3.2.1
COMPLIANCE SCORES:
CIS AWS Foundations 1.4: 78% (142/182 controls passing)
AWS FSBP v1.0.0: 85% (198/233 controls passing)
PCI DSS 3.2.1: 72% (89/124 controls passing)
CRITICAL FINDINGS: 23
HIGH FINDINGS: 87
MEDIUM FINDINGS: 245
LOW FINDINGS: 412
TOP FAILING CONTROLS:
[IAM.6] MFA not enabled for root account 12 accounts
[S3.2] S3 Block Public Access not enabled 8 accounts
[EC2.19] Security groups allow unrestricted access 15 accounts
[RDS.3] RDS encryption at rest not enabled 6 accounts
AUTO-REMEDIATION ACTIONS (Last 30 Days):
S3 Block Public Access enabled: 14
Security Group rules restricted: 8
CloudTrail logging re-enabled: 3
Total auto-remediated findings: 25
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
implementing-aws-security-hub-compliance is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
implementing-aws-security-hub-compliance reduced setup friction for our internal harness; good balance of opinion and flexibility.
implementing-aws-security-hub-compliance fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
implementing-aws-security-hub-compliance has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: implementing-aws-security-hub-compliance is the kind of skill you can hand to a new teammate without a long onboarding doc.
Solid pick for teams standardizing on skills: implementing-aws-security-hub-compliance is focused, and the summary matches what you get after install.
I recommend implementing-aws-security-hub-compliance for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Keeps context tight: implementing-aws-security-hub-compliance is the kind of skill you can hand to a new teammate without a long onboarding doc.
implementing-aws-security-hub-compliance has been reliable in day-to-day use. Documentation quality is above average for community skills.
Solid pick for teams standardizing on skills: implementing-aws-security-hub-compliance is focused, and the summary matches what you get after install.
showing 1-10 of 45