implementing-aws-security-hub-compliance▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Implementing AWS Security Hub to aggregate security findings across AWS accounts, enable compliance standards like CIS AWS Foundations and PCI DSS, configure automated remediation with EventBridge and Lambda, and create custom security insights for organizational risk management.
| name | implementing-aws-security-hub-compliance |
| description | 'Implementing AWS Security Hub to aggregate security findings across AWS accounts, enable compliance standards like CIS AWS Foundations and PCI DSS, configure automated remediation with EventBridge and Lambda, and create custom security insights for organizational risk management. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - cloud-security - aws - security-hub - compliance - cspm - cis-benchmark |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Implementing AWS Security Hub Compliance
When to Use
- When establishing centralized security posture management across multiple AWS accounts
- When compliance requirements demand continuous monitoring against CIS, PCI DSS, or NIST 800-53 standards
- When aggregating findings from GuardDuty, Inspector, Macie, Firewall Manager, and third-party tools
- When building automated remediation workflows triggered by security findings
- When executive stakeholders require a security compliance dashboard across the organization
Do not use for real-time threat detection (use GuardDuty), for vulnerability scanning (use Inspector), or for data classification (use Macie). Security Hub aggregates findings from these services but does not replace them.
Prerequisites
- AWS Organizations with delegated administrator for Security Hub
- IAM permissions for
securityhub:*,config:*,events:*, andlambda:* - AWS Config enabled in all target accounts and regions (required by Security Hub)
- CloudFormation StackSets or Terraform for multi-account deployment
- SNS topics configured for alert routing to security team
Workflow
Step 1: Enable Security Hub with Compliance Standards
Enable Security Hub in the management account and select compliance standards to evaluate.
# Enable Security Hub in the current account/region
aws securityhub enable-security-hub \
--enable-default-standards \
--control-finding-generator SECURITY_CONTROL
# Enable specific compliance standards
aws securityhub batch-enable-standards --standards-subscription-requests \
'[
{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"},
{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"},
{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"},
{"StandardsArn": "arn:aws:securityhub:us-east-1::standards/nist-800-53/v/5.0.0"}
]'
# Verify enabled standards
aws securityhub get-enabled-standards \
--query 'StandardsSubscriptions[*].[StandardsArn,StandardsStatus]' --output table
Step 2: Configure Multi-Account Aggregation
Set up a delegated administrator and aggregate findings from all organization accounts.
# Designate a delegated admin (run from management account)
aws securityhub enable-organization-admin-account \
--admin-account-id 111122223333
# From the delegated admin account, enable auto-enrollment
aws securityhub update-organization-configuration \
--auto-enable \
--auto-enable-standards DEFAULT
# Create a finding aggregator for cross-region aggregation
aws securityhub create-finding-aggregator \
--region-linking-mode ALL_REGIONS
# List member accounts
aws securityhub list-members \
--query 'Members[*].[AccountId,MemberStatus]' --output table
Step 3: Review Compliance Scores and Failed Controls
Query Security Hub for compliance posture across enabled standards and identify failing controls.
# Get overall compliance score for CIS benchmark
aws securityhub get-standards-control-associations \
--security-control-id "IAM.1" \
--query 'StandardsControlAssociationSummaries[*].[StandardsArn,AssociationStatus]' \
--output table
# List all failed controls
aws securityhub get-findings \
--filters '{
"ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
"WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}]
}' \
--sort-criteria '{"Field": "SeverityNormalized", "SortOrder": "desc"}' \
--max-items 50 \
--query 'Findings[*].[Title,Severity.Label,Compliance.Status,Resources[0].Id]' \
--output table
# Get finding counts by severity
aws securityhub get-insight-results \
--insight-arn "arn:aws:securityhub:us-east-1:111122223333:insight/111122223333/default/2"
Step 4: Create Custom Security Insights
Build custom insights to track organization-specific security priorities.
# Create insight for publicly accessible resources
aws securityhub create-insight \
--name "Publicly Accessible Resources" \
--filters '{
"ResourceType": [
{"Value": "AwsS3Bucket", "Comparison": "EQUALS"},
{"Value": "AwsEc2SecurityGroup", "Comparison": "EQUALS"},
{"Value": "AwsRdsDbInstance", "Comparison": "EQUALS"}
],
"ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}, {"Value": "HIGH", "Comparison": "EQUALS"}]
}' \
--group-by-attribute "ResourceType"
# Create insight for unencrypted resources
aws securityhub create-insight \
--name "Unencrypted Resources Across Accounts" \
--filters '{
"Title": [{"Value": "encryption", "Comparison": "CONTAINS"}],
"ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}]
}' \
--group-by-attribute "AwsAccountId"
Step 5: Configure Automated Remediation with EventBridge
Set up EventBridge rules to trigger Lambda-based auto-remediation for specific finding types.
# Create EventBridge rule for Security Hub findings
aws events put-rule \
--name "security-hub-critical-findings" \
--event-pattern '{
"source": ["aws.securityhub"],
"detail-type": ["Security Hub Findings - Imported"],
"detail": {
"findings": {
"Severity": {"Label": ["CRITICAL"]},
"Compliance": {"Status": ["FAILED"]},
"Workflow": {"Status": ["NEW"]}
}
}
}'
# Example Lambda auto-remediation for S3 public access (Python)
cat > /tmp/remediate_s3.py << 'PYEOF'
import boto3
import json
def lambda_handler(event, context):
s3 = boto3.client('s3')
securityhub = boto3.client('securityhub')
for finding in event['detail']['findings']:
if 'S3' in finding.get('Title', '') and 'public' in finding.get('Title', '').lower():
bucket_arn = finding['Resources'][0]['Id']
bucket_name = bucket_arn.split(':::')[-1]
s3.put_public_access_block(
Bucket=bucket_name,
PublicAccessBlockConfiguration={
'BlockPublicAcls': True,
'IgnorePublicAcls': True,
'BlockPublicPolicy': True,
'RestrictPublicBuckets': True
}
)
securityhub.batch_update_findings(
FindingIdentifiers=[{
'Id': finding['Id'],
'ProductArn': finding['ProductArn']
}],
Workflow={'Status': 'RESOLVED'},
Note={
'Text': 'Auto-remediated: Block Public Access enabled',
'UpdatedBy': 'security-hub-auto-remediation'
}
)
return {'statusCode': 200}
PYEOF
Step 6: Export Findings and Generate Compliance Reports
Export Security Hub findings for reporting and integration with external SIEM or GRC platforms.
# Export all findings to S3 via a custom script
aws securityhub get-findings \
--filters '{
"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]
}' \
--max-items 1000 \
--output json > security-hub-findings-export.json
# Send critical findings to SNS
aws sns publish \
--topic-arn arn:aws:sns:us-east-1:111122223333:security-alerts \
--subject "Security Hub Daily Summary" \
--message file://daily-summary.json
# Integrate with third-party SIEM via EventBridge
aws events put-targets \
--rule security-hub-critical-findings \
--targets '[{
"Id": "splunk-hec",
"Arn": "arn:aws:events:us-east-1:111122223333:api-destination/splunk-hec",
"HttpParameters": {
"HeaderParameters": {"Authorization": "Splunk HEC_TOKEN"}
}
}]'
Key Concepts
| Term | Definition |
|---|---|
| Security Hub | AWS service that aggregates security findings from AWS services and third-party tools, evaluates compliance against standards, and provides a unified security dashboard |
| Security Standard | A predefined set of security controls (CIS, PCI DSS, NIST 800-53) that Security Hub evaluates against your AWS configuration |
| Security Control | An individual check within a standard that evaluates a specific AWS resource configuration, such as whether S3 buckets block public access |
| Finding | A security issue detected by Security Hub or an integrated service, formatted in AWS Security Finding Format (ASFF) |
| Insight | A custom or managed grouping of findings by a specific attribute, providing aggregated views for security analysis |
| ASFF | AWS Security Finding Format, the standardized JSON schema used by all Security Hub integrations for consistent finding representation |
Tools & Systems
- AWS Security Hub: Central aggregation and compliance evaluation platform for security findings across AWS accounts
- AWS Config: Configuration recording service required by Security Hub for evaluating resource compliance
- Amazon EventBridge: Event bus for routing Security Hub findings to Lambda, SNS, or external remediation systems
- AWS Lambda: Serverless compute for automated remediation functions triggered by Security Hub findings
- Prowler: Open-source tool that can send findings to Security Hub via ASFF integration
Common Scenarios
Scenario: Rolling Out Security Hub Across a 50-Account Organization
Context: A security team needs to enable Security Hub with CIS and FSBP standards across all accounts in an AWS Organization, with centralized finding aggregation and automated alerting.
Approach:
- Enable Security Hub in the management account and designate a security account as delegated admin
- Configure auto-enable for all existing and new member accounts via
update-organization-configuration - Create a cross-region finding aggregator to consolidate findings from all regions into the admin account
- Enable CIS AWS Foundations 1.4 and AWS FSBP standards across all accounts
- Create EventBridge rules to route CRITICAL findings to PagerDuty and all findings to Splunk
- Build custom insights for the top organizational risks: public resources, missing encryption, unused credentials
- Schedule weekly compliance reports to stakeholders using Lambda and SES
Pitfalls: Security Hub requires AWS Config to be enabled in every account and region. Failing to enable Config will result in controls showing as "No data" rather than PASSED or FAILED. Member accounts with Config disabled will silently produce incomplete compliance scores.
Output Format
AWS Security Hub Compliance Report
=====================================
Organization: acme-corp (50 accounts)
Region: us-east-1 (aggregated from all regions)
Report Date: 2026-02-23
Standards Enabled: CIS 1.4, FSBP v1.0, PCI DSS 3.2.1
COMPLIANCE SCORES:
CIS AWS Foundations 1.4: 78% (142/182 controls passing)
AWS FSBP v1.0.0: 85% (198/233 controls passing)
PCI DSS 3.2.1: 72% (89/124 controls passing)
CRITICAL FINDINGS: 23
HIGH FINDINGS: 87
MEDIUM FINDINGS: 245
LOW FINDINGS: 412
TOP FAILING CONTROLS:
[IAM.6] MFA not enabled for root account 12 accounts
[S3.2] S3 Block Public Access not enabled 8 accounts
[EC2.19] Security groups allow unrestricted access 15 accounts
[RDS.3] RDS encryption at rest not enabled 6 accounts
AUTO-REMEDIATION ACTIONS (Last 30 Days):
S3 Block Public Access enabled: 14
Security Group rules restricted: 8
CloudTrail logging re-enabled: 3
Total auto-remediated findings: 25
How to use implementing-aws-security-hub-compliance on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add implementing-aws-security-hub-compliance
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches implementing-aws-security-hub-compliance from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate implementing-aws-security-hub-compliance. Access the skill through slash commands (e.g., /implementing-aws-security-hub-compliance) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.5★★★★★45 reviews- ★★★★★Zara Desai· Dec 28, 2024
implementing-aws-security-hub-compliance is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Pratham Ware· Dec 24, 2024
implementing-aws-security-hub-compliance reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Anaya Desai· Dec 20, 2024
implementing-aws-security-hub-compliance fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Emma White· Dec 20, 2024
implementing-aws-security-hub-compliance has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Aanya Shah· Dec 12, 2024
Keeps context tight: implementing-aws-security-hub-compliance is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Hiroshi Tandon· Nov 19, 2024
Solid pick for teams standardizing on skills: implementing-aws-security-hub-compliance is focused, and the summary matches what you get after install.
- ★★★★★Yash Thakker· Nov 15, 2024
I recommend implementing-aws-security-hub-compliance for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Mateo Li· Nov 11, 2024
Keeps context tight: implementing-aws-security-hub-compliance is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Advait Agarwal· Nov 3, 2024
implementing-aws-security-hub-compliance has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Chen Martin· Oct 22, 2024
Solid pick for teams standardizing on skills: implementing-aws-security-hub-compliance is focused, and the summary matches what you get after install.
showing 1-10 of 45