Security Hub — Org-wide compliance posture
Status: Active since 2026-04-18, delegated admin: log-archive. Purpose: SOC 2 CC7.1, HIPAA §164.308(a)(1)(ii)(A), CMS EDE Phase 3 evidence of continuous control monitoring.
Summary
Security Hub aggregates findings from GuardDuty, Config, IAM Access Analyzer, Inspector (future), and its own managed standards into a single compliance dashboard. It evaluates our resources against industry benchmarks and scores our security posture continuously.
Resources
| Resource | Value |
|---|---|
| Delegated administrator | 754660694122 (log-archive) |
| Finding aggregator ARN | arn:aws:securityhub:us-east-1:754660694122:finding-aggregator/06cecfad-472c-80ae-e30b-b0bd4eb40824 |
| Finding aggregator region | us-east-1 (all regions → us-east-1) |
| Auto-enable new members | Yes, with default standards |
| Member accounts enrolled | 778477254880 (mgmt), 039624954211 (prod), 549136075525 (staging) — all Enabled |
Standards subscribed
| Standard | mgmt | prod | staging | log-archive |
|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 | ✓ | ✓ | ✓ | ✓ |
| CIS AWS Foundations Benchmark v1.2.0 (legacy default, to be disabled) | ✓ | ✓ | ✓ | ✓ |
| CIS AWS Foundations Benchmark v3.0.0 | — | ✓ | ✓ | — |
| NIST 800-53 Rev 5 (HIPAA-aligned technical control set) | — | ✓ | — | — |
Prod carries the most stringent set — NIST 800-53 Rev 5 maps to HIPAA technical safeguards at §164.312, which is what EDE Phase 3 auditors look for. Staging runs CIS to catch misconfiguration without the finding volume of NIST on a pre-prod environment.
No native "HIPAA" standard
Security Hub doesn't have a standalone HIPAA standard. HIPAA compliance in AWS is evidenced via NIST 800-53 (for controls) + the signed AWS BAA (for data handling). Audit teams accept this mapping.
Controls status
Controls are in PENDING state immediately after subscription and transition to PASSED / FAILED / NOT_AVAILABLE over ~30-60 minutes as Security Hub evaluates resources. Expect a baseline score within a few hours.
Expected failures at launch (to be triaged once stack is built):
- Controls that require ALB / CloudFront / WAF / Config / GuardDuty will initially fail on accounts where those resources don't exist yet (staging/prod get them in Phases 4-8).
- Mgmt account controls like "MFA on root" should pass since we just set up root MFA on all member accounts.
Where findings go
- Security Hub console in log-archive = primary dashboard.
- EventBridge (future, Phase 11): rule to ship critical findings to an alerting destination.
- S3 (future, Phase 11): cross-account export of findings to log-archive S3 for long-term retention and Drata ingestion.
SCP protection
ScpBaseline denies:
- `securityhub:DisableSecurityHub`
- `securityhub:DeleteMembers`
- `securityhub:DisassociateFromMasterAccount`
- `securityhub:DisassociateMembers`
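The deny list above rendered as a policy document, with a small matcher that checks which Security Hub calls it catches. This is an added example, not the actual ScpBaseline policy (which may carry other statements): the `Sid` is made up, the matcher models only Deny statements with a `*` resource, and `securityhub:DisassociateFromAdministratorAccount` (the current name of the API the page lists under its legacy `...FromMasterAccount` name) is included only as a coverage probe.

```python
"""Security Hub teardown guard from ScpBaseline, as a policy document plus a
matcher that reports which actions it denies. Added example; the Sid is
assumed and the real SCP may differ."""
import fnmatch
import json

SECURITYHUB_GUARD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySecurityHubTeardown",  # assumed Sid
        "Effect": "Deny",
        "Action": [  # the four actions listed on this page
            "securityhub:DisableSecurityHub",
            "securityhub:DeleteMembers",
            "securityhub:DisassociateFromMasterAccount",
            "securityhub:DisassociateMembers",
        ],
        "Resource": "*",
    }],
}


def scp_denies(policy, action):
    """True if any Deny statement's Action pattern matches `action`.

    IAM action matching is case-insensitive and accepts `*` and `?`. Only Deny
    is modelled: an SCP never grants anything by itself, so for a guardrail the
    question is simply whether a Deny statement catches the call."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        patterns = st.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def uncovered(policy, actions):
    """Actions that no Deny statement catches: the list to compare against the
    Security Hub API surface when reviewing the guard."""
    return [a for a in actions if not scp_denies(policy, a)]


def render_policy(policy=SECURITYHUB_GUARD):
    """JSON as it would be passed to `aws organizations create-policy
    --type SERVICE_CONTROL_POLICY --content file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render_policy())
    probes = [a for a in SECURITYHUB_GUARD["Statement"][0]["Action"]]
    # Newer name of the disassociate API; not in the page's list, so this
    # probe shows up as uncovered.
    probes.append("securityhub:DisassociateFromAdministratorAccount")
    print("not denied:", uncovered(SECURITYHUB_GUARD, probes))
```

Running the probe shows that the four listed actions are denied regardless of case, while `securityhub:DisassociateFromAdministratorAccount` is not; if the guard is meant to block a member leaving the administrator account, the deny list should name both the legacy and the current action, or use a pattern such as `securityhub:DisassociateFrom*`.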
Costs
Security Hub charges per finding ingested + per standard check per month. Pre-launch estimate: $5–15/mo scaling with finding volume.
Runbook
- `aws securityhub get-findings --filters '{"WorkflowStatus":[{"Value":"NEW","Comparison":"EQUALS"}]}' --max-items 20` — see current open findings.
- `aws securityhub get-enabled-standards` — confirm standards per account.
- `aws securityhub describe-organization-configuration` — confirm auto-enroll is on.
- Recommended weekly: Security Hub console → Summary page in log-archive; triage any CRITICAL or HIGH findings.
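A triage helper for the weekly review, added here as an example (not part of the original page or the runbook). It consumes the JSON that `aws securityhub get-findings` and `aws securityhub get-enabled-standards` print, tallies findings still in workflow `NEW` by severity, lists the CRITICAL/HIGH ones, and diffs the standards enabled in an account against the "Standards subscribed" matrix above. The script name `triage.py`, the `name/v/version` tail of the `StandardsArn` values, and all sample findings are assumptions or constructed data.

```python
"""Weekly Security Hub triage helper (added example). Reads get-findings and
get-enabled-standards JSON, summarises NEW findings, and checks enabled
standards against the expected matrix. Sample data is constructed."""
import json
import sys
from collections import Counter

# Expected standards per account, from the "Standards subscribed" table,
# keyed by the 'name/v/version' tail of the StandardsArn (assumed ARN shape).
AFSBP = "aws-foundational-security-best-practices/v/1.0.0"
CIS12 = "cis-aws-foundations-benchmark/v/1.2.0"
CIS30 = "cis-aws-foundations-benchmark/v/3.0.0"
NIST = "nist-800-53/v/5.0.0"
EXPECTED_STANDARDS = {
    "mgmt": {AFSBP, CIS12},
    "prod": {AFSBP, CIS12, CIS30, NIST},
    "staging": {AFSBP, CIS12, CIS30},
    "log-archive": {AFSBP, CIS12},
}
TRIAGE_LABELS = {"CRITICAL": 0, "HIGH": 1}  # label -> sort rank


def summarize_findings(get_findings_output):
    """Return (counts_by_severity, triage_list) over findings whose workflow
    status is NEW. triage_list holds (account, severity, title, resource id)
    for CRITICAL and HIGH findings, most severe first."""
    counts, triage = Counter(), []
    for f in get_findings_output.get("Findings", []):
        if f.get("Workflow", {}).get("Status") != "NEW":
            continue  # NOTIFIED / SUPPRESSED / RESOLVED: already handled
        label = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        counts[label] += 1
        if label in TRIAGE_LABELS:
            res = f.get("Resources") or [{}]
            triage.append((f.get("AwsAccountId", "?"), label,
                           f.get("Title", "?"), res[0].get("Id", "<no resource>")))
    triage.sort(key=lambda t: (TRIAGE_LABELS[t[1]], t[0], t[2]))
    return dict(counts), triage


def standard_key(standards_arn):
    """Reduce a StandardsArn to 'name/v/version' so the legacy 'ruleset/' ARN
    (CIS 1.2.0) and the newer 'standards/' ARNs compare the same way."""
    for marker in ("standards/", "ruleset/"):
        if marker in standards_arn:
            return standards_arn.split(marker, 1)[1]
    return standards_arn


def check_standards(account_name, get_enabled_standards_output):
    """Return (missing, unexpected, not_ready) sets of standard keys for one
    account: expected but not enabled, enabled but not in the matrix, and
    subscribed but with a StandardsStatus other than READY."""
    expected = EXPECTED_STANDARDS[account_name]
    enabled, not_ready = set(), set()
    for sub in get_enabled_standards_output.get("StandardsSubscriptions", []):
        key = standard_key(sub["StandardsArn"])
        enabled.add(key)
        if sub.get("StandardsStatus") != "READY":
            not_ready.add(key)
    return expected - enabled, enabled - expected, not_ready


# Constructed sample shaped like get-findings output (ASFF, fields trimmed).
SAMPLE_FINDINGS = {"Findings": [
    {"AwsAccountId": "039624954211", "Title": "S3 bucket allows public access",
     "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
    {"AwsAccountId": "778477254880", "Title": "Root user has no hardware MFA",
     "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "RESOLVED"},
     "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:778477254880"}]},
    {"AwsAccountId": "549136075525", "Title": "CloudTrail trail not encrypted",
     "Severity": {"Label": "MEDIUM"}, "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-1:549136075525:trail/example"}]},
    {"AwsAccountId": "039624954211", "Title": "Default security group allows traffic",
     "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "sg-0123456789abcdef0"}]},
]}
# Constructed sample shaped like get-enabled-standards run in prod.
SAMPLE_STANDARDS_PROD = {"StandardsSubscriptions": [
    {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/" + AFSBP, "StandardsStatus": "READY"},
    {"StandardsArn": "arn:aws:securityhub:::ruleset/" + CIS12, "StandardsStatus": "READY"},
    {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/" + NIST, "StandardsStatus": "PENDING"},
]}

if __name__ == "__main__":
    # Usage: aws securityhub get-findings --filters '...' | python3 triage.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_FINDINGS
    counts, triage = summarize_findings(data)
    print("NEW findings by severity:", counts)
    for account, label, title, resource in triage:
        print(f"  [{label}] {account}: {title} ({resource})")
    missing, unexpected, not_ready = check_standards("prod", SAMPLE_STANDARDS_PROD)
    print("prod standards missing:", sorted(missing), "not READY:", sorted(not_ready))
```

On the constructed sample the resolved root-MFA finding is skipped, the two open CRITICAL/HIGH findings in prod come out first, and the prod standards check reports CIS v3.0.0 as missing and NIST 800-53 as still `PENDING`, which is the state to expect during the first hours after subscription described under "Controls status".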