Cyber Intelligence
Threat Detection and Incident Response · 14% of exam

L16. Automated Remediation: Security Hub, EventBridge & Lambda

Video generating

Check back soon for the video lesson on Automated Remediation: Security Hub, EventBridge & Lambda

How Security Hub normalizes findings from GuardDuty, Inspector, Macie, and Config into ASFF, scores continuous compliance, and feeds an EventBridge-to-Lambda auto-remediation pipeline.

One Format for Every Finding

AWS Security Hub aggregates findings from GuardDuty, Amazon Inspector, Amazon Macie, IAM Access Analyzer, AWS Config, and supported third-party security tools, and normalizes all of them into a single schema called the AWS Security Finding Format (ASFF). Instead of a SOC analyst switching between five different consoles with five different finding shapes, every finding lands in Security Hub with the same structure: severity, resource, remediation guidance, and workflow status, regardless of which service originally generated it. This is what makes Security Hub the aggregation layer the exam expects you to reach for whenever a scenario mentions multiple security services and a need for a single pane of glass.

Continuous Compliance, Not Periodic Audits

Beyond aggregation, Security Hub runs automated compliance checks against recognized standards, including the CIS AWS Foundations Benchmark, PCI DSS, the AWS Foundational Security Best Practices standard, and NIST 800-53. Each standard produces a compliance score that updates as resources change, replacing a periodic manual audit cycle with an always-current view of posture.

Centrally Managed, Same Pattern as GuardDuty

Security Hub follows the same organization-wide management pattern as GuardDuty: a delegated administrator account can enable and configure Security Hub across every member account in an AWS Organization, rather than requiring per-account setup. Any exam scenario about consistent security tooling across many accounts should make you think of this delegated administrator pattern for both services.

The Automated Remediation Pattern

The standard architecture for auto-remediating a Security Hub or GuardDuty finding follows a consistent pipeline:

  1. A finding is published as an event to Amazon EventBridge.
  2. An EventBridge rule matches on finding type, severity, or another attribute.
  3. The rule invokes a Lambda function (or a Step Functions workflow, or an SSM Automation document) that performs the actual remediation.

Typical remediations triggered this way include revoking a leaked IAM access key, isolating a compromised instance's security group, or closing an overly permissive security group rule that opened a port to 0.0.0.0/0. This is the same finding-to-EventBridge-to-Lambda shape used for GuardDuty findings, which is why the two services are usually taught together.

StageComponent
Finding generatedGuardDuty, Inspector, Macie, Config, third-party tools
Finding normalizedSecurity Hub (ASFF)
Finding routedEventBridge rule matching type/severity
Remediation executedLambda, Step Functions, or SSM Automation

Custom Actions for Human-in-the-Loop Response

Not every remediation should be fully automatic. Security Hub supports custom actions, which let an analyst select a specific finding in the console and manually trigger a pre-built remediation workflow for it, rather than waiting for or relying on full automation. This is the answer whenever a scenario describes an analyst wanting to kick off a specific response for one finding on demand, as opposed to a pipeline that runs unattended for every matching finding. Exam tip: If a question mentions findings from more than one security service and asks about a single aggregated view with compliance scoring, that is Security Hub. If it then asks how a finding gets automatically fixed, the answer is the EventBridge-to-Lambda pattern, not Security Hub acting on the resource directly.

Exam Focus Points
  • Security Hub normalizes findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Config, and third-party tools into the AWS Security Finding Format (ASFF)
  • Security Hub continuously checks resources against standards like CIS AWS Foundations, PCI DSS, AWS Foundational Security Best Practices, and NIST 800-53
  • Security Hub can be centrally managed org-wide through a delegated administrator account, the same pattern used by GuardDuty
  • The standard automated remediation pattern is: finding published to EventBridge, an EventBridge rule matches it, and a Lambda function (or Step Functions/SSM Automation) performs the actual fix
  • Security Hub custom actions let an analyst manually trigger a specific remediation workflow for a finding directly from the console
Knowledge Check

1. A company uses GuardDuty, Inspector, and Macie and wants a single normalized view of all findings plus continuous compliance scoring against PCI DSS. Which service should they use?

2. What is the standard architecture pattern for automatically remediating a GuardDuty finding without human intervention?

3. An analyst reviewing a Security Hub finding wants to manually kick off a specific, pre-built remediation workflow for that one finding from the console, rather than waiting for full automation. What feature supports this?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.

Start Security Specialty prep free10-day free trial available