L16. Automated Remediation: Security Hub, EventBridge & Lambda
Video generating
Check back soon for the video lesson on Automated Remediation: Security Hub, EventBridge & Lambda
How Security Hub normalizes findings from GuardDuty, Inspector, Macie, and Config into ASFF, scores continuous compliance, and feeds an EventBridge-to-Lambda auto-remediation pipeline.
One Format for Every Finding
AWS Security Hub aggregates findings from GuardDuty, Amazon Inspector, Amazon Macie, IAM Access Analyzer, AWS Config, and supported third-party security tools, and normalizes all of them into a single schema called the AWS Security Finding Format (ASFF). Instead of a SOC analyst switching between five different consoles with five different finding shapes, every finding lands in Security Hub with the same structure: severity, resource, remediation guidance, and workflow status, regardless of which service originally generated it. This is what makes Security Hub the aggregation layer the exam expects you to reach for whenever a scenario mentions multiple security services and a need for a single pane of glass.
Continuous Compliance, Not Periodic Audits
Beyond aggregation, Security Hub runs automated compliance checks against recognized standards, including the CIS AWS Foundations Benchmark, PCI DSS, the AWS Foundational Security Best Practices standard, and NIST 800-53. Each standard produces a compliance score that updates as resources change, replacing a periodic manual audit cycle with an always-current view of posture.
Centrally Managed, Same Pattern as GuardDuty
Security Hub follows the same organization-wide management pattern as GuardDuty: a delegated administrator account can enable and configure Security Hub across every member account in an AWS Organization, rather than requiring per-account setup. Any exam scenario about consistent security tooling across many accounts should make you think of this delegated administrator pattern for both services.
The Automated Remediation Pattern
The standard architecture for auto-remediating a Security Hub or GuardDuty finding follows a consistent pipeline:
- A finding is published as an event to Amazon EventBridge.
- An EventBridge rule matches on finding type, severity, or another attribute.
- The rule invokes a Lambda function (or a Step Functions workflow, or an SSM Automation document) that performs the actual remediation.
Typical remediations triggered this way include revoking a leaked IAM access key, isolating a compromised instance's security group, or closing an overly permissive security group rule that opened a port to 0.0.0.0/0. This is the same finding-to-EventBridge-to-Lambda shape used for GuardDuty findings, which is why the two services are usually taught together.
| Stage | Component |
|---|---|
| Finding generated | GuardDuty, Inspector, Macie, Config, third-party tools |
| Finding normalized | Security Hub (ASFF) |
| Finding routed | EventBridge rule matching type/severity |
| Remediation executed | Lambda, Step Functions, or SSM Automation |
Custom Actions for Human-in-the-Loop Response
Not every remediation should be fully automatic. Security Hub supports custom actions, which let an analyst select a specific finding in the console and manually trigger a pre-built remediation workflow for it, rather than waiting for or relying on full automation. This is the answer whenever a scenario describes an analyst wanting to kick off a specific response for one finding on demand, as opposed to a pipeline that runs unattended for every matching finding. Exam tip: If a question mentions findings from more than one security service and asks about a single aggregated view with compliance scoring, that is Security Hub. If it then asks how a finding gets automatically fixed, the answer is the EventBridge-to-Lambda pattern, not Security Hub acting on the resource directly.
- ✓Security Hub normalizes findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Config, and third-party tools into the AWS Security Finding Format (ASFF)
- ✓Security Hub continuously checks resources against standards like CIS AWS Foundations, PCI DSS, AWS Foundational Security Best Practices, and NIST 800-53
- ✓Security Hub can be centrally managed org-wide through a delegated administrator account, the same pattern used by GuardDuty
- ✓The standard automated remediation pattern is: finding published to EventBridge, an EventBridge rule matches it, and a Lambda function (or Step Functions/SSM Automation) performs the actual fix
- ✓Security Hub custom actions let an analyst manually trigger a specific remediation workflow for a finding directly from the console
1. A company uses GuardDuty, Inspector, and Macie and wants a single normalized view of all findings plus continuous compliance scoring against PCI DSS. Which service should they use?
2. What is the standard architecture pattern for automatically remediating a GuardDuty finding without human intervention?
3. An analyst reviewing a Security Hub finding wants to manually kick off a specific, pre-built remediation workflow for that one finding from the console, rather than waiting for full automation. What feature supports this?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.