Blog AWS Continuous Compliance

Simplify and Save Time with and AWS Security Hub

Joseph Spurrier

8 min read

Last updated on February 2nd, 2023 at 3:22pm

I'm very excited to partner with AWS for our integration with AWS Security Hub, now available as of our 2.24 release. In Q2 of this year, we released our continuous compliance capabilities that featured an integration with Cloud Custodian, the multi-cloud, open source rules engine that provides an easy language to build out compliance checks and automated remediations. Our use of Cloud Custodian facilitates our integration with AWS Security Hub and, since many of our customers are already using AWS Security Hub, it made sense to bring our tools together to leverage the best of both worlds.

Let's take a deeper dive into AWS Security Hub and the four different ways you can leverage this new integration.

What is AWS Security Hub?

AWS Security Hub is a service you can enable in your AWS account on a per-region basis that will list security findings for your account. Currently, there are a few security standards that you can enable to perform automated checks against modern benchmarks to see how aligned you are with various compliance standards:

  • AWS Foundational Security Best Practices v1.0.0
  • CIS AWS Foundations Benchmark v1.2.0
  • PCI DSS v3.2.1

AWS Security Hub is also an aggregator for many of the AWS services. It serves as a dashboard so you can view all the findings in one place.

How does help?

The raw power of is in its ability to easily write checks with remediations and then push them out to all your accounts across multiple partitions, payer accounts, and AWS Organizations. AWS provides wonderful building blocks for engineers but, in our time-constrained days, we need to maximize the time we spend to achieve the best results possible. For the security teams that need to protect their organizations by building out hundreds of checks and automated remediations, using solely AWS without other tools takes a bit of effort. AWS has an article on how to get started with custom rules for AWS Config and then how to import AWS Config rule evaluations into AWS Security Hub as findings. The TL;DR of it is you must:

  • Enable AWS Config and AWS Security Hub in your account.
  • Write a Lambda using the AWS SDK to query for a resource with a vulnerable configuration.
  • Create a CloudFormation template that deploys another AWS Lambda function to send the AWS Config evaluations to AWS Security Hub.

The initial implementation to get this integration to work is straightforward, but you can see how this can quickly eat up your time. You’ll need to:

  • Pick a language to write your Lambdas.
  • Learn how to use the SDK to interact with AWS.
  • Write logic for each check in a separate Lambda function.
  • Store the Lambda functions in a repository.
  • Create a CI/CD pipeline that has access to all your AWS accounts or leverage StackSets from the master payer to push out the changes.
  • Add a workflow to run an update operation when you add new accounts to the existing StackSets when you onboard more projects.
  • Add a workflow to run an update operation when you add a new check.

Once you have this all working, you still have to create new Lambda functions with code for each check. handles all of these tasks for you and provides a simple language for you to write your checks. Here's the simpler alternative to the workflow above:

  • Review the Cloud Custodian language (filters and actions for security groups).
  • Create a compliance check with the Cloud Custodian language (code below).
  • Assign the compliance check to a compliance standard in
  • Assign the compliance standard to a cloud rule in
  • Assign the cloud rule to an OU in

This is the code that finds all security groups that are open to the world and then adds the finding to both and to AWS Security Hub. and AWS code snippet that helps manage the orchestration of the checks across accounts

With, you can use a language that cuts down on the amount of code you have to write and helps manage the orchestration of the checks across your account. As an added bonus, the two lines of code at the bottom will remove the invalid rule for you.

From a maintenance standpoint, it’s much easier for your teams to manage each check and remediation from a single place with limited code versus having to follow a long workflow that is error-prone.

How many ways can integrate with AWS Security Hub?

As we mentioned earlier, there are four different ways can integrate with AWS Security Hub:

  • Post and update findings on any resource type to AWS Security Hub (action: post-finding). This will send a new finding to both and AWS Security Hub when it's detected, so if you're using AWS Security Hub, you won't have to do double work by adding detection both there and in
  • Query with filtering of resources based on findings. This policy will query findings from AWS Security Hub instead of the resources themselves and then perform an action (filter: finding). This is useful if you are sending findings into AWS Security Hub from multiple tools and want to set up easy, automated remediations using on select items.
  • Create a lambda (lambda execution mode) that triggers on ingestion of AWS Security Hub findings (mode: hub-finding). This sets up a listener so you can trigger remediations as soon as a finding is added to AWS Security Hub from any ingestion source including This is the quickest way to remediate findings.
  • Create a lambda (lambda execution mode) that can be triggered manually in the AWS Security Hub UI. These custom actions, which you define, work with both findings and insights (mode: hub-action). This lets you build a customized action you would like to take whenever a user triggers it on a finding or insight within AWS Security Hub.

Head over to our knowledge base to access our code samples and to see how each of these integration options works in more depth. Check out the full press release below for a summary of this new integration and reaction from AWS. Announces Integration with AWS Security Hub

Integration Allows Users to Quickly Detect, Investigate, & Respond to Cloud Threats in One Place

Fulton, MD, December 8, 2020 –, an innovative software company providing a leading multi-cloud governance solution, today announced a significant integration with AWS Security Hub (“Security Hub”). Security Hub provides a comprehensive view of compliance checks for Amazon Web Services (AWS) customers and, with this new integration, users can quickly detect, investigate, and respond to possible threats in the cloud, all in one place.

The new native integration within allows customers to automatically send and receive findings and trigger remediation actions via Security Hub. already allows customers to create compliance checks for all their cloud accounts using native Cloud Custodian policies. Now, this integration simplifies the threat-monitoring process by allowing to interact with Security Hub and provide a “single-pane-of-glass” view of up-to-the-minute compliance without duplicating efforts. Prior to this integration, customers using Security Hub in addition to were required to check for compliance in two different places.

“To be most effective, security teams need to be able to respond quickly and easily to threats,” said Joseph Spurrier, CTO and co-founder of “Our mission is to make our customers’ lives easier in the cloud, and our new integration with AWS Security Hub is an example of how we deliver on this mission. Our customers will now be able to make fast and informed decisions to enhance security and ensure desired business outcomes from the cloud.”

The integration with AWS Security Hub lets customers:
  • Query Security Hub to add findings to without creating duplicative rules, giving a comprehensive view of compliance in one central location.
  • Easily trigger an action when an event-based finding is displayed in Security Hub by building automatic remediation actions within
  • Automate creation of custom actions in Security Hub through

Additionally, allows customers to use the Cloud Custodian YAML domain-specific language to detect and remediate noncompliance in Security Hub—enhancing the customer experience by making these activities faster and simpler. Historically, customers spent time writing and maintaining complex Lambda functions. Now, with this integration, it only takes 2 lines of code to shut down an Amazon Elastic Compute Cloud (Amazon EC2) instance. provides the added functionality to easily trigger hundreds of additional resource-specific actions as soon as a non-compliant resource is detected—significantly reducing the time-to-value when writing and monitoring checks across many AWS environments.

“Security teams expend a lot of energy working to prevent, detect, and respond to threats,” said Vice President of External Security Services at Amazon Web Services, Inc., Dan Plastina. “’s integration with AWS Security Hub provides visibility in one central place, allowing customers to both streamline detection and simplify taking action on findings to improve their security posture.” is an AWS Advanced Technology Partner.

About the Author

Joseph Spurrier

Joe was previously the CTO at Kion.

Start your cloud operations journey.

Request a demo today,