Piscium

AWS Security Hub Integration

Native integration with AWS Security Hub using the ASFF (AWS Security Finding Format). Piscium imports findings from Security Hub aggregated sources — GuardDuty, Inspector, Macie, and third-party tools — validates exploitability across your AWS and hybrid infrastructure, and publishes validated exposure findings back to Security Hub for centralized visibility.

Why AWS Security Hub?

AWS Security Hub aggregates findings from dozens of sources, but teams struggle to prioritize across thousands of alerts. Piscium validates which Security Hub findings represent real exploitable paths in your specific AWS environment — accounting for IAM policies, security groups, VPC configurations, and cross-account trust relationships that scanners cannot assess.

Example Scenario

Security Hub aggregates a GuardDuty finding for credential exfiltration on an EC2 instance and an Inspector finding for a critical CVE on the same instance. Piscium correlates these findings, validates that the compromised credentials grant AssumeRole access to a production account hosting an OT data lake, and confirms the CVE allows container escape on the EKS cluster running industrial telemetry processing. The validated multi-stage attack path is published back to Security Hub as a critical ASFF finding with full remediation steps.

Implementation Notes

Requires an IAM role with securityhub:GetFindings, securityhub:BatchImportFindings, and associated read permissions for EC2, IAM, and VPC resources. Piscium registers as a Security Hub partner integration. Supports single-account and AWS Organizations multi-account configurations via delegated administrator. Recommended: deploy Piscium's AWS connector as a CloudFormation StackSet for consistent multi-account setup.

Webhook Payload Example

{
  "event": "exposure.validated",
  "timestamp": "2026-03-07T22:10:00Z",
  "exposure_id": "EXP-2026-00267",
  "severity": "critical",
  "cvss_score": 9.6,
  "cve": "CVE-2025-1974",
  "affected_asset": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcdef1234567890",
  "aws_account_id": "123456789012",
  "aws_region": "us-east-1",
  "security_hub_finding_id": "arn:aws:securityhub:us-east-1:123456789012:product/piscium/finding-00267",
  "attack_path_id": "AG-0734",
  "blast_radius": 26,
  "remediation_status": "pending"
}
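
A receiver-side consistency check for the payload above, as an added example (not Piscium's code): before a consumer opens tickets or triggers automation from this webhook, it confirms that both ARNs name the account and region the event itself claims and that the account is one it expects. The function name, the account allowlist, and the set of fields treated as required are assumptions of this example.

```python
import json
import re

# ARN layout: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(r"arn:aws[a-z-]*:([a-z0-9-]+):([a-z0-9-]*):(\d{12}):.+")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
REQUIRED = ("event", "exposure_id", "cvss_score", "affected_asset",
            "aws_account_id", "aws_region", "security_hub_finding_id")

def validate_exposure_event(raw, allowed_accounts):
    """Return a list of problems; an empty list means the event is consistent."""
    try:
        evt = json.loads(raw)
    except (TypeError, ValueError):
        evt = None
    if not isinstance(evt, dict):
        return ["body is not a JSON object"]
    missing = [k for k in REQUIRED if k not in evt]
    if missing:
        return ["missing field: " + k for k in missing]
    acct, region = str(evt["aws_account_id"]), str(evt["aws_region"])
    problems = []
    if evt["event"] != "exposure.validated":
        problems.append("unexpected event type")
    if acct not in allowed_accounts:  # allowlist is an assumption of this example
        problems.append("account not in allowlist")
    score = evt["cvss_score"]
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 10:
        problems.append("cvss_score outside 0.0-10.0")
    if "cve" in evt and not CVE_RE.fullmatch(str(evt["cve"])):
        problems.append("malformed CVE id")
    # Both ARNs must name the account and region the event itself claims.
    for field, service in (("affected_asset", None), ("security_hub_finding_id", "securityhub")):
        m = ARN_RE.fullmatch(str(evt[field]))
        if not m or (service and m.group(1) != service):
            problems.append(field + " is not a valid ARN for this field")
        elif (m.group(2), m.group(3)) != (region, acct):
            problems.append(field + " disagrees with aws_account_id/aws_region")
    return problems

# Constructed sample: the payload shown on this page, reduced to the checked fields.
SAMPLE = json.dumps({
    "event": "exposure.validated", "exposure_id": "EXP-2026-00267",
    "cvss_score": 9.6, "cve": "CVE-2025-1974",
    "aws_account_id": "123456789012", "aws_region": "us-east-1",
    "affected_asset": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcdef1234567890",
    "security_hub_finding_id":
        "arn:aws:securityhub:us-east-1:123456789012:product/piscium/finding-00267",
})
```

The ARN pattern expects a 12-digit account field, so resource types whose ARNs omit the account (S3 buckets, for example) would need their own rule.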
