AWS Security Hub and CloudWatch Findings: One Security Operations Pipeline

Written by Bits Lovers on

Security Hub changed twice in quick succession. On February 26, 2026, AWS launched Security Hub Extended as a pay-as-you-go plan for partner solutions. On March 31, 2026, CloudWatch started ingesting Security Hub CSPM findings with organization-wide enablement. Put together, those launches turned Security Hub from a findings aggregator into something closer to a working security operations path.

That matters because most security teams do not have a detection problem. They have a workflow problem. Findings live in one tool, logs live in another, and the people who need to triage incidents are forced to swivel between systems to answer a simple question: what is actually urgent right now?

What Changed

Security Hub Extended adds a paid layer on top of Security Hub Essentials. AWS says it brings AWS detection services and curated partner solutions into one experience, with AWS as the seller of record. That reduces procurement friction and makes it easier to keep endpoint, identity, network, data, browser, and cloud findings in one operating model.

CloudWatch findings ingestion solves the second half of the problem. Security Hub CSPM findings can now flow into CloudWatch Logs in ASFF or OCSF format. From there you can query them with Logs Insights, build metric filters, and push the data into S3 Tables for longer-term analysis.

The important detail is that this is not just for a single account. AWS supports organization-wide enablement rules, so a central security team can standardize which accounts send findings to CloudWatch Logs.
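One way to turn the CloudWatch path into an answer to "what is urgent right now" is to write the paging rule once and apply it to the ingested findings. The block below is an added example, not code from the Bits Lovers post or from AWS. It assumes findings were ingested in ASFF (Security Hub's JSON finding schema) with one finding per CloudWatch Logs event, that the log group name is hypothetical, and that the sample events are constructed for the demo; it also carries the same rule as a metric filter pattern and a Logs Insights query so the code and the alarm cannot drift apart.

```python
"""Triage Security Hub CSPM findings after they land in CloudWatch Logs.

Added example; not code from the Bits Lovers post or from AWS.
Assumptions: ASFF-format findings, one finding per CloudWatch Logs event,
a hypothetical log group name, and constructed sample events.
"""
import json
from collections import defaultdict

# ASFF severity labels, lowest to highest. One explicit threshold decides
# what pages on-call, so there is exactly one rule to point at.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
PAGE_AT = "HIGH"

LOG_GROUP = "/aws/securityhub/findings"  # assumed name, not an AWS default

# The same rule as a CloudWatch Logs JSON metric filter pattern (for an alarm).
METRIC_FILTER_PATTERN = (
    '{ ($.RecordState = "ACTIVE") && '
    '($.Workflow.Status = "NEW" || $.Workflow.Status = "NOTIFIED") && '
    '($.Severity.Label = "HIGH" || $.Severity.Label = "CRITICAL") }'
)

# The same rule as a Logs Insights query (for the 2 a.m. question).
LOGS_INSIGHTS_QUERY = """
fields @timestamp, AwsAccountId, ProductName, Severity.Label, Title
| filter RecordState = "ACTIVE" and Workflow.Status in ["NEW", "NOTIFIED"]
| filter Severity.Label in ["HIGH", "CRITICAL"]
| stats count(*) as findings by AwsAccountId, Severity.Label
""".strip()


def _finding(fid, account, label, workflow, record_state, compliance, product):
    """Build a minimal ASFF-shaped finding (constructed sample data)."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": fid,
        "AwsAccountId": account,
        "ProductName": product,
        "Title": f"Sample finding {fid}",
        "Severity": {"Label": label},
        "Workflow": {"Status": workflow},
        "RecordState": record_state,
        "Compliance": {"Status": compliance},
    }


# Constructed log events; each "message" is one finding as CloudWatch would store it.
SAMPLE_EVENTS = [
    {"message": json.dumps(_finding("f-1", "111111111111", "CRITICAL", "NEW", "ACTIVE", "FAILED", "GuardDuty"))},
    {"message": json.dumps(_finding("f-2", "222222222222", "HIGH", "NOTIFIED", "ACTIVE", "FAILED", "Security Hub"))},
    # analyst already suppressed this one
    {"message": json.dumps(_finding("f-3", "222222222222", "HIGH", "SUPPRESSED", "ACTIVE", "FAILED", "Security Hub"))},
    # below the paging threshold
    {"message": json.dumps(_finding("f-4", "111111111111", "MEDIUM", "NEW", "ACTIVE", "FAILED", "Inspector"))},
    # archived, no longer current
    {"message": json.dumps(_finding("f-5", "111111111111", "CRITICAL", "NEW", "ARCHIVED", "FAILED", "GuardDuty"))},
    # control passed, nothing to fix
    {"message": json.dumps(_finding("f-6", "333333333333", "HIGH", "NEW", "ACTIVE", "PASSED", "Security Hub"))},
    # malformed event, simulating a broken ingestion path
    {"message": "not json at all"},
]


def is_actionable(finding):
    """Apply the single paging rule to one ASFF finding."""
    if finding.get("RecordState") != "ACTIVE":
        return False
    if finding.get("Workflow", {}).get("Status") not in ("NEW", "NOTIFIED"):
        return False
    if finding.get("Compliance", {}).get("Status") == "PASSED":
        return False
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    return SEVERITY_RANK.get(label, 0) >= SEVERITY_RANK[PAGE_AT]


def triage(log_events):
    """Return (urgent findings grouped by account, most severe first; count of unparseable events)."""
    urgent = defaultdict(list)
    skipped = 0
    for event in log_events:
        try:
            finding = json.loads(event["message"])
        except (KeyError, ValueError):
            skipped += 1
            continue
        if not isinstance(finding, dict):
            skipped += 1
            continue
        if is_actionable(finding):
            urgent[finding.get("AwsAccountId", "unknown")].append(finding)
    for items in urgent.values():
        items.sort(key=lambda f: SEVERITY_RANK[f["Severity"]["Label"]], reverse=True)
    return dict(urgent), skipped


if __name__ == "__main__":
    urgent_by_account, unparsed = triage(SAMPLE_EVENTS)
    for account, findings in sorted(urgent_by_account.items()):
        for f in findings:
            print(f"{account} {f['Severity']['Label']:<8} {f['ProductName']:<12} {f['Id']}")
    # An unparseable event usually means the ingestion path broke; alarm on that too.
    print(f"{unparsed} event(s) could not be parsed")
```

The point of keeping `METRIC_FILTER_PATTERN`, `LOGS_INSIGHTS_QUERY` and `is_actionable()` side by side is that they encode one rule: when someone asks which filter drives the on-call page, there is a single answer, and the skipped-event count gives you a cheap signal that the organization-wide ingestion itself has stopped delivering well-formed findings.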

Why It Matters

Security Hub has always been about standardization. The missing piece was operational reach. If a finding is important enough to page someone, it should not stay trapped in a console. It should land in the same data path you already use for alerts, dashboards, retention, and automation.

That is why this launch pairs well with AWS GuardDuty. GuardDuty catches suspicious behavior. Security Hub normalizes and aggregates the security posture. CloudWatch gives you a real analysis and alerting layer on top of both. The result is not just more visibility. It is less tool switching.

The other useful reference point is the AWS CloudTrail deep dive. Once findings and audit events land in a common operational path, the security team can ask better questions about who changed what, when, and why.

What To Watch For

The first gotcha is pricing. Security Hub Extended is pay-as-you-go, and CloudWatch ingesting findings adds CloudWatch charges. The new pipeline is usually worth it, but it is not free. If you need to keep that spend visible, AWS Cost Explorer and Budgets is the companion read I would keep open on another tab.

The second gotcha is permissions. To subscribe to partner products in Extended, you need the right Security Hub permissions plus the AWS Marketplace permissions documented by AWS. If your security account and procurement account are separate, plan that relationship before rollout.

The third gotcha is scoping. Security Hub Essentials is the base. Extended is an add-on. CloudWatch ingestion is another layer. It is easy to describe the whole thing as “Security Hub” and forget that the actual bill and access model are split across three pieces.

The fourth gotcha is operational noise. Once findings start flowing into CloudWatch, you can build a lot of filters very quickly. That is useful. It is also how teams end up with twenty dashboards and nobody who can explain which one drives the on-call page.

Practical Use

If I were on the security desk and a page landed at 2 a.m., I would want the answer in one place. That is the real value here. GuardDuty, Inspector, Macie, and partner tools are useful, but they are better when the findings land in one stream instead of three different tabs.

Start with Essentials, keep the Security Hub basics in place, and add Extended only when it is doing something useful for you. If the partner feed or the CloudWatch path is not changing how you triage incidents, you are probably paying for the wrong layer too early.

The upgrade is simple: Security Hub collects the signal, CloudWatch gives you a place to search and alert, and Extended pulls more of the environment into the same workflow. If your team still has to open three consoles to decide whether one finding is real, this is the layer that makes that stop.

Bits Lovers

Professional writer and blogger. Focus on Cloud Computing.
