You are helping your team to consolidate security findings through AWS Security Hub. The security team asks you to automate the remediation of security findings reported from AWS Security Hub. Which of the following methods is the most appropriate?

Answer options:

A.Create a remediation rule in CloudWatch Event for the “Security Hub Insight Results” events.
B.Create a rule in EventBridge or CloudWatch Event for the “Security Hub Findings - Imported” events. Register a Lambda function as the target of the rule that defines remediation actions.
C.Create an AWS Config rule that launches a remediation Lambda function for the “Security Hub Findings” events sent from Security Hub.
D.In the CloudTrail S3 bucket, configure the S3 event notification with a Lambda function to handle the “Security Hub Finding” events.

Correct Answer: B
Option A is incorrect because “Security Hub Insight Results” events are not equal to the security finding events.
Option B is CORRECT because Security Hub integrates with EventBridge or CloudWatch Event by forwarding its security findings. Users can configure a rule as below:
For different types of Security Hub integration with EventBridge, please check https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-integration-types.html
Option C is incorrect because Security Hub does not forward its security finding events to AWS Config.
Option D is incorrect because the Lambda function needs to have the logic to understand the CloudTrail logs and filter the Security Hub events. However, users can directly get the Security Hub events through EventBridge or CloudWatch Events. Option B is more straightforward and should be chosen.
Reference:
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-all-findings.html