After turning on all detection services (Macie·GuardDuty·Inspector), a new problem emerges. "Thousands of Findings pour in per day—who looks at them and how?" And one step further — "When a security incident happens, how do we track what happened?", "If an auditor demands PCI DSS evidence, how do we collect it?" These three operational questions are answered by Security Hub (unified posture assessment), Detective (incident investigation), and Audit Manager (audit evidence).
These three have similar names but clearly divided roles. Security Hub sees the current state (how is our security posture now, are we meeting standards)