Best practices for configuring Security Hub
The following best practices can help you get the most out of using AWS Security Hub.
Integrating Security Hub and AWS Organizations
AWS Organizations is a global account management service that enables AWS administrators to consolidate and centrally manage multiple AWS accounts and organizational units (OUs). It provides account management and consolidated billing features that are designed to support budgetary, security, and compliance needs. It's offered at no additional charge and integrates with multiple AWS services, including Security Hub, Amazon GuardDuty, and Amazon Macie.
To help automate and streamline the management of accounts, we strongly recommend integrating Security Hub and AWS Organizations. You can integrate with Organizations if you have more than one AWS account that uses Security Hub.
For instructions on activating the integration, see Integrating Security Hub with AWS Organizations.
Using central configuration
When you integrate Security Hub and Organizations, you have the option to use a feature called central configuration to set up and manage Security Hub for your organization. We strongly recommend using central configuration because it lets the administrator customize security coverage for the organization. Where appropriate, the delegated administrator can allow a member account to configure its own security coverage settings.
Central configuration lets the delegated administrator configure Security Hub across accounts, OUs, and AWS Regions. The delegated administrator configures Security Hub by creating configuration policies. Within a configuration policy, you can specify the following settings:
- Whether Security Hub is enabled or disabled
- Which security standards are enabled and disabled
- Which security controls are enabled and disabled
- Whether to customize parameters for select controls
As the delegated administrator, you can create a single configuration policy for your entire organization or different configuration policies for your various accounts and OUs. For example, test accounts and production accounts can use different configuration policies.
Member accounts and OUs that use a configuration policy are centrally managed and can be configured only by the delegated administrator. The delegated administrator can designate specific member accounts and OUs as self-managed to give the member the ability to configure its own settings on a Region-by-Region basis.
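As an added example (not code from this guide or from AWS), the following Python builds the ConfigurationPolicy document that the Security Hub CreateConfigurationPolicy API accepts, one stricter policy for production accounts and a lighter one for test accounts, and shows the boto3 calls a delegated administrator uses to create each policy and associate it with an OU. Field names follow the boto3 securityhub client. The consistency checks, the OU IDs, the control IDs disabled in the test policy and the ACM.1 daysToExpiration value of 45 are this example's own choices, not recommendations from the page.

```python
"""Build and pre-check Security Hub central configuration policies.

Added example, not code from this guide or from AWS. It assembles the
ConfigurationPolicy document accepted by the Security Hub CreateConfigurationPolicy
API (field names as in the boto3 securityhub client) and catches contradictions
before any API call. OU IDs, the control IDs disabled for the test policy and the
ACM.1 parameter value are placeholders.
"""
from __future__ import annotations

import json

# Standard ARNs carry the Region in which the policy is created (the home Region).
FSBP = "arn:aws:securityhub:{region}::standards/aws-foundational-security-best-practices/v/1.0.0"
CIS_14 = "arn:aws:securityhub:{region}::standards/cis-aws-foundations-benchmark/v/1.4.0"


def int_param(value: int) -> dict:
    """A custom control parameter value in the API's {ValueType, Value} shape."""
    return {"ValueType": "CUSTOM", "Value": {"Integer": value}}


def build_policy(
    region: str,
    enabled: bool = True,
    standards: tuple[str, ...] = (),
    disabled_controls: tuple[str, ...] = (),
    custom_parameters: dict[str, dict] | None = None,
) -> dict:
    """Return a ConfigurationPolicy covering the four settings a policy carries:
    service on/off, enabled standards, disabled controls, control parameters.
    Consistency checks are this example's own: a policy that disables the service
    carries nothing else, and a control cannot be both disabled and parameterised.
    """
    custom_parameters = custom_parameters or {}
    if not enabled:
        if standards or disabled_controls or custom_parameters:
            raise ValueError("a policy that disables Security Hub cannot configure standards or controls")
        return {"SecurityHub": {"ServiceEnabled": False}}
    clash = set(disabled_controls) & set(custom_parameters)
    if clash:
        raise ValueError(f"controls both disabled and parameterised: {sorted(clash)}")
    controls: dict = {"DisabledSecurityControlIdentifiers": sorted(set(disabled_controls))}
    if custom_parameters:
        controls["SecurityControlCustomParameters"] = [
            {"SecurityControlId": cid, "Parameters": params}
            for cid, params in sorted(custom_parameters.items())
        ]
    return {
        "SecurityHub": {
            "ServiceEnabled": True,
            "EnabledStandardIdentifiers": [s.format(region=region) for s in standards],
            "SecurityControlsConfiguration": controls,
        }
    }


def organization_policies(home_region: str) -> dict[str, dict]:
    """Two policies, as the page suggests for production versus test accounts."""
    return {
        "production": build_policy(
            home_region,
            standards=(FSBP, CIS_14),
            # ACM.1 daysToExpiration: flag certificates expiring within 45 days (placeholder value)
            custom_parameters={"ACM.1": {"daysToExpiration": int_param(45)}},
        ),
        "test": build_policy(
            home_region,
            standards=(FSBP,),
            disabled_controls=("CloudTrail.2", "EC2.8"),  # illustrative choices only
        ),
    }


def apply(policies: dict[str, dict], ou_targets: dict[str, str], home_region: str) -> dict[str, str]:
    """Create each policy and associate it with its OU. Needs boto3 and delegated
    administrator credentials in the home Region; returns policy name -> ARN."""
    import boto3  # imported here so the pure functions above run without it

    hub = boto3.client("securityhub", region_name=home_region)
    arns: dict[str, str] = {}
    for name, doc in policies.items():
        arns[name] = hub.create_configuration_policy(Name=name, ConfigurationPolicy=doc)["Arn"]
        hub.start_configuration_policy_association(
            ConfigurationPolicyIdentifier=arns[name],
            Target={"OrganizationalUnitId": ou_targets[name]},
        )
    return arns


if __name__ == "__main__":
    print(json.dumps(organization_policies("us-east-1"), indent=2))
    # apply(organization_policies("us-east-1"),
    #       {"production": "ou-xxxx-prod", "test": "ou-xxxx-test"}, "us-east-1")  # placeholder OU IDs
```

Running the script prints both policy documents so they can be reviewed before anything is created; apply() is the only part that touches the account, and the Target dict accepts AccountId or RootId in place of OrganizationalUnitId when a policy should apply to a single account or the whole organization.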
If you don't use central configuration, you must largely configure Security Hub separately in each account and Region. This is called local configuration. Under local configuration, the delegated administrator can automatically enable Security Hub and a limited set of security standards in new organization accounts in the current Region. Local configuration doesn't apply to existing organization accounts or to Regions other than the current Region. Local configuration also doesn't support the use of configuration policies.
To learn more about central configuration, see Understanding central configuration in Security Hub.
Configuring AWS Config for Security Hub
AWS Security Hub uses service-linked AWS Config rules to run security checks and produce findings for most controls. As a result, to receive control findings, AWS Config must be enabled in your account in each AWS Region where Security Hub is enabled. If your account is part of an organization, AWS Config must be enabled in each Region in the administrator account and all member accounts. In addition, when you enable a security standard, AWS Config must be configured to record the required resources for enabled controls that are part of the standard.
We strongly recommend that you turn on resource recording in AWS Config before you enable Security Hub standards. If Security Hub tries to run security checks when resource recording is turned off, the checks return errors until you enable AWS Config and turn on resource recording.
Security Hub does not manage AWS Config for you. If you already have AWS Config enabled, you can configure its settings through the AWS Config console or APIs.
If you enable a standard but haven't enabled AWS Config, Security Hub tries to create the AWS Config rules according to the following schedule:
- On the day you enable the standard
- The day after you enable the standard
- 3 days after you enable the standard
- 7 days after you enable the standard (and every 7 days thereafter)
If you use central configuration, Security Hub also tries to create the AWS Config rules each time that you apply a configuration policy that enables one or more standards with accounts, organizational units (OUs), or the root.
Enabling AWS Config
If you have not enabled AWS Config already, you can enable it in one of the following ways:
- Console or AWS CLI – You can manually enable AWS Config using the AWS Config console or AWS CLI. See Getting started with AWS Config in the AWS Config Developer Guide.
- AWS CloudFormation template – If you want to enable AWS Config on a large number of accounts, you can use the CloudFormation template Enable AWS Config. To access this template, see AWS CloudFormation StackSets sample templates in the AWS CloudFormation User Guide.
- GitHub script – Security Hub offers a GitHub script that enables Security Hub for multiple accounts across Regions. This script is useful if you haven't integrated with Organizations or if you have accounts that are not part of your organization. When you use this script to enable Security Hub, it also enables AWS Config for those accounts.
For more information about enabling AWS Config to help you run Security Hub security checks, see Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture.
Turning on resource recording in AWS Config
When you turn on resource recording with default settings, AWS Config records all supported types of Regional resources that it discovers in the AWS Region in which it is running. You can also configure AWS Config to record supported types of global resources. You only need to record global resources in a single Region (we recommend that this be your home Region if you use central configuration).
If you are using CloudFormation StackSets to enable AWS Config, we recommend that you run two different StackSets. Run one StackSet to record all resources, including global resources, in a single Region. Run a second StackSet to record all resources except global resources in other Regions.
You can also use Quick Setup, a capability of AWS Systems Manager, to quickly configure resource recording in AWS Config across your accounts and Regions. During the Quick Setup process, you can choose which Region you would like to record global resources in. For more information, see AWS Config configuration recorder in the AWS Systems Manager User Guide.
The security control Config.1 generates failed findings in a Region if that Region doesn't record AWS Identity and Access Management (IAM) global resources but has enabled controls that require IAM global resources to be recorded. This applies to the home Region and to any Region that isn't part of a finding aggregator at all. In linked Regions of an aggregator, Config.1 doesn't check whether IAM global resources are recorded. For a list of resources that each control requires, see Required AWS Config resources for Security Hub control findings.
If you use the multi-account script to enable Security Hub, it automatically enables resource recording for all resources, including global resources, in all Regions. You can then update the configuration to record global resources in a single Region only. For information, see Selecting which resources AWS Config records in the AWS Config Developer Guide.
In order for Security Hub to accurately report findings for controls that rely on AWS Config rules, you must enable recording for the relevant resources. For a list of controls and their related AWS Config resources, see Required AWS Config resources for Security Hub control findings.
AWS Config lets you choose between continuous recording and daily recording of changes in resource state. If you choose daily recording, AWS Config delivers resource configuration data at the end of each 24-hour period if there are changes in resource state. If there are no changes, no data is delivered. This may delay the generation of Security Hub findings for change-triggered controls until a 24-hour period is complete.
Note
To generate new findings after security checks and avoid stale findings, the IAM role that is attached to the configuration recorder must have sufficient permissions to evaluate the underlying resources.
Cost considerations
For information about the costs associated with resource recording, see AWS Security Hub pricing.
Security Hub may impact your AWS Config configuration recorder costs by updating the AWS::Config::ResourceCompliance configuration item. Updates may occur each time a Security Hub control associated with an AWS Config rule changes compliance state, is enabled or disabled, or has parameter updates. If you use the AWS Config configuration recorder only for Security Hub, and don't use this configuration item for other purposes, we recommend turning off recording for it in the AWS Config console or AWS CLI. This can reduce your AWS Config costs. You don't need to record AWS::Config::ResourceCompliance for security checks to work in Security Hub.
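The recorder audit below is an added example, not code from this guide or from AWS. It covers the resource recording advice above (recorder on in every Region, IAM global resources recorded in the home Region only, continuous rather than daily recording) together with the cost note about AWS::Config::ResourceCompliance: given the per-Region output of the AWS Config DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus APIs, it reports each condition this page warns about and produces the recordingGroup that satisfies all of them. The sample input is constructed. Two assumptions are the example's own: every non-home Region is a linked Region of the finding aggregator, and under the EXCLUSION_BY_RESOURCE_TYPES strategy global resource types are recorded unless explicitly excluded.

```python
"""Audit the AWS Config recorder settings that Security Hub control checks rely on.

Added example, not code from this guide or from AWS. It evaluates the JSON returned
by the AWS Config DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus
APIs (field names as in boto3). The sample input at the bottom is constructed;
fetch_live() needs boto3 and credentials and is not run here.
"""
from __future__ import annotations

# IAM types are global; the page recommends recording them in one Region only.
IAM_GLOBAL_TYPES = {"AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::Policy"}
COMPLIANCE_TYPE = "AWS::Config::ResourceCompliance"  # recorded by default, not needed by Security Hub


def records_type(group: dict, resource_type: str) -> bool:
    """Decide whether a recordingGroup records resource_type under any of the three
    recording strategies (older recorders without recordingStrategy fall back to
    allSupported/resourceTypes). Assumption: under EXCLUSION_BY_RESOURCE_TYPES,
    global types are recorded in every Region unless they are on the exclusion list."""
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        return resource_type not in set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
    if strategy == "INCLUSION_BY_RESOURCE_TYPES" or not group.get("allSupported"):
        return resource_type in set(group.get("resourceTypes", []))
    # ALL_SUPPORTED_RESOURCE_TYPES: every regional type, global types only when opted in
    if resource_type in IAM_GLOBAL_TYPES:
        return bool(group.get("includeGlobalResourceTypes"))
    return True


def audit(recorders: dict[str, dict], recording: dict[str, bool], home_region: str) -> list[tuple[str, str]]:
    """Return (region, issue) pairs. recorders: Region -> recorder dict from
    DescribeConfigurationRecorders; recording: Region -> 'recording' flag from
    DescribeConfigurationRecorderStatus. Assumption: every non-home Region is a
    linked Region, so only home_region needs IAM global types for Config.1."""
    issues: list[tuple[str, str]] = []
    global_regions: list[str] = []
    for region, rec in recorders.items():
        group = rec.get("recordingGroup", {})
        if not recording.get(region, False):
            issues.append((region, "NOT_RECORDING"))  # security checks error until this is on
        if records_type(group, "AWS::IAM::Role"):
            global_regions.append(region)
        elif region == home_region:
            issues.append((region, "HOME_REGION_MISSING_IAM_GLOBAL"))  # Config.1 fails here
        if rec.get("recordingMode", {}).get("recordingFrequency") == "DAILY":
            issues.append((region, "DAILY_RECORDING"))  # change-triggered findings delayed up to 24 h
        if records_type(group, COMPLIANCE_TYPE):
            issues.append((region, "RECORDS_RESOURCE_COMPLIANCE"))  # avoidable recorder cost
    if len(global_regions) > 1:
        issues.append((",".join(sorted(global_regions)), "IAM_GLOBAL_IN_MULTIPLE_REGIONS"))
    if not global_regions:
        issues.append(("*", "IAM_GLOBAL_NOT_RECORDED"))
    return issues


def recommended_recording_group(is_home_region: bool) -> dict:
    """recordingGroup matching the page's advice: all supported types, IAM global types
    only in the home Region, AWS::Config::ResourceCompliance never. Only the exclusion
    strategy can drop individual types while keeping everything else."""
    excluded = [COMPLIANCE_TYPE] + ([] if is_home_region else sorted(IAM_GLOBAL_TYPES))
    return {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
        "exclusionByResourceTypes": {"resourceTypes": excluded},
    }


def fetch_live(regions: list[str]) -> tuple[dict, dict]:
    """Collect the two audit inputs from a real account (boto3 + credentials required)."""
    import boto3  # imported here so the pure functions above run without it

    recorders, recording = {}, {}
    for region in regions:
        cfg = boto3.client("config", region_name=region)
        for rec in cfg.describe_configuration_recorders()["ConfigurationRecorders"]:
            recorders[region] = rec
        for status in cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]:
            recording[region] = status.get("recording", False)
    return recorders, recording


# Constructed sample: the home Region records everything, a second Region duplicates
# the IAM global types, a third is stopped, on daily recording, and records only S3.
SAMPLE_RECORDERS = {
    "us-east-1": {"recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}},
    "eu-west-1": {"recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
                  "recordingMode": {"recordingFrequency": "CONTINUOUS"}},
    "ap-southeast-1": {"recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                                          "resourceTypes": ["AWS::S3::Bucket"],
                                          "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"}},
                       "recordingMode": {"recordingFrequency": "DAILY"}},
}
SAMPLE_RECORDING = {"us-east-1": True, "eu-west-1": True, "ap-southeast-1": False}

if __name__ == "__main__":
    for region, issue in audit(SAMPLE_RECORDERS, SAMPLE_RECORDING, home_region="us-east-1"):
        print(f"{region}: {issue}")
```

Feed audit() the two describe calls for every Region where Security Hub is enabled (fetch_live shows the boto3 shape), then fix each flagged Region with the AWS Config PutConfigurationRecorder API; recommended_recording_group() returns the recordingGroup to pass it, with IAM global types kept only in the home Region and AWS::Config::ResourceCompliance excluded everywhere. Recorders that are present but stopped still need StartConfigurationRecorder, and daily recording is a choice on the recorder's recordingMode rather than on the recording group.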