Getting started with Security Hub policies - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting started with Security Hub policies

Before you configure Security Hub policies, ensure you understand the prerequisites and implementation requirements. This topic guides you through the process of setting up and managing these policies in your organization.

Before you begin

Review the following requirements before implementing Security Hub policies:

  • Your account must be part of an Amazon Organizations organization

  • You must be signed in as either:

    • The management account for the organization

    • A delegated administrator account with permissions to manage Security Hub policies

  • You must enable trusted access for Security Hub in your organization

  • You must enable the Security Hub policy type in the root of your organization

Additionally, verify that:

  • Security Hub is supported in the Regions where you want to apply policies

  • You have the AWSServiceRoleForSecurityHubV2 service-linked role configured in your management account. To verify this role exists, run aws iam get-role --role-name AWSServiceRoleForSecurityHubV2. If you need to create this role, you can either run aws securityhub enable-security-hub-v2 in any Region from your management account, or create it directly by running aws iam create-service-linked-role --aws-service-name securityhubv2.amazonaws.com.
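The role check and creation just described, as an added shell example that is not part of the Amazon documentation: it tells a role that really is missing (IAM reports NoSuchEntity) apart from a failed call such as AccessDenied when you are not signed in to the management account, and only then runs the create command. The helper names slr_status and ensure_slr are my own, and the script assumes the CLI is configured with management-account credentials.

```shell
#!/usr/bin/env bash
# Added example (not Amazon's own code). Preflight check for the Security Hub
# service-linked role; assumes the AWS CLI is already configured with
# credentials for the organization's management account.

SLR_NAME="AWSServiceRoleForSecurityHubV2"
SLR_SERVICE="securityhubv2.amazonaws.com"

# Returns 0 if the role exists, 1 if IAM says it does not exist (NoSuchEntity),
# and 2 for any other failure (e.g. AccessDenied), so that a permissions
# problem is never mistaken for a missing role.
slr_status() {
  local err
  if err=$(aws iam get-role --role-name "$SLR_NAME" 2>&1 >/dev/null); then
    return 0
  fi
  case "$err" in
    *NoSuchEntity*) return 1 ;;
    *) printf 'get-role failed: %s\n' "$err" >&2; return 2 ;;
  esac
}

# Creates the role only when slr_status reports it missing. Prints one of
# "present", "created" or "error"; returns 0 for the first two, 1 for error.
ensure_slr() {
  local rc=0
  slr_status || rc=$?
  case "$rc" in
    0) echo present; return 0 ;;
    1)
      if aws iam create-service-linked-role \
           --aws-service-name "$SLR_SERVICE" >/dev/null; then
        echo created; return 0
      fi
      echo error; return 1 ;;
    *) echo error; return 1 ;;
  esac
}

# Run the check when executed directly with RUN_PREFLIGHT=1; otherwise the
# file can be sourced and ensure_slr called from another script.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then ensure_slr; fi
```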

Implementation steps

To implement Security Hub policies effectively, follow these steps in sequence. Each step ensures proper configuration and helps prevent common issues during setup. The management account or delegated administrator can perform these steps through the Amazon Organizations console, Amazon Command Line Interface (Amazon CLI), or Amazon SDKs.

For all of these steps, you sign in as an Amazon Identity and Access Management (IAM) user, assume an IAM role, or sign in as the root user (not recommended) in the organization's management account.