Central configuration in Security Hub

When you use central configuration, Security Hub guides you through the process of configuring security best practices for your organization. It also deploys the resulting configuration policies to specified accounts and OUs automatically. If you have existing Security Hub settings, such as automatically enabling new security controls, you can use those as a starting point for your configuration policies. In addition, the Configuration page on the Security Hub console displays a real-time summary of your configuration policies and which accounts and OUs use each policy.

You can use central configuration to configure Security Hub across multiple accounts and Regions. This helps ensure that each part of your organization maintains a consistent configuration and adequate security coverage.

With central configuration, you can choose to configure your organization's accounts and OUs in different ways. For example, your test accounts and production accounts might require different configurations. You can also create a configuration policy that covers new accounts when they join the organization.

Configuration drift occurs when a user makes a change to a service or feature that conflicts with the delegated administrator's selections. Central configuration prevents this drift. When you designate an account or OU as centrally managed, it's configurable only by the delegated administrator for the organization. If you prefer a specific account or OU to configure its own settings, you can designate it as self-managed.

A Security Hub feature that helps the delegated Security Hub administrator account for an organization configure the Security Hub service, security standards, and security controls across multiple accounts and Regions. To configure these settings, the delegated administrator creates and manages Security Hub configuration policies for centrally managed accounts in their organization. Self-managed accounts can configure their own settings separately in each Region. To use central configuration, you must integrate Security Hub and Amazon Organizations.

The Amazon Web Services Region from which the delegated administrator centrally configures Security Hub, by creating and managing configuration policies. Configuration policies take effect in the home Region and all linked Regions.

The home Region also serves as the Security Hub aggregation Region, receiving findings, insights, and other data from linked Regions.

Regions that Amazon introduced on or after March 20, 2019 are known as opt-in Regions. An opt-in Region can't be the home Region, but it can be a linked Region. For a list of opt-in Regions, see Considerations before enabling and disabling Regions in the Amazon Account Management Reference Guide.

An Amazon Web Services Region that is configurable from the home Region. Configuration policies are created by the delegated administrator in the home Region. The policies take effect in the home Region and all linked Regions. You must specify at least one linked Region to use central configuration.

A linked Region also sends findings, insights, and other data to the home Region.

Regions that Amazon introduced on or after March 20, 2019 are known as opt-in Regions. You must enable such a Region for an account before a configuration policy can be applied to it. The Organizations management account can enable opt-in Regions for a member account. For more information, see Specify which Amazon Web Services Regions your account can use in the Amazon Account Management Reference Guide.

A collection of Security Hub settings that the delegated administrator can configure for centrally managed accounts. This includes:

A configuration policy takes effect in the home Region and all linked Regions after it's associated with at least one account, organizational unit (OU), or the root.

On the Security Hub console, the delegated administrator can choose the Security Hub recommended configuration policy or create custom configuration policies. With the Security Hub API and Amazon CLI, the delegated administrator can only create custom configuration policies. The delegated administrator can create a maximum of 20 custom configuration policies.

In the recommended configuration policy, Security Hub, the Amazon Foundational Security Best Practices (FSBP) standard, and all existing and new FSBP controls are enabled. Controls that accept parameters use the default values. The recommended configuration policy applies to the entire organization.

To apply different settings to the organization, or apply different configuration policies to different accounts and OUs, create a custom configuration policy.

The default configuration type for an organization, after integrating Security Hub and Amazon Organizations. With local configuration, the delegated administrator can choose to automatically enable Security Hub and default security standards in new organization accounts in the current Region. If the delegated administrator automatically enables default standards, all controls that are part of these standards are also automatically enabled with default parameters for new organization accounts. These settings don't apply to existing accounts, so configuration drift is possible after an account joins the organization. Disabling specific controls that are part of the default standards, and configuring additional standards and controls, must be done separately in each account and Region.

Local configuration doesn't support the use of configuration policies. To use configuration policies, you must switch to central configuration.

If you don't integrate Security Hub with Amazon Organizations or you have a standalone account, you must specify settings for each account separately in each Region. Manual account management doesn't support the use of configuration policies.

Security Hub operations that only the Security Hub delegated Security Hub administrator can use in the home Region to manage configuration policies for centrally managed accounts. The operations include:

Security Hub operations that can be used to enable or disable Security Hub, standards, and controls on an account-by-account basis. These operations are used in each individual Region.

Self-managed accounts can use account-specific operations to configure their own settings. Centrally managed accounts can't use the following account-specific operations in the home Region and linked Regions. In those Regions, only the delegated administrator can configure centrally managed accounts through central configuration operations and configuration policies.

To check account status, the owner of a centrally managed account can use any Get or Describe operations of the Security Hub API.

If you use local configuration or manual account management, instead of central configuration, these account-specific operations can be used.

Self-managed accounts can also use *Invitations and *Members operations. However, we recommend that self-managed accounts don't use these operations. Policy associations can fail if a member account has its own members that are part of a different organization than the delegated administrator's.

In Amazon Organizations and Security Hub, a container for a group of Amazon Web Services accounts. An organizational unit (OU) also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a parent OU at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. An OU can have exactly one parent, and each organization account can be a member of exactly one OU.

You can manage OUs in Amazon Organizations or Amazon Control Tower. For more information, see Managing organizational units in the Amazon Organizations User Guide or Govern organizations and accounts with Amazon Control Tower in the Amazon Control Tower User Guide.

The delegated administrator can associate configuration policies with specific accounts or OUs, or with the root to cover all accounts and OUs in an organization.

An account, OU, or root that only the delegated administrator can configure across Regions by using configuration policies.

The delegated administrator account specifies whether an account is centrally managed. The delegated administrator can also change an account's status from centrally managed to self-managed, or the other way around.

An account, OU, or root that manages its own Security Hub settings. A self-managed account uses account-specific operations to configure Security Hub for itself separately in each Region. This is in contrast to centrally managed accounts, which are configurable only by the delegated administrator across Regions through configuration policies.

The delegated administrator account specifies whether an account is self-managed. The delegated administrator account can also change an account's status from self-managed to centrally managed, or the other way around.

The delegated administrator can apply self-managed behavior to an account or OU. Alternatively, an account or OU can inherit self-managed behavior from a parent. The delegated administrator account can itself be a self-managed account.

A link between a configuration policy and an account, organizational unit (OU), or root. When a policy association exists, the account, OU, or root uses the settings defined by the configuration policy. An association exists in either of these cases:

An association exists until a different configuration is applied or inherited.

A type of configuration policy association in which the delegated administrator directly applies a configuration policy to target accounts, OUs, or the root. Targets are configured in the way that the configuration policy defines, and only the delegated administrator can change their configuration. If applied to root, the configuration policy affects all accounts and OUs in the organization that don't use a different configuration through application or inheritance from the closest parent.

The delegated administrator can also apply a self-managed configuration to specific accounts, OUs, or the root.

A type of configuration policy association in which an account or OU adopts the configuration of the closest parent OU or the root. If a configuration policy isn't directly applied to an account or OU, it inherits the configuration of the closest parent. All elements of a policy are inherited. In other words, an account or OU can't choose to selectively inherit only parts of a policy. If the closest parent is self-managed, the child account or OU inherits the self-managed behavior of the parent.

Inheritance can't override an applied configuration. That is, if a configuration policy or self-managed configuration is directly applied to an account or OU, it uses that configuration and doesn't inherit the configuration of the parent.

In Amazon Organizations and Security Hub, the top-level parent node in an organization. If the delegated administrator applies a configuration policy to root, the policy is associated with all accounts and OUs in the organization unless they use a different policy, through application or inheritance, or are designated as self-managed. If the administrator designates the root as self-managed, all accounts and OUs in the organization are self-managed unless they use a configuration policy through application or inheritance. If the root is self-managed and no configuration policies currently exist, all new accounts in the organization retain their current settings.

New accounts that join an organization fall under the root until they are assigned to a specific OU. If a new account isn't assigned to an OU, it inherits the root configuration unless the delegated administrator designates it as a self-managed account.