Enabling and configuring Amazon Config for Security Hub CSPM - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling and configuring Amazon Config for Security Hub CSPM

Amazon Security Hub Cloud Security Posture Management (CSPM) uses Amazon Config rules to run security checks and generate findings for most controls. Amazon Config provides a detailed view of the configuration of Amazon resources in your Amazon Web Services account. It uses rules to establish a baseline configuration for your resources and a configuration recorder to detect whether a particular resource violates the conditions of a rule. Some rules, called Amazon Config managed rules, are predefined and developed by Amazon Config. Other rules are Amazon Config custom rules that Security Hub CSPM develops.

Amazon Config rules that Security Hub CSPM uses for controls are referred to as service-linked rules. Service-linked rules allow Amazon Web Services services such as Security Hub CSPM to create Amazon Config rules in your account.

To receive control findings in Security Hub CSPM, you must enable Amazon Config in your account and turn on recording for resources that your enabled controls evaluate. This page explains how to enable Amazon Config for Security Hub CSPM and turn on resource recording.

Considerations before enabling and configuring Amazon Config

To receive control findings in Security Hub CSPM, your account must have Amazon Config enabled in each Amazon Web Services Region where Security Hub CSPM is enabled. If you use Security Hub CSPM for a multi-account environment, Amazon Config must be enabled in each Region for the administrator account and all member accounts.

We strongly recommend that you turn on resource recording in Amazon Config before you enable any Security Hub CSPM standards and controls. This helps you ensure that your control findings are accurate.

To turn on resource recording in Amazon Config, you must have sufficient permissions to record resources in the Amazon Identity and Access Management (IAM) role that is attached to the configuration recorder. In addition, make sure there is no IAM policy or policy managed in Amazon Organizations that prevents Amazon Config from having permission to record your resources. Security Hub CSPM control checks evaluate the configuration of a resource directly and don’t take Amazon Organizations policies into account. For more information about Amazon Config recording, see Working with the configuration recorder in the Amazon Config Developer Guide.

If you enable a standard in Security Hub CSPM but haven't enabled Amazon Config, Security Hub CSPM tries to create Amazon Config rules according to the following schedule:

  • On the day that you enable the standard.

  • The day after you enable the standard.

  • 3 days after you enable the standard.

  • 7 days after you enable the standard, and continuously every 7 days thereafter.

If you use central configuration, Security Hub CSPM also tries to create service-linked Amazon Config rules each time you associate a configuration policy that enables one or more standards with accounts, organizational units (OUs), or the root.

Recording resources in Amazon Config

When you enable Amazon Config, you must specify which Amazon resources you want the Amazon Config configuration recorder to record. Through the service-linked rules, the configuration recorder allows Security Hub CSPM to detect changes to your resource configurations.

For Security Hub CSPM to generate accurate control findings, you must turn on recording in Amazon Config for the resources that correspond to your enabled controls. It's primarily enabled controls with a change triggered schedule type that require resource recording. Some controls with a periodic schedule type also require resource recording. For a list of these controls and their corresponding resources, see Required Amazon Config resources for control findings.

Warning

If you don't configure Amazon Config recording correctly for Security Hub CSPM controls, it can result in inaccurate control findings, particularly in the following instances:

  • You never recorded the resource for a given control, or you disabled recording of a resource before creating that type of resource. In these cases, you receive a WARNING finding for the control at issue, even though you might have created resources in scope of the control after you disabled recording. This WARNING finding is a default finding that doesn't actually evaluate the configuration state of the resource.

  • You disable recording for a resource that's evaluated by a particular control. In this case, Security Hub CSPM retains the control findings that were generated before you disabled recording, even though the control isn't evaluating new or updated resources. Security Hub CSPM also changes the compliance status of the findings to WARNING. These retained findings might not accurately reflect a resource's current configuration state.

By default, Amazon Config records all supported Regional resources that it discovers in the Amazon Web Services Region in which it is running. To receive all Security Hub CSPM control findings, you must also configure Amazon Config to record global resources. To conserve costs, we recommend recording global resources in a single Region only. If you use central configuration or cross-Region aggregation, this Region should be your home Region.

In Amazon Config, you can choose between continuous recording and daily recording of changes in resource state. If you choose daily recording, Amazon Config delivers resource configuration data at the end of each 24–hour period if there are changes in resource state. If there are no changes, no data is delivered. This can delay the generation of Security Hub CSPM findings for change-triggered controls until a 24–hour period is complete.

For more information about Amazon Config recording, see Recording Amazon resources in the Amazon Config Developer Guide.

Ways to enable and configure Amazon Config

You can enable Amazon Config and turn on resource recording in any of the following ways:

  • Amazon Config console – You can enable Amazon Config for an account by using the Amazon Config console. For instructions, see Setting up Amazon Config with the console in the Amazon Config Developer Guide.

  • Amazon CLI or SDKs – You can enable Amazon Config for an account by using the Amazon Command Line Interface (Amazon CLI). For instructions, see Setting up Amazon Config with the Amazon CLI in the Amazon Config Developer Guide. Amazon software development kits (SDKs) are also available for many programming languages.

  • CloudFormation template – To enable Amazon Config for many accounts, we recommend using the Amazon CloudFormation template named Enable Amazon Config. To access this template, see Amazon CloudFormation StackSet sample templates in the Amazon CloudFormation User Guide.

    By default, this template excludes recording for IAM global resources. Ensure that you turn on recording for IAM global resources in only one Amazon Web Services Region to conserve recording costs. If you have cross-Region aggregation enabled, this should be your Security Hub CSPM home Region. Otherwise, it can be any Region that Security Hub CSPM is available in that supports recording of IAM global resources. We recommend running one StackSet to record all resources, including IAM global resources, in the home Region or other selected Region. Then, run a second StackSet to record all resources except IAM global resources in other Regions.

  • GitHub script – Security Hub CSPM offers a GitHub script that enables Security Hub CSPM and Amazon Config for multiple accounts across Regions. This script is useful if you haven't integrated with Amazon Organizations, or you have some member accounts that aren't part of an organization.

For more information, see the following blog post on the Amazon Security blog: Optimize Amazon Config for Amazon Security Hub Cloud Security Posture Management (CSPM) to effectively manage your cloud security posture.

Config.1 control

In Security Hub CSPM, the Config.1 control generates FAILED findings in your account if Amazon Config is disabled. It also generates FAILED findings in your account if Amazon Config is enabled but resource recording isn't turned on.

If Amazon Config is enabled and resource recording is turned on, but resource recording isn't turned on for a type of resource that an enabled control checks, Security Hub CSPM generates a FAILED finding for the Config.1 control. In addition to this FAILED finding, Security Hub CSPM generates WARNING findings for the enabled control and the types of resources that the control checks. For example, if you enable the KMS.5 control and resource recording isn't turned on for Amazon KMS keys, Security Hub CSPM generates a FAILED finding for the Config.1 control. Security Hub CSPM also generates WARNING findings for the KMS.5 control and your KMS keys.

To receive a PASSED finding for the Config.1 control, turn on resource recording for all the resource types that correspond to enabled controls. Also disable controls that aren't required for your organization. This helps ensure that you don't have configuration gaps in your security control checks. It also helps ensure that you receive accurate findings about misconfigured resources.

If you're the delegated Security Hub CSPM administrator for an organization, Amazon Config recording must be configured correctly for your account and your member accounts. If you use cross-Region aggregation, Amazon Config recording must be configured correctly in the home Region and all linked Regions. Global resources do not need to be recorded in linked Regions.

Generating the service-linked rules

For every control that uses a service-linked Amazon Config rule, Security Hub CSPM creates instances of the required rule in your Amazon environment.

These service-linked rules are specific to Security Hub CSPM. Security Hub CSPM creates these service-linked rules even if other instances of the same rules already exist. The service-linked rule adds securityhub before the original rule name and a unique identifier after the rule name. For example, for the Amazon Config managed rule vpc-flow-logs-enabled, the service-linked rule name might be securityhub-vpc-flow-logs-enabled-12345.

There are quotas for the number of Amazon Config managed rules that can be used to evaluate controls. Amazon Config rules that Security Hub CSPM creates don't count towards those quotas. You can enable a security standard even if you've already reached the Amazon Config quota for managed rules in your account. To learn more about quotas for Amazon Config rules, see Service limits for Amazon Config in the Amazon Config Developer Guide.

Cost considerations

Security Hub CSPM can impact your Amazon Config configuration recorder costs by updating the AWS::Config::ResourceCompliance configuration item. Updates can occur each time a Security Hub CSPM control associated with an Amazon Config rule changes compliance state, is enabled or disabled, or has parameter updates. If you use the Amazon Config configuration recorder only for Security Hub CSPM, and don't use this configuration item for other purposes, we recommend turning off recording for it in Amazon Config. This can reduce your Amazon Config costs. You don't need to record AWS::Config::ResourceCompliance for security checks to work in Security Hub CSPM.

For information about the costs associated with resource recording, see Amazon Security Hub Cloud Security Posture Management (CSPM) pricing and Amazon Config pricing.