Enabling and configuring Amazon Config for Security Hub - Amazon Security Hub
Considerations before enabling and configuring Amazon ConfigRecording resources in Amazon ConfigWays to enable and configure Amazon ConfigConfig.1 controlGenerating the service-linked rulesCost considerations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling and configuring Amazon Config for Security Hub

Amazon Security Hub uses Amazon Config rules to run security checks and generate findings for most controls. Amazon Config provides a detailed view of the configuration of Amazon resources in your Amazon Web Services account. It uses rules to establish a baseline configuration for your resources and a configuration recorder to detect whether a particular resource violates the conditions of a rule. Some rules, called Amazon Config managed rules, are predefined and developed by Amazon Config. Other rules are Amazon Config custom rules that Security Hub develops.

Amazon Config rules that Security Hub uses for controls are referred to as service-linked rules. Service-linked rules allow Amazon Web Services services such as Security Hub to create Amazon Config rules in your account.

To receive control findings in Security Hub, you must enable Amazon Config in your account and turn on recording for resources that your enabled controls evaluate. This page explains how to enable Amazon Config for Security Hub and turn on resource recording.

Considerations before enabling and configuring Amazon Config

To receive control findings in Security Hub, your account must have Amazon Config enabled in each Amazon Web Services Region where Security Hub is enabled. If you use Security Hub for a multi-account environment, Amazon Config must be enabled in each Region for the administrator account and all member accounts.

We strongly recommend that you turn on resource recording in Amazon Config before you enable any Security Hub standards and controls. This helps you ensure that your control findings are accurate.

To turn on resource recording in Amazon Config, you must have sufficient permissions to record resources in the Amazon Identity and Access Management (IAM) role that is attached to the configuration recorder. In addition, make sure there is no IAM policy or policy managed in Amazon Organizations that prevents Amazon Config from having permission to record your resources. Security Hub control checks evaluate the configuration of a resource directly and don’t take Amazon Organizations policies into account. For more information about Amazon Config recording, see Working with the configuration recorder in the Amazon Config Developer Guide.

If you enable a standard in Security Hub but haven't enabled Amazon Config, Security Hub tries to create Amazon Config rules according to the following schedule:

  • On the day that you enable the standard.

  • The day after you enable the standard.

  • 3 days after you enable the standard.

  • 7 days after you enable the standard, and continuously every 7 days thereafter.

If you use central configuration, Security Hub also tries to create service-linked Amazon Config rules each time you associate a configuration policy that enables one or more standards with accounts, organizational units (OUs), or the root.

Recording resources in Amazon Config

When you enable Amazon Config, you must specify which Amazon resources you want the Amazon Config configuration recorder to record. Through the service-linked rules, the configuration recorder allows Security Hub to detect changes to your resource configurations.

For Security Hub to generate accurate control findings, you must turn on recording in Amazon Config for the resources that correspond to your enabled controls. It's primarily enabled controls with a change triggered schedule type that require resource recording. Some controls with a periodic schedule type also require resource recording. For a list of these controls and their corresponding resources, see Required Amazon Config resources for Security Hub control findings.

Warning

If you don't configure Amazon Config recording correctly for Security Hub controls, it can result in inaccurate control findings, particularly in the following instances:

  • You never recorded the resource for a given control, or you disabled recording of a resource before creating that type of resource. In these cases, you receive a WARNING finding for the control at issue, even though you might have created resources in scope of the control after you disabled recording. This WARNING finding is a default finding that doesn't actually evaluate the configuration state of the resource.

  • You disable recording for a resource that's evaluated by a particular control. In this case, Security Hub retains the control findings that were generated before you disabled recording, even though the control isn't evaluating new or updated resources. Security Hub also changes the compliance status of the findings to WARNING. These retained findings might not accurately reflect a resource's current configuration state.

By default, Amazon Config records all supported Regional resources that it discovers in the Amazon Web Services Region in which it is running. To receive all Security Hub control findings, you must also configure Amazon Config to record global resources. To conserve costs, we recommend recording global resources in a single Region only. If you use central configuration or cross-Region aggregation, this Region should be your home Region.

In Amazon Config, you can choose between continuous recording and daily recording of changes in resource state. If you choose daily recording, Amazon Config delivers resource configuration data at the end of each 24–hour period if there are changes in resource state. If there are no changes, no data is delivered. This can delay the generation of Security Hub findings for change-triggered controls until a 24–hour period is complete.

For more information about Amazon Config recording, see Recording Amazon resources in the Amazon Config Developer Guide.

Ways to enable and configure Amazon Config

You can enable Amazon Config and turn on resource recording in any of the following ways:

  • Amazon Config console – You can enable Amazon Config for an account by using the Amazon Config console. For instructions, see Setting up Amazon Config with the console in the Amazon Config Developer Guide.

  • Amazon CLI or SDKs – You can enable Amazon Config for an account by using the Amazon Command Line Interface (Amazon CLI). For instructions, see Setting up Amazon Config with the Amazon CLI in the Amazon Config Developer Guide. Amazon software development kits (SDKs) are also available for many programming languages.

  • CloudFormation template – To enable Amazon Config for many accounts, we recommend using the Amazon CloudFormation template named Enable Amazon Config. To access this template, see Amazon CloudFormation StackSet sample templates in the Amazon CloudFormation User Guide.

    By default, this template excludes recording for IAM global resources. Ensure that you turn on recording for IAM global resources in only one Amazon Web Services Region to conserve recording costs. If you have cross-Region aggregation enabled, this should be your Security Hub home Region. Otherwise, it can be any Region that Security Hub is available in that supports recording of IAM global resources. We recommend running one StackSet to record all resources, including IAM global resources, in the home Region or other selected Region. Then, run a second StackSet to record all resources except IAM global resources in other Regions.

  • GitHub script – Security Hub offers a GitHub script that enables Security Hub and Amazon Config for multiple accounts across Regions. This script is useful if you haven't integrated with Amazon Organizations, or you have some member accounts that aren't part of an organization.

For more information, see the following blog post on the Amazon Security blog: Optimize Amazon Config for Amazon Security Hub to effectively manage your cloud security posture.

Config.1 control

In Security Hub, the Config.1 control generates FAILED findings in your account if Amazon Config is disabled. It also generates FAILED findings in your account if Amazon Config is enabled but resource recording isn't turned on.

If Amazon Config is enabled and resource recording is turned on, but resource recording isn't turned on for a type of resource that an enabled control checks, Security Hub generates a FAILED finding for the Config.1 control. In addition to this FAILED finding, Security Hub generates WARNING findings for the enabled control and the types of resources that the control checks. For example, if you enable the KMS.5 control and resource recording isn't turned on for Amazon KMS keys, Security Hub generates a FAILED finding for the Config.1 control. Security Hub also generates WARNING findings for the KMS.5 control and your KMS keys.

To receive a PASSED finding for the Config.1 control, turn on resource recording for all the resource types that correspond to enabled controls. Also disable controls that aren't required for your organization. This helps ensure that you don't have configuration gaps in your security control checks. It also helps ensure that you receive accurate findings about misconfigured resources.

If you're the delegated Security Hub administrator for an organization, Amazon Config recording must be configured correctly for your account and your member accounts. If you use cross-Region aggregation, Amazon Config recording must be configured correctly in the home Region and all linked Regions. Global resources do not need to be recorded in linked Regions.

Generating the service-linked rules

For every control that uses a service-linked Amazon Config rule, Security Hub creates instances of the required rule in your Amazon environment.

These service-linked rules are specific to Security Hub. Security Hub creates these service-linked rules even if other instances of the same rules already exist. The service-linked rule adds securityhub before the original rule name and a unique identifier after the rule name. For example, for the Amazon Config managed rule vpc-flow-logs-enabled, the service-linked rule name might be securityhub-vpc-flow-logs-enabled-12345.

There are quotas for the number of Amazon Config managed rules that can be used to evaluate controls. Amazon Config rules that Security Hub creates don't count towards those quotas. You can enable a security standard even if you've already reached the Amazon Config quota for managed rules in your account. To learn more about quotas for Amazon Config rules, see Service limits for Amazon Config in the Amazon Config Developer Guide.

Cost considerations

Security Hub can impact your Amazon Config configuration recorder costs by updating the AWS::Config::ResourceCompliance configuration item. Updates can occur each time a Security Hub control associated with an Amazon Config rule changes compliance state, is enabled or disabled, or has parameter updates. If you use the Amazon Config configuration recorder only for Security Hub, and don't use this configuration item for other purposes, we recommend turning off recording for it in Amazon Config. This can reduce your Amazon Config costs. You don't need to record AWS::Config::ResourceCompliance for security checks to work in Security Hub.

For information about the costs associated with resource recording, see Amazon Security Hub pricing and Amazon Config pricing.