Recommendations before enabling Security Hub - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Recommendations before enabling Security Hub

The following recommendations can help you get started with using Amazon Security Hub.

Integrating with Amazon Organizations

Amazon Organizations is a global account management service that enables Amazon administrators to consolidate and centrally manage multiple Amazon Web Services accounts and organizational units (OUs). It provides account management and consolidated billing features that are designed to support budgetary, security, and compliance needs. It's offered at no additional charge and integrates with multiple Amazon Web Services, including Security Hub, Amazon GuardDuty, and Amazon Macie.

To help automate and streamline the management of accounts, we strongly recommend integrating Security Hub and Amazon Organizations. You can integrate with Organizations if you have more than one Amazon Web Services account that uses Security Hub.

For instructions on activating the integration, see Integrating Security Hub with Amazon Organizations.

Using central configuration

When you integrate Security Hub and Organizations, you have the option to use a feature called central configuration to set up and manage Security Hub for your organization. We strongly recommend using central configuration because it lets the administrator customize security coverage for the organization. Where appropriate, the delegated administrator can allow a member account to configure its own security coverage settings.

Central configuration lets the delegated administrator configure Security Hub across accounts, OUs, and Amazon Web Services Regions. The delegated administrator configures Security Hub by creating configuration policies. Within a configuration policy, you can specify the following settings:

  • Whether Security Hub is enabled or disabled

  • Which security standards are enabled and disabled

  • Which security controls are enabled and disabled

  • Whether to customize parameters for select controls

As the delegated administrator, you can create a single configuration policy for your entire organization or different configuration policies for your various accounts and OUs. For example, test accounts and production accounts can use different configuration policies.

Member accounts and OUs that use a configuration policy are centrally managed and can be configured only by the delegated administrator. The delegated administrator can designate specific member accounts and OUs as self-managed to give the member the ability to configure its own settings on a Region-by-Region basis.
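As an added example (not code from the Security Hub documentation), the following Python builds the request bodies a delegated administrator would pass to the Security Hub `CreateConfigurationPolicy` API (boto3 `create_configuration_policy`) for the four settings listed above, with a production and a test policy; the `aws-cn` partition, the choice of controls, and the policy names are assumptions.

```python
# Added example, not code from the Security Hub docs: build request bodies for
# securityhub.create_configuration_policy (boto3) so test and production OUs get different
# coverage. The standard ARN, control IDs and the ACM.1 parameter name are documented values;
# the aws-cn partition and which controls to disable are illustrative assumptions.
FSBP = "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"


def configuration_policy(name, description, standards=(), disabled_controls=(), custom_params=None):
    """Return a CreateConfigurationPolicy body; an empty standards list disables Security Hub."""
    if not standards:  # ServiceEnabled=false must not carry standards or control settings
        hub = {"ServiceEnabled": False}
    else:
        controls = {"DisabledSecurityControlIdentifiers": list(disabled_controls)}
        if custom_params:  # e.g. {"ACM.1": {"daysToExpiration": {"Integer": 60}}}
            controls["SecurityControlCustomParameters"] = [
                {"SecurityControlId": cid,
                 "Parameters": {p: {"ValueType": "CUSTOM", "Value": v} for p, v in params.items()}}
                for cid, params in custom_params.items()]
        hub = {"ServiceEnabled": True, "EnabledStandardIdentifiers": list(standards),
               "SecurityControlsConfiguration": controls}
    return {"Name": name, "Description": description, "ConfigurationPolicy": {"SecurityHub": hub}}


def validate(policy):
    """Return API-shape problems found in a policy body, so a bad request fails before the call."""
    hub = policy["ConfigurationPolicy"]["SecurityHub"]
    cfg = hub.get("SecurityControlsConfiguration", {})
    errors = []
    if not hub["ServiceEnabled"] and (hub.get("EnabledStandardIdentifiers") or cfg):
        errors.append("a policy that disables Security Hub cannot enable standards or controls")
    if "EnabledSecurityControlIdentifiers" in cfg and "DisabledSecurityControlIdentifiers" in cfg:
        errors.append("enabled and disabled control lists are mutually exclusive")
    return errors


# Constructed policies: production keeps every control and sets ACM.1 daysToExpiration to 60;
# test disables IAM.6 (hardware MFA for the root user).
PRODUCTION = configuration_policy("prod", "Full FSBP coverage", [FSBP],
                                  custom_params={"ACM.1": {"daysToExpiration": {"Integer": 60}}})
TEST = configuration_policy("test", "FSBP without IAM.6", [FSBP], disabled_controls=["IAM.6"])
```

Each body is passed unchanged as keyword arguments to `boto3.client("securityhub").create_configuration_policy(**body)` from the delegated administrator account, and the returned policy is then associated with the matching accounts or OUs.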

To learn more about central configuration, see How central configuration works.

Configuring Amazon Config

Amazon Security Hub uses service-linked Amazon Config rules to perform security checks for most controls.

To support these controls, Amazon Config must be enabled on all accounts—both the administrator account and member accounts—in each Amazon Web Services Region where Security Hub is enabled. In addition, for each enabled standard, Amazon Config must be configured to record the resources that the enabled controls require.

We recommend that you turn on resource recording in Amazon Config before you enable Security Hub standards. If Security Hub tries to run security checks when resource recording is turned off, the checks return errors.

Security Hub does not manage Amazon Config for you. If you already have Amazon Config enabled, you can configure its settings through the Amazon Config console or APIs.

If you enable a standard but haven't enabled Amazon Config, Security Hub tries to create the Amazon Config rules according to the following schedule:

  • On the day you enable the standard

  • The day after you enable the standard

  • 3 days after you enable the standard

  • 7 days after you enable the standard (and continuously every 7 days thereafter)

If you use central configuration, Security Hub also tries to create the Amazon Config rules when you re-apply a configuration policy that enables one or more standards.

Enabling Amazon Config

If you have not enabled Amazon Config already, you can enable it in one of the following ways:

  • Console or Amazon CLI – You can manually enable Amazon Config using the Amazon Config console or Amazon CLI. See Getting started with Amazon Config in the Amazon Config Developer Guide.

  • Amazon CloudFormation template – If you want to enable Amazon Config on a large number of accounts, you can enable Amazon Config with the CloudFormation template Enable Amazon Config. To access this template, see Amazon CloudFormation StackSets sample templates in the Amazon CloudFormation User Guide.

  • GitHub script – Security Hub offers a GitHub script that enables Security Hub for multiple accounts across Regions. This script is useful if you haven't integrated with Organizations or if you have accounts that are not part of your organization. When you use this script to enable Security Hub, it also automatically enables Amazon Config for those accounts.

For more information about enabling Amazon Config to help you run Security Hub security checks, see Optimize Amazon Config for Amazon Security Hub to effectively manage your cloud security posture.

Turning on resource recording in Amazon Config

When you turn on resource recording in Amazon Config with default settings, it records all supported types of Regional resources that Amazon Config discovers in the Amazon Web Services Region in which it is running. You can also configure Amazon Config to record supported types of global resources. You only need to record global resources in a single Region (we recommend that this be your home Region if you're using central configuration).

If you are using CloudFormation StackSets to enable Amazon Config, we recommend that you run two different StackSets. Run one StackSet to record all resources, including global resources, in a single Region. Run a second StackSet to record all resources except global resources in other Regions.

You can also use Quick Setup, a capability of Amazon Systems Manager, to quickly configure resource recording in Amazon Config across your accounts and Regions. During the Quick Setup process, you can choose which Region you would like to record global resources in. For more information, see Amazon Config configuration recorder in the Amazon Systems Manager User Guide.

The security control Config.1 generates failed findings in Regions that are not linked Regions of a finding aggregator (that is, the home Region and any Region outside a finding aggregator) if that Region doesn’t record Amazon Identity and Access Management (IAM) global resources and has enabled controls that require IAM global resources to be recorded. In linked Regions, Config.1 doesn’t check whether IAM global resources are recorded. For a list of resources that each control requires, see Amazon Config resources required to generate control findings.

If you use the multi-account script to enable Security Hub, it automatically enables resource recording for all resources, including global resources, in all Regions. You can then update the configuration to record global resources in a single Region only. For information, see Selecting which resources Amazon Config records in the Amazon Config Developer Guide.

In order for Security Hub to accurately report findings for controls that rely on Amazon Config rules, you must enable recording for the relevant resources. For a list of controls and their related Amazon Config resources, see Amazon Config resources required to generate control findings.

Amazon Config lets you choose between continuous recording and daily recording of changes in resource state. If you choose daily recording, Amazon Config delivers resource configuration data at the end of each 24-hour period if there are changes in resource state. If there are no changes, no data is delivered. This may delay the generation of Security Hub findings for change-triggered controls until a 24-hour period is complete.

Note

To generate new findings from security checks and avoid stale findings, the IAM role that is attached to the configuration recorder must have sufficient permissions to evaluate the underlying resources.

Cost considerations

For details about the costs associated with resource recording, see Amazon Security Hub pricing and Amazon Config pricing.

Security Hub may impact your Amazon Config configuration recorder costs by updating the AWS::Config::ResourceCompliance configuration item. Updates may occur each time a Security Hub control associated with an Amazon Config rule changes compliance state, is enabled or disabled, or has parameter updates. If you use the Amazon Config configuration recorder only for Security Hub, and don't use this configuration item for other purposes, we recommend turning off recording for it in the Amazon Config console or Amazon CLI. This can reduce your Amazon Config costs. You don't need to record AWS::Config::ResourceCompliance for security checks to work in Security Hub.
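As an added example (not code from the Security Hub or Amazon Config documentation), the following Python builds the Amazon Config recorder settings recommended in the resource recording and cost sections above, recording IAM global resources in the home Region only, excluding AWS::Config::ResourceCompliance everywhere, and keeping continuous recording, and then audits recorders as returned by `describe_configuration_recorders`. The exclusion-based recording strategy, the Region names, and the role ARN in the test are assumptions; the dict returned by `recorder_settings` is passed as `ConfigurationRecorder` to boto3 `put_configuration_recorder` or as `--cli-input-json` to `aws configservice put-configuration-recorder`.

```python
# Added example, not code from the Security Hub docs: AWS Config recorder settings that follow
# the recommendations above, plus a check over describe_configuration_recorders output.
# IAM resource types that AWS Config treats as global; record them in the home Region only.
IAM_GLOBAL_TYPES = ["AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::Policy"]
# Security Hub updates this item on every control state change; checks do not need it recorded.
RESOURCE_COMPLIANCE = "AWS::Config::ResourceCompliance"


def recorder_settings(region, home_region, role_arn):
    """ConfigurationRecorder for put_configuration_recorder (boto3 or --cli-input-json):
    exclude ResourceCompliance everywhere, exclude IAM globals outside the home Region,
    and keep CONTINUOUS recording so change-triggered controls are not delayed a day."""
    excluded = [RESOURCE_COMPLIANCE] + ([] if region == home_region else IAM_GLOBAL_TYPES)
    return {
        "name": "default",
        "roleARN": role_arn,
        "recordingGroup": {
            "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
            "exclusionByResourceTypes": {"resourceTypes": excluded},
        },
        "recordingMode": {"recordingFrequency": "CONTINUOUS"},
    }


def records_type(group, rtype):
    """True if a recordingGroup (as returned by describe_configuration_recorders) records rtype."""
    if group.get("recordingStrategy", {}).get("useOnly") == "EXCLUSION_BY_RESOURCE_TYPES":
        return rtype not in group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
    if group.get("allSupported"):
        # allSupported covers Regional types; IAM globals also need includeGlobalResourceTypes.
        return rtype not in IAM_GLOBAL_TYPES or bool(group.get("includeGlobalResourceTypes"))
    return rtype in group.get("resourceTypes", [])


def audit(recorders_by_region):
    """List deviations from the recommendations for a {region: recorder} mapping."""
    issues = []
    global_regions = [r for r, rec in recorders_by_region.items()
                      if any(records_type(rec["recordingGroup"], t) for t in IAM_GLOBAL_TYPES)]
    if len(global_regions) != 1:
        issues.append(f"IAM global resources recorded in {len(global_regions)} Regions, expected 1")
    for region, rec in recorders_by_region.items():
        if records_type(rec["recordingGroup"], RESOURCE_COMPLIANCE):
            issues.append(f"{region}: {RESOURCE_COMPLIANCE} is recorded (adds recorder cost)")
        if rec.get("recordingMode", {}).get("recordingFrequency") == "DAILY":
            issues.append(f"{region}: daily recording can delay change-triggered findings up to 24h")
    return issues
```

Run `audit` over the `ConfigurationRecorders` list returned per Region to confirm that exactly one Region records IAM global resources before enabling standards, which is when Config.1 starts evaluating.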