How Security Hub uses Amazon Config rules to run security checks - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

How Security Hub uses Amazon Config rules to run security checks

To run security checks on your environment's resources, Amazon Security Hub either follows steps specified by the standard or evaluates specific Amazon Config rules. Some of these rules are managed rules, which Amazon Config maintains. Others are custom rules that Security Hub develops.

Amazon Config rules that Security Hub uses for controls are referred to as service-linked rules, because they are enabled and controlled by the Security Hub service.

To enable checks against these Amazon Config rules, you must first enable Amazon Config for your account and enable resource recording for the required resource types. If recording is not enabled for a resource type, the corresponding controls cannot generate findings. For information about how to enable Amazon Config, see Configuring Amazon Config. For information about required resource recording, see Amazon Config resources required to generate control findings.

How Security Hub generates the service-linked rules

For every control that uses an Amazon Config service-linked rule, Security Hub creates instances of the required rules in your Amazon environment.

These service-linked rules are specific to Security Hub. Security Hub creates them even if other instances of the same rules already exist in your account. The service-linked rule name adds the prefix securityhub- before the original rule name and a unique identifier after it. For example, for the original Amazon Config managed rule vpc-flow-logs-enabled, the service-linked rule name would be something like securityhub-vpc-flow-logs-enabled-12345.

There are limits on the number of Amazon Config rules that can be used to evaluate controls. Custom Amazon Config rules that Security Hub creates don't count towards that limit. You can enable a security standard even if you've already reached the Amazon Config limit for managed rules in your account. To learn more about Amazon Config rule limits, see Service Limits in the Amazon Config Developer Guide.
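The following script is an added example, not code from Security Hub or Amazon Config. It applies the naming convention and the limit rule described above to a constructed DescribeConfigRules-style listing: it recognizes Security Hub service-linked rules by the securityhub- prefix and trailing unique identifier, recovers the original managed rule name, flags pre-existing instances of the same managed rule (which Security Hub duplicates rather than reuses), and counts which rules count toward the managed-rule limit. It assumes the record shape of the Config DescribeConfigRules API (ConfigRuleName, Source.Owner, Source.SourceIdentifier, CreatedBy), that the CreatedBy value for these rules is the securityhub.amazonaws.com service principal, and that the appended unique identifier contains no hyphen; the sample records and the custom rule name are constructed.

```python
"""Classify AWS Config rules into Security Hub service-linked rules and others.

Added example, not Security Hub or Amazon Config code. Assumes the record shape
returned by the Config DescribeConfigRules API and that the unique identifier
Security Hub appends contains no hyphen. All sample records are constructed.
"""
import re
from collections import defaultdict

SECURITY_HUB_PRINCIPAL = "securityhub.amazonaws.com"  # assumed CreatedBy value

# Constructed sample of a DescribeConfigRules response, trimmed to the fields used.
SAMPLE_CONFIG_RULES = [
    {"ConfigRuleName": "securityhub-vpc-flow-logs-enabled-12345",
     "Source": {"Owner": "AWS", "SourceIdentifier": "VPC_FLOW_LOGS_ENABLED"},
     "CreatedBy": SECURITY_HUB_PRINCIPAL},
    # A pre-existing instance of the same managed rule, created by the account owner.
    {"ConfigRuleName": "vpc-flow-logs-enabled",
     "Source": {"Owner": "AWS", "SourceIdentifier": "VPC_FLOW_LOGS_ENABLED"}},
    {"ConfigRuleName": "securityhub-s3-bucket-public-read-prohibited-67890",
     "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"},
     "CreatedBy": SECURITY_HUB_PRINCIPAL},
    # A custom (Lambda-backed) rule created by Security Hub; hypothetical name and ARN.
    {"ConfigRuleName": "securityhub-example-custom-check-abcde",
     "Source": {"Owner": "CUSTOM_LAMBDA",
                "SourceIdentifier": "arn:aws-cn:lambda:cn-north-1:123456789012:function:example"},
     "CreatedBy": SECURITY_HUB_PRINCIPAL},
    # An unrelated rule the account owner created.
    {"ConfigRuleName": "my-team-restricted-ssh",
     "Source": {"Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED"}},
]

# securityhub-<original rule name>-<unique id>; the original name may itself contain hyphens.
_SERVICE_LINKED_NAME = re.compile(r"^securityhub-(?P<base>.+)-(?P<uid>[^-]+)$")


def parse_service_linked_name(name):
    """Return (original_rule_name, unique_id) for a service-linked rule name, else None."""
    m = _SERVICE_LINKED_NAME.match(name)
    return (m.group("base"), m.group("uid")) if m else None


def is_service_linked(rule):
    """True only when both the name convention and CreatedBy point at Security Hub.

    Anyone with permission to create Config rules can pick a securityhub-* name,
    so the name alone is not proof of ownership; require both signals.
    """
    return (parse_service_linked_name(rule["ConfigRuleName"]) is not None
            and rule.get("CreatedBy") == SECURITY_HUB_PRINCIPAL)


def classify_rules(rules):
    """Split rules into service-linked and other, and report other rules that evaluate
    the same managed rule as a service-linked rule (Security Hub creates its own
    instance even when one already exists)."""
    service_linked, other = [], []
    by_source = defaultdict(list)  # managed SourceIdentifier -> non-service-linked rule names
    for rule in rules:
        if is_service_linked(rule):
            service_linked.append(rule)
        else:
            other.append(rule)
            src = rule["Source"]
            if src["Owner"] == "AWS":
                by_source[src["SourceIdentifier"]].append(rule["ConfigRuleName"])
    duplicates = {}
    for rule in service_linked:
        src = rule["Source"]
        if src["Owner"] == "AWS" and by_source.get(src["SourceIdentifier"]):
            duplicates[rule["ConfigRuleName"]] = by_source[src["SourceIdentifier"]]
    return {"service_linked": service_linked, "other": other, "duplicates": duplicates}


def rules_counted_toward_managed_limit(rules):
    """Count rules against the managed-rule limit as this page describes it:
    custom rules that Security Hub creates do not count; every other rule does."""
    return sum(1 for r in rules
               if not (is_service_linked(r) and r["Source"]["Owner"] != "AWS"))


if __name__ == "__main__":
    report = classify_rules(SAMPLE_CONFIG_RULES)
    for rule in report["service_linked"]:
        base, uid = parse_service_linked_name(rule["ConfigRuleName"])
        print(f"service-linked: {rule['ConfigRuleName']} -> original rule {base!r}, id {uid}")
    for name, others in report["duplicates"].items():
        print(f"{name} duplicates existing rule(s): {', '.join(others)}")
    print("rules counted toward managed-rule limit:",
          rules_counted_toward_managed_limit(SAMPLE_CONFIG_RULES))
```

To run this against a real account, replace SAMPLE_CONFIG_RULES with the ConfigRules list from a DescribeConfigRules call; the duplicate report tells you which account-owned rules now evaluate the same resources twice, which matters for rule limits and for evaluation cost.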

Viewing details about the Amazon Config rules for controls

For controls that use Amazon Config managed rules, the control description includes a link to the Amazon Config rule details. Custom rules aren't linked from the control description. For control descriptions, see Security Hub controls reference. Select a control from the list to see its description.

For findings generated from those controls, the finding details include a link to the associated Amazon Config rule. Note that to navigate to the Amazon Config rule from the finding details, you must also have IAM permissions in the selected account that allow you to view Amazon Config rules.

The finding details on the Findings page, Insights page, and Integrations page include a Rules link to the Amazon Config rule details. See Reviewing finding details.

On the control details page, the Investigate column of the finding list contains a link to the Amazon Config rule details. See Viewing the Amazon Config rule for a finding resource.