Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Start using central configuration
The Amazon Security Hub delegated administrator account can use central configuration to configure Security Hub, standards, and controls
for multiple accounts and organizational units (OUs) across Amazon Web Services Regions.
This section explains prerequisites for central configuration and how to begin using it.
Prerequisites for central configuration
Before you can start using central configuration, you must integrate Security Hub with Amazon Organizations and designate a home Region. If you use the Security Hub console, these
prerequisites are included in the opt-in workflow for central configuration.
Integrate with Organizations
You must integrate Security Hub and Organizations to use central configuration.
To integrate these services, you begin by creating an organization in Organizations. From the Organizations management account, you
then designate a Security Hub delegated administrator account. For instructions, see Integrating Security Hub with Amazon Organizations.
Ensure that you designate your delegated administrator in your intended home Region. When you start using central configuration, the same delegated
administrator is automatically set in all linked Regions as well. The Organizations management account
cannot be set as the delegated administrator account.
When you use central configuration, you can't use the Security Hub console or Security Hub APIs
to change or remove the delegated administrator account. If the Organizations management account uses Amazon Organizations APIs to change or remove
the Security Hub delegated administrator, Security Hub automatically stops central configuration. Your configuration policies are also
disassociated and deleted. Member accounts retain the configuration that they had before the delegated administrator was changed or removed.
Designate a home Region
You must designate a home Region to use central configuration. The home Region is the Region from which the
delegated administrator configures the organization.
To use central configuration, you must specify at least one linked Region that is configurable from the home
Region.
The home Region cannot be a Region that Amazon has designated as an opt-in Region. An opt-in Region is disabled by
default. For a list of opt-in Regions, see Considerations before enabling and disabling Regions in the
Amazon Account Management Reference Guide.
The delegated administrator can create and manage configuration policies only from the home
Region. Configuration policies take effect in the home Region and all linked Regions. You can't create a
configuration policy that applies only to a subset of these Regions, and not others. The exception to this is
controls that involve global resources. If you use central configuration, Security Hub automatically disables
controls that involve global resources in all Regions except the home Region.
For more information, see Controls that use global resources.
The home Region is also your Security Hub aggregation Region that receives findings, insights, and other data from linked Regions.
If you have already set an aggregation Region for cross-Region aggregation, then that's your default home Region for
central configuration. You can change the home Region before you start to use central configuration by deleting your current finding aggregator and creating a
new one in your desired home Region. A finding aggregator is a Security Hub resource that specifies the home Region and linked Regions.
To designate a home Region, follow the steps for setting an aggregation Region.
If you already have a home Region, you can invoke the GetFindingAggregator API to see details about it, including which Regions currently are linked to it.
Start central configuration
Choose your preferred method, and follow the steps to start using central configuration for your organization.
Security Hub console

To centrally configure your organization

- Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.
- On the navigation pane, choose Settings and Configuration. Then, choose Start central configuration. If you're onboarding to Security Hub, choose Go to Security Hub.
- On the Designate delegated administrator page, select your delegated administrator account or enter its account ID. If applicable, we recommend choosing the same delegated administrator that you have set for other Amazon security and compliance services. Choose Set delegated administrator.
- On the Centralize organization page, in the Regions section, select your home Region. You must be signed in to the home Region to proceed. If you've already set an aggregation Region for cross-Region aggregation, it's displayed as the home Region. To change the home Region, choose Edit Region settings. You can then select your preferred home Region and return to this workflow.
- Select at least one Region to link to the home Region. Optionally, choose whether you want to automatically link future supported Regions to the home Region. The Regions you select here will be configurable from the home Region by the delegated administrator. Configuration policies take effect in your home Region and all linked Regions.
- Choose Confirm and continue.
- You can now use central configuration. Continue following the console prompts to create your first configuration policy. If you're not ready to create a configuration policy yet, choose I'm not ready to configure yet. You can create a policy later by choosing Settings and Configuration in the navigation pane. For instructions on creating a configuration policy, see Creating and associating Security Hub configuration policies.
Security Hub API

To centrally configure Security Hub

- Using the credentials of the delegated administrator account, invoke the UpdateOrganizationConfiguration API from the home Region.
- Set the AutoEnable field to false.
- Set the ConfigurationType field in the OrganizationConfiguration object to CENTRAL. This action has the following impact:
  - Designates the calling account as the Security Hub delegated administrator in all linked Regions.
  - Enables Security Hub in the delegated administrator account in all linked Regions.
  - Designates the calling account as the Security Hub delegated administrator for new and existing accounts that use Security Hub and belong to the organization. This occurs in the home Region and all linked Regions. The calling account is set as the delegated administrator for new organization accounts only if they are associated with a configuration policy that has Security Hub enabled, and for existing organization accounts only if they already have Security Hub enabled.
  - Sets AutoEnable to false in all linked Regions, and sets AutoEnableStandards to NONE in the home Region and all linked Regions. These parameters aren't relevant in the home and linked Regions when you use central configuration, but you can automatically enable Security Hub and default security standards in organization accounts through the use of configuration policies.

You can now use central configuration. The delegated administrator can create configuration policies to configure Security Hub in your organization. For instructions on creating a configuration policy, see Creating and associating Security Hub configuration policies.

Example API request:

{
  "AutoEnable": false,
  "OrganizationConfiguration": {
    "ConfigurationType": "CENTRAL"
  }
}
Amazon CLI

To centrally configure Security Hub

- Using the credentials of the delegated administrator account, run the update-organization-configuration command from the home Region.
- Include the --no-auto-enable parameter.
- Set the ConfigurationType field in the --organization-configuration object to CENTRAL. This action has the following impact:
  - Designates the calling account as the Security Hub delegated administrator in all linked Regions.
  - Enables Security Hub in the delegated administrator account in all linked Regions.
  - Designates the calling account as the Security Hub delegated administrator for new and existing accounts that use Security Hub and belong to the organization. This occurs in the home Region and all linked Regions. The calling account is set as the delegated administrator for new organization accounts only if they are associated with a configuration policy that has Security Hub enabled, and for existing organization accounts only if they already have Security Hub enabled.
  - Sets the auto-enablement option to --no-auto-enable in all linked Regions, and sets --auto-enable-standards to NONE in the home Region and all linked Regions. These parameters aren't relevant in the home and linked Regions when you use central configuration, but you can automatically enable Security Hub and default security standards in organization accounts through the use of configuration policies.

You can now use central configuration. The delegated administrator can create configuration policies to configure Security Hub in your organization. For instructions on creating a configuration policy, see Creating and associating Security Hub configuration policies.

Example command (run from the home Region, here us-east-1):

aws securityhub --region us-east-1 update-organization-configuration \
    --no-auto-enable \
    --organization-configuration '{"ConfigurationType": "CENTRAL"}'
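The following script is an added example and is not part of the Security Hub documentation. It ties the Prerequisites section to the API and CLI procedures above: it reads the finding aggregator to learn the home Region and confirms at least one linked Region exists, refuses to run from any Region other than the home Region, rejects an opt-in Region as the home Region, then sends the same UpdateOrganizationConfiguration request as the documented API and CLI examples and reads the organization configuration back to confirm it took effect. The boto3 clients are passed in rather than created inside the helpers so the logic can be exercised against fakes; the opt-in check via the Account Management ListRegions API, the treatment of any status other than ENABLED_BY_DEFAULT as opt-in, and the Region names in the main block are this example's assumptions.

```python
"""Added example (not from the Security Hub documentation): prerequisite checks
plus the UpdateOrganizationConfiguration call that starts central configuration.

The boto3 clients are passed in rather than created here so the logic can be
exercised with fakes; the opt-in-Region check via the Account Management
ListRegions API and the Region names in __main__ are this example's assumptions.
"""


class CentralConfigError(RuntimeError):
    """A prerequisite for central configuration is not met."""


def home_region_and_links(securityhub):
    """Return (home_region, linked_regions) from the finding aggregator.

    The aggregation Region is the home Region; central configuration needs at
    least one linked Region, which GetFindingAggregator reports in "Regions".
    """
    aggregators = securityhub.list_finding_aggregators().get("FindingAggregators", [])
    if not aggregators:
        raise CentralConfigError("no finding aggregator: set an aggregation Region first")
    detail = securityhub.get_finding_aggregator(
        FindingAggregatorArn=aggregators[0]["FindingAggregatorArn"]
    )
    home = detail["FindingAggregationRegion"]
    linked = list(detail.get("Regions", []))
    if not linked:
        raise CentralConfigError(f"aggregator in {home} has no linked Regions")
    return home, linked


def assert_not_opt_in(account, region):
    """Reject a home Region that is an opt-in Region (disabled by default).

    Assumption: any Region whose RegionOptStatus is not ENABLED_BY_DEFAULT in
    the Account Management ListRegions response is treated as an opt-in Region.
    """
    kwargs = {"RegionOptStatusContains": ["ENABLED_BY_DEFAULT"]}
    enabled_by_default = set()
    while True:  # ListRegions is paginated
        page = account.list_regions(**kwargs)
        enabled_by_default.update(r["RegionName"] for r in page.get("Regions", []))
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    if region not in enabled_by_default:
        raise CentralConfigError(f"{region} is an opt-in Region and can't be the home Region")


def start_central_configuration(securityhub, account, calling_region):
    """Check prerequisites, send the CENTRAL request, and verify it took effect.

    `securityhub` must be a client for `calling_region`, created with the
    delegated administrator's credentials, because the request must be made
    from the home Region.
    """
    home, linked = home_region_and_links(securityhub)
    if calling_region != home:
        raise CentralConfigError(f"call from the home Region {home}, not {calling_region}")
    assert_not_opt_in(account, home)

    # Same request body as the documented API request and CLI command.
    securityhub.update_organization_configuration(
        AutoEnable=False,
        OrganizationConfiguration={"ConfigurationType": "CENTRAL"},
    )

    # Read the configuration back instead of trusting the empty update response.
    after = securityhub.describe_organization_configuration()
    org = after.get("OrganizationConfiguration", {})
    if org.get("ConfigurationType") != "CENTRAL" or after.get("AutoEnable") is not False:
        raise CentralConfigError(f"unexpected organization configuration after update: {after}")
    return {"home_region": home, "linked_regions": linked, "status": org.get("Status")}


if __name__ == "__main__":
    import boto3  # imported here so the checks stay importable without boto3

    home_region = "us-east-1"  # assumption: replace with your own home Region
    session = boto3.Session(region_name=home_region)
    print(start_central_configuration(
        session.client("securityhub"), session.client("account"), home_region
    ))
```

Run it with the delegated administrator's credentials and the home Region selected; every check raises CentralConfigError with the reason before any change is made, and the DescribeOrganizationConfiguration read-back catches the case where the call is accepted but the configuration type did not become CENTRAL.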