Enabling and configuring Security Hub - AWS Security Hub

Enabling and configuring Security Hub

There are two ways to enable AWS Security Hub, by integrating with AWS Organizations or manually.

We strongly recommend integrating with Organizations for multi-account and multi-Region environments. If you have a standalone account, it's necessary to set up Security Hub manually.

Verifying necessary permissions

After you sign up for Amazon Web Services (AWS), you must enable Security Hub to use its capabilities and features. To enable Security Hub, you first have to set up permissions that allow you to access the Security Hub console and API operations. You or your AWS administrator can do this by using AWS Identity and Access Management (IAM) to attach the AWS managed policy called AWSSecurityHubFullAccess to your IAM identity.

To enable and manage Security Hub through the Organizations integration, you also should attach the AWS managed policy called AWSSecurityHubOrganizationsAccess.

For more information, see AWS managed policies for AWS Security Hub.

Enabling Security Hub with Organizations integration

To start using Security Hub with AWS Organizations, the AWS Organizations management account for the organization designates an account as the delegated Security Hub administrator account for the organization. Security Hub is automatically enabled in the delegated administrator account in the current Region.

Choose your preferred method, and follow the steps to designate the delegated administrator.

Security Hub console
To designate the delegated Security Hub administrator when onboarding
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Choose Go to Security Hub. You're prompted to sign in to the Organizations management account.

  3. On the Designate delegated administrator page, in the Delegated administrator account section, specify the delegated administrator account. We recommend choosing the same delegated administrator that you have set for other AWS security and compliance services.

  4. Choose Set delegated administrator.

Security Hub API

Invoke the EnableOrganizationAdminAccount API from the Organizations management account. Provide the AWS account ID of the Security Hub delegated administrator account.

AWS CLI

Run the enable-organization-admin-account command from the Organizations management account. Provide the AWS account ID of the Security Hub delegated administrator account.

Example command:

aws securityhub enable-organization-admin-account --admin-account-id 777788889999

For more information about the integration with Organizations, see Integrating Security Hub with AWS Organizations.

After designating the delegated administrator, we recommend that you continue setting up Security Hub with central configuration. The console prompts you to do so. By using central configuration, you can simplify the process of enabling and configuring Security Hub for your organization and ensure that your organization has adequate security coverage.

Central configuration lets the delegated administrator customize Security Hub across multiple organization accounts and Regions rather than configuring Region-by-Region. You can create a configuration policy for your entire organization, or create different configuration policies for different accounts and OUs. The policies specify whether Security Hub is enabled or disabled in associated accounts and which security standards and controls are enabled.

The delegated administrator can designate accounts as centrally managed or self-managed. Centrally managed accounts are configurable only by the delegated administrator. Self-managed accounts can specify their own settings.

If you don't use central configuration, the delegated administrator has a more limited ability to configure Security Hub. For more information, see Managing Security Hub administrator and member accounts with Organizations.

Enabling Security Hub manually

You must enable Security Hub manually if you have a standalone account, or if you don't integrate with AWS Organizations. Standalone accounts can't integrate with AWS Organizations and must use manual enablement.

When you enable Security Hub manually, you designate a Security Hub administrator account and invite other accounts to become member accounts. The administrator-member relationship is established when a prospective member account accepts the invitation.

Choose your preferred method, and follow the steps to enable Security Hub. When you enable Security Hub from the console, you also have the option to enable the supported security standards.

Security Hub console
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. When you open the Security Hub console for the first time, choose Go to Security Hub.

  3. On the welcome page, the Security standards section lists the security standards that Security Hub supports.

    Select the check box for a standard to enable it, and clear the check box to disable it.

    You can enable or disable a standard or its individual controls at any time. For information about managing security standards, see Understanding security standards in Security Hub.

  4. Choose Enable Security Hub.

Security Hub API

Invoke the EnableSecurityHub API. When you enable Security Hub from the API, it automatically enables the following default security standards:

  • AWS Foundational Security Best Practices

  • Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0

If you do not want to enable these standards, then set EnableDefaultStandards to false.

You can also use the Tags parameter to assign tag values to the hub resource.

AWS CLI

Run the enable-security-hub command. To enable the default standards, include --enable-default-standards. To not enable the default standards, include --no-enable-default-standards. The default security standards are as follows:

  • AWS Foundational Security Best Practices

  • Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0

aws securityhub enable-security-hub [--tags <tag values>] [--enable-default-standards | --no-enable-default-standards]

Example

aws securityhub enable-security-hub --enable-default-standards --tags '{"Department": "Security"}'

Multi-account enablement script

Note

Instead of this script, we recommend using central configuration to enable and configure Security Hub across multiple accounts and Regions.

The Security Hub multi-account enablement script in GitHub allows you to enable Security Hub across accounts and Regions. The script also automates the process of sending invitations to member accounts and enabling AWS Config.

The script automatically enables resource recording for all resources, including global resources, in all Regions. It does not limit recording of global resources to a single Region.

There is a corresponding script to disable Security Hub across accounts and Regions.

Next steps after enabling Security Hub

After you enable Security Hub, we recommend enabling the security standards and security controls that are important for your security needs. After you enable controls, Security Hub begins running security checks and generating control findings. You can also leverage integrations between Security Hub and other AWS services and third-party solutions to see their findings in Security Hub.