Setting up AWS Security Hub

If you are integrated with AWS Organizations, accounts that belong to the organization do not need to enable Security Hub manually.

The organization management account designates the Security Hub administrator account. The Security Hub administrator account then has Security Hub enabled automatically. The organization management account does not need to enable Security Hub. See Designating a Security Hub administrator account.

The Security Hub administrator account acts as a Security Hub master account, and chooses the organization accounts to enable as member accounts. Those accounts also have Security Hub enabled automatically. See Managing member accounts that belong to an organization.

An account that is not part of an organization must enable Security Hub manually. The Security Hub master-member relationship is then established through manual invitations that the master account sends to the member accounts. See Managing member accounts that are not in an organization.

For both types of enablement, you need to enable AWS Config, which is needed for the security checks against security controls. See Enabling and configuring AWS Config.

Contents

• Enabling Security Hub manually
  • Attaching the required IAM policy to the IAM identity
  • Enabling Security Hub (console)
  • Enabling Security Hub (Security Hub API, AWS CLI)
  • Enabling Security Hub (Multi-account script)
• Service-linked role assigned to Security Hub