Prerequisites and recommendations - AWS Security Hub

Prerequisites and recommendations

The following prerequisites and recommendations can help you get started with using AWS Security Hub.

Integrating with AWS Organizations

AWS Organizations is a global account management service that enables AWS administrators to consolidate and centrally manage multiple AWS accounts and organizational units (OUs). It provides account management and consolidated billing features that are designed to support budgetary, security, and compliance needs. It's offered at no additional charge and integrates with multiple AWS services, including Security Hub, Amazon GuardDuty, and Amazon Macie.

To help automate and streamline the management of accounts, we strongly recommend integrating Security Hub and AWS Organizations. You can integrate with Organizations if you have more than one AWS account that uses Security Hub.

For instructions on activating the integration, see Integrating Security Hub with AWS Organizations.

Using central configuration

When you integrate Security Hub and Organizations, you have the option to use a feature called central configuration to set up and manage Security Hub for your organization. We strongly recommend using central configuration because it lets the administrator customize security coverage for the organization. Where appropriate, the delegated administrator can allow a member account to configure its own security coverage settings.

Central configuration lets the delegated administrator configure Security Hub across accounts, OUs, and Regions. The delegated administrator configures Security Hub by creating configuration policies. Within a configuration policy, you can specify the following settings:

  • Whether Security Hub is enabled or disabled

  • Which security standards are enabled and disabled

  • Which security controls are enabled and disabled

  • Whether to customize parameters for select controls

As the delegated administrator, you can create a single configuration policy for your entire organization or different configuration policies for your various accounts and OUs. For example, test accounts and production accounts can use different configuration policies.

Member accounts and OUs that use a configuration policy are centrally managed and can be configured only by the delegated administrator. The delegated administrator can designate specific member accounts and OUs as self-managed to give the member the ability to configure its own settings on a Region-by-Region basis.

To learn more about central configuration, see Central configuration in Security Hub.

Configuring AWS Config

AWS Security Hub uses service-linked AWS Config rules to perform security checks for most controls.

To support these controls, AWS Config must be enabled on all accounts—both the administrator account and member accounts—in each AWS Region where Security Hub is enabled. In addition, for each enabled standard AWS Config must be configured to record resources that are required for enabled controls.

We recommend that you turn on resource recording in AWS Config before you enable Security Hub standards. If Security Hub tries to run security checks when resource recording is turned off, the checks return errors.

Security Hub does not manage AWS Config for you. If you already have AWS Config enabled, you can configure its settings through the AWS Config console or APIs.

If you enable a standard but haven't enabled AWS Config, Security Hub tries to create the AWS Config rules according to the following schedule:

  • On the day you enable the standard

  • The day after you enable the standard

  • 3 days after you enable the standard

  • 7 days after you enable the standard (and continuously every 7 days thereafter)

If you use central configuration, Security Hub also tries to create the AWS Config rules when you re-apply a configuration policy that enables one or more standards.

Enabling AWS Config

If you have not enabled AWS Config already, you can enable it in one of the following ways:

  • Console or AWS CLI – You can manually enable AWS Config using the AWS Config console or AWS CLI. See Getting started with AWS Config in the AWS Config Developer Guide.

  • AWS CloudFormation template – If you want to enable AWS Config on a large number of accounts, you can enable AWS Config with the CloudFormation template Enable AWS Config. To access this template, see AWS CloudFormation StackSets sample templates in the AWS CloudFormation User Guide.

  • Github script – Security Hub offers a GitHub script that enables Security Hub for multiple accounts across Regions. This script is useful if you haven't integrated with Organizations or if you have accounts that are not part of your organization. When you use this script to enable Security Hub, it also automatically enables AWS Config for these accounts.

For more information about enabling AWS Config to help you run Security Hub security checks, see Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture.

Turning on resource recording in AWS Config

When you turn on resource recording in AWS Config with default settings, it records all supported types of Regional resources that AWS Config discovers in the AWS Region in which it is running. You can also configure AWS Config to record supported types of global resources. You only need to record global resources in a single Region (we recommend that this be your home Region if you're using central configuration).

If you are using CloudFormation StackSets to enable AWS Config, we recommend that you run two different StackSets. Run one StackSet to record all resources, including global resources, in a single Region. Run a second StackSet to record all resources except global resources in other Regions.

You can also use Quick Setup, a capability of AWS Systems Manager, to quickly configure resource recording in AWS Config across your accounts and Regions. During the Quick Setup process, you can choose which Region you would like to record global resources in. For more information, see AWS Config configuration recorder in the AWS Systems Manager User Guide.

The security control Config.1 will generate failed findings in Regions where global resources are not recorded. This is expected, and you can use an automation rule to suppress these findings.

If you use the multi-account script to enable Security Hub, it automatically enables resource recording for all resources, including global resources, in all Regions. You can then update the configuration to record global resources in a single Region only. For information, see Selecting which resources AWS Config records in the AWS Config Developer Guide.

In order for Security Hub to accurately report findings for controls that rely on AWS Config rules, you must enable recording for the relevant resources. For a list of controls and their related AWS Config resources, see AWS Config resources required to generate control findings.AWS Config lets you choose between continuous recording and daily recording of changes in resource state. If you choose daily recording, AWS Config delivers resource configuration data at the end of each 24 hour period if there are changes in resource state. If there are no changes, no data is delivered. This may delay the generation of Security Hub findings for change-triggered controls until a 24-hour period is complete.


To generate new findings after security checks and avoid stale findings, you must have sufficient permissions for the IAM role that is attached to the configuration recorder to evaluate the underlying resources.

Cost considerations

For details about the costs associated with resource recording, see AWS Security Hub pricing and AWS Config pricing.

Security Hub may impact your AWS Config configuration recorder costs by updating the AWS::Config::ResourceCompliance configuration item. Updates may occur each time a Security Hub control associated with an AWS Config rule changes compliance state, is enabled or disabled, or has parameter updates. If you use the AWS Config configuration recorder only for Security Hub, and don't use this configuration item for other purposes, we recommend turning off recording for it in the AWS Config console or AWS CLI. This can reduce your AWS Config costs. You don't need to record AWS::Config::ResourceCompliance for security checks to work in Security Hub.