Enabling Security Hub
Note
Security Hub is in preview release and is subject to change.
You can enable Security Hub for any AWS account. The procedures in this topic describe how to enable Security Hub from an AWS organization management account, a delegated administrator account, and a standalone account.
Enable Security Hub for an organization
This section includes three steps. In Step 1, the AWS organization management account enables Security Hub, designates a delegated administrator for their organization, and creates the delegated administrator policy. In Step 2, the delegated administrator for the organization enables Security Hub. In Step 3, the delegated administrator for the organization creates a policy that enables Security Hub for all member accounts in the organization.
Step 1. Enable Security Hub in the AWS organization management account
This step includes two procedures. The first procedure describes how to enable Security Hub if you enabled Security Hub CSPM and designated a delegated administrator in Security Hub CSPM. The second procedure describes how to enable Security Hub if you have not enabled Security Hub CSPM and designated a delegated administrator in Security Hub CSPM. In both procedures, if you skip the step to designate a delegated administrator, you must skip the step to create the delegated administrator policy. You can only create the delegated administrator policy after you designate a delegated administrator. For information about designating a delegated administrator in Security Hub, see Designating a delegated administrator account in Security Hub. For information about creating the delegated administrator policy in Security Hub, see Creating the delegated administrator policy in Security Hub.
After you enable Security Hub, a service-linked role called AWSServiceRoleForSecurityHubV2 and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For more information, see Considerations for service-linked configuration recorders.
Step 2. Enable Security Hub in the delegated administrator account
This step is for the delegated administrator to complete. After the AWS organization management account designates a delegated administrator for their organization, the delegated administrator must enable Security Hub.
To enable Security Hub in the delegated administrator account
-
Sign in to your AWS account with your delegated administrator credentials. Open the Security Hub console at https://console.aws.amazon.com/securityhub/v2/home
. -
From the Security Hub homepage, select Security Hub, and choose Get started.
-
Choose Enable.
-
(Optional) For Tags, determine whether to add a key-value pair to the account setup.
-
Choose Go to Security Hub.
After you enable Security Hub, a service-linked role called AWSServiceRoleForSecurityHubV2 and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For more information, see Considerations for service-linked configuration recorders.
Step 3. Create a policy that enables Security Hub in all member accounts
This step is for the delegated administrator to complete. After the delegated administrator for an organization enables Security Hub, it must create a policy allowing it to define which member accounts in an organization are enabled and disabled. For more information, see Creating a policy as the delegated administrator to manage member accounts.
Enable Security Hub in a standalone account
This procedure describes how to enable Security Hub in a standalone account. A standalone account is an AWS account that has not enabled AWS organizations.
To enable Security Hub in a standalone account
-
Sign in to your AWS account with your standalone account credentials. Open the Security Hub console at https://console.aws.amazon.com/securityhub/v2/home
. -
From the Security Hub homepage, select Security Hub, and choose Get started.
-
Choose Enable.
After you enable Security Hub, a service-linked role called AWSServiceRoleForSecurityHubV2 and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For more information, see Considerations for service-linked configuration recorders.