Enabling Security Hub - AWS Security Hub
Enable Security Hub for an organizationEnable Security Hub for the delegated administratorEnable Security Hub for a standalone account

Enabling Security Hub

Note

Security Hub is in preview release and is subject to change.

You can enable Security Hub for any AWS account. The procedures in this topic describe how to enable Security Hub from an AWS organization management account, a delegated administrator account, and a standalone account.

Note

After you enable Security Hub, exposures in your environment are analyzed immediately. However, you can wait up to 6 hours to receive an exposure finding for a resource.

Enable Security Hub for an organization

The procedure in this section describes how to enable Security Hub for the AWS organization management account. The procedure assumes you have set a delegated administrator for Security Hub CSPM and includes a step where you can set a delegated administrator for your organization in Security Hub. For more information about setting a delegated administrator in Security Hub, see Setting a delegated administrator account in Security Hub.

If you decide to set a delegated administrator for Security Hub during enablement, you will need to create a resource policy in the AWS Organizations console allowing the delegated administrator to perform actions on behalf of your organization. You can use the following sample resource policy for the delegated administrator account. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::delegated-administrator-account-id:root"
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:CreatePolicy",
        "organizations:DetachPolicy",
        "organizations:DeletePolicy",
        "organizations:UpdatePolicy",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:DisablePolicyType",
        "organizations:EnablePolicyType"
      ],
      "Resource": "*"
    }
  ]
}

If you do not set a delegated administrator, you can set a delegated administrator later. For more information, see Setting a delegated administrator account in Security Hub. The topic includes a procedure that describes how to set a delegated administrator for your organization from the General page in the Security Hub console.

The following procedure describes how to set a delegated administrator account for your organization in Security Hub.

To enable Security Hub for an AWS organization management account

  1. Sign in to your AWS account with your AWS organization management account credentials. Open the Security Hub console at https://console.aws.amazon.com/securityhub/v2/home.

  2. From the Security Hub homepage, select Security Hub. Choose Get started.

  3. (Optional) For Delegated administrator account, set a delegated administrator based on the options provided. As a best practice, we recommend using the same delegated administrator across security services for consistent governance. For more information about setting a delegated administrator account, see Setting a delegated administrator account in Security Hub.

  4. (Optional) For Account enablement, select the box to enable Security Hub for your AWS account.

  5. Choose Copy and attach to open organization settings. In the Organizations console, select Delegate under Delegated administrator for AWS Organizations, and paste the resource policy. Choose Create Policy.

  6. Go to the Security Hub console. Choose Configure.

When you enable Security Hub, a service-linked role called AWSServiceRoleForSecurityHubV2 is created in your account, and a service-linked recorder is added to your account. A service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage. A service linked recorder is configured per AWS account and AWS Region.

Note

If you set a delegated administrator, the delegated administrator can create and apply a policy allowing it to enable and disable member accounts for Security Hub. For more information, see Creating a policy as the delegated administrator to manage member accounts.

Enable Security Hub for the delegated administrator

If the AWS organization management account sets a delegated administrator for their organization, the delegated administrator must enable Security Hub for their account. The following procedure must be completed by the delegated administrator, but only if the delegated administrator hasn't enabled Security Hub for their account. For information about setting a delegated administrator, see Setting a delegated administrator account in Security Hub.

To enable Security Hub for a delegated administrator account

  1. Sign in to your AWS account with your delegated administrator credentials, and open the Security Hub console at https://console.aws.amazon.com/securityhub/v2/home.

  2. From the Security Hub homepage, select Security Hub, and choose Get started.

  3. Choose Enable.

  4. (Optional) For Tags, determine whether to add a key-value pair to the account setup.

  5. Choose Go to Security Hub.

When you enable Security Hub, a service-linked role called AWSServiceRoleForSecurityHubV2 is created in your account, and a service-linked recorder is added to your account. A service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage. A service linked recorder is configured per AWS account and AWS Region.

Note

As the delegated administrator for an organization, you can create and apply a policy allowing you to enable and disable member accounts for Security Hub. For more information, see Creating a policy as the delegated administrator to manage member accounts.

Enable Security Hub for a standalone account

The following procedure describes how to enable Security Hub for a standalone account. There are two types of standalone accounts that can enable Security Hub: an AWS account not inside of an organization and an AWS account inside of an organization. An AWS account inside of an AWS organization can be an AWS account where a delegated administrator attaches AWS Organizations policy to the AWS account. For more information, see Security Hub policies in the AWS Organizations User Guide.

To enable Security Hub for a standalone account

  1. Sign in to your AWS account with your credentials, and open the Security Hub console at https://console.aws.amazon.com/securityhub/v2/home.

  2. From the Security Hub homepage, select Security Hub, and choose Get started.

  3. Choose Enable.

When you enable Security Hub, a service-linked role called AWSServiceRoleForSecurityHubV2 is created in your account, and a service-linked recorder is added to your account. A service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage. A service linked recorder is configured per AWS account and AWS Region.