Enabling central configuration in Security Hub - AWS Security Hub

Enabling central configuration in Security Hub

The delegated AWS Security Hub administrator account can use central configuration to configure Security Hub, standards, and controls for multiple accounts and organizational units (OUs) across AWS Regions.

For background information about the benefits of central configuration and how it works, see Understanding central configuration in Security Hub.

This section explains prerequisites for central configuration and how to begin using it.

Prerequisites for central configuration

Before you can start using central configuration, you must integrate Security Hub with AWS Organizations and designate a home Region. If you use the Security Hub console, these prerequisites are included in the opt-in workflow for central configuration.

Integrate with Organizations

You must integrate Security Hub and Organizations to use central configuration.

To integrate these services, you begin by creating an organization in Organizations. From the Organizations management account, you then designate a Security Hub delegated administrator account. For instructions, see Integrating Security Hub with AWS Organizations.

Ensure that you designate your delegated administrator in your intended home Region. When you start using central configuration, the same delegated administrator is automatically set in all linked Regions as well. The Organizations management account cannot be set as the delegated administrator account.

Important

When you use central configuration, you can't use the Security Hub console or Security Hub APIs to change or remove the delegated administrator account. If the Organizations management account uses AWS Organizations APIs to change or remove the Security Hub delegated administrator, Security Hub automatically stops central configuration. Your configuration policies are also disassociated and deleted. Member accounts retain the configuration that they had before the delegated administrator was changed or removed.

Designate a home Region

You must designate a home Region to use central configuration. The home Region is the Region from which the delegated administrator configures the organization.

Note

The home Region cannot be a Region that AWS has designated as an opt-in Region. An opt-in Region is disabled by default. For a list of opt-in Regions, see Considerations before enabling and disabling Regions in the AWS Account Management Reference Guide.

Optionally, you can specify one or more linked Regions that are configurable from the home Region.

The delegated administrator can create and manage configuration policies only from the home Region. Configuration policies take effect in the home Region and all linked Regions. You can't create a configuration policy that applies to only a subset of these Regions. The exception to this is controls that involve global resources. If you use central configuration, Security Hub automatically disables controls that involve global resources in all Regions except the home Region. For more information, see Controls that use global resources.

The home Region is also your Security Hub aggregation Region that receives findings, insights, and other data from linked Regions.

If you have already set an aggregation Region for cross-Region aggregation, then that's your default home Region for central configuration. You can change the home Region before you start to use central configuration by deleting your current finding aggregator and creating a new one in your desired home Region. A finding aggregator is a Security Hub resource that specifies the home Region and linked Regions.

To designate a home Region, see the steps for setting an aggregation Region. If you already have a home Region, you can invoke the GetFindingAggregator API to see details about it, including which Regions currently are linked to it.

Instructions for enabling central configuration

Choose your preferred method, and follow the steps to enable central configuration for your organization.

Security Hub console
To enable central configuration (console)
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Settings and Configuration. Then, choose Start central configuration.

    If you're onboarding to Security Hub, choose Go to Security Hub.

  3. On the Designate delegated administrator page, select your delegated administrator account or enter its account ID. If applicable, we recommend choosing the same delegated administrator that you have set for other AWS security and compliance services. Choose Set delegated administrator.

  4. On the Centralize organization page, in the Regions section, select your home Region. You must be signed in to the home Region to proceed. If you've already set an aggregation Region for cross-Region aggregation, it's displayed as the home Region. To change the home Region, choose Edit Region settings. You can then select your preferred home Region and return to this workflow.

  5. Select at least one Region to link to the home Region. Optionally, choose whether you want to automatically link future supported Regions to the home Region. The Regions you select here will be configurable from the home Region by the delegated administrator. Configuration policies take effect in your home Region and all linked Regions.

  6. Choose Confirm and continue.

  7. You can now use central configuration. Continue following the console prompts to create your first configuration policy. If you're not ready to create a configuration policy yet, choose I'm not ready to configure yet. You can create a policy later by choosing Settings and Configuration in the navigation pane. For instructions on creating a configuration policy, see Creating and associating configuration policies.

Security Hub API
To enable central configuration (API)
  1. Using the credentials of the delegated administrator account, invoke the UpdateOrganizationConfiguration API from the home Region.

  2. Set the AutoEnable field to false.

  3. Set the ConfigurationType field in the OrganizationConfiguration object to CENTRAL. This action has the following impact:

    • Designates the calling account as the Security Hub delegated administrator in all linked Regions.

    • Enables Security Hub in the delegated administrator account in all linked Regions.

    • Designates the calling account as the Security Hub delegated administrator for new and existing accounts that use Security Hub and belong to the organization. This occurs in the home Region and all linked Regions. The calling account is set as the delegated administrator for new organization accounts only if they are associated with a configuration policy that has Security Hub enabled. The calling account is set as the delegated administrator for existing organization accounts only if they already have Security Hub enabled.

    • Sets AutoEnable to false in all linked Regions, and sets AutoEnableStandards to NONE in the home Region and all linked Regions. These parameters aren't relevant in the home and linked Regions when you use central configuration, but you can automatically enable Security Hub and default security standards in organization accounts through the use of configuration policies.

  4. You can now use central configuration. The delegated administrator can create configuration policies to configure Security Hub in your organization. For instructions on creating a configuration policy, see Creating and associating configuration policies.

Example API request:

{
  "AutoEnable": false,
  "OrganizationConfiguration": {
    "ConfigurationType": "CENTRAL"
  }
}

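The following Python script is an added example, not AWS code: it runs the prerequisite checks above (a finding aggregator exists, the caller is in the home Region, the home Region is not an opt-in Region) and then sends the same UpdateOrganizationConfiguration request, skipping the call if the organization is already CENTRAL. The opt_in_regions parameter and the FakeSecurityHub class are assumptions constructed for offline demonstration; with boto3, pass a securityhub client created in the home Region instead.

```python
"""Added example (not AWS code): enable Security Hub central configuration from
the home Region after checking the prerequisites above. Runs against a boto3
securityhub client or, offline, against the constructed FakeSecurityHub below."""

def build_request() -> dict:
    # The same request body the page shows for UpdateOrganizationConfiguration.
    return {"AutoEnable": False,
            "OrganizationConfiguration": {"ConfigurationType": "CENTRAL"}}

def check_home_region(agg: dict, caller_region: str, opt_in_regions=frozenset()) -> list:
    """Prerequisite problems in a GetFindingAggregator response. opt_in_regions is a
    placeholder to fill from the AWS Account Management Reference Guide's list."""
    home = agg.get("FindingAggregationRegion")
    problems = []
    if home != caller_region:  # policies are managed only from the home Region
        problems.append(f"call from the home Region {home}, not {caller_region}")
    if home in opt_in_regions:
        problems.append(f"{home} is an opt-in Region and cannot be the home Region")
    return problems

def enable_central_configuration(client, caller_region: str, opt_in_regions=frozenset()) -> dict:
    """Idempotent: calls UpdateOrganizationConfiguration only when not already CENTRAL."""
    aggs = client.list_finding_aggregators().get("FindingAggregators", [])
    if not aggs:
        raise RuntimeError("no finding aggregator: set an aggregation Region first")
    agg = client.get_finding_aggregator(FindingAggregatorArn=aggs[0]["FindingAggregatorArn"])
    problems = check_home_region(agg, caller_region, opt_in_regions)
    if problems:
        raise RuntimeError("; ".join(problems))
    org = client.describe_organization_configuration().get("OrganizationConfiguration", {})
    already = org.get("ConfigurationType") == "CENTRAL"
    if not already:
        client.update_organization_configuration(**build_request())
    return {"changed": not already, "home_region": agg["FindingAggregationRegion"],
            "linked_regions": list(agg.get("Regions", []))}

class FakeSecurityHub:
    """Constructed stand-in for the boto3 client; offline demonstration only."""
    def __init__(self, home, linked, config_type="LOCAL"):
        self.arn, self.home, self.linked = "arn:placeholder", home, linked
        self.config_type, self.calls = config_type, []
    def list_finding_aggregators(self):
        return {"FindingAggregators": [{"FindingAggregatorArn": self.arn}]}
    def get_finding_aggregator(self, FindingAggregatorArn):
        return {"FindingAggregationRegion": self.home, "Regions": self.linked}
    def describe_organization_configuration(self):
        return {"OrganizationConfiguration": {"ConfigurationType": self.config_type}}
    def update_organization_configuration(self, **kw):
        self.calls.append(kw)
        self.config_type = kw["OrganizationConfiguration"]["ConfigurationType"]
```

Running it twice against the same client shows the second call is a no-op, which is what you want from a script that lives in a deployment pipeline.
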
AWS CLI
To enable central configuration (AWS CLI)
  1. Using the credentials of the delegated administrator account, run the update-organization-configuration command from the home Region.

  2. Include the no-auto-enable parameter.

  3. Set the ConfigurationType field in the organization-configuration object to CENTRAL. This action has the following impact:

    • Designates the calling account as the Security Hub delegated administrator in all linked Regions.

    • Enables Security Hub in the delegated administrator account in all linked Regions.

    • Designates the calling account as the Security Hub delegated administrator for new and existing accounts that use Security Hub and belong to the organization. This occurs in the home Region and all linked Regions. The calling account is set as the delegated administrator for new organization accounts only if they are associated with a configuration policy that has Security Hub enabled. The calling account is set as the delegated administrator for existing organization accounts only if they already have Security Hub enabled.

    • Sets the auto-enablement option to no-auto-enable in all linked Regions, and sets auto-enable-standards to NONE in the home Region and all linked Regions. These parameters aren't relevant in the home and linked Regions when you use central configuration, but you can automatically enable Security Hub and default security standards in organization accounts through the use of configuration policies.

  4. You can now use central configuration. The delegated administrator can create configuration policies to configure Security Hub in your organization. For instructions on creating a configuration policy, see Creating and associating configuration policies.

Example command:

aws securityhub --region us-east-1 update-organization-configuration \
    --no-auto-enable \
    --organization-configuration '{"ConfigurationType": "CENTRAL"}'