Enabling and configuring AWS Config for Security Hub
AWS Security Hub uses AWS Config rules to run security checks and generate findings for most controls. AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. It uses rules to establish a baseline configuration for your resources and a configuration recorder to detect whether a particular resource violates the conditions of a rule. Some rules, called AWS Config managed rules, are predefined and developed by AWS Config. Other rules are AWS Config custom rules that Security Hub develops.
AWS Config rules that Security Hub uses for controls are referred to as service-linked rules. Service-linked rules allow AWS services such as Security Hub to create AWS Config rules in your account.
To receive control findings in Security Hub, you must enable AWS Config in your account and turn on recording for resources that your enabled controls evaluate.
This page explains how to enable AWS Config for Security Hub and turn on resource recording.
Considerations before enabling and configuring AWS Config
To receive control findings in Security Hub, your account must have AWS Config enabled in each AWS Region where Security Hub is enabled. If you use Security Hub for a multi-account environment, AWS Config must be enabled in each Region in the administrator account and all member accounts.
We strongly recommend that you turn on resource recording in AWS Config before you enable any Security Hub standards and controls. This helps you ensure that your control findings are accurate.
To turn on resource recording in AWS Config, you must have sufficient permissions to record resources in the AWS Identity and Access Management (IAM) role that is attached to the configuration recorder. In addition, make sure there is no IAM policy or policy managed in AWS Organizations that prevents AWS Config from having permission to record your resources. Security Hub control checks directly evaluate the configuration of a resource and don’t take Organizations policies into account. For more information about AWS Config recording, see List of AWS Config Managed Rules – Considerations in the AWS Config Developer Guide.
If you enable a standard in Security Hub but haven't enabled AWS Config, Security Hub tries to create AWS Config rules according to the following schedule:
- On the day you enable the standard
- The day after you enable the standard
- 3 days after you enable the standard
- 7 days after you enable the standard (and continuously every 7 days thereafter)
If you use central configuration, Security Hub also tries to create the AWS Config service-linked rules each time that you associate a configuration policy that enables one or more standards with accounts, organizational units (OUs), or the root.
Recording resources in AWS Config
When enabling AWS Config, you must specify which AWS resources you want the AWS Config configuration recorder to record. Through the service-linked rules, the configuration recorder allows Security Hub to detect changes in your resource configurations.
In order for Security Hub to generate accurate control findings, you must turn on recording in AWS Config for the resources that correspond to your enabled controls. It's primarily enabled controls with a change-triggered schedule type that require resource recording. For a list of controls and their related AWS Config resources, see Required AWS Config resources for Security Hub control findings.
Warning
If you don't correctly configure AWS Config recording for Security Hub controls, it can result in inaccurate control findings, particularly in the following instances:
- You never recorded the resource for a given control, disabled recording of a resource before creating that resource type, or attached an IAM role to the configuration recorder that didn't provide permissions to record the resource. In these cases, you receive a PASSED finding for the control at issue, even though you might have created resources in scope of the control after you disabled recording. This PASSED finding is a default finding that doesn't actually evaluate the configuration state of the resource.
- You disable recording of a resource that is evaluated by a particular control. In this case, Security Hub retains the control findings that were generated before you disabled recording, even though the control isn't evaluating new or updated resources. These retained findings might not accurately reflect a resource's current configuration state.
By default, AWS Config records all supported Regional resources that it discovers in the AWS Region in which it is running. To receive all Security Hub control findings, you must also configure AWS Config to record global resources. To conserve costs, we recommend recording global resources in a single Region only. If you use central configuration or cross-Region aggregation, this Region should be your home Region.
In AWS Config, you can choose between continuous recording and daily recording of changes in resource state. If you choose daily recording, AWS Config delivers resource configuration data at the end of each 24-hour period if there are changes in resource state. If there are no changes, no data is delivered. This can delay the generation of Security Hub findings for change-triggered controls until a 24-hour period is complete.
For more information about AWS Config recording, see Recording AWS resources in the AWS Config Developer Guide.
Ways to enable and configure AWS Config
You can enable AWS Config and turn on resource recording in one of the following ways:
- AWS Config console – You can enable AWS Config for an account by using the AWS Config console. For instructions, see Setting up AWS Config with the console in the AWS Config Developer Guide.
- AWS CLI or SDKs – You can enable AWS Config for an account by using the AWS Command Line Interface (AWS CLI). For instructions, see Setting up AWS Config with the AWS CLI in the AWS Config Developer Guide. AWS software development kits (SDKs) are also available for many programming languages.
- CloudFormation template – If you want to enable AWS Config for a large number of accounts, we recommend using the AWS CloudFormation template named Enable AWS Config. To access this template, see AWS CloudFormation StackSets sample templates in the AWS CloudFormation User Guide.
  By default, this template excludes recording for IAM global resources. Ensure that you turn on recording for IAM global resources in one Region only to conserve recording costs. If you have cross-Region aggregation enabled, this should be your Security Hub home Region. Otherwise, it can be any AWS Region that Security Hub is available in that supports recording of IAM global resources. We recommend running one StackSet to record all resources, including IAM global resources, in the home Region or other selected Region. Then, run a second StackSet to record all resources except IAM global resources in other Regions.
- GitHub script – Security Hub offers a GitHub script that enables Security Hub and AWS Config for multiple accounts across Regions. This script is useful if you haven't integrated with Organizations or if you have some member accounts that aren't part of an organization.
For more information, see Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture.
Config.1 control
The Security Hub control Config.1 generates FAILED findings in your account if AWS Config is disabled or if you don't have resource recording turned on for enabled controls. If you are the delegated Security Hub administrator for an organization, AWS Config recording must be correctly configured in your account and member accounts. If you use cross-Region aggregation, AWS Config recording must be correctly configured in the home Region and all linked Regions (global resources need not be recorded in linked Regions).
To receive a PASSED finding for Config.1, turn on resource recording for all resources that correspond to enabled Security Hub controls, and disable controls that aren't required in your organization. This helps to ensure that you don't have configuration gaps in your security control checks and are receiving accurate findings about misconfigured resources.
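As an added example (not AWS code), the following Python resolves a recorder's recordingGroup, in the shape that describe_configuration_recorders returns, to the resource types it actually records, and reports the gaps against the resource types enabled controls need, treating global resource types as required only in the home Region, as the Config.1 text above states. The control-to-resource mapping is a constructed sample, not the official list.

```python
# Constructed sample mapping of enabled controls to the resource types they
# evaluate; check real mappings against "Required AWS Config resources for
# Security Hub control findings".
ENABLED_CONTROLS = {
    "EC2.6": {"AWS::EC2::VPC"},    # vpc-flow-logs-enabled, change-triggered
    "IAM.8": {"AWS::IAM::User"},   # a global resource type
    "S3.2": {"AWS::S3::Bucket"},
    "Config.1": set(),             # evaluates the recorder itself, no resource type
}
# IAM global resource types; recording them is only expected in the home Region.
GLOBAL_TYPES = {"AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"}

def effective_types(group, supported):
    """Resolve a recordingGroup (shape of describe_configuration_recorders output)
    to the set of resource types it actually records."""
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:  # legacy recorder without an explicit strategy
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES" if group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        types = set(supported)
        if not group.get("includeGlobalResourceTypes"):
            types -= GLOBAL_TYPES
        return types
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        return set(group.get("resourceTypes", []))
    # EXCLUSION_BY_RESOURCE_TYPES: all supported types, global ones included, minus exclusions
    excluded = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
    return set(supported) - excluded

def recording_gaps(recorder, controls, supported, is_home_region):
    """Return {control: needed resource types the recorder does not record}.
    Global types are not required outside the home Region."""
    recorded = effective_types(recorder.get("recordingGroup", {}), supported)
    gaps = {}
    for control, needed in controls.items():
        if not is_home_region:
            needed = needed - GLOBAL_TYPES
        missing = needed - recorded
        if missing:
            gaps[control] = missing
    return gaps

def is_daily(recorder):
    """True when the recorder delivers daily, which can delay change-triggered findings."""
    return recorder.get("recordingMode", {}).get("recordingFrequency") == "DAILY"
```

Feed it the recorder dict from describe_configuration_recorders for each Region (home and linked) and the set of resource types AWS Config supports there; any non-empty result is a gap Config.1 would flag.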
Generating the service-linked rules
For every control that uses an AWS Config service-linked rule, Security Hub creates instances of the required rule in your AWS environment.
These service-linked rules are specific to Security Hub. Security Hub creates these service-linked rules even if other instances of the same rules already exist. The service-linked rule adds securityhub before the original rule name and a unique identifier after the rule name. For example, for the AWS Config managed rule vpc-flow-logs-enabled, the service-linked rule name would be something like securityhub-vpc-flow-logs-enabled-12345.
There are limits on the number of AWS Config managed rules that can be used to evaluate controls. Custom AWS Config rules that Security Hub creates don't count towards that limit. You can enable a security standard even if you've already reached the AWS Config limit for managed rules in your account. To learn more about AWS Config rule limits, see Service limits for AWS Config in the AWS Config Developer Guide.
Cost considerations
Security Hub can impact your AWS Config configuration recorder costs by updating the AWS::Config::ResourceCompliance configuration item. Updates can occur each time a Security Hub control associated with an AWS Config rule changes compliance state, is enabled or disabled, or has parameter updates. If you use the AWS Config configuration recorder only for Security Hub, and don't use this configuration item for other purposes, we recommend turning off recording for it in AWS Config. This can reduce your AWS Config costs. You don't need to record AWS::Config::ResourceCompliance for security checks to work in Security Hub.
For information about the costs associated with resource recording, see AWS Security Hub pricing.
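Putting the multi-Region guidance under Ways to enable and configure AWS Config together with the cost note above, this added example (not the Enable AWS Config template or any AWS code) builds the recorder's recordingGroup per Region and applies it with boto3's put_configuration_recorder: everything including IAM global resources in the home Region, IAM global resources excluded elsewhere, and AWS::Config::ResourceCompliance excluded in both. The home Region name, role ARN and recorder name are assumed values, and the recorder requires an existing delivery channel before it can be started.

```python
# IAM global resource types; record them in the home Region only.
IAM_GLOBAL_TYPES = ["AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"]

def recording_group_for(region, home_region, exclude_compliance_item=False):
    """recordingGroup payload for put_configuration_recorder. exclude_compliance_item
    drops AWS::Config::ResourceCompliance, which Security Hub checks do not need."""
    excluded = []
    if region != home_region:
        excluded += IAM_GLOBAL_TYPES
    if exclude_compliance_item:
        excluded.append("AWS::Config::ResourceCompliance")
    if not excluded:
        return {"allSupported": True, "includeGlobalResourceTypes": True,
                "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}}
    # EXCLUSION_BY_RESOURCE_TYPES records every supported type, global types included,
    # except those listed; allSupported is False with this strategy.
    return {"allSupported": False,
            "exclusionByResourceTypes": {"resourceTypes": excluded},
            "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}}

def apply_recorder(region, home_region, role_arn, recorder_name="default"):
    """Create or update and start the recorder in one Region with boto3. Assumes AWS
    credentials and a delivery channel already exist (required before starting)."""
    import boto3  # imported here so recording_group_for stays usable offline
    cfg = boto3.client("config", region_name=region)
    cfg.put_configuration_recorder(ConfigurationRecorder={
        "name": recorder_name, "roleARN": role_arn,
        "recordingGroup": recording_group_for(region, home_region, True)})
    cfg.start_configuration_recorder(ConfigurationRecorderName=recorder_name)

if __name__ == "__main__":
    # Assumed example values: home Region us-east-1; a linked Region for comparison.
    for r in ["us-east-1", "eu-west-1"]:
        print(r, recording_group_for(r, "us-east-1", exclude_compliance_item=True))
```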