Verifying necessary permissions Enabling Security Hub with Organizations integration Enabling Security Hub manually Next steps: Posture management and integrations

Enabling Security Hub

There are two ways to enable AWS Security Hub, by integrating with AWS Organizations or manually.

We strongly recommend integrating with Organizations for multi-account and multi-Region environments. If you have a standalone account, it's necessary to set up Security Hub manually.

Verifying necessary permissions

After you sign up for Amazon Web Services (AWS), you must enable Security Hub to use its capabilities and features. To enable Security Hub, you first have to set up permissions that allow you to access the Security Hub console and API operations. You or your AWS administrator can do this by using AWS Identity and Access Management (IAM) to attach the AWS managed policy called AWSSecurityHubFullAccess to your IAM identity.

To enable and manage Security Hub through the Organizations integration, you also should attach the AWS managed policy called AWSSecurityHubOrganizationsAccess.

For more information, see AWS managed policies for AWS Security Hub.

Enabling Security Hub with Organizations integration

To start using Security Hub with AWS Organizations, the AWS Organizations management account for the organization designates an account as the delegated Security Hub administrator account for the organization. Security Hub is automatically enabled in the delegated administrator account in the current Region.

Choose your preferred method, and follow the steps to designate the delegated administrator.

For more information about the integration with Organizations, see Integrating Security Hub with AWS Organizations.

Central configuration

When you integrate Security Hub and Organizations, you have the option to use a feature called central configuration to set up and manage Security Hub for your organization. We strongly recommend using central configuration because it lets the administrator customize security coverage for the organization. Where appropriate, the delegated administrator can allow a member account to configure its own security coverage settings.

Central configuration lets the delegated administrator configure Security Hub across accounts, OUs, and AWS Regions. The delegated administrator configures Security Hub by creating configuration policies. Within a configuration policy, you can specify the following settings:

Whether Security Hub is enabled or disabled
Which security standards are enabled and disabled
Which security controls are enabled and disabled
Whether to customize parameters for select controls

As the delegated administrator, you can create a single configuration policy for your entire organization or different configuration policies for your various accounts and OUs. For example, test accounts and production accounts can use different configuration policies.

Member accounts and OUs that use a configuration policy are centrally managed and can be configured only by the delegated administrator. The delegated administrator can designate specific member accounts and OUs as self-managed to give the member the ability to configure its own settings on a Region-by-Region basis.

If you don't use central configuration, you must largely configure Security Hub separately in each account and Region. This is called local configuration. Under local configuration, the delegated administrator can automatically enable Security Hub and a limited set of security standards in new organization accounts in the current Region. Local configuration doesn't apply to existing organization accounts or to Regions other than the current Region. Local configuration also doesn't support the use of configuration policies.

Enabling Security Hub manually

You must enable Security Hub manually if you have a standalone account, or if you don't integrate with AWS Organizations. Standalone accounts can't integrate with AWS Organizations and must use manual enablement.

When you enable Security Hub manually, you designate a Security Hub administrator account and invite other accounts to become member accounts. The administrator-member relationship is established when a prospective member account accepts the invitation.

Choose your preferred method, and follow the steps to enable Security Hub. When you enable Security Hub from the console, you also have the option to enable the supported security standards.

Security Hub console

Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.
When you open the Security Hub console for the first time, choose Go to Security Hub.
On the welcome page, the Security standards section lists the security standards that Security Hub supports.

Select the check box for a standard to enable it, and clear the check box to disable it.

You can enable or disable a standard or its individual controls at any time. For information about managing security standards, see Understanding security standards in Security Hub.
Choose Enable Security Hub.

Security Hub API

Invoke the EnableSecurityHub API. When you enable Security Hub from the API, it automatically enables the following default security standards:

AWS Foundational Security Best Practices
Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0

If you do not want to enable these standards, then set EnableDefaultStandards to false.

You can also use the Tags parameter to assign tag values to the hub resource.

AWS CLI

Run the enable-security-hub command. To enable the default standards, include --enable-default-standards. To not enable the default standards, include --no-enable-default-standards. The default security standards are as follows:

AWS Foundational Security Best Practices
Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0


aws securityhub enable-security-hub [--tags <tag values>] [--enable-default-standards | --no-enable-default-standards]

Example


aws securityhub enable-security-hub --enable-default-standards --tags '{"Department": "Security"}'

Multi-account enablement script

Note

Instead of this script, we recommend using central configuration to enable and configure Security Hub across multiple accounts and Regions.

The Security Hub multi-account enablement script in GitHub allows you to enable Security Hub across accounts and Regions. The script also automates the process of sending invitations to member accounts and enabling AWS Config.

The script automatically enables AWS Config resource recording for all resources, including global resources, in all Regions. It does not limit recording of global resources to a single Region. To conserve costs, we recommend recording global resources in a single Region only. If you use central configuration or cross-Region aggregation, this should be your home Region. For more information, see Recording resources in AWS Config.

There is a corresponding script to disable Security Hub across accounts and Regions.

Next steps: Posture management and integrations

After enabling Security Hub, we recommend enabling security standards and controls to monitor your security posture. After you enable controls, Security Hub begins running security checks and generating control findings that help you detect misconfigurations in your AWS environment. To receive control findings, you must enable and configure AWS Config for Security Hub. For more information, see Enabling and configuring AWS Config for Security Hub.

After enabling Security Hub, you can also leverage integrations between Security Hub and other AWS services and third-party solutions to see their findings in Security Hub. Security Hub aggregates findings from different sources and ingests them in a consistent format. For more information, see Understanding integrations in Security Hub.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Security Hub concepts

Configuring AWS Config for Security Hub