Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Enabling and configuring AWS Config for Security Hub

PDF
RSS
Focus mode
Enabling and configuring AWS Config for Security Hub - AWS Security Hub
Considerations before enabling and configuring AWS ConfigRecording resources in AWS ConfigWays to enable and configure AWS ConfigConfig.1 controlGenerating the service-linked rulesCost considerations

AWS Security Hub uses AWS Config rules to run security checks and generate findings for most controls. AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. It uses rules to establish a baseline configuration for your resources and a configuration recorder to detect whether a particular resource violates the conditions of a rule. Some rules, called AWS Config managed rules, are predefined and developed by AWS Config. Other rules are AWS Config custom rules that Security Hub develops.

AWS Config rules that Security Hub uses for controls are referred to as service-linked rules. Service-linked rules allow AWS services such as Security Hub to create AWS Config rules in your account.

To receive control findings in Security Hub, you must enable AWS Config in your account and turn on recording for resources that your enabled controls evaluate. This page explains how to enable AWS Config for Security Hub and turn on resource recording.

Considerations before enabling and configuring AWS Config

To receive control findings in Security Hub, your account must have AWS Config enabled in each AWS Region where Security Hub is enabled. If you use Security Hub for a multi-account environment, AWS Config must be enabled in each Region for the administrator account and all member accounts.

We strongly recommend that you turn on resource recording in AWS Config before you enable any Security Hub standards and controls. This helps you ensure that your control findings are accurate.

To turn on resource recording in AWS Config, you must have sufficient permissions to record resources in the AWS Identity and Access Management (IAM) role that is attached to the configuration recorder. In addition, make sure there is no IAM policy or policy managed in AWS Organizations that prevents AWS Config from having permission to record your resources. Security Hub control checks evaluate the configuration of a resource directly and don’t take AWS Organizations policies into account. For more information about AWS Config recording, see Working with the configuration recorder in the AWS Config Developer Guide.

If you enable a standard in Security Hub but haven't enabled AWS Config, Security Hub tries to create AWS Config rules according to the following schedule:

  • On the day that you enable the standard.

  • The day after you enable the standard.

  • 3 days after you enable the standard.

  • 7 days after you enable the standard, and continuously every 7 days thereafter.

If you use central configuration, Security Hub also tries to create service-linked AWS Config rules each time you associate a configuration policy that enables one or more standards with accounts, organizational units (OUs), or the root.

Recording resources in AWS Config

When you enable AWS Config, you must specify which AWS resources you want the AWS Config configuration recorder to record. Through the service-linked rules, the configuration recorder allows Security Hub to detect changes to your resource configurations.

For Security Hub to generate accurate control findings, you must turn on recording in AWS Config for the resources that correspond to your enabled controls. It's primarily enabled controls with a change triggered schedule type that require resource recording. Some controls with a periodic schedule type also require resource recording. For a list of these controls and their corresponding resources, see Required AWS Config resources for Security Hub control findings.

Warning

If you don't configure AWS Config recording correctly for Security Hub controls, it can result in inaccurate control findings, particularly in the following instances:

  • You never recorded the resource for a given control, or you disabled recording of a resource before creating that type of resource. In these cases, you receive a WARNING finding for the control at issue, even though you might have created resources in scope of the control after you disabled recording. This WARNING finding is a default finding that doesn't actually evaluate the configuration state of the resource.

  • You disable recording for a resource that's evaluated by a particular control. In this case, Security Hub retains the control findings that were generated before you disabled recording, even though the control isn't evaluating new or updated resources. Security Hub also changes the compliance status of the findings to WARNING. These retained findings might not accurately reflect a resource's current configuration state.

By default, AWS Config records all supported Regional resources that it discovers in the AWS Region in which it is running. To receive all Security Hub control findings, you must also configure AWS Config to record global resources. To conserve costs, we recommend recording global resources in a single Region only. If you use central configuration or cross-Region aggregation, this Region should be your home Region.

In AWS Config, you can choose between continuous recording and daily recording of changes in resource state. If you choose daily recording, AWS Config delivers resource configuration data at the end of each 24–hour period if there are changes in resource state. If there are no changes, no data is delivered. This can delay the generation of Security Hub findings for change-triggered controls until a 24–hour period is complete.

For more information about AWS Config recording, see Recording AWS resources in the AWS Config Developer Guide.

Ways to enable and configure AWS Config

You can enable AWS Config and turn on resource recording in any of the following ways:

  • AWS Config console – You can enable AWS Config for an account by using the AWS Config console. For instructions, see Setting up AWS Config with the console in the AWS Config Developer Guide.

  • AWS CLI or SDKs – You can enable AWS Config for an account by using the AWS Command Line Interface (AWS CLI). For instructions, see Setting up AWS Config with the AWS CLI in the AWS Config Developer Guide. AWS software development kits (SDKs) are also available for many programming languages.

  • CloudFormation template – To enable AWS Config for many accounts, we recommend using the AWS CloudFormation template named Enable AWS Config. To access this template, see AWS CloudFormation StackSet sample templates in the AWS CloudFormation User Guide.

    By default, this template excludes recording for IAM global resources. Ensure that you turn on recording for IAM global resources in only one AWS Region to conserve recording costs. If you have cross-Region aggregation enabled, this should be your Security Hub home Region. Otherwise, it can be any Region that Security Hub is available in that supports recording of IAM global resources. We recommend running one StackSet to record all resources, including IAM global resources, in the home Region or other selected Region. Then, run a second StackSet to record all resources except IAM global resources in other Regions.

  • GitHub script – Security Hub offers a GitHub script that enables Security Hub and AWS Config for multiple accounts across Regions. This script is useful if you haven't integrated with AWS Organizations, or you have some member accounts that aren't part of an organization.

For more information, see the following blog post on the AWS Security blog: Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture.

Config.1 control

In Security Hub, the Config.1 control generates FAILED findings in your account if AWS Config is disabled. It also generates FAILED findings in your account if AWS Config is enabled but resource recording isn't turned on.

If AWS Config is enabled and resource recording is turned on, but resource recording isn't turned on for a type of resource that an enabled control checks, Security Hub generates a FAILED finding for the Config.1 control. In addition to this FAILED finding, Security Hub generates WARNING findings for the enabled control and the types of resources that the control checks. For example, if you enable the KMS.5 control and resource recording isn't turned on for AWS KMS keys, Security Hub generates a FAILED finding for the Config.1 control. Security Hub also generates WARNING findings for the KMS.5 control and your KMS keys.

To receive a PASSED finding for the Config.1 control, turn on resource recording for all the resource types that correspond to enabled controls. Also disable controls that aren't required for your organization. This helps ensure that you don't have configuration gaps in your security control checks. It also helps ensure that you receive accurate findings about misconfigured resources.

If you're the delegated Security Hub administrator for an organization, AWS Config recording must be configured correctly for your account and your member accounts. If you use cross-Region aggregation, AWS Config recording must be configured correctly in the home Region and all linked Regions. Global resources do not need to be recorded in linked Regions.

Generating the service-linked rules

For every control that uses a service-linked AWS Config rule, Security Hub creates instances of the required rule in your AWS environment.

These service-linked rules are specific to Security Hub. Security Hub creates these service-linked rules even if other instances of the same rules already exist. The service-linked rule adds securityhub before the original rule name and a unique identifier after the rule name. For example, for the AWS Config managed rule vpc-flow-logs-enabled, the service-linked rule name might be securityhub-vpc-flow-logs-enabled-12345.

There are quotas for the number of AWS Config managed rules that can be used to evaluate controls. Custom AWS Config rules that Security Hub creates don't count towards those quotas. You can enable a security standard even if you've already reached the AWS Config quota for managed rules in your account. To learn more about quotas for AWS Config rules, see Service limits for AWS Config in the AWS Config Developer Guide.

Cost considerations

Security Hub can impact your AWS Config configuration recorder costs by updating the AWS::Config::ResourceCompliance configuration item. Updates can occur each time a Security Hub control associated with an AWS Config rule changes compliance state, is enabled or disabled, or has parameter updates. If you use the AWS Config configuration recorder only for Security Hub, and don't use this configuration item for other purposes, we recommend turning off recording for it in AWS Config. This can reduce your AWS Config costs. You don't need to record AWS::Config::ResourceCompliance for security checks to work in Security Hub.

For information about the costs associated with resource recording, see AWS Security Hub pricing and AWS Config pricing.

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.