

# Enabling Security Hub
<a name="securityhub-v2-enable"></a>

 You can enable Security Hub for any AWS account. This section of the documentation describes all the steps required to enable Security Hub for an AWS Organization, or a standalone account. 

## Enable Security Hub for an AWS Organization
<a name="securityhub-v2-enable-management-account"></a>

This section includes three steps: 
+  In **Step 1**, the AWS organization management account designates a delegated administrator for their AWS Organization, creates the delegated administrator policy, and optionally enables Security Hub for their own account. 
+  In **Step 2**, the delegated administrator for the organization enables Security Hub for their own account. 
+  In **Step 3**, the delegated administrator for the organization configures all member accounts in the organization, for Security Hub and other supported security services. 

### Step 1. Delegating an administrator account and optionally enabling Security Hub in the AWS organization management account
<a name="step-1"></a>

**Note**  
 This step only needs to be completed in one region of the organization management account. 

 When assigning the delegated administrator account for Security Hub, the account you can choose depends on how you have configured a delegated administrator for Security Hub CSPM. If you have configured a delegated administrator for Security Hub CSPM, and that account is not the organization management account, then that account is automatically set as the Security Hub delegated administrator and a different account cannot be chosen. If the delegated administrator account for Security Hub CSPM is set to the organization management account or is not set at all, you can choose which account will be your Security Hub delegated administrator account, except for the organization management account. 

 For information about designating a delegated administrator in Security Hub, see [Designating a delegated administrator account in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-set-da.html). For information about creating the delegated administrator policy in Security Hub, see [Creating the delegated administrator policy in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-policy-statement.html). 

**To designate an administrator for Security Hub**

1.  Sign in to your AWS account with your AWS organization management account credentials. Open the Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home). 

1.  From the Security Hub homepage, select **Security Hub**, and choose **Get started**. 

1.  In the **Delegated administrator** section, choose an administrator account based on the provided options. As a best practice, we recommend using the same delegated administrator across security services for consistent governance. 

1.  Choose the **Trusted access** checkbox. Choosing this option grants your delegated administrator account the ability to configure certain capabilities, such as GuardDuty Malware Protection, on member accounts. If you clear this option, Security Hub will not be able to enable these features on your behalf, and you will need to enable them directly through the service that the feature is associated with. 

1.  (Optional) For **Account enablement**, select the box to enable Security Hub for your AWS account. 

1.  For **Delegated administrator policy**, choose one of the following options to add the policy statement. 

   1.  (Option 1) Choose **Update this for me**. Select the box under the policy statement to confirm that Security Hub will automatically create a delegation policy granting all required permissions to the delegated administrator. 

   1.  (Option 2) Choose **I want to attach this manually**. Choose **Copy and attach**. In the AWS Organizations console, under **Delegated administrator for AWS Organizations**, choose **Delegate**, and paste the resource policy in the delegation policy editor. Choose **Create Policy**. Open the tab where you are in the Security Hub console. 

1.  Choose **Configure**. 

### Step 2. Enable Security Hub in the delegated administrator account
<a name="step-2"></a>

 The delegated administrator account completes this step. After the AWS Organization management account designates a delegated administrator for their organization, the delegated administrator must enable Security Hub for their own account before enabling for the entire AWS Organization. 

**To enable Security Hub in the delegated administrator account**

1.  Sign in to your AWS account with your delegated administrator credentials. Open the Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home). 

1.  From the Security Hub homepage, choose **Get started**. 

1.  The **Security capabilities** section outlines the capabilities that are automatically enabled and included in the base per-resource price of Security Hub. 

1.  (Optional) For **Tags**, determine whether to add a key-value pair to the account setup. 

1.  Choose **Enable Security Hub** to finish enabling Security Hub. 

1.  (Recommended) From the popup, choose **Configure my organization** and proceed to Step 3. 

 After you enable Security Hub, a service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For global resource types, an additional service-linked recorder is automatically created in the home region to record configuration changes for global resources, as AWS Config only records global resource types in their designated home region. For more information, see [Considerations for service-linked configuration recorders](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html#stop-start-recorder-considerations-service-linked) and [Recording regional and global resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all). 

### Step 3. Create a policy that enables Security Hub in all member accounts
<a name="step-3"></a>

 After enabling Security Hub in the delegated administrator account for an organization, you need to create a policy that defines which services and capabilities are enabled in the organization member accounts. For more information, see [Enabling a configuration with a type of policy](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-da-policy.html#securityhub-v2-configuration-enable-policy). 

## Enable Security Hub in a standalone account
<a name="securityhub-v2-enable-standalone-account"></a>

 This procedure describes how to enable Security Hub in a standalone account. A standalone account is an AWS account that has not enabled AWS Organizations. 

**To enable Security Hub in a standalone account**

1.  Sign in to your AWS account with your account credentials. Open the Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home). 

1.  From the Security Hub homepage, select **Get started**. 

1.  In the **Security capabilities** section do one of the following: 

   1.  (Option 1) Choose **Enable all capabilities**. This will turn on all of the Security Hub essential capabilities, threat analytics, and additional capabilities. 

   1.  (Option 2) Choose **Customize capabilities**. Select the threat analytics and additional capabilities that should be turned on. You cannot deselect any capabilities that are part of the Security Hub essential plan capabilities. 

1.  In the **Regions** section, choose **Enable all Regions** or **Enable specific Regions**. If you choose **Enable all Regions**, you can determine whether to automatically enable new Regions. If you choose **Enable specific Regions**, you must choose which Regions you want to enable. 

1.  (Optional) For **Resource tags**, add tags as key-value pairs to help you easily identify the configuration. 

1.  Choose **Enable Security Hub**. 

 After you enable Security Hub, a service-linked role called [AWSServiceRoleForSecurityHubV2](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) and a service-linked recorder are created in your account. The service-linked recorder is a type of AWS Config recorder managed by an AWS service that can record configuration data on service-specific resources. With a service-linked recorder, Security Hub enables an event-driven approach for obtaining resource configuration items required for exposure analysis coverage and reporting resource inventory. A service-linked recorder is configured per AWS account and AWS Region. For global resource types, an additional service-linked recorder is automatically created in the home region to record configuration changes for global resources, as AWS Config only records global resource types in their designated home region. For more information, see [Considerations for service-linked configuration recorders](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html#stop-start-recorder-considerations-service-linked) and [Recording regional and global resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-all). 

# Designating a delegated administrator in Security Hub
<a name="securityhub-v2-set-da"></a>

 In the AWS organization management account, you can designate a delegated administrator for your organization. As a best practice, we recommend using the same delegated administrator across security services for consistent governance. 

 The procedure in this topic describes how to designate a delegated administrator in Security Hub. It assumes you previously enabled Security Hub but did not designate a delegated administrator during the enablement workflow. 

**Considerations**  
 Consider the following when designating a delegated administrator in Security Hub: 
+  The AWS organization management account can designate itself as the delegated administrator in Security Hub CSPM. The AWS organization management account cannot designate itself as the delegated administrator in Security Hub. In this scenario, the AWS organization management account must designate another AWS account as the delegated administrator in Security Hub. As a best practice, we recommend using the same delegated administrator across security services for consistent governance. 
+  If the AWS organization management account designates a delegated administrator in Security Hub CSPM, that delegated administrator automatically becomes the delegated administrator in Security Hub. In this scenario, Security Hub only allows this particular AWS account to serve as the delegated administrator. 

**Note**  
 If the AWS organization management account uses the same delegated administrator in Security Hub as it does in Security Hub CSPM, removing it through the Security Hub CSPM console or with the AWS Organizations API also removes it in Security Hub. Similarly, removing it through the Security Hub console or with the AWS Organizations API also removes it in Security Hub CSPM. When the delegated administrator is removed from Security Hub CSPM, Central Configuration will automatically opt out. 

## Designating a delegated administrator after enabling Security Hub
<a name="securityhub-v2-set-da-enablement"></a>

 This procedure is for the AWS organization management account to complete. It assumes the AWS organization management account previously enabled Security Hub but did not designate a delegated administrator during the enablement workflow. 

**Note**  
 After you complete this procedure, you must create a policy allowing the delegated administrator for your organization to configure Security Hub and perform specific actions in AWS Organizations. For more information, see [Creating the delegated administrator policy in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-policy-statement.html). 

**To designate a delegated administrator in Security Hub**

1.  Sign in to your AWS account with your organization management account credentials, and open the Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home). 

1.  From the navigation pane, choose **General**. 

1.  In **Delegated administrator**, choose **Configure**. Select one of the provided AWS accounts, or enter the 12-digit AWS account number for the AWS account that you want to designate as the delegated administrator for your organization. Choose **Save**. 

# Creating the delegated administrator policy in Security Hub
<a name="securityhub-v2-policy-statement"></a>

 The AWS organization management account can create a policy allowing the delegated administrator to configure Security Hub and perform specific actions in AWS Organizations. The procedure in this topic describes how to create the policy. When completing the procedure, you can allow Security Hub to create the policy for you or manually create the policy. We recommend allowing Security Hub to create the policy for you, unless you want to customize the policy for a particular use case. The AWS organization management account must complete this procedure only if it enabled Security Hub and designated a delegated administrator, but skipped creating the policy when completing the [enablement](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-enable.html#securityhub-v2-enable-management-account) workflow. For information about how to update this policy, see [Update a resource-based delegation policy with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs-policy-delegate-update.html) in the *AWS Organizations User Guide*. 

**Note**  
 After you complete this procedure, the delegated administrator can create a policy allowing it to manage member accounts in your organization. For more information, see [Creating a policy as the delegated administrator to manage member accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-da-policy.html). 

**To create the delegated administrator policy**

1.  Sign in to your AWS account with your organization management account credentials. Open the Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home). 

1.  From the navigation pane, choose **General**. 

1.  For **Delegated administrator policy**, do one of the following: 

   1.  (Option 1) Choose **Create policy**. Select the box under the policy statement to confirm Security Hub will automatically create a delegation policy granting all required permission to the delegated administrator. 

   1.  (Option 2) Open the policy. Choose **Copy and attach**. In the AWS Organizations console, under **Delegated administrator for AWS Organizations**, choose **Delegate**, and paste the resource policy in the delegation policy editor. Choose **Create Policy**. Open the tab where you are in the Security Hub console, and choose **Configure**. 

# Managing configuration of member accounts in an AWS Organization
<a name="securityhub-v2-da-policy"></a>

 The delegated administrator for an AWS Organization can configure security capabilities across member accounts and Regions. There are two types of configurations that are available, **Policies** and **Deployments**. **Policies** generate AWS Organizations policies for accounts and Regions for AWS Security Hub and Amazon Inspector. **Deployments** are a one-time action to enable a security capability across selected accounts and Regions for Amazon GuardDuty and AWS Security Hub CSPM. Unlike policies, you cannot view or edit deployments and deployments will not apply to newly enabled accounts. As an alternative, auto-enable features, for new member accounts, are available in Amazon GuardDuty and AWS Security Hub CSPM. 

## Security Hub configuration catalog
<a name="securityhub-v2-configuration-catalog"></a>

 The configuration catalog of Security Hub offers multiple options to help configure your AWS Organization accounts for the security capabilities listed below. 

 The following are the options available in the Security Hub configuration catalog.

### Security Hub (essential and additional capabilities)
<a name="securityhub-v2-configuration-catalog-SH"></a>

 This is the recommended configuration to deploy for Security Hub. 

 **Type**: Policy and Deployments 

 **Description**: This configuration turns on Security Hub's essential security management, posture management, threat analytics, and vulnerability management capabilities. It optionally enables additional capabilities. 

### Threat analytics from GuardDuty
<a name="securityhub-v2-configuration-catalog-ta"></a>

 **Type**: Deployment 

 **Description**: Turn on selected Amazon GuardDuty capabilities to continuously monitor, analyze, and process AWS data sources and logs in your AWS environment. 

### Posture management from AWS Security Hub CSPM
<a name="securityhub-v2-configuration-catalog-CSPM"></a>

 **Type**: Deployment 

 **Description**: This configuration turns on Security Hub CSPM's standards and controls, which detect when your AWS accounts and resources deviate from security best practices. 

### Vulnerability management from Amazon Inspector
<a name="securityhub-v2-configuration-catalog-vuln"></a>

 **Type**: Policy 

 **Description**: This configuration turns on selected Amazon Inspector capabilities that automatically discover workloads, instances, container images, and other resources, and scan them for vulnerabilities and network exposure. 

## Enabling a configuration with a type of policy
<a name="securityhub-v2-configuration-enable-policy"></a>

 The following procedure describes how to create a configuration with a type of policy for your AWS Organization accounts. To create a configuration policy the delegated administrator policy needs to be created in the AWS Organization management account. For information about creating the delegated administrator policy in Security Hub, see [Creating the delegated administrator policy in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-policy-statement.html). 

**To create a policy that enables and disables member accounts**

1.  Sign in using your AWS account with your delegated administrator credentials. Open the Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home). 

1.  From the navigation pane, choose **Management**, and then choose **Configurations**. 

1.  Choose an item with a type of **policy** or **policy and deployment** from the Configuration catalog. To fully configure Security Hub, it is recommended to choose **Security Hub (essential and additional capabilities)**. 

1.  On the **Configure Security Hub** page, in the **Details** section, enter a name and a description for the policy. 

1.  In the **Security capabilities** section do one of the following: 

   1.  (Option 1) Choose **Enable all capabilities**. This will turn on all of the Security Hub essential capabilities, threat analytics, and additional capabilities. 

   1.  (Option 2) Choose **Customize capabilities**. Select the threat analytics and additional capabilities that should be turned on. You cannot deselect any capabilities that are part of the Security Hub essential plan capabilities. 

1.  In the **Account selection** section, select one of the following options. Choose **All organizational units and accounts** if you want to apply the configuration to all organizational units and accounts. Choose **Specific organizational units and accounts** if you want to apply the configuration to specific organizational units and accounts. If you choose this option, use the search bar or organizational structure tree to specify the organizational units and accounts where the policy will be applied. Choose **No organizational units or accounts** if you do not want to apply the configuration to any organizational unit or account. 

1.  In the **Regions** section, choose **Enable all Regions**, **Disable all Regions**, or **Specify Regions**. If you choose **Enable all Regions**, you can determine whether to automatically enable new Regions. If you choose **Disable all Regions**, you can determine whether to automatically disable new Regions. If you choose **Specify Regions**, you must choose which Regions you want to enable and disable. 

1.  (Optional) For **Advanced settings**, please refer to the [guidance](https://docs.aws.amazon.com/organizations/latest/userguide/policy-operators.html) from AWS Organizations. 

1.  (Optional) For **Resource tags**, add tags as key-value pairs to help you easily identify the configuration. 

1.  Choose **Next**. 

1.  Review your changes, and then choose **Apply**. Your target accounts are configured based on the policy. The configuration status of your policy will display at the top of the Policies page. Each capability will provide a status on if it was configured or where there are deployment failures. For any failures click on the link for the failure message to see more details. To view the effective policy at the account level, you can review the **Organization** tab on the **Configurations** page where you can choose an account. 

## Enabling a configuration with a type of deployment
<a name="securityhub-v2-configuration-enable-deployment"></a>

The following procedure describes how to create a configuration with a type of deployment for your AWS Organization accounts.

**To create a deployment that enables and disables member accounts**

1.  Sign in using your AWS account with your delegated administrator credentials. Open the Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home). 

1.  From the navigation pane, choose **Management**, and then choose **Configurations**. 

1.  Choose an item with a type of **deployment** from the Configuration catalog. To fully configure Security Hub, it is recommended to choose **Security Hub (essential and additional capabilities)**. 

1.  In the **Security capabilities** section, select the security capabilities that should be turned on. 

1.  In the **Account selection** section, select one of the following options. Choose **All organizational units and accounts** if you want to apply the configuration to all organizational units and accounts. Choose **Specific organizational units and accounts** if you want to apply the configuration to specific organizational units and accounts. If you choose this option, use the search bar or organizational structure tree to specify the organizational units and accounts where the policy will be applied. Choose **No organizational units or accounts** if you do not want to apply the configuration to any organizational unit or account. 

1.  In the **Regions** section, choose **Enable all Regions**, **Disable all Regions**, or **Specify Regions**. If you choose **Enable all Regions**, you can determine whether to automatically enable new Regions. If you choose **Disable all Regions**, you can determine whether to automatically disable new Regions. If you choose **Specify Regions**, you must choose which Regions you want to enable and disable. 

1.  Choose **Configure**. 

## Editing a configuration policy
<a name="securityhub-v2-configuration-edit"></a>

 You can edit the capabilities, Regions, and accounts associated with configurations that have a type of **policy**. 

The following describes how to edit a configuration policy in Security Hub.

**To edit a configuration policy**

1.  Sign in using your AWS account with your delegated administrator credentials. Open the Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home). 

1.  From the navigation pane, choose **Management**, and then choose **Configurations**. 

1.  In the **Configured policies** tab, select the radio button for the policy you want to edit. Choose **Edit**. 

1.  To make changes in the **Account selection** section, select one of the following options. Choose **All organizational units and accounts** if you want to apply the configuration to all organizational units and accounts. Choose **Specific organizational units and accounts** if you want to apply the configuration to specific organizational units and accounts. If you choose this option, use the search bar or organizational structure tree to specify the organizational units and accounts where the policy will be applied. Choose **No organizational units or accounts** if you do not want to apply the configuration to any organizational unit or account. 

1.  To make changes in the **Regions** section, choose **Enable all Regions**, **Disable all Regions**, or **Specify Regions**. If you choose **Enable all Regions**, you can determine whether to automatically enable new Regions. If you choose **Disable all Regions**, you can determine whether to automatically disable new Regions. If you choose **Specify Regions**, you must choose which Regions you want to enable and disable. 

1.  Choose **Next**. 

1.  Review your changes, and then choose **Update**. Your target accounts are configured based on the policy. 

## Deleting a configuration policy
<a name="securityhub-v2-configuration-delete"></a>

 You can delete configurations that have a type of **policy**. When you delete a policy, all attached accounts and organizational units will be removed from the policy. 

The following describes how to delete a configuration policy in Security Hub.

**To delete a configuration policy**

1.  Sign in using your AWS account with your delegated administrator credentials. Open the Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home). 

1.  From the navigation pane, choose **Management**, and then choose **Configurations**. 

1.  In the **Configured policies** tab, select the radio button for the policy you want to delete. Choose the **Delete** button. 

1.  Type **delete** in the confirmation box. Choose **Delete**. 

# Removing the delegated administrator account in Security Hub
<a name="securityhub-v2-remove-da"></a>

 You can remove the delegated administrator account in the Security Hub console at any time. However, this action not only removes the delegated administrator from Security Hub, but also Security Hub CSPM. We recommend only performing this action when you have confirmed this operation with your security account. 

**Note**  
 If you're using an account other than the organization management account as the Security Hub CSPM delegated administrator, removing it through either the CSPM Console or AWS Organizations API will also remove it from Security Hub.   
 Similarly, if you remove the Security Hub delegated administrator through either the Security Hub Console or AWS Organizations API, it will also be removed from Security Hub CSPM. When the delegated administrator is removed from CSPM, Central Configuration will automatically opt out. 

**To remove the delegated administrator account**

1.  Sign in to your AWS account with your organization management account credentials. Open the Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home). 

1.  From the navigation pane, choose **General**. 

1.  In **Delegated administrator**, choose **Remove delegated administrator**. In the pop-up window, enter *remove*, and choose **Remove**. 

# Re-enabling Security Hub
<a name="securityhub-v2-reenable"></a>

 Before re-enabling Security Hub on accounts that were previously disabled using a Security Hub policy, you must first detach the disable policy. If you attempt to re-enable Security Hub while a disable policy is still attached to the account or organizational unit, the disable policy will override the enablement and Security Hub will remain disabled. 

**To remove the Security Hub disable policy for an organization or an account**

1.  Sign in using your AWS account with your organization management account credentials. Open the AWS Organizations console at [https://console.aws.amazon.com/organizations/v2/home](https://console.aws.amazon.com/organizations/v2/home). 

1.  From the navigation panel, choose **AWS accounts**. 

1.  If the current Security Hub disable policy was for your entire organization, choose **Root** under the **Organizational structure**. If the current Security Hub disable policy is for specific accounts, choose the specific account under the **Organizational structure** and then follow the remaining steps for each account. 

1.  In the **Policies** tab, find the section titled **Security Hub policies**. 

1.  Choose the radio button next to the policy that disables Security Hub. Choose **Detach**. 

 Once the policy has been detached from your organization or accounts, you can then re-enable Security Hub. See [Managing configuration of member accounts in an AWS Organization](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-da-policy.html) for details on re-enabling Security Hub. 