Security Hub with Organisations


When using AWS Security Hub with AWS Organizations, do we need to enable and set up AWS Security Hub in each child account that exists in the organisation?

asked 2 years ago, 1412 views
2 Answers

You do need to enable Security Hub in each account and in each region that your workloads are hosted in, individually.

You can of course achieve this easily by using CloudFormation.

To use Security Hub within an AWS Organization, do the following:

  1. Choose one account (let's call it the security-tooling account, with id 123456789012) as your org-wide security tooling account.

  2. Delegate AWS Security Hub administration to this security-tooling account.

  3. If you are going to use other security services, it is best practice to make this security-tooling account the delegated administrator for those services as well (e.g. Amazon GuardDuty, Amazon Inspector).

  4. Enable AWS Config in every account and every region that you want to use AWS Security Hub in (this is because AWS Security Hub depends on AWS Config).

  5. Enable AWS Security Hub in every account and every region that you want to.

  6. In the security-tooling (delegated administrator) account, navigate to: Security Hub --> Settings --> Account Management.

  7. Here you will see the list of accounts in your AWS Organization. You can enable these accounts. This enablement is so that those accounts send findings to the security-tooling (delegated administrator) account.

  8. Check "auto enable accounts". When you do this, all subsequent accounts that get added to the organization will directly become members and start sending findings to the delegated administrator account (IF AWS SECURITY HUB IS ENABLED IN THOSE ACCOUNTS).

  9. Finally, navigate to Security Hub --> Settings --> Regions. Select an aggregation region and add linked regions, so as to aggregate findings in one region.

KEY POINT: An account may become a member, but that would be of no use if AWS Security Hub is not enabled in it. An account may have AWS Security Hub enabled in it, but your findings will not be centralised if it is not made a member account.

answered a year ago
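As an added example (not from the answer above and not AWS's own code): a small Python check for the KEY POINT, reconciling per account and region whether Security Hub is enabled against whether the account is an enabled member of the delegated administrator. The inputs are constructed to mirror what `securityhub:ListMembers` (run in the delegated administrator account) and `securityhub:DescribeHub` (run in each member account, which fails when the service is not enabled there) would return; feeding real API responses in via boto3 is assumed, not shown.

```python
"""Reconcile Security Hub membership against enablement across an Organization.

Constructed sample data only; nothing here calls AWS. The delegated
administrator (123456789012 in the answer above) is deliberately left out of
ORG_ACCOUNTS, because it is never a member of itself.
"""

# Constructed: per-region shape of securityhub:ListMembers in the delegated
# administrator account. Only MemberStatus "Enabled" members forward findings.
MEMBERS_BY_REGION = {
    "eu-west-1": [
        {"AccountId": "111111111111", "MemberStatus": "Enabled"},
        {"AccountId": "222222222222", "MemberStatus": "Enabled"},
        {"AccountId": "333333333333", "MemberStatus": "Created"},
    ],
    "us-east-1": [
        {"AccountId": "111111111111", "MemberStatus": "Enabled"},
    ],
}

# Constructed: whether securityhub:DescribeHub succeeded in each account/region
# (False stands for the InvalidAccessException you get when Hub is not enabled).
HUB_ENABLED = {
    ("111111111111", "eu-west-1"): True,  ("111111111111", "us-east-1"): True,
    ("222222222222", "eu-west-1"): False, ("222222222222", "us-east-1"): False,
    ("333333333333", "eu-west-1"): True,  ("333333333333", "us-east-1"): True,
    ("444444444444", "eu-west-1"): True,  ("444444444444", "us-east-1"): False,
}
ORG_ACCOUNTS = ["111111111111", "222222222222", "333333333333", "444444444444"]
REGIONS = ["eu-west-1", "us-east-1"]


def reconcile(org_accounts, regions, members_by_region, hub_enabled):
    """Classify every (account, region) pair into the two gaps from the KEY POINT
    plus the pairs that are simply not covered at all."""
    report = {"silent_members": [], "local_only": [], "uncovered": []}
    for region in regions:
        enabled_members = {m["AccountId"] for m in members_by_region.get(region, [])
                           if m["MemberStatus"] == "Enabled"}
        for account in org_accounts:
            is_member = account in enabled_members
            has_hub = hub_enabled.get((account, region), False)
            if is_member and not has_hub:      # member, but nothing to send
                report["silent_members"].append((account, region))
            elif has_hub and not is_member:    # findings stay in that account
                report["local_only"].append((account, region))
            elif not has_hub and not is_member:
                report["uncovered"].append((account, region))
    return report


if __name__ == "__main__":
    for kind, pairs in reconcile(ORG_ACCOUNTS, REGIONS, MEMBERS_BY_REGION, HUB_ENABLED).items():
        print(kind, pairs)
```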

When you use both Security Hub and AWS Organizations together, you can automatically enable Security Hub for all of your accounts, including new accounts as they are added. This increases the coverage for Security Hub checks and findings, which provides a more comprehensive and accurate picture of your overall security posture.

The detailed instructions are here:

answered 2 years ago
  • I have enabled that and I can see the child accounts in the master's Security Hub; however, there are no findings for the sub-accounts. If a security standard has been enabled at the master Security Hub, does it automatically propagate to the linked accounts?
