Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The Security Hub Organization solution will automate enabling AWS Security Hub by delegating administration to an account (e.g. Audit or Security Tooling) and configuring Security Hub for all the existing and future AWS Organization accounts.
Key solution features:
- Delegates Security Hub administration to another account (i.e Audit account).
- Assumes a role in the delegated administrator account to configure organizations management.
- Adds all existing accounts including the
management accountas members. - Configures a region aggregator within the
Home region. - Assumes a role in each member account to enable/disable standards aligning with the delegated administrator account.
- Ability to disable Security Hub within all accounts and regions via a parameter and CloudFormation update event.
- All resources are deployed via AWS CloudFormation as a
StackSetandStack Instancewithin themanagement accountor a CloudFormationStackwithin a specific account. - The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation
StackSet. - For parameter details, review the AWS CloudFormation templates.
- The
Lambda IAM Roleis used by the Lambda function to enable the Security Hub Delegated Administrator Account within each region provided. - The
Configuration IAM Roleis assumed by the Lambda function to configure Security Hub within the delegated administrator account and all member accounts. - The
Event Rule IAM Roleis assumed by EventBridge to forward Global events to theHome Regiondefault Event Bus.
- The
AWS Control Tower Lifecycle Event Ruletriggers theAWS Lambda Functionwhen a new AWS Account is provisioned through AWS Control Tower. - The
Organization Compliance Scheduled Event Ruletriggers theAWS Lambda Functionto capture AWS Account status updates (e.g. suspended to active).- A parameter is provided to set the schedule frequency.
- See the Instructions to Manually Run the Lambda Function for triggering the
AWS Lambda Functionbefore the next scheduled run time.
- The
AWS Organizations Event Ruletriggers theAWS Lambda Functionwhen updates are made to accounts within the organization.- When AWS Accounts are added to the AWS Organization outside of the AWS Control Tower Account Factory. (e.g. account created via AWS Organizations console, account invited from another AWS Organization).
- When tags are added or updated on AWS Accounts.
- If the
Home Regionis different from theGlobal Region (e.g. us-east-1), then global event rules are created within theGlobal Regionto forward events to theHome Regiondefault Event Bus. - The
AWS Organizations Event Ruleforwards AWS Organization account update events.
- SNS Topic used to fanout the Lambda function for configuring and disabling the service within each account and region.
- SQS dead letter queue used for retaining any failed Lambda events.
- The Lambda function includes logic to enable and configure Security Hub.
- All the
AWS Lambda Functionlogs are sent to a CloudWatch Log Group</aws/lambda/<LambdaFunctionName>to help with debugging and traceability of the actions performed. - By default the
AWS Lambda Functionwill create the CloudWatch Log Group and logs are encrypted with a CloudWatch Logs service managed encryption key. - Parameters are provided for changing the default log group retention and encryption KMS key.
- SNS Topic used to notify subscribers when messages hit the DLQ.
- The Security Hub delegated administrator is registered within the
management accountusing the Security Hub APIs within each provided region.
The example solutions use Audit Account instead of Security Tooling Account to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the Audit Account SSM parameter is
populated from the SecurityAccountId parameter within the AWSControlTowerBP-BASELINE-CONFIG StackSet.
- IAM role assumed by the Lambda function within the
management accountto configure Security Hub within each region provided.
- A region aggregator is configured within the
Home regionto aggregate findings from the configured regions, if more than one region is configured. - A parameter is provided to aggregate all configured Security Hub regions including any future regions.
- Security Hub is enabled within each provided region.
- Standards are enabled/disabled based on the provided parameter values.
- Security Hub is enabled from the delegated administrator account.
- Standards are configured by the solution to align with the delegated administrator account.
- Security Hub can be disabled by the solution via a provided parameter and CloudFormation update event.
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
- Deploy the Config Management Account solution to enable AWS Config within the
management account.
Choose a Deployment Method:
In the management account (home region), launch an AWS CloudFormation Stack using one of the options below:
-
Option 1: (Recommended) Use the sra-securityhub-org-main-ssm.yaml template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.
aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main-ssm.yaml --stack-name sra-securityhub-org-main-ssm --capabilities CAPABILITY_NAMED_IAM -
Option 2: Use the sra-securityhub-org-main.yaml template. Input is required for the CloudFormation parameters where the default is not set.
aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/securityhub/securityhub_org/templates/sra-securityhub-org-main.yaml --stack-name sra-securityhub-org-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId=<AUDIT_ACCOUNT_ID> pOrganizationId=<ORGANIZATION_ID> pRootOrganizationalUnitId=<ROOT_ORGANIZATIONAL_UNIT_ID> pSRAStagingS3BucketName=<SRA_STAGING_S3_BUCKET_NAME>
- Log into the
management accountand navigate to the Security Hub page- Select Settings and then General
- Verify that the delegated admin account is set for each region
- Log into the Audit account and navigate to the Security Hub page
- Verify the correct Security Hub configurations have been applied to each region
- Verify all existing accounts have been enabled and auto enabled is ON
- Verify the region aggregator is configured
- Verify the Auto-enable new controls is ON
- Log into a member account and verify the standards are configured correctly
Note: To update the standard version (e.g. CIS 1.2.0 to CIS 1.4.0), first disable the standard and then enable with the new version.
- Download and Stage the SRA Solutions. Note: Get the latest code and run the staging script.
- Update the existing CloudFormation Stack or CFCT configuration. Note: Make sure to update the
SRA Solution Versionparameter and any new added parameters.
- In the
management account (home region), change theDisable Security Hubparameter totrueand update the AWS CloudFormation Stack (sra-securityhub-org-main-ssmorsra-securityhub-org-main). - In the
management account (home region), verify that the Lambda function processing is complete by confirming no more CloudWatch logs are generated. - In the
management account (home region), delete the AWS CloudFormation Stack (sra-securityhub-org-main-ssmorsra-securityhub-org-main). - In the
management account (home region), delete the AWS CloudWatch Log Group (e.g. /aws/lambda/<solution_name>) for the Lambda function deployed.
- In the
management account (home region). - Navigate to the AWS Lambda Functions page.
- Select the
checkboxnext to the Lambda Function and selectTestfrom theActionsmenu. - Scroll down to view the
Test event. - Click the
Testbutton to trigger the Lambda Function with the default values. - Verify that the updates were successful within the expected account(s).