AWS securityhub documentation change
Summary
Updated documentation for AWS Config prerequisites in Security Hub, including clarifications about control findings behavior, resource recording requirements, and Config.1 control details. Added specifics about WARNING findings when resource recording is misconfigured.
Security assessment
Changes focus on improving documentation clarity about security controls and findings accuracy, but there's no evidence of addressing a specific vulnerability or security incident. Updates enhance existing security feature documentation rather than patching a security issue.
Diff
diff --git a/securityhub/latest/userguide/securityhub-setup-prereqs.md index e5be814b7..341a1c53e 100644 --- a/securityhub/latest/userguide/securityhub-setup-prereqs.md +++ b/securityhub/latest/userguide/securityhub-setup-prereqs.md @@ -13,3 +13 @@ AWS Config rules that Security Hub uses for controls are referred to as _service -To receive control findings in Security Hub, you must enable AWS Config in your account and turn on recording for resources that your enabled controls evaluate. - -This page explains how to enable AWS Config for Security Hub and turn on resource recording. +To receive control findings in Security Hub, you must enable AWS Config in your account and turn on recording for resources that your enabled controls evaluate. This page explains how to enable AWS Config for Security Hub and turn on resource recording. @@ -19 +17 @@ This page explains how to enable AWS Config for Security Hub and turn on resourc -To receive control findings in Security Hub, your account must have AWS Config enabled in each AWS Region where Security Hub is enabled. If you use Security Hub for a multi-account environment, AWS Config must be enabled in each Region in the administrator account and all member accounts. +To receive control findings in Security Hub, your account must have AWS Config enabled in each AWS Region where Security Hub is enabled. If you use Security Hub for a multi-account environment, AWS Config must be enabled in each Region for the administrator account and all member accounts. @@ -23 +21 @@ We strongly recommend that you turn on resource recording in AWS Config _before_ -To turn on resource recording in AWS Config, you must have sufficient permissions to record resources in the AWS Identity and Access Management (IAM) role that is attached to the configuration recorder. In addition, make sure there is no IAM policy or policy managed in AWS Organizations that prevents AWS Config from having permission to record your resources. Security Hub control checks directly evaluate the configuration of a resource and don’t take Organizations policies into account. For more information about AWS Config recording, see [List of AWS Config Managed Rules – Considerations](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) in the _AWS Config Developer Guide_. +To turn on resource recording in AWS Config, you must have sufficient permissions to record resources in the AWS Identity and Access Management (IAM) role that is attached to the configuration recorder. In addition, make sure there is no IAM policy or policy managed in AWS Organizations that prevents AWS Config from having permission to record your resources. Security Hub control checks evaluate the configuration of a resource directly and don’t take AWS Organizations policies into account. For more information about AWS Config recording, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the _AWS Config Developer Guide_. @@ -27 +25 @@ If you enable a standard in Security Hub but haven't enabled AWS Config, Securit - * On the day you enable the standard + * On the day that you enable the standard. @@ -29 +27 @@ If you enable a standard in Security Hub but haven't enabled AWS Config, Securit - * The day after you enable the standard + * The day after you enable the standard. @@ -31 +29 @@ If you enable a standard in Security Hub but haven't enabled AWS Config, Securit - * 3 days after you enable the standard + * 3 days after you enable the standard. @@ -33 +31 @@ If you enable a standard in Security Hub but haven't enabled AWS Config, Securit - * 7 days after you enable the standard (and continuously every 7 days thereafter) + * 7 days after you enable the standard, and continuously every 7 days thereafter. @@ -38 +36 @@ If you enable a standard in Security Hub but haven't enabled AWS Config, Securit -If you use central configuration, Security Hub also tries to create the AWS Config service-linked rules each time that you associate a configuration policy that enables one or more standards with accounts, organizational units (OUs), or the root. +If you use central configuration, Security Hub also tries to create service-linked AWS Config rules each time you associate a configuration policy that enables one or more standards with accounts, organizational units (OUs), or the root. @@ -42 +40 @@ If you use central configuration, Security Hub also tries to create the AWS Conf -When enabling AWS Config, you must specify which AWS resources you want the AWS Config configuration recorder to record. Through the service-linked rules, the configuration recorder allows Security Hub to detect changes in your resource configurations. +When you enable AWS Config, you must specify which AWS resources you want the AWS Config configuration recorder to record. Through the service-linked rules, the configuration recorder allows Security Hub to detect changes to your resource configurations. @@ -44 +42 @@ When enabling AWS Config, you must specify which AWS resources you want the AWS -In order for Security Hub to generate accurate control findings, you must turn on recording in AWS Config for the resources that correspond to your enabled controls. It's primarily enabled controls with a _change triggered_ schedule type that require resource recording. For a list of controls and their related AWS Config resources, see [Required AWS Config resources for Security Hub control findings](./controls-config-resources.html). +For Security Hub to generate accurate control findings, you must turn on recording in AWS Config for the resources that correspond to your enabled controls. It's primarily enabled controls with a _change triggered_ schedule type that require resource recording. Some controls with a _periodic_ schedule type also require resource recording. For a list of these controls and their corresponding resources, see [Required AWS Config resources for Security Hub control findings](./controls-config-resources.html). @@ -48 +46 @@ In order for Security Hub to generate accurate control findings, you must turn o -If you don't correctly configure AWS Config recording for Security Hub controls, it can result in inaccurate control findings, particularly in the following instances: +If you don't configure AWS Config recording correctly for Security Hub controls, it can result in inaccurate control findings, particularly in the following instances: @@ -50 +48 @@ If you don't correctly configure AWS Config recording for Security Hub controls, - * You never recorded the resource for a given control, disabled recording of a resource before creating that resource type, or attached an IAM role to the configuration recorder that didn't provide permissions to record the resource. In these cases, you receive a `PASSED` finding for the control at issue, even though you might have created resources in scope of the control after you disabled recording. This `PASSED` finding is a default finding that doesn't actually evaluate the configuration state of the resource. + * You never recorded the resource for a given control, or you disabled recording of a resource before creating that type of resource. In these cases, you receive a `WARNING` finding for the control at issue, even though you might have created resources in scope of the control after you disabled recording. This `WARNING` finding is a default finding that doesn't actually evaluate the configuration state of the resource. @@ -52 +50 @@ If you don't correctly configure AWS Config recording for Security Hub controls, - * You disable recording of a resource that is evaluated by a particular control. In this case, Security Hub retains the control findings that were generated before you disabled recording, even though the control isn't evaluating new or updated resources. These retained findings might not accurately reflect a resource's current configuration state. + * You disable recording for a resource that's evaluated by a particular control. In this case, Security Hub retains the control findings that were generated before you disabled recording, even though the control isn't evaluating new or updated resources. Security Hub also changes the compliance status of the findings to `WARNING`. These retained findings might not accurately reflect a resource's current configuration state. @@ -57 +55 @@ If you don't correctly configure AWS Config recording for Security Hub controls, -By default AWS Config records all supported _Regional resources_ that it discovers in the AWS Region in which it is running. To receive all Security Hub control findings, you must also configure AWS Config to record _global resources_. To conserve costs, we recommend recording global resources in a single Region only. If you use central configuration or cross-Region aggregation, this Region should be your home Region. +By default, AWS Config records all supported _Regional resources_ that it discovers in the AWS Region in which it is running. To receive all Security Hub control findings, you must also configure AWS Config to record _global resources_. To conserve costs, we recommend recording global resources in a single Region only. If you use central configuration or cross-Region aggregation, this Region should be your home Region. @@ -59 +57 @@ By default AWS Config records all supported _Regional resources_ that it discove -In AWS Config, you can choose between _continuous recording_ and _daily recording_ of changes in resource state. If you choose daily recording, AWS Config delivers resource configuration data at the end of each 24 hour period if there are changes in resource state. If there are no changes, no data is delivered. This can delay the generation of Security Hub findings for change-triggered controls until a 24-hour period is complete. +In AWS Config, you can choose between _continuous recording_ and _daily recording_ of changes in resource state. If you choose daily recording, AWS Config delivers resource configuration data at the end of each 24–hour period if there are changes in resource state. If there are no changes, no data is delivered. This can delay the generation of Security Hub findings for change-triggered controls until a 24–hour period is complete. @@ -65 +63 @@ For more information about AWS Config recording, see [Recording AWS resources](h -You can enable AWS Config and turn on resource recording in one of the following ways: +You can enable AWS Config and turn on resource recording in any of the following ways: @@ -71 +69 @@ You can enable AWS Config and turn on resource recording in one of the following - * **CloudFormation template** – If you want to enable AWS Config for a large number of accounts, we recommend using the AWS CloudFormation template named **Enable AWS Config**. To access this template, see [AWS CloudFormation StackSets sample templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-sampletemplates.html) in the _AWS CloudFormation User Guide_. + * **CloudFormation template** – To enable AWS Config for many accounts, we recommend using the AWS CloudFormation template named **Enable AWS Config**. To access this template, see [AWS CloudFormation StackSet sample templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-sampletemplates.html) in the _AWS CloudFormation User Guide_. @@ -73 +71 @@ You can enable AWS Config and turn on resource recording in one of the following -By default, this template excludes recording for IAM global resources. Ensure that you turn on recording for IAM global resources in one Region only to conserve recording costs. If you have cross-Region aggregation enabled, this should be your [Security Hub home Region](./finding-aggregation.html). Otherwise, it can be any AWS Region that Security Hub is available in that supports recording of IAM global resources. We recommend running one StackSet to record all resources, including IAM global resources, in the home Region or other selected Region. Then, run a second StackSet to record all resources except IAM global resources in other Regions. +By default, this template excludes recording for IAM global resources. Ensure that you turn on recording for IAM global resources in only one AWS Region to conserve recording costs. If you have cross-Region aggregation enabled, this should be your [Security Hub home Region](./finding-aggregation.html). Otherwise, it can be any Region that Security Hub is available in that supports recording of IAM global resources. We recommend running one StackSet to record all resources, including IAM global resources, in the home Region or other selected Region. Then, run a second StackSet to record all resources except IAM global resources in other Regions. @@ -75 +73 @@ By default, this template excludes recording for IAM global resources. Ensure th - * **Github script** – Security Hub offers a [GitHub script](https://github.com/awslabs/aws-securityhub-multiaccount-scripts) that enables Security Hub and AWS Config for multiple accounts across Regions. This script is useful if you haven't integrated with Organizations or if you have some member accounts that aren't part of an organization. + * **GitHub script** – Security Hub offers a [GitHub script](https://github.com/awslabs/aws-securityhub-multiaccount-scripts) that enables Security Hub and AWS Config for multiple accounts across Regions. This script is useful if you haven't integrated with AWS Organizations, or you have some member accounts that aren't part of an organization. @@ -80 +78 @@ By default, this template excludes recording for IAM global resources. Ensure th -For more information, see [Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture](https://aws.amazon.com/blogs/security/optimize-aws-config-for-aws-security-hub-to-effectively-manage-your-cloud-security-posture/). +For more information, see the following blog post on the _AWS Security blog_ : [Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture](https://aws.amazon.com/blogs/security/optimize-aws-config-for-aws-security-hub-to-effectively-manage-your-cloud-security-posture/). @@ -84 +82,5 @@ For more information, see [Optimize AWS Config for AWS Security Hub to effective -The Security Hub control [Config.1](./config-controls.html#config-1) generates `FAILED` findings in your account if AWS Config is disabled or if you don't have resource recording turned on for enabled controls. If you are the delegated Security Hub administrator for an organization, AWS Config recording must be correctly configured in your account and member accounts. If you use cross-Region aggregation, AWS Config recording must be correctly configured in the home Region and all linked Regions (Global resources need not be recorded in linked Regions). +In Security Hub, the [Config.1](./config-controls.html#config-1) control generates `FAILED` findings in your account if AWS Config is disabled. It also generates `FAILED` findings in your account if AWS Config is enabled but resource recording isn't turned on. + +If AWS Config is enabled and resource recording is turned on, but resource recording isn't turned on for a type of resource that an enabled control checks, Security Hub generates a `FAILED` finding for the Config.1 control. In addition to this `FAILED` finding, Security Hub generates `WARNING` findings for the enabled control and the types of resources that the control checks. For example, if you enable the [KMS.5](./kms-controls.html#kms-5) control and resource recording isn't turned on for AWS KMS keys, Security Hub generates a `FAILED` finding for the Config.1 control. Security Hub also generates `WARNING` findings for the KMS.5 control and your KMS keys. + +To receive a `PASSED` finding for the Config.1 control, turn on resource recording for all the resource types that correspond to enabled controls. Also disable controls that aren't required for your organization. This helps ensure that you don't have configuration gaps in your security control checks. It also helps ensure that you receive accurate findings about misconfigured resources. @@ -86 +88 @@ The Security Hub control [Config.1](./config-controls.html#config-1) generates ` -To receive a `PASSED` finding for Config.1, turn on resource recording for all resources that correspond to enabled Security Hub controls, and disable controls that aren't required in your organization. This helps to ensure the you don't have configuration gaps in your security control checks and are receiving accurate findings about misconfigured resources. +If you're the delegated Security Hub administrator for an organization, AWS Config recording must be configured correctly for your account and your member accounts. If you use cross-Region aggregation, AWS Config recording must be configured correctly in the home Region and all linked Regions. Global resources do not need to be recorded in linked Regions. @@ -90 +92 @@ To receive a `PASSED` finding for Config.1, turn on resource recording for all r -For every control that uses an AWS Config service-linked rule, Security Hub creates instances of the required rule in your AWS environment. +For every control that uses a service-linked AWS Config rule, Security Hub creates instances of the required rule in your AWS environment. @@ -92 +94 @@ For every control that uses an AWS Config service-linked rule, Security Hub crea -These service-linked rules are specific to Security Hub. Security Hub creates these service-linked rules even if other instances of the same rules already exist. The service-linked rule adds `securityhub`before the original rule name and a unique identifier after the rule name. For example, for the AWS Config managed rule `vpc-flow-logs-enabled`, the service-linked rule name would be something like `securityhub-vpc-flow-logs-enabled-12345`. +These service-linked rules are specific to Security Hub. Security Hub creates these service-linked rules even if other instances of the same rules already exist. The service-linked rule adds `securityhub` before the original rule name and a unique identifier after the rule name. For example, for the AWS Config managed rule `vpc-flow-logs-enabled`, the service-linked rule name might be `securityhub-vpc-flow-logs-enabled-12345`. @@ -94 +96 @@ These service-linked rules are specific to Security Hub. Security Hub creates th -There are limits on the number of AWS Config managed rules that can be used to evaluate controls. Custom AWS Config rules that Security Hub creates don't count towards that limit. You can enable a security standard even if you've already reached the AWS Config limit for managed rules in your account. To learn more about AWS Config rule limits, see [Service limits for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) in the _AWS Config Developer Guide_. +There are quotas for the number of AWS Config managed rules that can be used to evaluate controls. Custom AWS Config rules that Security Hub creates don't count towards those quotas. You can enable a security standard even if you've already reached the AWS Config quota for managed rules in your account. To learn more about quotas for AWS Config rules, see [Service limits for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) in the _AWS Config Developer Guide_.