AWS securityhub documentation change
Summary
Restructured documentation to distinguish between automatic service-linked AWS Config setup (when both Security Hub CSPM and Security Hub are enabled) and manual AWS Config setup (when only Security Hub CSPM is enabled). Added details about service-linked configuration recorder behavior, updated prerequisites, and cost optimization guidance.
Security assessment
The changes document operational improvements for Security Hub CSPM integration with AWS Config, including automated resource recording via service-linked configuration recorders. While this relates to security posture management, there's no evidence of addressing a specific vulnerability or security incident. The updates primarily clarify setup procedures and cost considerations.
Diff
diff --git a/securityhub/latest/userguide/securityhub-setup-prereqs.md b/securityhub/latest/userguide/securityhub-setup-prereqs.md index 0c16c0caa..0c780714f 100644 --- a//securityhub/latest/userguide/securityhub-setup-prereqs.md +++ b//securityhub/latest/userguide/securityhub-setup-prereqs.md @@ -7 +7 @@ -Considerations before enabling and configuring AWS ConfigRecording resources in AWS ConfigWays to enable and configure AWS ConfigUnderstanding the Config.1 controlGenerating service-linked rulesCost considerations +Using the service-linked configuration recorderManually configuring AWS ConfigUnderstanding the Config.1 controlGenerating service-linked rules @@ -15 +15 @@ Some rules, referred to as AWS Config managed rules, are predefined and develope -To receive control findings in Security Hub CSPM, you must enable AWS Config for your account. You must also turn on resource recording for the types of resources that enabled controls evaluate. Security Hub CSPM can then create the appropriate AWS Config rules for the controls and begin to run security checks and generate findings for the controls. +If you have both AWS Security Hub CSPM and Security Hub enabled, Security Hub CSPM automatically creates a service-linked configuration recorder to assess your security controls. You don't need to manually enable or configure AWS Config. For more information, see Using the service-linked configuration recorder. @@ -17 +17 @@ To receive control findings in Security Hub CSPM, you must enable AWS Config for -###### Topics +If you have Security Hub CSPM enabled without Security Hub, you must manually enable AWS Config and turn on resource recording. For more information, see Manually configuring AWS Config. @@ -19 +19 @@ To receive control findings in Security Hub CSPM, you must enable AWS Config for - * Considerations before enabling and configuring AWS Config +###### Topics @@ -21 +21 @@ To receive control findings in Security Hub CSPM, you must enable AWS Config for - * Recording resources in AWS Config + * Using the service-linked configuration recorder @@ -23 +23 @@ To receive control findings in Security Hub CSPM, you must enable AWS Config for - * Ways to enable and configure AWS Config + * Manually configuring AWS Config @@ -29 +28,0 @@ To receive control findings in Security Hub CSPM, you must enable AWS Config for - * Cost considerations @@ -32,0 +32,7 @@ To receive control findings in Security Hub CSPM, you must enable AWS Config for +## Using the service-linked configuration recorder + +When you have both AWS Security Hub CSPM and Security Hub enabled, Security Hub CSPM automatically creates and manages a service-linked configuration recorder across your accounts and Regions. You don't need to manually enable or configure AWS Config. + +The name of this configuration recorder is `AWSConfigurationRecorderForSecurityHubCSPM`. Security Hub CSPM creates a corresponding service-linked configuration recorder for each account and Region where both Security Hub CSPM and Security Hub are enabled. As you enable Security Hub CSPM for new AWS accounts and AWS Regions, Security Hub CSPM automatically creates the service-linked configuration recorder. + +Security Hub CSPM manages the resource configuration of the service-linked configuration recorder, ensuring that recording is enabled for all resources that are tied to controls supported by Security Hub. For a list of required resources, see [Required AWS Config resources for control findings](./controls-config-resources.html). @@ -34 +40,9 @@ To receive control findings in Security Hub CSPM, you must enable AWS Config for -## Considerations before enabling and configuring AWS Config +When Security Hub CSPM creates this service-linked configuration recorder, Security Hub does not use the customer-managed configuration recorder in AWS Config. + +For more information about configuration recorders, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the _AWS Config Developer Guide_. + +## Manually configuring AWS Config + +The following steps apply when you have Security Hub CSPM enabled without Security Hub. In this case, you must enable AWS Config for your account and turn on resource recording for the types of resources that your enabled controls evaluate. After you do this, Security Hub CSPM creates the appropriate AWS Config rules and begins running security checks to generate findings. + +### Considerations before enabling and configuring AWS Config @@ -40 +54 @@ We strongly recommend that you turn on resource recording in AWS Config _before_ -To turn on resource recording in AWS Config, you must have sufficient permissions to record resources in the AWS Identity and Access Management (IAM) role that's attached to the configuration recorder. In addition, ensure that no IAM policies or AWS Organizations policies prevent AWS Config from having permission to record your resources. Security Hub CSPM controls evaluate resource configurations directly and don’t take AWS Organizations policies into account. For more information about AWS Config recording, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the _AWS Config Developer Guide_. +To turn on resource recording in AWS Config, you must have sufficient permissions to record resources in the AWS Identity and Access Management (IAM) role that's attached to the configuration recorder. In addition, ensure that no IAM policies or AWS Organizations policies prevent AWS Config from having permission to record your resources. Security Hub CSPM controls evaluate resource configurations directly and don't take AWS Organizations policies into account. For more information about AWS Config recording, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the _AWS Config Developer Guide_. @@ -57 +71 @@ If you use central configuration, Security Hub CSPM also tries to create service -## Recording resources in AWS Config +### Recording resources in AWS Config @@ -80 +94 @@ For more information about AWS Config recording, see [Recording AWS resources](h -## Ways to enable and configure AWS Config +### Ways to enable and configure AWS Config @@ -98,0 +113,6 @@ For more information, see the following blog post on the _AWS Security blog_ : [ +### Cost considerations + +Security Hub CSPM can impact your AWS Config configuration recorder costs by updating the `AWS::Config::ResourceCompliance` configuration item. Updates can occur each time a Security Hub CSPM control associated with an AWS Config rule changes compliance state, is enabled or disabled, or has parameter updates. If you use the AWS Config configuration recorder only for Security Hub CSPM, and don't use this configuration item for other purposes, we recommend turning off recording for it in AWS Config. This can reduce your AWS Config costs. You don't need to record `AWS::Config::ResourceCompliance` for security checks to work in Security Hub CSPM. + +For information about the costs associated with resource recording, see [AWS Security Hub CSPM pricing](https://aws.amazon.com/security-hub/pricing/) and [AWS Config pricing](https://aws.amazon.com/config/pricing/). + @@ -100,0 +121,4 @@ For more information, see the following blog post on the _AWS Security blog_ : [ +###### Note + +When AWS Security Hub CSPM and Security Hub are both enabled, the Config.1 control always has a status of `PASSED`. Security Hub CSPM has direct access to configuration items through a service-linked configuration recorder. For more information, see Using the service-linked configuration recorder. + @@ -117,3 +141 @@ There are quotas for the number of AWS Config managed rules that can be used to -## Cost considerations - -Security Hub CSPM can impact your AWS Config configuration recorder costs by updating the `AWS::Config::ResourceCompliance` configuration item. Updates can occur each time a Security Hub CSPM control associated with an AWS Config rule changes compliance state, is enabled or disabled, or has parameter updates. If you use the AWS Config configuration recorder only for Security Hub CSPM, and don't use this configuration item for other purposes, we recommend turning off recording for it in AWS Config. This can reduce your AWS Config costs. You don't need to record `AWS::Config::ResourceCompliance` for security checks to work in Security Hub CSPM. +###### Note @@ -121 +143 @@ Security Hub CSPM can impact your AWS Config configuration recorder costs by upd -For information about the costs associated with resource recording, see [AWS Security Hub CSPM pricing](https://aws.amazon.com/security-hub/pricing/) and [AWS Config pricing](https://aws.amazon.com/config/pricing/). +If you are using Security Hub CSPM and Security Hub you can see the service-linked rules in AWS Config but you will not be able to see the compliant or noncompliant resources associated with the rule. Compliant and noncompliant resources will only be visible in Security Hub CSPM and Security Hub.