
Enable AWS Security Hub

Overview

This check verifies that AWS Security Hub is enabled in your account and has at least one security standard or integration configured. Security Hub is a centralized service that aggregates security findings from across your AWS environment, giving you a single place to monitor threats and compliance.

Risk

Without Security Hub enabled, you lose centralized visibility into security issues across your AWS account. Security findings from services like GuardDuty, Inspector, and Macie remain scattered, making it difficult to identify and respond to threats. This gap can allow attackers to operate undetected, potentially leading to data breaches, unauthorized access, or compliance violations.

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to enable Security Hub
  • IAM permissions: securityhub:EnableSecurityHub, securityhub:BatchEnableStandards

AWS Console Method

  1. Sign in to the AWS Console and navigate to Security Hub (search for "Security Hub" in the search bar)

  2. If Security Hub is not yet enabled, you will see a welcome page:

    • Click Go to Security Hub
    • Review the default security standards (AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark are selected by default)
    • Click Enable Security Hub
  3. If Security Hub is already enabled but no standards are active:

    • Click Security standards in the left navigation menu
    • Find AWS Foundational Security Best Practices v1.0.0
    • Click Enable
  4. Confirm the status shows Enabled on the Security Hub summary page

AWS CLI (optional)

Enable Security Hub with Default Standards

# Enable Security Hub with default standards (CIS and AWS Foundational)
aws securityhub enable-security-hub \
    --enable-default-standards \
    --region us-east-1

Enable Security Hub Without Default Standards

If you prefer to choose standards manually:

# Enable Security Hub without default standards
aws securityhub enable-security-hub \
    --no-enable-default-standards \
    --region us-east-1

Enable Specific Security Standards

After enabling Security Hub, you can enable specific standards:

# Enable AWS Foundational Security Best Practices
aws securityhub batch-enable-standards \
    --standards-subscription-requests \
        StandardsArn=arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0 \
    --region us-east-1

# Enable CIS AWS Foundations Benchmark v1.2.0
aws securityhub batch-enable-standards \
    --standards-subscription-requests \
        StandardsArn=arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 \
    --region us-east-1

CloudFormation (optional)

CloudFormation Template

Save the following template as securityhub.yaml:

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable AWS Security Hub with default security standards

Resources:
  SecurityHub:
    Type: AWS::SecurityHub::Hub
    Properties:
      Tags:
        Environment: Production
        ManagedBy: CloudFormation

Outputs:
  SecurityHubArn:
    Description: ARN of the Security Hub
    Value: !Ref SecurityHub
    Export:
      Name: SecurityHubArn

Deploy the Stack

aws cloudformation create-stack \
    --stack-name security-hub-enablement \
    --template-body file://securityhub.yaml \
    --region us-east-1

# Wait for stack creation to complete
aws cloudformation wait stack-create-complete \
    --stack-name security-hub-enablement \
    --region us-east-1

Note: The AWS::SecurityHub::Hub resource automatically enables the default security standards (AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark).

Terraform (optional)

Terraform Configuration

Create a file named main.tf:

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Enable AWS Security Hub
resource "aws_securityhub_account" "main" {
  enable_default_standards  = true
  control_finding_generator = "SECURITY_CONTROL"

  # Auto-enable new controls as they are released
  auto_enable_controls = true
}

# Enable AWS Foundational Security Best Practices standard
resource "aws_securityhub_standards_subscription" "aws_foundational" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
}

# Enable CIS AWS Foundations Benchmark
resource "aws_securityhub_standards_subscription" "cis" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}

Deploy with Terraform

terraform init
terraform plan
terraform apply

Verification

After enabling Security Hub, verify it is working correctly:

  1. In the AWS Console, navigate to Security Hub
  2. Confirm the Summary page displays findings and a compliance score
  3. Click Security standards and verify at least one standard shows as Enabled

CLI Verification Commands

# Check if Security Hub is enabled
aws securityhub describe-hub --region us-east-1

# List enabled security standards
aws securityhub get-enabled-standards --region us-east-1

Expected output for describe-hub shows a HubArn and SubscribedAt timestamp:

{
    "HubArn": "arn:aws:securityhub:us-east-1:123456789012:hub/default",
    "SubscribedAt": "2024-01-15T10:30:00.000Z",
    "AutoEnableControls": true,
    "ControlFindingGenerator": "SECURITY_CONTROL"
}
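As an added example (not part of this page or of any AWS tooling), the following Python script automates the verification above across every region, which matters because Security Hub is enabled per region: it makes the same DescribeHub and GetEnabledStandards calls the CLI commands issue and reports regions where the hub is missing or has no active standard. It assumes boto3 and AWS credentials for the live run; FakeHub and its fixture data are constructed stand-ins for offline use.

```python
from dataclasses import dataclass, field

@dataclass
class RegionStatus:
    region: str
    hub_enabled: bool
    standards: list = field(default_factory=list)
    error: str = ""

    def compliant(self):  # the check passes only with a hub AND at least one active standard
        return self.hub_enabled and bool(self.standards)

def evaluate_region(region, client):
    """client: anything exposing describe_hub()/get_enabled_standards(), e.g. a boto3 securityhub client."""
    try:
        client.describe_hub()  # raises InvalidAccessException when the account is not subscribed
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)
        return RegionStatus(region, False, error="" if code == "InvalidAccessException" else code)
    arns, token = [], None
    while True:  # GetEnabledStandards is paginated; PENDING shows briefly after batch-enable-standards
        page = client.get_enabled_standards(**({"NextToken": token} if token else {}))
        arns += [s["StandardsArn"] for s in page.get("StandardsSubscriptions", [])
                 if s.get("StandardsStatus") in ("READY", "PENDING")]
        token = page.get("NextToken")
        if not token:
            return RegionStatus(region, True, arns)

def audit(regions, make_client):
    """Return the regions that fail the check; make_client(region) builds a client for that region."""
    return [s for s in (evaluate_region(r, make_client(r)) for r in regions) if not s.compliant()]

class FakeHub:
    """Constructed stand-in for the API so the audit can be exercised offline."""
    def __init__(self, enabled, subs=()):
        self.enabled, self.subs = enabled, list(subs)
    def describe_hub(self):
        if self.enabled:
            return {"HubArn": "arn:aws:securityhub:us-east-1:123456789012:hub/default"}
        err = Exception("Account is not subscribed to AWS Security Hub")
        err.response = {"Error": {"Code": "InvalidAccessException"}}
        raise err
    def get_enabled_standards(self, NextToken=None):
        return {"StandardsSubscriptions": self.subs}

if __name__ == "__main__":  # live run against the account: needs boto3 and credentials
    import boto3
    s = boto3.Session()
    for st in audit(s.get_available_regions("securityhub"), lambda r: s.client("securityhub", region_name=r)):
        print(f"{st.region}: hub_enabled={st.hub_enabled} standards={len(st.standards)} {st.error}")
```

Regions where the hub is disabled print with hub_enabled=False; any other API error (opt-in region not activated, missing IAM permission) is reported by its error code rather than silently counted as compliant.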

Additional Resources

Notes

  • Multi-region consideration: Security Hub operates on a per-region basis. You need to enable it in each region where you have resources you want to monitor. Consider using AWS Organizations with delegated administrator for centralized management.

  • Cost implications: Security Hub has costs based on the number of security checks and findings ingested. Review the Security Hub pricing page before enabling.

  • Aggregation regions: You can designate one region as an aggregation region to consolidate findings from multiple regions into a single view.

  • Initial findings: After enabling Security Hub, it may take up to 24 hours for the initial set of security findings to be generated as standards are evaluated against your resources.

  • AWS Organizations: If you are using AWS Organizations, consider enabling Security Hub centrally through the organization management account or a delegated administrator account for consistent coverage across all member accounts.