Using Stax-managed Security Hub
Stax-managed Security Hub allows you to implement and manage AWS Security Hub central configuration capabilities to ensure any new and existing accounts are consistently being assessed for security threats and best practices.
Follow the below instructions to configure Stax-managed Security Hub or see the Stax API.
AWS Security Hub provides prepackaged standards which you can enable as part of configuring Stax-managed Security Hub. If you choose to enable standards, ensure you are aware of the pricing dimensions for AWS Security Hub.
About Security Hub central configuration
Central configuration in Security Hub allows the delegated Security Hub administrator (Stax-managed Security account) to set up the Security Hub service, security standards, and controls for all Organization accounts in a single aggregation Region referred to as the home Region.
The home Region controls the enablement of Security Hub in all other available Regions which are known as linked Regions. It is an AWS requirement that a home Region and at least one linked Region be enabled to use Security Hub central configuration. At a minimum, findings, insights, and other data from the home Region and one linked Region will be aggregated to the home Region in the Stax-managed Security account.
Migrating to central configuration in Security Hub provides several benefits:
-
Streamlined configuration process: Security Hub central configuration simplifies the setup of security best practices.
-
Consistent cross-account setup: Ensures a uniform Security Hub setup across multiple accounts and regions, promoting consistent security coverage throughout the organization.
-
Fine-grained configuration at OU level: Allows for customized setups, accommodating different configurations for accounts and OUs within the organization to meet specific needs.
-
Prevention of configuration drift: Prevents configuration drift by restricting changes to delegated administrators, and maintaining consistency in settings, while also offering the option for self-management in specific accounts or OUs.
-
Customization of control parameters: Configuration policies can be deployed to specify which standards and controls are enabled and disabled and can also be used to customize parameters for certain controls.
Before You Begin
- Estimated time to complete: 10 minutes (Deployment can take a few minutes or up to 2 hours depending on the number of in-scope accounts)
- Ensure you are a member of the Adminrolein your Stax tenancy
- Ensure you are authorized to override any existing configurations of Security Hub.
Stax does not disable Security Hub if you already have it turned on for an account, hence any existing findings should not be lost
Configure Security Hub
- Log in to the Stax Console
- Click Organization in the left-hand nav
- Choose Foundation Services in the sub-menu, beneath Service Control Policies, then Get Started on the Stax-managed Security Hub tile
- Review the changes that will be made as a result of configuring the service, then choose Continue
- Select the checkbox to confirm you will be overriding any existing Security Hub configuration
- Choose at least one linked Regions you want to enable
Stax recommends choosing the AWS Global Services Region us-east-1 (N. Virginia) as one of your linked Region. Stax deploys several resources into this Region, such as AWS Identity and Access Management (IAM), AWS Organizations, Amazon CloudFront, Amazon Route53, AWS Firewall Manager, and AWS Web Application Firewall (WAF).
-
Optional: Choose the standards you wish to enable
-
Choose Configure
AWS Security Hub will take some time to configure depending on the number of AWS accounts you have. Once configured, Stax-managed Security Hub will transition from Configuring to Active on the Foundation Services page.
Update AWS Security Hub Standards
Once you have configured Stax-managed Security Hub, you can enable and disable the compliance standards offered in AWS Security Hub.
-
On the Foundation Services page, choose the settings cog on the Stax-managed Security Hub tile
-
Click on the Edit button next to Settings
-
By default your Stax Installation Region is enabled
-
Choose the linked Regions you wish to assess. You must enable at least one linked Region to continue
-
Enable or disable a standard by clicking the toggle next to the standard
-
Click Save
AWS Security Hub will take some time to update depending on the number of AWS accounts you have. Once updated, Stax-managed Security Hub will transition from Configuring to Active on the Foundation Services page.
View AWS Security Hub Findings
To view findings from AWS Security Hub, you will need to log into the delegated administrator account in the aggregation region that Stax has configured for you.
Before you can log in to the account, you must be a member of a group that grants you appropriate access to the Security foundation account.
-
Choose Accounts in the left-hand nav
-
Click the log in button next to your organization's Security foundation account
-
Choose the role you wish to assume. The AWS Management Console will open in a new tab
-
Switch to your organization's home Region. The home Region is the AWS Region of your Stax Installation Region
-
Navigate to the AWS Security Hub service to review the findings for your organization's accounts
Customizing your Security Hub central configuration policy
By default, Stax associates the AWS recommended Security Hub policy with your entire AWS Organization by creating the a central configuration policy named StaxConfigurationPolicy and attaching it to the AWS Organizations Root OU. Stax encourages you to modify the StaxConfigurationPolicy within the AWS console to customize the enabled/disabled security controls across standards as well as customize the parameters for those enabled controls. Any modifications other than the above will be overridden by Stax.
For additional information please see the AWS documentation for updating a central configuration policyand available custom control parameters.
If you require further customized configuration Stax allows you to create your own central configuration policies which you can then directly attach to specific AWS Organizational Units (OUs) and AWS Accounts other than the AWS Organizations Root OU. Any central configuration policy attached to an AWS OU or AWS Account will take precedence over the StaxConfigurationPolicy. Policies applied to a specific AWS OUs are inherited by child AWS Accounts. This not only applies to existing accounts, but also to new accounts added to those OUs after you created the policy.
For additional information please see the AWS documentation for creating and associating a central configuration policy.