Changes to Stax-managed Security Hub
On 12 February 2024, Stax will implement changes to the configuration of Stax-managed Security Hub. This update will align the Stax-managed Security Hub service with the new AWS Security Hub central configuration capability announced by AWS. This new feature enables the centralization of your Organization's Security Hub configuration and aggregation of all findings across your Organization accounts and Regions to a single account and Region.
About Security Hub central configuration
Central configuration in Security Hub allows the delegated Security Hub administrator (Stax-managed Security account) to set up the Security Hub service, security standards, and controls for all Organization accounts in a single aggregation Region referred to as the home Region.
The home Region controls the enablement of Security Hub in all other available Regions, which are known as linked Regions. It is an AWS requirement that a home Region and at least one linked Region be enabled to use Security Hub central configuration. At a minimum, findings, insights, and other data from the home Region and one linked Region will be aggregated to the home Region in the Stax-managed Security account.
Migrating to central configuration in Security Hub provides several benefits:
- Streamlined configuration process: Security Hub central configuration simplifies the setup of security best practices.
- Consistent cross-account setup: Ensures a uniform Security Hub setup across multiple accounts and regions, promoting consistent security coverage throughout the organization.
- Fine-grained configuration at OU level: Allows for customized setups, accommodating different configurations for accounts and OUs within the organization to meet specific needs.
- Prevention of configuration drift: Prevents configuration drift by restricting changes to delegated administrators, and maintaining consistency in settings, while also offering the option for self-management in specific accounts or OUs.
- Customization of control parameters: Configuration policies can be deployed to specify which standards and controls are enabled and disabled and can also be used to customize parameters for certain controls.
To find out more about AWS Security Hub central configuration, see the AWS User Guide.
Identifying your Security Hub home and linked Regions in Stax
Stax will delegate your Stax Installation Region as your home Region in centrally configured Security Hub. All other AWS Regions enabled in your AWS Organization can be delegated as linked Regions in Stax-managed Security Hub.
Changes to Stax-managed Security Hub configuration
The following sections outline the Stax-managed Security Hub configuration before and after the change.
Before the change
- Stax enables Security Hub and configures cross-region aggregation for every available Region in every account in the Stax organization.
- Supported Security Hub standards and controls are only enabled in the Regions explicitly enabled in the Stax-managed Security Hub.
- The designated Security Hub administrator account is the Stax-managed Security account.
After the change
- Stax will continue to configure the Stax-managed Security account as the designated Security Hub administrator account for your Organization.
- Stax will deploy Security Hub configuration policies to the home Region in the delegated administrator (Stax-managed Security account) for central management of Security Hub in all accounts in your Organization.
- Your Stax Installation Region will be designated as your home Region for centralized Security Hub configuration. This will be the aggregation location of findings for all linked Regions.
- Cross-region aggregation will only be enabled for your home Region and at least one linked Region.
- Supported Security Hub standards and controls will only be enabled in your home Region and any linked Regions you enable.
How to prepare for the change
For those who have already activated Stax-managed Security Hub, carefully review the following to understand the impact of these changes on your organization.
You may be required to take action to avoid interruption to service.
Scenario 1: Stax-managed Security Hub is not enabled in your organization
If your organization has not enabled Stax-managed Security Hub, you don't need to take any action.
You can follow our guide Using Stax-managed Security Hub to enable the new capability at any time.
Scenario 2: Stax-managed Security Hub is enabled in all Stax-supported Regions
For users who have already enabled Stax-managed Security Hub but have no standards or controls enabled and wish to maintain the service with cross-region aggregation in all available Regions, take the following action:
- Log in to the Stax Console
- Click Organization in the left-hand nav
- Choose Foundation Services in the sub-menu
- On the Foundation Services page, choose the settings cog on the Stax-managed Security Hub tile
- Click on the Edit button next to Settings
- Update your current Stax-managed Security Hub configuration by toggling on the "All Regions" option or selecting individual AWS Regions from the list
- Click Save
Stax Action
Stax will automatically update your settings by configuring your Stax Installation Region as your home Region. Any other enabled Regions in Stax-managed Security Hub will be treated like linked Regions.
Note: If no action is taken, Stax will only enable and aggregate Security Hub in Regions enabled in the Stax-managed Security Hub service.
Scenario 3: Stax-managed Security Hub is only enabled in your Stax Installation Region
If you currently have Stax-managed Security Hub in a single AWS Region and that Region is the same as your Stax Installation Region, you must now specify at least one other linked Region to use central configuration. Follow these steps to enable a linked Region in Stax-managed Security Hub:
- Log in to the Stax Console
- Click Organization in the left-hand nav
- Choose Foundation Services in the sub-menu
- On the Foundation Services page, choose the settings cog on the Stax-managed Security Hub tile
- Click on the Edit button next to Settings
- Ensure your Stax Installation Region (your home Region) is already enabled (toggled on)
- Toggle on at least one other AWS Region from the list
- Click Save
Stax Action
Stax will automatically update your settings by configuring your Stax Installation Region as your home Region. Any other enabled Regions in Stax-managed Security Hub will be treated like linked Regions. There will be no changes made to your enabled or disabled standards settings.
Note: If no action is taken by you, Stax will automatically enable your Stax Installation Region as your home Region. In addition, Stax will designate us-east-1 as your required linked Region. This action will result in AWS Security Hub aggregating findings in a minimum of two Regions across all your AWS accounts and may result in additional costs. See Security Hub free trial, usage, and pricing to understand the cost implications of enabling AWS Security Hub in your home and linked Regions.
Scenario 4: Stax-managed Security Hub is not enabled in the home (Stax Installation) Region
For users with Stax-managed Security Hub enabled in a single AWS Region that is not their Stax Installation Region, no action is necessary.
Stax Action
Stax will automatically configure your Stax Installation Region as your home Region. All other enabled Regions will be treated as linked Regions. See Security Hub free trial, usage, and pricing to understand the cost implications of Stax enabling the home Region in centrally configured AWS Security Hub.
Note: If you do not want Stax to make these changes to your configuration, you can opt out of Stax-managed Security Hub by raising a support case.
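The following is an added example, not Stax's or AWS's code. It puts the rules above into two small checks: plan_stax_change() classifies an Organization into one of the four scenarios from the Stax Installation Region and the Regions currently toggled on in the Stax-managed Security Hub settings, and reports the home and linked Regions the notice says Stax will configure if no action is taken; check_central_configuration() verifies the "After the change" layout against the two Security Hub API responses an operator would fetch with boto3 from the delegated administrator account in the home Region (describe_organization_configuration and get_finding_aggregator). The response field names are assumed from the public Security Hub API; the account id, aggregator ARN and Region choices in the sample responses are constructed so the module runs offline.

```python
"""Scenario classifier and post-change verifier for Stax-managed Security Hub.

Added example (not Stax's or AWS's code). The API response shapes are an
assumption based on the public Security Hub API; sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Fallback linked Region the notice says Stax designates in Scenario 3.
DEFAULT_LINKED_REGION = "us-east-1"


@dataclass
class ChangePlan:
    scenario: int                   # 1..4 as numbered in the notice
    home_region: Optional[str]      # None when Security Hub stays disabled
    linked_regions: list[str] = field(default_factory=list)
    note: str = ""


def plan_stax_change(installation_region: str, enabled_regions: set[str]) -> ChangePlan:
    """Which scenario applies, and what Stax configures if you take no action."""
    if not enabled_regions:
        # Scenario 1: Stax-managed Security Hub is not enabled; nothing changes.
        return ChangePlan(1, None, note="not enabled; no action needed")
    home = installation_region
    others = sorted(r for r in enabled_regions if r != home)
    if home not in enabled_regions:
        # Scenario 4: Stax enables the Installation Region as home; the rest are linked.
        return ChangePlan(4, home, others, "Stax enables the home Region; may add cost")
    if not others:
        # Scenario 3: a home Region alone cannot use central configuration;
        # without action Stax links us-east-1, which may add cost.
        return ChangePlan(3, home, [DEFAULT_LINKED_REGION],
                          "add at least one linked Region or us-east-1 is linked")
    # Scenario 2: home Region plus one or more linked Regions already selected.
    return ChangePlan(2, home, others,
                      "only Regions enabled in Stax settings are aggregated")


@dataclass
class ConfigCheck:
    ok: bool
    problems: list[str] = field(default_factory=list)


def check_central_configuration(installation_region: str,
                                org_config: dict, aggregator: dict) -> ConfigCheck:
    """Verify the post-change layout from the two API responses."""
    problems: list[str] = []
    conf = org_config.get("OrganizationConfiguration", {})
    if conf.get("ConfigurationType") != "CENTRAL":
        problems.append("Organization is not using central configuration")
    if conf.get("Status") != "ENABLED":
        problems.append(f"central configuration status is {conf.get('Status')!r}")
    home = aggregator.get("FindingAggregationRegion")
    if home != installation_region:
        problems.append(f"aggregation Region {home!r} is not the Installation Region")
    mode = aggregator.get("RegionLinkingMode")
    # For SPECIFIED_REGIONS the Regions list holds the linked Regions; drop the
    # home Region defensively in case a caller includes it.
    linked = [r for r in aggregator.get("Regions", []) if r != home]
    if mode == "NO_REGIONS" or (mode == "SPECIFIED_REGIONS" and not linked):
        problems.append("no linked Region: central configuration needs at least one")
    return ConfigCheck(ok=not problems, problems=problems)


# Constructed sample responses for an Organization whose Installation Region
# is ap-southeast-2 (account id and ARN are placeholders).
SAMPLE_ORG_CONFIG = {
    "OrganizationConfiguration": {"ConfigurationType": "CENTRAL", "Status": "ENABLED"},
}
SAMPLE_AGGREGATOR = {
    "FindingAggregatorArn": "arn:aws:securityhub:ap-southeast-2:111111111111:"
                            "finding-aggregator/EXAMPLE",
    "FindingAggregationRegion": "ap-southeast-2",
    "RegionLinkingMode": "SPECIFIED_REGIONS",
    "Regions": ["us-east-1"],
}

if __name__ == "__main__":
    print(plan_stax_change("ap-southeast-2", {"ap-southeast-2"}))
    print(check_central_configuration("ap-southeast-2", SAMPLE_ORG_CONFIG, SAMPLE_AGGREGATOR))
```

To run this against a real Organization, replace the two sample dictionaries with the responses from boto3's securityhub client (the aggregator ARN comes from list_finding_aggregators) called from the delegated administrator account in the home Region; a non-empty problems list means the layout does not yet match the "After the change" section.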