AWS: SecurityHub & Config Configuration Explained

AWS: SecurityHub & Config Configuration Explained

The AWS Documentation is vague on this subject, so this guide will detail the relationship between SecurityHub and Config. It's assumed that knowledge of what SecurityHub and AWS Config are is present. What will follow is based on AWS best practices.

Delegated Admin Account

You need to configure a delegated Admin account to control and house all the findings related to these 2 services. This allows all configuration related to these services across your organization to be done in one central place. This should also be in place for other services, such as GuardDuty, Macie, Detective, Inspector, etc.

This step is simple and involves the following steps:

  1. Login to your master billing account

  2. Go to SecurityHub

  3. Go to Settings

  4. Set Delegated Admin

  5. Enter your Delegated Admin account info

  6. Do the same for the Config service

Upon completing these steps, login to your Delegated Admin account.

Config Requirements

The documentation can be a bit confusing on this subject. Basically, SecurityHub uses a service-linked Config role to create rules in target accounts. These are Config rules specifically and live in the Config service. However, they are managed by AWS and prefixed with securityhub-*. You cannot change these rules, but you can view their compliance outcomes.

Now Config requires certain resource types to be recorded, but the documentation makes it seem like for SecurityHub to run at all you need to enable these. That is not true. You can have no resources at all recorded and still get SecurityHub findings. How is this possible?


There are two types of triggers in Config: Periodic and Change. Periodically triggered checks run on a schedule and do not require the resource recording to be provisioned. Change triggered checks run upon some change happening to the resource, and do require resource recording to be enabled. The list of required resources to be recorded for all checks covered in the documentation here.

This is important to understand because recording resources costs money. Your bill can blow up unexpectedly if you have a lot of one resource, or many resources being created and destroyed, as is usually the case in large environments controlled with Terraform. Consider the following as ways to mitigate this issue:

  • Only enable Config-triggered checks in production accounts

  • Specify only highly critical resources such as IAM users and S3 buckets as being recorded

  • Do not record resources that are created and destroyed constantly such as ENI

  • Setup cost alerts for all accounts

Enabling Standards

Back in SecurityHub, enable all the standards. Picking and choosing is fine, however, it is best practice to get as complete coverage as possible. The pros far outweigh any cons of enabling too many standards. The standards being enabled are what create the Config rules in the target accounts.

Upon enabling the standards, give them 24 hours to completely run. After that, controls will run every 12-24 hours, therefore it is best practice to use EventBridge to capture these events and send them to a SIEM somewhere.