
Security standards in config and security hub


I see you can enable pre-defined security conformance packs like CIS, AWS Foundational or PCI via both AWS Config and Security Hub. Is there any difference in enabling them from one or the other? Can we enable them via Security Hub only and leave the conformance pack deactivated in Config?

1 Answer

Hi rePost-User-6703621,

The AWS Config conformance packs are not needed if you are using the standard in Security Hub.

The Security Hub FAQ gives a good explanation to help answer this:

Q: When do I use AWS Security Hub and AWS Config conformance packs?

If a compliance standard, such as PCI-DSS, is already present in AWS Security Hub, then the fully managed AWS Security Hub service is the easiest way to operationalize it. You can investigate findings via AWS Security Hub’s integration with Amazon Detective, and you can build automated or semi-automated remediation actions using AWS Security Hub’s Amazon EventBridge integration. However, if you want to assemble your own compliance or security standard, which may include security, operational or cost optimization checks, AWS Config conformance packs are the way to go. AWS Config conformance packs simplify management of AWS Config rules by packaging a group of AWS Config rules and associated remediation actions into a single entity. This packaging simplifies deployment of rules and remediation actions across an organization. It also enables aggregated reporting, as compliance summaries can be reported at the pack level. You can start with the AWS Config conformance samples we provide, and customize as you see fit.

answered 17 days ago
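A practical follow-up to the answer above is checking an account for double coverage: a framework that Security Hub is already evaluating as a standard and that is also deployed in Config as a conformance pack. The script below is an added example, not part of the re:Post thread or any AWS tooling. It works on the response shapes of `securityhub:GetEnabledStandards` and `config:DescribeConformancePacks` as plain dicts; the sample data is constructed, and the mapping from standard ARN keywords to conformance pack name fragments is an assumption made for this example. Only standards whose status is `READY` count as coverage, so a standard that is still enabling does not cause a pack to be flagged.

```python
"""Reconcile Security Hub standards against AWS Config conformance packs.

Added example (not from the re:Post thread). It reports which deployed
conformance packs duplicate a framework that Security Hub is already
evaluating, so they can be deactivated in Config as the answer suggests.
To run against a live account, replace the constructed dicts with boto3
calls; they are inlined here so the script runs offline.
"""
import re

# Keyword that identifies each Security Hub standard in its ARN, mapped to
# name fragments by which a conformance pack for the same framework is
# assumed to be named. The fragments are an assumption for this example.
STANDARD_TO_PACK_HINTS = {
    "cis-aws-foundations-benchmark": ("cis",),
    "pci-dss": ("pci",),
    "aws-foundational-security-best-practices": ("fsbp", "foundational"),
}

# Constructed sample in the shape of securityhub GetEnabledStandards.
ENABLED_STANDARDS = {
    "StandardsSubscriptions": [
        {"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
         "StandardsStatus": "READY"},
        {"StandardsArn": "arn:aws:securityhub:eu-west-1::standards/pci-dss/v/3.2.1",
         "StandardsStatus": "READY"},
        # Still enabling: not yet producing findings, so not treated as coverage.
        {"StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
         "StandardsStatus": "INCOMPLETE"},
    ]
}

# Constructed sample in the shape of config DescribeConformancePacks.
CONFORMANCE_PACKS = {
    "ConformancePackDetails": [
        {"ConformancePackName": "Operational-Best-Practices-for-CIS-Level1"},
        {"ConformancePackName": "Operational-Best-Practices-for-PCI-DSS"},
        {"ConformancePackName": "Operational-Best-Practices-for-FSBP"},
        # Custom pack with no Security Hub equivalent: stays in Config.
        {"ConformancePackName": "Cost-Optimization-Checks"},
    ]
}


def ready_standards(enabled):
    """Return the keys from STANDARD_TO_PACK_HINTS whose standard is READY in Security Hub."""
    keys = set()
    for sub in enabled.get("StandardsSubscriptions", []):
        if sub.get("StandardsStatus") != "READY":
            continue
        arn = sub["StandardsArn"]
        for key in STANDARD_TO_PACK_HINTS:
            if f"/{key}/" in arn:
                keys.add(key)
    return keys


def classify_packs(enabled, packs):
    """Split conformance packs into those duplicated by a READY Security Hub
    standard ('redundant') and those to keep in Config ('keep').

    Returns (redundant, keep) as lists of pack names in input order.
    """
    covered = ready_standards(enabled)
    hints = {h for k in covered for h in STANDARD_TO_PACK_HINTS[k]}
    redundant, keep = [], []
    for pack in packs.get("ConformancePackDetails", []):
        name = pack["ConformancePackName"]
        # Tokenise the pack name so "CIS" matches but "Discs" would not.
        tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
        if tokens & hints:
            redundant.append(name)
        else:
            keep.append(name)
    return redundant, keep


if __name__ == "__main__":
    redundant, keep = classify_packs(ENABLED_STANDARDS, CONFORMANCE_PACKS)
    print("Already evaluated by Security Hub (candidates to deactivate in Config):", redundant)
    print("Keep in Config:", keep)
```

With the constructed data, the CIS and PCI packs are reported as redundant, while the FSBP pack is kept because the corresponding Security Hub standard has not finished enabling, and the custom cost pack is kept because Security Hub has no standard for it.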
