Based on your setup with a Management account, Security Account (delegated admin), and two member accounts (Production and Staging), I understand the challenges you're facing with Security Hub findings and AWS Config enablement.

Understanding Your Issue

Your key concerns are:

- Critical findings in the Management account about AWS Config not being enabled in various regions
- Inability to enable AWS Config because regions appear disabled in the management account
- Questions about applicability of certain findings like ECR VPC endpoint requirements for Management/Security accounts
Expected Configuration in Your Environment
Yes, it is expected and recommended that Security Hub and AWS Config monitor both the delegated admin account and the management account. This follows security best practices for complete coverage across your entire organization. However, there's an important distinction to make: the Management account and Security account often have different requirements and workloads compared to your application accounts (Production/Staging).

Managing Different Requirements Across Account Types

Here are some strategies to handle your specific situation:
1. For the Region Disablement Issue
If regions appear disabled in the management account, you might need to:

- Check if there are any Service Control Policies (SCPs) restricting AWS Config in certain regions
- Ensure the IAM permissions in the Management account allow AWS Config enablement
- Consider enabling only the regions you actually use in your organization
2. For Control Scope Management

You have several options to manage control scopes between different account types:
Option A: Use Central Configuration
Security Hub's central configuration feature allows you to create different configuration policies for different account types (the policy document is passed with `--configuration-policy`; the policy's identifier is returned by the call, not chosen on creation):

    aws securityhub create-configuration-policy \
      --name "Management-Security-Policy" \
      --description "Limited controls for management accounts" \
      --configuration-policy '{"SecurityHub":{"ServiceEnabled":true,"EnabledStandardIdentifiers":["arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"]}}'

Then apply this policy to your management and security accounts, and a more comprehensive policy to your application accounts.
Option B: Selectively Disable Irrelevant Controls
In your Security account (delegated admin), you can selectively disable controls that don't make sense for management accounts (the reason field in this API is `UpdatedReason`):

    aws securityhub batch-update-standards-control-associations \
      --standards-control-association-updates '[{"SecurityControlId":"CloudTrail.1","StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0","AssociationStatus":"DISABLED","UpdatedReason":"Not applicable for management account"}]'
Best Practices for Your Setup
- Enable AWS Config in All Accounts: Even management accounts should have AWS Config enabled for proper security monitoring. Focus on the regions you actually use.
- Use Configuration Policies: Create separate configuration policies for:
  - Management/Security accounts (with fewer applicable controls)
  - Application accounts (with more comprehensive controls)
- Regional Strategy: If you only use specific regions, consider limiting Config/Security Hub enablement to those regions to reduce costs.
- Review Control Applicability: Review the Security Hub controls and disable those that don't apply to specific account types.
Useful Documentation
- Understanding Central Configuration in Security Hub
- Managing Security Hub Administrator and Member Accounts with Organizations
- Enabling and Configuring AWS Config for Security Hub
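The two-policy setup from Option A above, carried through end to end (create both policies, then associate each with its targets) as an added example that is not part of the original answer. It uses the Security Hub API shape boto3 exposes (`create_configuration_policy`, `start_configuration_policy_association`), takes the client as a parameter so the payloads can be checked without an AWS account, and assumes `us-east-1` as the delegated administrator's home region; the account IDs and OU ID are constructed placeholders, and the choice to express "all controls enabled" as an empty `DisabledSecurityControlIdentifiers` list is an assumption about the policy format.

```python
"""Build and apply Security Hub central-configuration policies per account type."""

CIS_1_2 = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
# The FSBP standard ARN is regional; us-east-1 as home region is an assumption.
FSBP = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"


def build_policy(enabled_standards, disabled_controls=()):
    """Return the ConfigurationPolicy document for create_configuration_policy.

    Listing the *disabled* controls (rather than the enabled ones) keeps every
    other control on, including controls AWS releases later, so the policy does
    not silently lose coverage as new controls ship.
    """
    return {
        "SecurityHub": {
            "ServiceEnabled": True,
            "EnabledStandardIdentifiers": list(enabled_standards),
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": list(disabled_controls)
            },
        }
    }


def apply_policies(client, plan):
    """plan: {policy_name: (description, policy_doc, [target dicts])}.

    Creates each policy in the delegated admin's home region and associates it
    with its targets (AccountId, OrganizationalUnitId or RootId). An account-level
    association takes precedence over one inherited from its OU.
    Returns {policy_name: policy_arn}.
    """
    arns = {}
    for name, (description, doc, targets) in plan.items():
        resp = client.create_configuration_policy(
            Name=name, Description=description, ConfigurationPolicy=doc)
        arns[name] = resp["Arn"]
        for target in targets:
            client.start_configuration_policy_association(
                ConfigurationPolicyIdentifier=resp["Arn"], Target=target)
    return arns


# Constructed plan mirroring the question's layout; IDs are placeholders.
# The disabled control for the management/security policy is the one the
# answer's Option B uses.
PLAN = {
    "Management-Security-Policy": (
        "Limited controls for management and security accounts",
        build_policy([CIS_1_2], disabled_controls=["CloudTrail.1"]),
        [{"AccountId": "111111111111"}, {"AccountId": "222222222222"}],
    ),
    "Workload-Policy": (
        "Full controls for Production and Staging",
        build_policy([CIS_1_2, FSBP]),
        [{"OrganizationalUnitId": "ou-placeholder-workloads"}],
    ),
}

if __name__ == "__main__":
    import boto3  # run from the delegated administrator account
    print(apply_policies(boto3.client("securityhub", region_name="us-east-1"), PLAN))
```

Run it from the delegated administrator account after central configuration has been turned on; `get-configuration-policy-association` on each target then shows whether the association succeeded.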