Many buckets created by AWSConfig StackSet (required for SecurityHub)
Enabling SecurityHub on my accounts. Thus I was asked to enable AWS Config on all accounts in all regions. I found the AWSConfig StackSet that does this automatically. Great automation, but is it expected that I get buckets for all regions in my accounts? That's around 20 buckets already, and the regular S3 quota in an account is 100. One account runs into bucket limits now. It seems odd that Config logs occupy 20% of the S3 quota...
I do have a Config Aggregator enabled in the security-tooling account, but that doesn't seem to help.
Can anyone confirm this is expected, or advise a best practice to do it another way?
I do have a separate log-archive account, too. Best to have the logs there, even, I think, if possible. Yet even then, with around 20 buckets per account, it can only host 5 accounts until the limit of 100 is reached (?) There must be a better way.
Thanks for reaching out to us. I understand that you're concerned about having to enable an S3 bucket per region, to meet the compliance requirement for CIS AWS Foundations Benchmark controls 2.5 – Ensure AWS Config is enabled for an AWS account.
- CIS AWS Foundations Benchmark controls - 2.5 – Ensure AWS Config is enabled - https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-2.5
You are able to use one S3 bucket for all regions per account to meet the compliance requirement. You do not need to use individual buckets per region. The audit steps performed by the Security Hub service to evaluate compliance are outlined in the document below, and step 6 (on page 72) for remediation mentions the following:
"Specify an S3 bucket in the same account or in another managed AWS account"
Therefore, you may incorporate this solution into your implementation.
I hope this clears your concerns. Let us know if you have any further questions that we can answer!
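The consolidation the answer describes, as an added example that is not part of the original thread or of the AWSConfig StackSet template: a Python script that builds the bucket policy a single central Config bucket in the log-archive account needs, checks that every PutObject grant in that policy is pinned to one member account's own AWSLogs/<account>/Config/ prefix, and emits the per-region delivery-channel definition you would pass to `aws configservice put-delivery-channel`. The bucket name and account IDs are constructed placeholders; the policy statements follow the shape AWS documents for the Config delivery channel (GetBucketAcl, ListBucket, PutObject with bucket-owner-full-control, conditioned on AWS:SourceAccount). No AWS API call is made.

```python
"""Central AWS Config delivery bucket: policy generation and a scoping check.

Added example, not code from the thread or the StackSet. Bucket name and
account IDs below are constructed; replace them with your own.
"""
import json

CENTRAL_BUCKET = "example-org-config-logs"          # assumption: log-archive bucket
MEMBER_ACCOUNTS = ["111111111111", "222222222222"]  # constructed account IDs
CONFIG_PRINCIPAL = {"Service": "config.amazonaws.com"}


def config_bucket_policy(bucket, accounts):
    """Bucket policy letting AWS Config in each member account deliver into
    this one bucket, but only under its own AWSLogs/<account>/Config/ prefix."""
    arn = f"arn:aws:s3:::{bucket}"
    statements = []
    for acct in accounts:
        src = {"StringEquals": {"AWS:SourceAccount": acct}}
        statements.append({
            "Sid": f"AWSConfigBucketPermissionsCheck{acct}",
            "Effect": "Allow", "Principal": CONFIG_PRINCIPAL,
            "Action": "s3:GetBucketAcl", "Resource": arn, "Condition": src,
        })
        statements.append({
            "Sid": f"AWSConfigBucketExistenceCheck{acct}",
            "Effect": "Allow", "Principal": CONFIG_PRINCIPAL,
            "Action": "s3:ListBucket", "Resource": arn, "Condition": src,
        })
        statements.append({
            "Sid": f"AWSConfigBucketDelivery{acct}",
            "Effect": "Allow", "Principal": CONFIG_PRINCIPAL,
            "Action": "s3:PutObject",
            # Config writes AWSLogs/<account>/Config/<region>/... itself,
            # so one bucket serves every region of every member account.
            "Resource": f"{arn}/AWSLogs/{acct}/Config/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "AWS:SourceAccount": acct,
            }},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_put_statements(policy):
    """Return the Sids of Allow/PutObject statements that are not pinned to a
    single source account's own Config prefix (the confused-deputy check a
    shared log bucket needs)."""
    bad = []
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "s3:PutObject" not in actions:
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        acct = cond.get("AWS:SourceAccount")
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        ok = (acct is not None
              and cond.get("s3:x-amz-acl") == "bucket-owner-full-control"
              and resources
              and all(f"/AWSLogs/{acct}/Config/" in r for r in resources))
        if not ok:
            bad.append(st.get("Sid", "<no Sid>"))
    return bad


def delivery_channel(region, bucket, name="default"):
    """Delivery-channel document for one region, all pointing at the same
    bucket. Apply per region with:
      aws configservice put-delivery-channel --region <region> \
          --delivery-channel file://channel-<region>.json
    (shown only; not executed here)."""
    return {
        "name": name,
        "s3BucketName": bucket,
        # No s3KeyPrefix: Config adds AWSLogs/<account>/Config/<region>/...
        "configSnapshotDeliveryProperties": {"deliveryFrequency": "TwentyFour_Hours"},
    }


if __name__ == "__main__":
    policy = config_bucket_policy(CENTRAL_BUCKET, MEMBER_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("unscoped PutObject grants:", unscoped_put_statements(policy))
    for region in ("eu-west-1", "us-east-1"):
        print(region, json.dumps(delivery_channel(region, CENTRAL_BUCKET)))
```

Each region still needs its own configuration recorder and delivery channel (that part of the StackSet stays), but every delivery channel in every account can name the same bucket. The per-account prefix plus the AWS:SourceAccount condition is what keeps one member account from writing into, or reading as, another account's Config history in the shared bucket.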
Thank you. That clears my concerns. It's just the StackSet example which automates this for all regions that creates all the different buckets then, but I can (manually, or by changing the stackset settings perhaps) consolidate it into a single bucket per account, that's good to know. Thanks!
Hi, can I follow up on your answer? This works well for AWS Config and AWS CloudTrail, which can record their logs/trails in one bucket (with subfolders for regions). However, when I enable server access logging for S3 and VPC Flow Logging (both security requirements), I cannot specify a bucket in a different region in the S3 Permissions tab. This means I have to have server access logging buckets for each region in my account, plus VPC flow logging buckets for each region? Can I consolidate this into fewer buckets? Thanks!