Security Hub Master Invites Not Received

Yes the problem is that in control tower master, aws config is not enabled when control tower is set up. Cloudtrail is enabled but not config.

I've replied to an older conversation in the Control Tower forum seeking to find out if this is deliberate or an omission. It should be straight forward to fix, but would like to know if there is any particular reason why it isn't done during control tower setup.

When you say the invites weren't received, were you expecting emails to be sent? If so, we don't send emails. However, if you send out invites from the master account, you should be able to log into the member accounts and see the invites in the settings page. This script is the best way to automate invites and acceptances:https://github.com/awslabs/aws-securityhub-multiaccount-scripts

We are in the process of onboarding with AWS Organizations and when that is completed, you will be able to bypass the invite process all together (similar to GuardDuty).

Thanks for getting back to me. I wasn't expecting an email invitation, I believe I should be able to go to Security Hub -> Settings -> Accounts and find the invitation there. It wasn't but just figured it out.

I'm used to using cross-account roles with an IAM user for switching between accounts but have started using SSO. With the IAM user you end up in the same region, whereas SSO either remembers it or puts you in a random region? With the three accounts I checked I had security hub master in Ireland, control tower master in Sydney and another in Ohio. Hence the invitations didn't match up. I've now moved everything to Sydney where it was supposed to be and disabled the security hubs in the other regions

However, I'm now seeing the following message on the summary screen of all enabled accounts and "Findings" in Security Hub master are all showing as failed (other account findings haven't failed). Could this be due to deleting in one region and creating in another? Will it resolve itself? AWS config was setup by control tower and hasn't been altered manually.

AWS Config is not appropriately enabled on some accounts
AWS Config is required for Security Hub's security checks. Review remediation steps for the related findings for CIS 2.5. If you recently enabled AWS Config, note that it can take up to 12 hours for Security Hub to detect the change.

Thanks for you help.

Whoops. Sorry those "failed" status are not that the check failed to execute, just that the check failed.

The AWS Config message from the summary screen now only appears on Security Hub master and Security Hub in the Control Tower master account. Both cases seem to be related to the one issue "2.5 Ensure AWS Config is enabled" in the control tower member account.

Since it did disappear from the other account, I'm assuming it will resolve itself within the mentioned 12 hour period.

You do need to turn on recording of all resources, including global resources for that control to PASS. If you dont want to record global resources in that particular region, we recommend disabling that control. See guidance here: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-to-disable.html

In the future we do plan to make that 2.5 check smarter so that it passes if you have global resources recorded in at least one region.