Central Configuration Policies

Central Configuration Policies is a feature of NTC Security Tooling that provides centralized management of AWS Security Hub configurations across your entire AWS organization. By leveraging AWS Security Hub's native central configuration capabilities, you can define standardized security policies once and automatically apply them to specific organizational units or accounts, eliminating the need for manual configuration in each account.

Overview

The Central Configuration Policies feature in NTC Security Tooling leverages AWS Security Hub's native central configuration capabilities to enforce consistent security standards across your organization.

This feature builds on AWS Security Hub's central configuration, which allows a delegated Security Hub administrator to:

  • Enable or disable Security Hub service across multiple accounts and regions
  • Configure security standards and controls for organizational units (OUs) and accounts
  • Create configuration policies that prevent configuration drift
  • Apply different security configurations to different parts of your organization

NTC Security Tooling simplifies this native functionality by providing Infrastructure as Code (IaC) management through Terraform, making it easy to define, version, and deploy configuration policies as part of your overall security automation.

Key Benefits

Using Central Configuration Policies in NTC Security Tooling provides significant advantages over manual account-by-account configuration:

Operational Efficiency

  • Centralized Management: Configure Security Hub across multiple accounts and regions from a single location
  • Automated Deployment: New accounts automatically inherit security configurations from their organizational unit
  • Infrastructure as Code: Version-controlled policies ensure consistent deployments and easy rollbacks

Security & Compliance

  • Configuration Drift Prevention: Centrally managed accounts can only be configured by the delegated administrator
  • Consistent Security Posture: Identical security configurations across all accounts in your organization
  • Compliance Alignment: Apply AWS regulatory standards combined with custom security controls
  • Security Baseline: Set minimum security requirements organization-wide

Flexibility & Control

  • Granular Targeting: Apply different policies to different organizational units or specific accounts
  • Mixed Management: Combine centrally managed and self-managed accounts based on your needs
  • Custom Security Controls: Define tailored security controls according to your internal policies

How Central Configuration Policies Work

Central Configuration Policies in NTC Security Tooling utilize AWS Security Hub's native central configuration architecture:

Architecture Overview

  1. Delegated Administrator: A designated Security Hub administrator account manages policies across the organization
  2. Home Region: The primary AWS region from which all configuration policies are managed
  3. Linked Regions: Additional regions where policies are automatically applied
  4. Configuration Policies: Collections of Security Hub settings that define security standards and controls
  5. Target Assignment: Policies are applied to specific accounts, organizational units, or the organization root

Policy Components

Central Configuration Policies defined through NTC Security Tooling specify:

  • Security Hub Service: Whether Security Hub is enabled or disabled in target accounts
  • Security Standards: Which security frameworks to enable (AWS Foundational Security Best Practices, CIS, NIST, PCI-DSS)
  • Security Controls: Specific controls to enable or disable across standards
  • Custom Parameters: Tailored configurations for specific security controls
  • Target Scope: Which organizational units or accounts receive the policy

Implementation

Prerequisites

To use Central Configuration Policies, you must have:

  • AWS Organizations set up with a delegated Security Hub administrator account
  • NTC Security Tooling deployed in the Security Hub administrator account
  • Security Hub aggregation enabled (required for central configuration)

Enabling Central Configuration

First, enable Security Hub central configuration and aggregation in your NTC Security Tooling module:

module "ntc_security_tooling" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-security-tooling?ref=X.X.X"

  # set to true to enable the securityhub standards that securityhub has designated as automatically enabled
  # use 'securityhub_central_configuration_polices' to configure security standards across the entire aws organization
  enable_securityhub_default_standards = false

  # securityhub aggregation is required for central configuration
  enable_securityhub_central_configuration = true
  enable_securityhub_aggregation           = true
  # can be either "ALL_REGIONS" or a list of regions which should be aggregated
  # this will also apply the central configuration policies to the specified regions
  securityhub_aggregation_regions = [
    # "eu-central-1", # the current (home) region must be excluded from this list
    "eu-central-2",
    "us-east-1"
  ]
}

Defining Central Configuration Policies

You can define your central configuration policies using the securityhub_central_configuration_polices variable in the NTC Security Tooling module. The variable takes a list of policies, each with its own list of targets.

For each policy, you can specify the following properties:

Policy Properties

| Property                     | Description                                                        | Type    | Required           |
|------------------------------|--------------------------------------------------------------------|---------|--------------------|
| name                         | Unique identifier for the configuration policy                     | String  | Yes                |
| description                  | Human-readable description of the policy's purpose                 | String  | Yes                |
| enable_securityhub           | Whether to enable Security Hub in target accounts                  | Boolean | No (default: true) |
| policy_targets               | Target OUs or account IDs where the policy should be applied       | List    | Yes                |
| enabled_standards            | Security frameworks to enable (AWS Foundational, CIS, NIST, PCI-DSS) | List  | No                 |
| enabled_control_ids          | Specific security controls to enable                               | List    | No                 |
| disabled_control_ids         | Specific security controls to disable                              | List    | No                 |
| customized_security_controls | Custom parameters for specific security controls                   | List    | No                 |

Example Central Configuration Policy

In the following HCL example, we define a central configuration policy that enables Security Hub and applies several security standards and default/custom controls across targets.

# define securityhub central configuration policies
# https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html
securityhub_central_configuration_polices = [
  {
    name               = "ntc-securityhub-central-policy"
    description        = "securityhub central policy"
    enable_securityhub = true

    policy_targets = [
      # you can target specific AWS accounts
      local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-management"],

      # or you can target specific organizational units (OUs)
      local.ntc_parameters["mgmt-organizations"]["ou_ids"]["/root/core"]
    ]

    enabled_standards = [
      "aws-foundational-security-best-practices/v/1.0.0",
      # "nist-800-53/v/5.0.0",
      # "pci-dss/v/3.2.1",
    ]

    # either provide a list of control ids which should be enabled (all other existing and future controls will be disabled)
    enabled_control_ids = []

    # or a list of control ids which should be disabled (all other existing and future controls will be enabled)
    # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html
    disabled_control_ids = [
      "IAM.9",    # "MFA should be enabled for the root user"
      "Config.1", # "AWS Config should be enabled"
      "EC2.10",   # "Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22"
      "S3.1"      # "S3 general purpose buckets should have block public access settings enabled"
    ]

    # some controls allow their parameters to be customized
    customized_security_controls = [
      {
        control_id = "IAM.7"
        parameters = [
          {
            name  = "MaxPasswordAge"
            value = 60
            type  = "Integer"
          },
          {
            name  = "RequireNumbers"
            value = false
            type  = "Boolean"
          }
        ]
      }
    ]
  }
]
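The property table and the HCL example above imply a handful of consistency rules (unique policy names, a non-empty target list, one directly assigned policy per target, an enabled-or-disabled control list but not both, parameter values matching their declared type). The following added example, which is not part of NTC Security Tooling, is a pre-apply linter for such a policy list; the sample policy mirrors the HCL example, and the account and OU ids in it are placeholders.

```python
import re

# Constructed sample mirroring the page's HCL policy; account and OU ids are placeholders.
SAMPLE_POLICIES = [{
    "name": "ntc-securityhub-central-policy",
    "description": "securityhub central policy",
    "enable_securityhub": True,
    "policy_targets": ["111111111111", "ou-placeholder-core"],
    "enabled_standards": ["aws-foundational-security-best-practices/v/1.0.0"],
    "enabled_control_ids": [],
    "disabled_control_ids": ["IAM.9", "Config.1", "EC2.10", "S3.1"],
    "customized_security_controls": [{"control_id": "IAM.7", "parameters": [
        {"name": "MaxPasswordAge", "value": 60, "type": "Integer"},
        {"name": "RequireNumbers", "value": False, "type": "Boolean"},
    ]}],
}]

CONTROL_ID = re.compile(r"^[A-Za-z0-9]+\.\d+$")  # e.g. IAM.9, EC2.10
VALUE_TYPES = {"Integer": int, "Boolean": bool}   # the two parameter types shown on the page


def lint_policies(policies: list[dict]) -> list[str]:
    """Return findings for a securityhub_central_configuration_polices list; empty means consistent."""
    findings: list[str] = []
    seen: set[str] = set()
    owner: dict[str, str] = {}  # target -> policy that assigns it directly
    for p in policies:
        name = p.get("name", "<unnamed>")
        if name in seen:
            findings.append(f"{name}: duplicate policy name")
        seen.add(name)
        if not p.get("policy_targets"):
            findings.append(f"{name}: policy_targets is required and must not be empty")
        # an account or OU can have only one policy applied directly to it
        for t in p.get("policy_targets", []):
            if t in owner:
                findings.append(f"{name}: target {t} is already assigned by {owner[t]}")
            owner.setdefault(t, name)
        # the enabled list and the disabled list are alternatives, not complements
        if p.get("enabled_control_ids") and p.get("disabled_control_ids"):
            findings.append(f"{name}: set enabled_control_ids or disabled_control_ids, not both")
        for cid in p.get("enabled_control_ids", []) + p.get("disabled_control_ids", []):
            if not CONTROL_ID.match(cid):
                findings.append(f"{name}: malformed control id {cid!r}")
        # a customized parameter value must be of its declared type (exact type, so bool is not int)
        for custom in p.get("customized_security_controls", []):
            for param in custom.get("parameters", []):
                expected = VALUE_TYPES.get(param.get("type"))
                if expected is not None and type(param.get("value")) is not expected:
                    findings.append(f"{name}: {custom.get('control_id')}/{param.get('name')} is not of type {param.get('type')}")
    return findings
```

Run it against the decoded policy list (for example from `terraform show -json`) in CI so that a conflicting or mistyped policy is caught before the delegated administrator applies it.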

Alternative: Default Standards without Central Configuration

If you prefer not to use central configuration and want to enable default Security Hub standards locally, you can use the enable_securityhub_default_standards variable. However, we recommend using central configuration for better organizational control and consistency.

module "ntc_security_tooling" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-security-tooling?ref=X.X.X"

  enable_securityhub_default_standards = true
}

Best Practices

  • Use Organizational Units: Leverage OU-based targeting for automatic policy application to new accounts
  • Start with AWS Baselines: Begin with AWS-defined security standards and customize based on your requirements
  • Version Control: Maintain configuration policies in Git repositories for audit trails and change management
  • Test in Non-Production: Validate policy changes in development environments before applying to production
  • Monitor Policy Associations: Regularly review which accounts and OUs are using each configuration policy
  • Document Custom Controls: Clearly document the purpose and parameters of customized security controls

Frequently Asked Questions

What accounts are affected by central configuration policies?

Central configuration policies apply to centrally managed accounts and OUs. Self-managed accounts configure their own Security Hub settings independently. The delegated administrator designates which accounts are centrally managed vs. self-managed.

How do I handle accounts that need different security standards?

Create separate configuration policies for different security requirements and target them to appropriate OUs or specific accounts. For example, create different policies for production, development, and sandbox environments.

What happens to existing Security Hub configurations?

When you apply a central configuration policy to an account, it overrides any existing local Security Hub configurations. The centrally defined settings take precedence and prevent configuration drift.

Can I apply multiple policies to the same account?

No, each account can only have one active configuration policy. However, accounts can inherit policies from their parent OU, and you can apply different policies to different accounts within the same OU by targeting them individually.

What accounts are excluded from central configuration?

  • Suspended accounts: Policies are not applied to suspended accounts
  • Accounts in transition: Accounts being moved between OUs may temporarily not receive policy updates
  • Self-managed accounts: These accounts manage their own Security Hub settings independently

How do policy inheritance and application work?

  • Applied policies: Directly assigned to an account or OU by the delegated administrator
  • Inherited policies: Accounts inherit policies from their parent OU or organization root
  • Precedence: Applied policies take precedence over inherited policies
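To make the precedence rules concrete, the following added example (not part of NTC Security Tooling or the AWS API) resolves the effective policy of an account or OU from a constructed organization tree: a directly applied policy wins, otherwise the nearest ancestor with an applied policy is inherited, and self-managed accounts receive none. All ids and policy names are placeholders.

```python
from typing import Optional

# Constructed organization tree: child -> parent (placeholders, not real ids).
PARENT = {
    "ou-core": "r-root",
    "ou-workloads": "r-root",
    "ou-prod": "ou-workloads",
    "111111111111": "ou-core",
    "222222222222": "ou-prod",
    "333333333333": "ou-prod",
    "444444444444": "ou-core",
}
# Policies assigned directly by the delegated administrator (APPLIED associations).
APPLIED = {
    "r-root": "baseline-policy",
    "ou-prod": "prod-policy",
    "333333333333": "sandbox-policy",  # per-account override inside ou-prod
}
# Accounts the delegated administrator designated as self-managed.
SELF_MANAGED = {"444444444444"}


def effective_policy(target: str) -> tuple[Optional[str], Optional[str]]:
    """Return (policy_name, 'APPLIED' | 'INHERITED') for an account or OU, or (None, None)."""
    if target in SELF_MANAGED:
        return None, None                     # self-managed: no central policy in effect
    if target in APPLIED:
        return APPLIED[target], "APPLIED"     # direct assignment takes precedence
    node = PARENT.get(target)
    while node is not None:                   # walk up to the organization root
        if node in APPLIED:
            return APPLIED[node], "INHERITED"
        node = PARENT.get(node)
    return None, None


def accounts_by_policy() -> dict[str, list[str]]:
    """Group every account (12-digit id) under the policy that governs it, for association review."""
    report: dict[str, list[str]] = {}
    for node in PARENT:
        if node.isdigit() and len(node) == 12:
            policy, _ = effective_policy(node)
            report.setdefault(policy or "<none>", []).append(node)
    return {k: sorted(v) for k, v in report.items()}
```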

Conclusion

The Central Configuration Policies feature in NTC Security Tooling provides a powerful and scalable approach to managing AWS Security Hub configurations across your organization. By leveraging AWS Security Hub's native central configuration capabilities through Infrastructure as Code, you can:

  • Eliminate Configuration Drift: Ensure consistent security posture across all managed accounts
  • Reduce Operational Overhead: Manage security policies centrally instead of configuring each account individually
  • Maintain Compliance: Apply standardized security frameworks and custom controls organization-wide
  • Enable Flexible Governance: Combine centrally managed and self-managed accounts based on your operational needs

The ability to define policies in Terraform, target specific organizational units, and customize security controls provides the flexibility needed to align with your organization's unique security requirements while maintaining the benefits of centralized management.