Your Account Hierarchy
Ensure that you have set up an AWS Organizations hierarchy: a single top-level Organization, with or without OUs, and multiple member accounts under the root (or under the top-level OUs).
Always have a management (master) account and a separate Security account (aka Audit account). The Security account must not be the management account; day-to-day security tooling and findings live in the Security account, and the management account is used only for Organizations-level administration.
Security Hub Considerations
Security Hub should be enabled in every account and in every region you operate in. Control Tower enables it for new accounts it enrolls, and Security Hub's own Organizations integration can auto-enable it for new member accounts. Either way, designate the Security account as the Security Hub delegated administrator so that findings from all member accounts aggregate there.
Security Hub does not remediate findings on its own. Remediation is built by routing findings through an EventBridge rule (or a Security Hub custom action) to a Lambda function or a Systems Manager Automation runbook. AWS publishes a solution with pre-built remediation playbooks for a subset of controls, notably the overly permissive security group checks and the IAM credential and policy checks.
For Security Hub notifications you still need an EventBridge (formerly CloudWatch Events) rule with an SNS topic as its target. These notifications can be real-time (a rule matching "Security Hub Findings - Imported" events, fired as each finding arrives) or a recurring summary email (a scheduled rule that triggers a Lambda function to query findings and publish a digest).

https://aws.amazon.com/blogs/security/how-to-set-up-a-recurring-security-hub-summary-email/
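The two notification paths above, as an added example (this is not code from the original post or from AWS): a Lambda handler that turns "Security Hub Findings - Imported" events into SNS alerts, filtering so that only NEW, ACTIVE, HIGH/CRITICAL findings page anyone, plus a digest builder for the recurring summary email. The EventBridge pattern, the SNS_TOPIC_ARN environment variable and the severity threshold are assumptions, and the findings are constructed in the ASFF shape Security Hub uses.

```python
"""Security Hub -> SNS alerting and a recurring digest (added example, not from the post)."""
import os
from collections import Counter

# Assumed EventBridge rule pattern to attach to the real-time handler below.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "Workflow": {"Status": ["NEW"]},
        "RecordState": ["ACTIVE"],
    }},
}

ALERT_SEVERITIES = {"HIGH", "CRITICAL"}          # assumed paging threshold
OPEN_STATUSES = {"NEW", "NOTIFIED"}              # workflow states that still need work
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]


def actionable(finding):
    """Real-time alert only for active, unhandled, high-severity findings."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") == "NEW"
            and finding.get("Severity", {}).get("Label") in ALERT_SEVERITIES)


def format_alert(finding):
    """Plain-text message suitable for an SNS email subscription."""
    resources = ", ".join(r.get("Id", "?") for r in finding.get("Resources", []))
    return "\n".join([
        f"[{finding['Severity']['Label']}] {finding['Title']}",
        f"Account:   {finding['AwsAccountId']} ({finding.get('Region', '?')})",
        f"Resources: {resources}",
        f"Source:    {finding['ProductArn'].rsplit('/', 1)[-1]}",
        f"Finding:   {finding['Id']}",
    ])


def select_alerts(event):
    """Formatted messages for every actionable finding in one EventBridge event."""
    findings = event.get("detail", {}).get("findings", [])
    return [format_alert(f) for f in findings if actionable(f)]


def build_digest(findings):
    """Recurring summary: open findings counted by severity and by account."""
    open_findings = [f for f in findings
                     if f.get("RecordState") == "ACTIVE"
                     and f.get("Workflow", {}).get("Status") in OPEN_STATUSES]
    by_sev = Counter(f["Severity"]["Label"] for f in open_findings)
    by_acct = Counter(f["AwsAccountId"] for f in open_findings)
    lines = ["Security Hub summary", f"Active findings: {len(open_findings)}", "By severity:"]
    lines += [f"  {s}: {by_sev[s]}" for s in SEVERITY_ORDER if by_sev[s]]
    lines.append("By account:")
    lines += [f"  {a}: {n}" for a, n in sorted(by_acct.items(), key=lambda kv: -kv[1])]
    return "\n".join(lines)


def handler(event, context):
    """Lambda entry point for the real-time path: one SNS message per actionable finding."""
    import boto3  # imported here so the pure functions above run without AWS credentials
    topic = os.environ["SNS_TOPIC_ARN"]  # assumed to be set on the function
    sns = boto3.client("sns")
    messages = select_alerts(event)
    for msg in messages:
        sns.publish(TopicArn=topic, Subject=msg.splitlines()[0][:100], Message=msg)
    return {"published": len(messages)}


def _finding(fid, sev, status, acct, title, res_id):
    """Constructed ASFF-shaped finding for local testing (not a real finding)."""
    return {
        "Id": fid,
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "AwsAccountId": acct, "Region": "us-east-1", "Title": title,
        "Severity": {"Label": sev}, "Workflow": {"Status": status},
        "RecordState": "ACTIVE", "Resources": [{"Id": res_id}],
    }


SAMPLE_FINDINGS = [
    _finding("f-001", "CRITICAL", "NEW", "111111111111",
             "Security groups should not allow unrestricted access to port 22",
             "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0abc"),
    _finding("f-002", "LOW", "NEW", "111111111111",
             "CloudTrail should be enabled in all regions", "AWS::::Account:111111111111"),
    _finding("f-003", "HIGH", "SUPPRESSED", "222222222222",
             "IAM root user access key should not exist", "AWS::::Account:222222222222"),
]
SAMPLE_EVENT = {"source": "aws.securityhub",
                "detail-type": "Security Hub Findings - Imported",
                "detail": {"findings": SAMPLE_FINDINGS}}

if __name__ == "__main__":
    for m in select_alerts(SAMPLE_EVENT):
        print(m, "\n")
    print(build_digest(SAMPLE_FINDINGS))
```

The real-time path keeps the filter both in the EventBridge pattern (so the function is not invoked for noise) and in the code (so a rule edited to match everything cannot page on INFORMATIONAL findings). The digest path is meant to be called from a scheduled rule with the output of a paged GetFindings call; suppressed findings stay out of both, which is the point of the Workflow status.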

Anuj Varma, Hands-On Technology Architect, Clean Air Activist.