top of page

More about AWS Landing Zone (Part 2)

Automat-IT is moving forward with our Landing Zone solutions. The previous post demonstrated an IP management solution, Backup Policies and License Manager. This post describes some security and compliance topics as well as cost optimization, in particular we will take a look at Security Hub, Tag Policies, Resource groups and Budgets with alerts.

AWS Security Hub

Security is an area that should be continuously monitored and adjusted. Even if your environment is 100% secure at the start of the project, later it will be undergoing a change. New components appear in the environment, vulnerabilities appear, people make mistakes in configurations, etc. One of AWS services that can help us here is Security Hub.

AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation. In the first post I explained how we use Detective Guardrails for compliance check and Amazon GuardDuty for threat detection. AWS Security Hub aggregates this data and other findings from sources such as:

  • Amazon Macie

  • Amazon Inspector

  • AWS Firewall Manager

  • IAM Access Analyzer

  • AWS Systems Manager

  • Integrations with APN solutions

AWS Config must be enabled for all accounts which will be monitored with Security Hub. AWS Config and Cloudtrail are enabled by default in all AWS accounts under the Control Tower. Audit account is the central point for AWS Config and GuardDuty, so we also enable AWS Security Hub here.

First of all you need to navigate to AWS Security Hub in the master account and delegate administrator access to the Audit account.

You can also select from a list of security standards:

  • AWS Foundational Security Best Practices

  • CIS AWS Foundations Benchmark


On the “Accounts” tab you can activate the “Auto-Enable” to automatically enroll new accounts to Security Hub.

To enroll an existing account you can select the desired account on the “Accounts” tab in the Security Hub settings, then click on “Actions” → “Add member”, wait until account status changes to “Enabled”.

AWS Security Hub creates a score to show you how you're doing against security standards and displays it on the main AWS Security Hub dashboard. When you click through to the security standard, you will see a summary of the controls that need attention. AWS Security Hub shows how the control was evaluated and informational best practices on how to mitigate the issue.