Hey folks! I'm working with a multi-account setup using AWS Control Tower and AWS Organizations. I'm trying to figure out how to keep production and non-production findings separate in AWS Security Hub. Specifically, I want to know if it's possible to aggregate all findings from production accounts into one Security Hub, and separately have another Security Hub for non-production accounts. Has anyone done something similar?
3 Answers
Unfortunately, you can't have multiple Security Hubs in one account to separate production and non-production findings. AWS allows only one Security Hub per region per account. We tried setting up something similar to prioritize production findings, but AWS doesn't support that feature directly. We ended up using Security Lake and QuickSight for dashboards after facing limitations with Security Hub. If you're looking for better presentation and visualization tools, consider exploring integrations with other platforms.
Yeah, I also looked into this. If you want to keep things organized, I recommend using service tagging to filter your accounts or implementing some automation to gather your production and non-production data. It seems like AWS Security Hub has some gaps, especially in terms of features for visualization and reporting.
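One way to do the "tag the accounts, then filter" approach from the answer above, as an added example that is not from the original thread or from AWS: classify each member account from its AWS Organizations tags (the `Environment` tag key and the `prod`/`nonprod` values are my assumption), build the `Filters` dict that `securityhub:GetFindings` accepts for that set of accounts, and split findings already pulled from the aggregating Security Hub into production and non-production buckets. The account IDs, tags and ASFF findings below are constructed sample data; the only function that talks to AWS is `fetch_findings`, which is not run here.

```python
"""Split Security Hub findings into prod / nonprod sets using Organizations account tags.

Added example, not code from the original thread. Assumptions: member accounts carry an
Organizations tag Environment=prod or Environment=nonprod (assumed key and values), and
findings are read from the delegated-administrator Security Hub in one region.
"""
from collections import defaultdict

# Constructed sample: account ID -> tags, in the shape organizations:ListTagsForResource returns.
SAMPLE_ACCOUNT_TAGS = {
    "111111111111": [{"Key": "Environment", "Value": "prod"}, {"Key": "Owner", "Value": "payments"}],
    "222222222222": [{"Key": "Environment", "Value": "nonprod"}],
    "333333333333": [{"Key": "Environment", "Value": "PROD"}],  # tag values are not normalised
    "444444444444": [],  # untagged account: must not silently land in nonprod
}

# Constructed sample findings (ASFF, only the fields this example reads).
SAMPLE_FINDINGS = [
    {"Id": "f-1", "AwsAccountId": "111111111111", "Severity": {"Label": "CRITICAL"}},
    {"Id": "f-2", "AwsAccountId": "222222222222", "Severity": {"Label": "HIGH"}},
    {"Id": "f-3", "AwsAccountId": "333333333333", "Severity": {"Label": "HIGH"}},
    {"Id": "f-4", "AwsAccountId": "555555555555", "Severity": {"Label": "LOW"}},  # not in the org map
    {"Id": "f-5", "AwsAccountId": "444444444444", "Severity": {"Label": "MEDIUM"}},
]


def classify_accounts(account_tags, tag_key="Environment"):
    """Bucket account IDs by environment tag; anything else goes to 'unknown' for triage."""
    buckets = {"prod": set(), "nonprod": set(), "unknown": set()}
    for account_id, tags in account_tags.items():
        value = next((t["Value"] for t in tags if t["Key"] == tag_key), "").strip().lower()
        if value == "prod":
            buckets["prod"].add(account_id)
        elif value == "nonprod":
            buckets["nonprod"].add(account_id)
        else:
            buckets["unknown"].add(account_id)
    return buckets


def build_findings_filter(account_ids, severities=("CRITICAL", "HIGH")):
    """Filters dict for securityhub.get_findings.

    Values under one key are OR-ed by the API, different keys are AND-ed, so this reads as:
    (any of these accounts) AND active AND workflow NEW AND (any of these severities).
    """
    return {
        "AwsAccountId": [{"Value": a, "Comparison": "EQUALS"} for a in sorted(account_ids)],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
        "SeverityLabel": [{"Value": s, "Comparison": "EQUALS"} for s in severities],
    }


def partition_findings(findings, buckets):
    """Route findings by AwsAccountId into the env buckets; unmapped accounts go to 'unknown'."""
    env_of = {acct: env for env, accts in buckets.items() for acct in accts}
    out = defaultdict(list)
    for finding in findings:
        out[env_of.get(finding["AwsAccountId"], "unknown")].append(finding)
    return dict(out)


def fetch_findings(session, account_ids, chunk_size=20):
    """Live variant (not executed here): page through get_findings with the filter above.

    The API caps how many values one filter key may hold, so the account list is chunked;
    chunk_size is an assumption, check the current quota before relying on it.
    """
    client = session.client("securityhub")
    paginator = client.get_paginator("get_findings")
    ids = sorted(account_ids)
    results = []
    for i in range(0, len(ids), chunk_size):
        for page in paginator.paginate(Filters=build_findings_filter(ids[i:i + chunk_size])):
            results.extend(page["Findings"])
    return results


if __name__ == "__main__":
    buckets = classify_accounts(SAMPLE_ACCOUNT_TAGS)
    for env, items in partition_findings(SAMPLE_FINDINGS, buckets).items():
        print(env, [f["Id"] for f in items])
```

The `unknown` bucket is the part worth keeping: an untagged account or an account that is not in your Organizations inventory is exactly the one whose findings you do not want quietly classified as non-production. The same `build_findings_filter` output can be pasted into a Security Hub insight or an EventBridge rule pattern if you would rather route findings at ingest time than pull them in a script.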
It sounds like you're looking for a way to better manage alerts based on your team’s focus. You might want to consider that instead of keeping them completely separate, focusing on automation could help reduce false positives and distribute the ownership of findings across your team. Which security controls are you currently using?

Thanks for the heads-up! That helps clarify things. I've been thinking about those limitations too.