You need to configure AWS Security Hub to provide a comprehensive view of the security state in AWS and to check AWS Organizations against industry-based security standards. Security Hub should include the security standards of CIS AWS Foundations Benchmark and PCI DSS. Which of the following actions must be done before enabling AWS Security Hub?

Answer options:

A.Enable Trusted Advisor in each AWS account of the AWS Organizations to include the security checks of AWS accounts and workloads.
B.Create the CloudFormation StackSet to enable AWS Security Hub and add the IAM service account in all AWS accounts of the AWS Organizations.
C.Configure an SNS topic to perform notifications of security findings in AWS Security Hub for all the AWS accounts of the AWS Organizations.
D.Enable AWS Config on all accounts of the AWS Organization in the Region where Security Hub is enabled.

Correct Answer: D
Option A is incorrect because enabling Trusted Advisor is not a prerequisite for AWS Security Hub. The Trusted Advisor data is not sent to the Security Hub.
Option B is incorrect because you do not need to create any CloudFormation StackSet to enable Security Hub.
Option C is incorrect because the SNS topic is not required for enabling Security Hub.
Option D is CORRECT because before enabling Security Hub, you must first enable resource recording in AWS Config:
Security Hub uses Service-linked AWS Config rules to perform most of its security checks for controls.
Reference:
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html