Security Hub standard - AWS Control Tower

Security Hub standard

AWS Control Tower is integrated with AWS Security Hub to provide detective controls that help you monitor your AWS environment. The integration is accomplished with a Security Hub standard, called the Service-Managed Standard: AWS Control Tower.

The Service-Managed Standard: AWS Control Tower supports a subset of controls in the AWS Foundational Security Best Practices (FSBP) standard. To learn more about this standard and to view the available controls, see Service-Managed Standard: AWS Control Tower. For more general information about Security Hub standards, see Security standards and controls in Security Hub, in the AWS Security Hub User Guide.

This standard is available only for AWS Control Tower customers who have created the standard in the AWS Control Tower console. AWS Control Tower creates the standard for you when you enable the first Security Hub control in the AWS Control Tower console. When you enable the first control, if you haven’t already enabled Security Hub, AWS Control Tower also enables Security Hub for you.

After you create this standard, you can view the Security Hub detective controls alongside other AWS Control Tower controls, in the AWS Control Tower console and in Security Hub.

Control behavior
  • No controls are enabled automatically when you create this standard in AWS Control Tower.

  • The Security Hub controls are enabled at the OU level only: they apply to the OUs on which you enable them (not necessarily every AWS Control Tower OU), and they cannot be enabled for individual accounts.

  • When Security Hub adds new controls, the new controls are not added to the Security Hub Service-Managed Standard: AWS Control Tower automatically.

Enable or remove controls for the Service-Managed Standard

To avoid drift, always enable and remove controls for the Service-Managed Standard by means of the AWS Control Tower service, either in the console or by calling the AWS Control Tower APIs, EnableControl and DisableControl. When you change the enablement status of a control in AWS Control Tower, the change is also reflected in Security Hub.

If you deactivate a Service-Managed Standard control by means of the Security Hub console, the AWS Control Tower member account enters a state of control drift. In this situation, AWS Control Tower is not receiving the Security Hub findings for the control that you deactivated. You must resolve this drift before AWS Control Tower can apply the control successfully to your registered organizational units and member accounts.

You can delete this standard in the AWS Control Tower console by deactivating all controls in the standard. This deletes the standard for all managed accounts and governed Regions in AWS Control Tower. Deleting the standard does not deactivate Security Hub for your account.

The control named [SH.S3.4] S3 buckets should have server-side encryption enabled is deprecated, effective July 18, 2023. It was removed from the controls library on August 18, 2023. For more information, see AWS Control Tower deprecates two controls.

Security Hub score and findings

Based on control status, Security Hub calculates a security score for the Service-Managed Standard: AWS Control Tower. This security score and the control findings are available only in Security Hub. These items aren't available in AWS Control Tower.

Note

When you create Service-Managed Standard: AWS Control Tower and enable controls for it, Security Hub may take up to 18 hours to generate findings for controls that use the same underlying AWS Config service-linked rule as controls from other enabled Security Hub standards. For more information, see Schedule for running security checks in the AWS Security Hub User Guide.

Security Hub control drift reporting

When reporting drift for controls that are part of the AWS Security Hub Service-Managed Standard, AWS Control Tower receives a daily status update from Security Hub. If no update is received, AWS Control Tower verifies whether drift has occurred. If so, AWS Control Tower reports drift. If a control shows drift, AWS Control Tower sends an Amazon SNS notification to the AWS Control Tower security-aggregate-notification channel. You must subscribe to this SNS notification to receive information about which specific account is affected by Security Hub control drift. For more information about Security Hub control drift in AWS Control Tower, see Security Hub control drift.

Although controls are active in every governed Region, AWS Control Tower sends the AWS Security Hub Finding events to the AWS Control Tower home Region only.

Remediate drift

When drift is reported, you can remediate the situation by choosing Re-register OU on the Organizations page in the AWS Control Tower console, or by deactivating and re-activating the control that's in a drifted state, either by means of the console, or through the AWS Control Tower API.

You can enable and manage some Security Hub controls from AWS Control Tower, with the Security Hub Service-managed Standard: AWS Control Tower.
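The two procedures above, enabling and removing controls only through the AWS Control Tower API and remediating a drifted control by deactivating and re-activating it, can be scripted so that nobody is tempted to toggle the control in the Security Hub console. The following is an added example written for this page, not code from the AWS documentation. It assumes the boto3 controltower client methods list_enabled_controls, disable_control, enable_control and get_control_operation with the response shapes shown in the comments, and the OU ARN and control identifier are placeholders you replace with values from your own landing zone. The client must be created in the AWS Control Tower home Region using management-account credentials.

```python
"""Detect DRIFTED Security Hub controls on an OU and cycle them through
AWS Control Tower (disable, wait, enable, wait) rather than Security Hub.

Added example; the boto3 method names and response keys used here are
assumptions taken from the controltower API, not from the page.
"""
import time

# Placeholder identifiers (constructed); replace with your own values.
EXAMPLE_OU_ARN = "arn:aws:organizations::111122223333:ou/o-EXAMPLE/ou-EXAMPLE"
EXAMPLE_CONTROL_ID = "arn:aws:controltower:us-east-1::control/SH.EXAMPLE.1"


def list_drifted_controls(client, target_identifier):
    """Return the controlIdentifier of every enabled control on the target
    whose driftStatusSummary.driftStatus is DRIFTED, paging with nextToken."""
    drifted = []
    kwargs = {"targetIdentifier": target_identifier}
    while True:
        page = client.list_enabled_controls(**kwargs)
        for summary in page.get("enabledControls", []):
            status = summary.get("driftStatusSummary", {}).get("driftStatus")
            if status == "DRIFTED":
                drifted.append(summary["controlIdentifier"])
        token = page.get("nextToken")
        if not token:
            return drifted
        kwargs["nextToken"] = token


def wait_for_operation(client, operation_id, max_polls=180,
                       poll_seconds=5.0, sleep=time.sleep):
    """Poll GetControlOperation until the operation leaves IN_PROGRESS.
    Returns "SUCCEEDED"; raises RuntimeError on FAILED, TimeoutError otherwise."""
    for _ in range(max_polls):
        op = client.get_control_operation(
            operationIdentifier=operation_id)["controlOperation"]
        status = op["status"]
        if status == "SUCCEEDED":
            return status
        if status == "FAILED":
            raise RuntimeError(
                f"operation {operation_id} failed: {op.get('statusMessage', '')}")
        sleep(poll_seconds)  # injectable so tests do not really wait
    raise TimeoutError(f"operation {operation_id} still IN_PROGRESS after {max_polls} polls")


def remediate_drifted_control(client, control_identifier, target_identifier,
                              sleep=time.sleep):
    """Disable, then re-enable one control on one OU through Control Tower,
    waiting for each asynchronous operation to finish before continuing.
    Returns the two operation identifiers in the order they ran."""
    ops = []
    disable = client.disable_control(controlIdentifier=control_identifier,
                                     targetIdentifier=target_identifier)
    ops.append(disable["operationIdentifier"])
    wait_for_operation(client, disable["operationIdentifier"], sleep=sleep)

    enable = client.enable_control(controlIdentifier=control_identifier,
                                   targetIdentifier=target_identifier)
    ops.append(enable["operationIdentifier"])
    wait_for_operation(client, enable["operationIdentifier"], sleep=sleep)
    return ops


def remediate_all_drift(client, target_identifier, sleep=time.sleep):
    """Cycle every DRIFTED control on the target; returns
    {controlIdentifier: [disable_op_id, enable_op_id]}."""
    results = {}
    for control_id in list_drifted_controls(client, target_identifier):
        results[control_id] = remediate_drifted_control(
            client, control_id, target_identifier, sleep=sleep)
    return results


if __name__ == "__main__":
    import boto3  # real client: needs management-account credentials in the home Region

    ct = boto3.client("controltower")
    print(remediate_all_drift(ct, EXAMPLE_OU_ARN))
```

Because both halves of the cycle go through EnableControl and DisableControl, Security Hub is updated by AWS Control Tower itself and the member account does not re-enter drift. Re-registering the OU from the Organizations page remains the alternative when many controls on one OU have drifted at once.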

Unsupported Regions

Some Security Hub controls do not operate in certain AWS Regions where AWS Control Tower is available, because those Regions do not support the required underlying functionality. As a result, when you deploy a Security Hub control through AWS Control Tower, the control may not be operating in all Regions that you govern with AWS Control Tower. For more information about the Security Hub controls that cannot be deployed in certain Regions, see the Security Hub controls reference documentation.

The following AWS Regions do not support controls that are part of the Security Hub Service-managed Standard: AWS Control Tower:
  • Asia Pacific (Hong Kong) Region, ap-east-1

  • Asia Pacific (Jakarta) Region, ap-southeast-3

  • Asia Pacific (Osaka) Region, ap-northeast-3

  • Europe (Milan) Region, eu-south-1

  • Africa (Cape Town) Region, af-south-1

  • Middle East (Bahrain) Region, me-south-1

  • Israel (Tel Aviv) Region, il-central-1

  • Middle East (UAE) Region, me-central-1

  • Europe (Spain) Region, eu-south-2

  • Asia Pacific (Hyderabad) Region, ap-south-2

  • Europe (Zurich) Region, eu-central-2

  • Asia Pacific (Melbourne) Region, ap-southeast-4

You can view the Regions for each control in the AWS Control Tower console.

Certain AWS Security Hub Service-Managed Standard: AWS Control Tower controls have specific, unsupported Regions:
  • SH.DocumentDB.3—eu-north-1, us-west-1

  • SH.DynamoDB.3—ap-northeast-2, ca-central-1, eu-north-1

  • SH.EC2.23—ap-south-1

  • SH.EKS.1—us-west-1

  • SH.ElastiCache.3—ap-northeast-2, ap-south-1, ca-central-1, eu-north-1, eu-west-2, eu-west-3, us-east-1

  • SH.ElastiCache.4—ap-northeast-2, ap-south-1, ca-central-1, eu-north-1, eu-west-2, eu-west-3, us-east-1

  • SH.ElastiCache.5—ap-northeast-2, ap-south-1, ca-central-1, eu-north-1, eu-west-2, eu-west-3, us-east-1

  • SH.ElastiCache.6—ap-northeast-2, ap-south-1, ca-central-1, eu-north-1, eu-west-2, eu-west-3, us-east-1

  • SH.RDS.12—sa-east-1

  • SH.RDS.15—sa-east-1