Service-Managed Standard: AWS Control Tower - AWS Security Hub

Service-Managed Standard: AWS Control Tower

This section provides information about Service-Managed Standard: AWS Control Tower.

What is Service-Managed Standard: AWS Control Tower?

This standard is designed for users of AWS Security Hub and AWS Control Tower. It lets you configure the proactive controls of AWS Control Tower alongside the detective controls of Security Hub in the AWS Control Tower service.

Proactive controls help ensure that your AWS accounts maintain compliance because they flag actions that may lead to policy violations or misconfigurations. Detective controls detect noncompliance of resources (for example, misconfigurations) within your AWS accounts. By enabling proactive and detective controls for your AWS environment, you can enhance your security posture at different stages of development.

Tip

Service-managed standards differ from standards that AWS Security Hub manages. For example, you must create and delete a service-managed standard in the managing service. For more information, see Service-managed standards.

In the Security Hub console and API, you can view Service-Managed Standard: AWS Control Tower alongside other Security Hub standards.

Creating the standard

This standard is available only if you create the standard in AWS Control Tower. AWS Control Tower creates the standard when you first enable an applicable control by using one of the following methods:

Security Hub controls are identified in the AWS Control Tower console as SH.ControlID (for example, SH.CodeBuild.1).

When you create the standard, if you haven’t already enabled Security Hub, AWS Control Tower also enables Security Hub for you.

If you haven't set up AWS Control Tower, you can't view or access this standard in the Security Hub console, Security Hub API, or AWS CLI. Even if you have set up AWS Control Tower, you can't view or access this standard in Security Hub without first creating the standard in AWS Control Tower using one of the preceding methods.

This standard is only available in the AWS Regions where AWS Control Tower is available, including AWS GovCloud (US).

Enabling and disabling controls in the standard

After you've created the standard in the AWS Control Tower console, you can view the standard and its available controls in both services.

After you first create the standard, it doesn't have any controls that are automatically enabled. In addition, when Security Hub adds new controls, they aren't automatically enabled for Service-Managed Standard: AWS Control Tower. You should enable and disable controls for the standard in AWS Control Tower by using one of the following methods:

When you change the enablement status of a control in AWS Control Tower, the change is also reflected in Security Hub.

However, disabling a control in Security Hub that's enabled in AWS Control Tower results in control drift. The control status in AWS Control Tower shows as Drifted. You can resolve this drift by selecting Re-register OU in the AWS Control Tower console, or by disabling and re-enabling the control in AWS Control Tower using one of the preceding methods.

Completing enablement and disablement actions in AWS Control Tower helps you avoid control drift.

When you enable or disable controls in AWS Control Tower, the action applies across accounts and Regions. If you enable and disable controls in Security Hub (not recommended for this standard), the action applies only to the current account and Region.

Note

Central configuration can't be used to manage Service-Managed Standard: AWS Control Tower. If you use central configuration, you can use only the AWS Control Tower service to enable and disable controls in this standard for a centrally managed account.

Viewing enablement status and control status

You can view the enablement status of a control by using one of the following methods:

  • Security Hub console, Security Hub API, or AWS CLI

  • AWS Control Tower console

  • AWS Control Tower API to see a list of enabled controls (call the ListEnabledControls API)

  • AWS CLI to see a list of enabled controls (run the list-enabled-controls command)

A control that you disable in AWS Control Tower has an enablement status of Disabled in Security Hub unless you explicitly enable that control in Security Hub.

Security Hub calculates control status based on the workflow status and compliance status of the control findings. For more information about enablement status and control status, see Viewing details for a control.

Based on control statuses, Security Hub calculates a security score for Service-Managed Standard: AWS Control Tower. This score is only available in Security Hub. In addition, you can only view control findings in Security Hub. The standard security score and control findings aren't available in AWS Control Tower.

Note

When you enable controls for Service-Managed Standard: AWS Control Tower, Security Hub may take up to 18 hours to generate findings for controls that use an existing AWS Config service-linked rule. You may have existing service-linked rules if you've enabled other standards and controls in Security Hub. For more information, see Schedule for running security checks.

Deleting the standard

You can delete this standard in AWS Control Tower by disabling all applicable controls using one of the following methods:

Disabling all controls deletes the standard in all managed accounts and governed Regions in AWS Control Tower. Deleting the standard in AWS Control Tower removes it from the Standards page of the Security Hub console, and you can no longer access it by using the Security Hub API or AWS CLI.

Note

Disabling all controls from the standard in Security Hub doesn't disable or delete the standard.

Disabling the Security Hub service removes Service-Managed Standard: AWS Control Tower and any other standards that you’ve enabled.

Finding field format for Service-Managed Standard: AWS Control Tower

When you create Service-Managed Standard: AWS Control Tower and enable controls for it, you'll start to receive control findings in Security Hub. Security Hub reports control findings in the AWS Security Finding Format (ASFF). These are the ASFF values for this standard's Amazon Resource Name (ARN) and GeneratorId:

  • Standard ARNarn:aws:us-east-1:securityhub:::standards/service-managed-aws-control-tower/v/1.0.0

  • GeneratorIdservice-managed-aws-control-tower/v/1.0.0/CodeBuild.1

For a sample finding for Service-Managed Standard: AWS Control Tower, see Sample control findings.

Controls that apply to Service-Managed Standard: AWS Control Tower

Service-Managed Standard: AWS Control Tower supports a subset of controls that are part of the AWS Foundational Security Best Practices (FSBP) standard. Choose a control from the following table to view information about it, including remediation steps for failed findings.

The following list shows available controls for Service-Managed Standard: AWS Control Tower. Regional limits on controls match Regional limits on the corollary controls in the FSBP standard. This list shows standard-agnostic security control IDs. In the AWS Control Tower console, control IDs are formatted as SH.ControlID (for example SH.CodeBuild.1). In Security Hub, if consolidated control findings is turned off in your account, the ProductFields.ControlId field uses the standard-based control ID. The standard-based control ID is formatted as CT.ControlId (for example, CT.CodeBuild.1).

For more information about this standard, see Security Hub controls in the AWS Control Tower User Guide.