Service-Managed Standard: AWS Control Tower - AWS Security Hub

Service-Managed Standard: AWS Control Tower

What is Service-Managed Standard: AWS Control Tower?

If you use AWS Control Tower and create this standard, you can configure the proactive controls of AWS Control Tower alongside the detective controls of Security Hub in the AWS Control Tower console.

Proactive controls help ensure that your AWS accounts maintain compliance because they flag actions that may lead to policy violations or misconfigurations. Detective controls detect noncompliance of resources (for example, misconfigurations) within your AWS accounts. By enabling proactive and detective controls for your AWS environment, you can enhance your security posture at different stages of development.

Tip

Service-managed standards differ from standards that AWS Security Hub manages. For example, you must create and delete a service-managed standard in the managing service. However, you may configure controls for the standard in both the managing service and Security Hub. For more information about service-managed standards, see Service-managed standards.

In the Security Hub console and API, you can view Service-Managed Standard: AWS Control Tower alongside other Security Hub standards.

Creating the standard

This standard is available only if you create the standard in the AWS Control Tower console. AWS Control Tower creates the standard for you when you enable the first Security Hub control in the AWS Control Tower console. Security Hub controls are identified in the AWS Control Tower console as SH.ControlID (for example, SH.CodeBuild.1). You're asked to confirm the control's enablement and the creation of the standard. At this time, if you haven’t already enabled Security Hub, AWS Control Tower also enables Security Hub for you.

If you haven't set up AWS Control Tower, you aren't able to view or access this standard in the Security Hub console, Security Hub API, or AWS CLI. Even if you have set up AWS Control Tower, you aren't able to access this standard in the Security Hub console, Security Hub API, or AWS CLI without first creating the standard in the AWS Control Tower console.

This standard is only available in the AWS Regions where AWS Control Tower is available, including AWS GovCloud (US).

Enabling and disabling controls in the standard

After you've created the standard in the AWS Control Tower console, you can view the standard and its available controls in both services.

After you first create the standard, it doesn't have any controls that are automatically enabled. In addition, when Security Hub adds new controls, they aren't automatically enabled for Service-Managed Standard: AWS Control Tower. You should enable and disable controls for the standard in the AWS Control Tower console. When you change the enablement status of a control in AWS Control Tower, the change is also reflected in Security Hub. However, enablement and disablement actions taken in Security Hub won't be reflected in AWS Control Tower.

When you enable or disable controls in AWS Control Tower, the action applies across accounts and Regions. If you enable and disable controls in Security Hub (not recommended for this standard), the action applies only to the current account and Region.

Viewing control status

You can view control status only in the Security Hub console, Security Hub API, and AWS CLI. Security Hub calculates control status based on the workflow and compliance status of the control findings. For more information about control status, see Determining the overall status of a control from its findings.

A control that you disable in AWS Control Tower has a control status of Disabled in Security Hub unless you explicitly enable that control in Security Hub.

Based on control statuses, Security Hub calculates a security score for Service-Managed Standard: AWS Control Tower. This score is only available in Security Hub. In addition, you can only view control findings in Security Hub. The control status, standard security score, and control findings aren't available in AWS Control Tower.

Note

When you enable controls for Service-Managed Standard: AWS Control Tower, Security Hub may take up to 18 hours to generate findings for controls that use an existing AWS Config service-linked rule. You may have existing service-linked rules if you've enabled other standards and controls in Security Hub. For more information, see Schedule for running security checks.

Deleting the standard

You can delete this standard in the AWS Control Tower console by disabling all controls in the standard. This deletes the standard for all managed accounts and governed Regions in AWS Control Tower. Deleting the standard in AWS Control Tower removes it from the Standards page of the Security Hub console, and it's no longer accessible by the Security Hub API or AWS CLI.

Note

Disabling all controls from the standard in Security Hub doesn't disable or delete the standard.

Disabling the Security Hub service removes Service-Managed Standard: AWS Control Tower and any other standards that you’ve enabled.

Finding field format for Service-Managed Standard: AWS Control Tower

When you create Service-Managed Standard: AWS Control Tower and enable controls for it, you'll start to receive control findings in Security Hub. Security Hub reports control findings in the AWS Security Finding Format (ASFF). These are the ASFF values for this standard's Amazon Resource Name (ARN) and GeneratorId:

  • Standard ARNarn:aws:us-east-1:securityhub:::standards/service-managed-aws-control-tower/v/1.0.0

  • GeneratorIdservice-managed-aws-control-tower/v/1.0.0/CodeBuild.1

For a sample finding for Service-Managed Standard: AWS Control Tower, see Sample control findings.

Controls that apply to Service-Managed Standard: AWS Control Tower

Service-Managed Standard: AWS Control Tower supports a subset of controls that are part of the AWS Foundational Security Best Practices (FSBP) standard. Choose a control from the following table to view information about it, including remediation steps for failed findings.

The following list shows available controls for Service-Managed Standard: AWS Control Tower. Regional limits on controls match Regional limits on the corollary controls in the FSBP standard. This list shows standard-agnostic security control IDs. In the AWS Control Tower console, control IDs are formatted as SH.ControlID (for example SH.CodeBuild.1). In Security Hub, if consolidated control findings is turned off in your account, the ProductFields.ControlId field uses the standard-based control ID. The standard-based control ID is formatted as CT.ControlId (for example, CT.CodeBuild.1).

For more information about this standard, see Security Hub controls in the AWS Control Tower User Guide.