Service-managed standards - AWS Security Hub

Service-managed standards

A service-managed standard is a security standard that another AWS service manages. For example, Service-Managed Standard: AWS Control Tower is a service-managed standard that AWS Control Tower manages. A service-managed standard differs from a security standard that AWS Security Hub manages in the following ways:

  • Standard creation and deletion – You create and delete a service-managed standard with the managing service's console or API, or with the AWS CLI. Until you create the standard in the managing service in one of those ways, the standard doesn't appear in the Security Hub console and isn't accessible by the Security Hub API or AWS CLI.

  • No automatic enablement of controls – When you create a service-managed standard, Security Hub and the managing service don't automatically enable the controls that apply to the standard. In addition, when Security Hub releases new controls for the standard, they're not automatically enabled. This is a departure from standards that Security Hub manages. For more information about the usual way of configuring controls in Security Hub, see Viewing and managing security controls.

  • Availability of controls – The managing service chooses which controls are available as part of the service-managed standard. Available controls may include all, or a subset of, the existing Security Hub controls.

After the managing service creates the service-managed standard and makes controls available for it, you may view your standard security score, control findings, and control statuses in the Security Hub console, Security Hub API, or AWS CLI. You may also enable and disable individual controls for the service-managed standard in Security Hub. Some or all of this information and functionality may also be available through the managing service.