Security Hub controls for Service Catalog
These AWS Security Hub controls evaluate the AWS Service Catalog service and resources.
These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.
[ServiceCatalog.1] Service Catalog portfolios should be shared within an AWS organization only
Related requirements: NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-6, NIST.800-53.r5 CM-8, NIST.800-53.r5 SC-7
Category: Protect > Secure access management
Severity: High
Resource type: AWS::ServiceCatalog::Portfolio
AWS Config rule: service-catalog-shared-within-organization
Schedule type: Change triggered
Parameters: None
This control checks whether AWS Service Catalog shares portfolios within an organization when the integration with AWS Organizations is enabled. The control fails if portfolios aren't shared within an organization.
Sharing portfolios only within Organizations helps ensure that a portfolio isn't shared with incorrect AWS accounts. To share a Service Catalog portfolio with an account in an organization, Security Hub recommends using ORGANIZATION_MEMBER_ACCOUNT instead of ACCOUNT. This simplifies administration by governing the access granted to the account across the organization. If you have a business need to share Service Catalog portfolios with an external account, you can automatically suppress the findings from this control or disable it.
Remediation
To enable portfolio sharing with Organizations, see Sharing with AWS Organizations in the Service Catalog Administrator Guide.
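The following is an added example, not code from the AWS documentation, showing the logic this control applies and the remediation it points to: it classifies each portfolio's shares by type, flags any portfolio that was shared directly with an account (share type ACCOUNT) instead of through the Organizations integration, and builds the CreatePortfolioShare request that uses ORGANIZATION_MEMBER_ACCOUNT. The portfolio IDs, account IDs and share records are constructed sample data; the `fetch_shares` helper assumes a boto3 Service Catalog client and the DescribePortfolioShares API, and is not required to run the evaluation itself.

```python
"""Evaluate Service Catalog portfolio shares the way ServiceCatalog.1 does.

Added example (not AWS documentation code). Share records are constructed
sample data; `fetch_shares` assumes a boto3 'servicecatalog' client.
"""
from dataclasses import dataclass

# Share types accepted by the DescribePortfolioShares API (Type parameter).
ORG_SHARE_TYPES = ("ORGANIZATION", "ORGANIZATIONAL_UNIT", "ORGANIZATION_MEMBER_ACCOUNT")
ACCOUNT_SHARE_TYPE = "ACCOUNT"


@dataclass(frozen=True)
class PortfolioShare:
    portfolio_id: str
    principal_id: str   # account ID, OU ID or organization ID
    share_type: str     # ACCOUNT / ORGANIZATION / ORGANIZATIONAL_UNIT / ORGANIZATION_MEMBER_ACCOUNT


def evaluate_portfolios(shares, portfolio_ids):
    """Return {portfolio_id: "PASSED" | "FAILED" | "NOT_SHARED"}.

    A portfolio FAILS when any of its shares uses the ACCOUNT type, because
    that share bypasses Organizations governance. Portfolios with no shares
    are reported as NOT_SHARED so they are not mistaken for compliant ones.
    """
    result = {pid: "NOT_SHARED" for pid in portfolio_ids}
    for s in shares:
        if s.share_type == ACCOUNT_SHARE_TYPE:
            result[s.portfolio_id] = "FAILED"
        elif s.share_type in ORG_SHARE_TYPES:
            # An ACCOUNT share seen earlier keeps the portfolio failed.
            if result.get(s.portfolio_id) != "FAILED":
                result[s.portfolio_id] = "PASSED"
        else:
            raise ValueError(f"unknown share type {s.share_type!r}")
    return result


def org_share_request(portfolio_id, account_id):
    """Kwargs for create_portfolio_share that share with a member account
    through Organizations (the remediation this control recommends)."""
    return {
        "PortfolioId": portfolio_id,
        "OrganizationNode": {"Type": "ORGANIZATION_MEMBER_ACCOUNT", "Value": account_id},
    }


def direct_share_request(portfolio_id, account_id):
    """Kwargs for the direct account share that makes this control fail;
    shown only for comparison with org_share_request."""
    return {"PortfolioId": portfolio_id, "AccountId": account_id}


def fetch_shares(client, portfolio_id):
    """Collect every share of one portfolio via DescribePortfolioShares.

    `client` is assumed to be a boto3 'servicecatalog' client; the API is
    queried once per share type and follows NextPageToken pagination.
    """
    found = []
    for share_type in (ACCOUNT_SHARE_TYPE,) + ORG_SHARE_TYPES:
        token = None
        while True:
            kwargs = {"PortfolioId": portfolio_id, "Type": share_type}
            if token:
                kwargs["PageToken"] = token
            page = client.describe_portfolio_shares(**kwargs)
            for d in page.get("PortfolioShareDetails", []):
                found.append(PortfolioShare(portfolio_id, d["PrincipalId"], d["Type"]))
            token = page.get("NextPageToken")
            if not token:
                break
    return found


# Constructed sample data: IDs are placeholders, not real accounts or portfolios.
SAMPLE_PORTFOLIOS = ["port-aaaa1111", "port-bbbb2222", "port-cccc3333"]
SAMPLE_SHARES = [
    PortfolioShare("port-aaaa1111", "111111111111", "ORGANIZATION_MEMBER_ACCOUNT"),
    PortfolioShare("port-bbbb2222", "ou-abcd-12345678", "ORGANIZATIONAL_UNIT"),
    PortfolioShare("port-bbbb2222", "222222222222", "ACCOUNT"),
]

if __name__ == "__main__":
    for pid, status in evaluate_portfolios(SAMPLE_SHARES, SAMPLE_PORTFOLIOS).items():
        print(f"{pid}: {status}")
    print(org_share_request("port-bbbb2222", "222222222222"))
```

Running the sample data reports port-aaaa1111 as PASSED, port-bbbb2222 as FAILED (its OU share does not offset the direct ACCOUNT share) and port-cccc3333 as NOT_SHARED. To remediate port-bbbb2222, delete the ACCOUNT share and recreate it with the `org_share_request` kwargs, which requires the Organizations integration to be enabled as described in the remediation link above.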