Error about AWS Config in Master Account after setting up Control Tower and SecurityHub

Question

Hello, in our Test Org. we installed Control Tower like described in (https://www.youtube.com/watch?v=CwRy0t8nfgM) after that we set up IAM Access Analyzer, GuardDuty and SecurityHub like described in (https://youtu.be/hhvs4ZHGdIg). In SecurityHub i get the message AWS Config is not active in the Masteraccount of the Org.. Does this conflict with CT when i activate it, if not why the set up templates and files from git dont activate it on installation?

Links followed for the set up:

ControlTower
 
* [https://docs.aws.amazon.com/controltower/latest/userguide/existing-orgs.html]()

SecurityHub etc.	
* [https://aws.amazon.com/de/blogs/mt/enabling-aws-identity-and-access-analyzer-on-aws-control-tower-accounts/]()
* [https://aws.amazon.com/de/blogs/mt/automating-amazon-guardduty-deployment-in-aws-control-tower/]()
* [https://aws.amazon.com/de/blogs/mt/automating-aws-security-hub-alerts-with-aws-control-tower-lifecycle-events/]()
* [ https://github.com/aws-samples/aws-service-catalog-reference-architectures/tree/master/security/guardduty]()
* [https://github.com/aws-samples/aws-control-tower-securityhub-enabler/releases/tag/v2.2]()

Answer

By default config recording is not turned on in the Master Account (root). A quick glance at the link you provided highlights some of them are prior to organization features which have been introduced for SecurityHub and IAM Access Analyzer. This feature will allow you to delegate these services to another account as noted in the here for SecurityHub and here for IAM Access Analyzer.

So one option is to enable Config on the Master Account although it is better to delegate these services to an account outside of the Master Account. If you delegate these services and also enable organizations for SecurityHub any new account vended via Control Tower will be added.

So one option is to enable Config on the Master Account although it is better to delegate these services to an account outside of the Master Account. If you delegate these services and also **enable** organizations for SecurityHub any new account vended via Control Tower will be added.

Error about AWS Config in Master Account after setting up Control Tower and SecurityHub

관련 콘텐츠