Is it safe to use SecurityHub enrolled by Control Tower

1

I enabled SecurityHub by enrolling one of the GuardDuty controls in ControlTower. Now I'd like to enable some of the other SecurityHub standards but I'm worried that it's going to create a drift for ControlTower's landing zone. Do you think it is safe to enable these controls in the dashboard?

[screenshot]

Can't disable it from ControlTower:

[screenshot]

Can disable it from SecurityHub:

[screenshot]

Regards, Piotr

Piotr
Asked 9 months ago, 415 views
1 answer
4
Accepted answer

To avoid drift, always enable and remove controls for the Service-Managed Standard by means of the AWS Control Tower service, either in the console or by calling the AWS Control Tower APIs, EnableControl and DisableControl. When you change the enablement status of a control in AWS Control Tower, the change also is reflected in Security Hub.

https://docs.aws.amazon.com/controltower/latest/userguide/security-hub-controls.html

AWS
Answered 9 months ago
  • Thanks for pointing me at this, but I'm finding it difficult to follow this note, as there is no way in the ControlTower console to disable it; however, I can disable it from SecurityHub.

    To summarise, what I wanted to achieve is to

    • continue working with ControlTower with or without the integration with SecurityHub
    • continue working with SecurityHub with that "GuardDuty" check enabled
    • enable CIS Frameworks checks in SecurityHub
    • avoid drift in ControlTower

    Does that mean any controls related to SecurityHub in ControlTower should not be used?

    EDIT: I attached two more screenshots from ControlTower and SecurityHub where the GuardDuty control appears.

  • Ok, I've also found the GuardDuty control is available from the "AWS Foundational Security Best Practices" standard in SecurityHub, so I could avoid the interference with ControlTower completely. Still, I would be interested to know how you normally deal with running both ControlTower and SecurityHub.

  • To disable a control from Control Tower, click on the name of the control (in your 1st screenshot), then go to "OUs Enabled", select the OU and click "Disable Control".

  • If there are any further questions feel free to ask. If this answer above is satisfactory to you please mark it as accepted. Thanks!

  • I found answer to my concern here: https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standards.html

    Enabling and disabling controls – We recommend enabling and disabling controls in the managing service (e.g. ControlTower) to avoid drift.

    I realise the other document answers it too but for some reason I found it very unclear and ambiguous given no previous experience with ControlHub.

    Anyway thanks for your help Vardan.
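The accepted answer's recommendation, driving the Service-Managed Standard only through Control Tower's EnableControl / DisableControl so the landing zone does not drift, as an added example that is not code from this thread or from AWS. It converges a control to a requested state on one OU and skips the API call when the control is already in that state; any object exposing the three boto3 `controltower` methods used below works, and the ARNs and the in-memory client are constructed for the demo.

```python
# Added example: toggle a Control Tower control on an OU without creating drift,
# by going through Control Tower itself rather than the Security Hub console.

def enabled_control_ids(ct, target_arn):
    """Return the controlIdentifier of every control enabled on the OU, following nextToken."""
    ids, kwargs = set(), {"targetIdentifier": target_arn}
    while True:
        page = ct.list_enabled_controls(**kwargs)
        ids.update(c["controlIdentifier"] for c in page.get("enabledControls", []))
        if not page.get("nextToken"):
            return ids
        kwargs["nextToken"] = page["nextToken"]

def set_control(ct, control_arn, target_arn, enabled):
    """Converge the control to the requested state via Control Tower only.
    Returns 'enabled', 'disabled' or 'unchanged' (already in the requested state)."""
    currently_on = control_arn in enabled_control_ids(ct, target_arn)
    if enabled and not currently_on:
        ct.enable_control(controlIdentifier=control_arn, targetIdentifier=target_arn)
        return "enabled"
    if not enabled and currently_on:
        ct.disable_control(controlIdentifier=control_arn, targetIdentifier=target_arn)
        return "disabled"
    return "unchanged"

class FakeControlTower:
    """Constructed stand-in for boto3.client('controltower'); returns two controls per page."""
    def __init__(self, enabled=()):
        self.enabled = list(enabled)
    def list_enabled_controls(self, targetIdentifier, nextToken=None):
        start = int(nextToken or 0)
        page = [{"controlIdentifier": c, "targetIdentifier": targetIdentifier}
                for c in self.enabled[start:start + 2]]
        out = {"enabledControls": page}
        if start + 2 < len(self.enabled):
            out["nextToken"] = str(start + 2)
        return out
    def enable_control(self, controlIdentifier, targetIdentifier):
        self.enabled.append(controlIdentifier)
    def disable_control(self, controlIdentifier, targetIdentifier):
        self.enabled.remove(controlIdentifier)

if __name__ == "__main__":
    # Placeholder identifiers; real ones come from the Control Tower console or ListEnabledControls.
    ou = "arn:aws:organizations::123456789012:ou/o-EXAMPLE/ou-EXAMPLE"
    ct = FakeControlTower(["ctrl-a", "ctrl-b", "ctrl-c"])
    print(set_control(ct, "ctrl-c", ou, enabled=False))   # disabled
    print(set_control(ct, "ctrl-c", ou, enabled=False))   # unchanged
```

Against a real account, pass `boto3.client("controltower")` as `ct`; the Security Hub side then reflects the change on its own, as the answer notes.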
