1 Answer
5
To avoid drift, always enable and remove controls for the Service-Managed Standard by means of the AWS Control Tower service, either in the console or by calling the AWS Control Tower APIs, EnableControl and DisableControl. When you change the enablement status of a control in AWS Control Tower, the change is also reflected in Security Hub.
https://docs.aws.amazon.com/controltower/latest/userguide/security-hub-controls.html
answered a year ago
Thanks for pointing me at this, but I'm finding it difficult to follow this note as there is no way in the ControlTower console to disable it; however, I can disable it from SecurityHub.
To summarise, what I wanted to achieve is to
Does that mean any controls related to SecurityHub in ControlTower should not be used?
EDIT: I attached two more screenshots from ControlTower and SecurityHub where the GuardDuty control appears.
Ok, I've also found the GuardDuty control is available from the "AWS Foundational Security Best Practices" standard in SecurityHub, so I could avoid the interference with ControlTower completely. Still, I would be interested to know how you normally deal with running both ControlTower and SecurityHub.
To disable a control from Control Tower, click on the name of the control (in your 1st screenshot), then go to "OUs Enabled", select the OU and click "Disable Control".
If there are any further questions feel free to ask. If this answer above is satisfactory to you please mark it as accepted. Thanks!
I found the answer to my concern here: https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standards.html
I realise the other document answers it too but for some reason I found it very unclear and ambiguous given no previous experience with ControlHub.
Anyway thanks for your help Vardan.
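The drift the answer warns about (a control switched off directly in Security Hub while Control Tower still records it as enabled) can be checked for programmatically. The following is an added example, not code from the answer or from AWS: the comparison is pure Python, the two fetchers use boto3's `controltower` and `securityhub` clients, and the standard ARN, the `to_sh_id` mapping function and the `GuardDuty.1` sample ID are assumptions you supply for your own region and control set.

```python
# Placeholder (not from the post): ARN of "Service-Managed Standard: AWS
# Control Tower" as Security Hub reports it in your region.
SERVICE_MANAGED_STANDARD_ARN = (
    "arn:aws:securityhub:REGION::standards/service-managed/aws-control-tower/v/1.0.0")

def find_drift(ct_enabled, sh_status):
    """ct_enabled: set of Security Hub control IDs (e.g. 'GuardDuty.1') that
    Control Tower reports enabled on the OU.  sh_status: dict control ID ->
    'ENABLED'/'DISABLED' as Security Hub reports it.  Returns sorted
    (control_id, problem, control_tower_fix) tuples; an empty list means no drift."""
    drift = []
    for cid in sorted(set(ct_enabled) | set(sh_status)):
        sh_on = sh_status.get(cid, "DISABLED") == "ENABLED"
        if cid in ct_enabled and not sh_on:
            # Switched off directly in Security Hub; Control Tower still owns it.
            drift.append((cid, "disabled in Security Hub, enabled in Control Tower",
                          "DisableControl if intended, else EnableControl to restore"))
        elif cid not in ct_enabled and sh_on:
            drift.append((cid, "enabled in Security Hub outside Control Tower",
                          "EnableControl so Control Tower owns the state"))
    return drift

def control_tower_enabled(ou_arn, to_sh_id):
    """Control Tower's view via ListEnabledControls.  to_sh_id is a caller-supplied
    function mapping a controlIdentifier to its Security Hub control ID
    (return None for controls that are not Security Hub controls)."""
    import boto3  # imported lazily so find_drift runs without AWS access
    ct = boto3.client("controltower")
    enabled, kwargs = set(), {"targetIdentifier": ou_arn}
    while True:
        page = ct.list_enabled_controls(**kwargs)
        enabled.update(filter(None, (to_sh_id(c["controlIdentifier"])
                                     for c in page["enabledControls"])))
        if not page.get("nextToken"):
            return enabled
        kwargs["nextToken"] = page["nextToken"]

def security_hub_status(control_ids):
    """Security Hub's view of each control inside the service-managed standard."""
    import boto3
    sh = boto3.client("securityhub")
    status = {}
    for cid in control_ids:
        resp = sh.list_standards_control_associations(SecurityControlId=cid)
        for assoc in resp["StandardsControlAssociationSummaries"]:
            if assoc["StandardsArn"] == SERVICE_MANAGED_STANDARD_ARN:
                status[cid] = assoc["AssociationStatus"]
    return status
```

Run `find_drift(control_tower_enabled(ou_arn, to_sh_id), security_hub_status(ids))` with your OU ARN and control list; every tuple returned names the Control Tower API call that resolves it, which keeps the fix on the Control Tower side as the answer recommends.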