Is it safe to use SecurityHub enrolled by Control Tower

1

I enabled SecurityHub by enrolling one of the GuardDuty controls in ControlTower. Now I'd like to enable some of the other SecurityHub standards but I'm worried that it's going to create a drift for ControlTower's landing zone. Do you think it is safe to enable these controls in the dashboard?

Can't disable it from ControlTower:

Can disable it from SecurityHub:

Regards Piotr

1 Answer
5
Accepted Answer

To avoid drift, always enable and remove controls for the Service-Managed Standard by means of the AWS Control Tower service, either in the console or by calling the AWS Control Tower APIs, EnableControl and DisableControl. When you change the enablement status of a control in AWS Control Tower, the change also is reflected in Security Hub.

https://docs.aws.amazon.com/controltower/latest/userguide/security-hub-controls.html

AWS
answered a year ago
EXPERT
reviewed 4 months ago
  • Thanks for pointing me at this, but I'm finding it difficult to follow this note as there is no way in the ControlTower console to disable it; however, I can disable it from SecurityHub.

    To summarise, what I wanted to achieve is to

    • continue working with ControlTower with or without the integration with SecurityHub
    • continue working with SecurityHub with that "GuardDuty" check enabled
    • enable CIS Framework checks in SecurityHub
    • avoid drift in ControlTower

    Does that mean any controls related to SecurityHub in ControlTower should not be used?

    EDIT: I attached two more screenshots from ControlTower and SecurityHub where the GuardDuty control appears.

  • Ok, I've also found the GuardDuty control is available from the "AWS Foundational Security Best Practices" standard in SecurityHub, so I could avoid the interference with ControlTower completely. Still, I would be interested to know how you normally deal with running both ControlTower and SecurityHub.

  • To disable a control from Control Tower, click on the name of the control (in your 1st screenshot), then go to "OUs Enabled", select the OU and click "Disable Control".

  • If there are any further questions feel free to ask. If this answer above is satisfactory to you please mark it as accepted. Thanks!

  • I found the answer to my concern here: https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standards.html

    Enabling and disabling controls – We recommend enabling and disabling controls in the managing service (e.g. ControlTower) to avoid drift.

    I realise the other document answers it too but for some reason I found it very unclear and ambiguous given no previous experience with ControlHub.

    Anyway thanks for your help Vardan.
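The practice the accepted answer describes, enable or disable the control through Control Tower (EnableControl / DisableControl) rather than in the Security Hub console and then confirm the result, shown as an added example; this is not code from the thread or from AWS. It assumes boto3 with Control Tower credentials, and the control and OU ARNs are placeholders to be replaced with real values.

```python
"""Change a Control Tower managed control (e.g. a Security Hub control) via the
Control Tower API and wait for the operation to settle, so the landing zone does
not drift. Added example; CONTROL and OU below are placeholders, not real ARNs."""
import time


def change_control(ct, control_identifier, target_identifier, enable=True,
                   poll_seconds=5, timeout_seconds=600):
    """Call EnableControl or DisableControl on the Control Tower client `ct`,
    then poll GetControlOperation until the status is SUCCEEDED or FAILED.
    Returns the final controlOperation dict (check ["status"] yourself)."""
    if enable:
        resp = ct.enable_control(controlIdentifier=control_identifier,
                                 targetIdentifier=target_identifier)
    else:
        resp = ct.disable_control(controlIdentifier=control_identifier,
                                  targetIdentifier=target_identifier)
    op_id = resp["operationIdentifier"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        op = ct.get_control_operation(operationIdentifier=op_id)["controlOperation"]
        if op["status"] in ("SUCCEEDED", "FAILED"):
            return op
        if time.monotonic() > deadline:
            raise TimeoutError(f"control operation {op_id} still {op['status']}")
        time.sleep(poll_seconds)


def is_enabled(ct, control_identifier, target_identifier):
    """Verify through ListEnabledControls (paginated) that Control Tower itself
    records the control as enabled on the target OU."""
    kwargs = {"targetIdentifier": target_identifier}
    while True:
        page = ct.list_enabled_controls(**kwargs)
        for ctl in page.get("enabledControls", []):
            if ctl["controlIdentifier"] == control_identifier:
                return True
        if not page.get("nextToken"):
            return False
        kwargs["nextToken"] = page["nextToken"]


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    ct = boto3.client("controltower", region_name="us-east-1")
    CONTROL = "arn:aws:controltower:us-east-1::control/PLACEHOLDER_CONTROL"  # placeholder
    OU = "arn:aws:organizations::111111111111:ou/o-placeholder/ou-placeholder"  # placeholder
    print(change_control(ct, CONTROL, OU, enable=True)["status"])
    print("enabled in Control Tower:", is_enabled(ct, CONTROL, OU))
```

Because the change is made in Control Tower, Security Hub reflects it and no landing-zone drift is recorded.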
