AWS Control Tower - Security notifications


Hi Team.

I have implemented Control Tower, Controls (Guardrails) and Conformance Packs for all accounts. After that, I received many SNS notifications from the audit account email. I understand that I will receive notifications for non-compliance, right? I would like to know how often controls and conformance packs are evaluated, to estimate approximately how many notifications I will receive per day or hour.

Apart from that, I will implement Security Hub and GuardDuty, so I understand that I will receive SNS audit notifications too?

What score is recommended for conformance packs and Security Hub in terms of security?

Thank you

1 Answer

Hi there. Controls and conformance packs are evaluated continuously and can generate notifications whenever a resource is created, modified or deleted that causes a compliance change. The frequency depends on how dynamic your environment is.

For a stable environment, you may only get a few notifications per month. But during active development or infrastructure changes, it could be hundreds per day.

There is no specific conformance score or target for Security Hub. It's meant to show you compliance trends and areas that need attention. A higher score is better, but the goal is to understand and remediate your risks. Ultimately the score to achieve will be dependent on your own risk appetite and regulations.

I hope that helps

AWS
answered 7 months ago
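An added example, not part of the original answer: one way to measure the notification volume in your own environment is to tally the compliance-change messages already delivered to the audit account. It assumes the messages were saved one SNS envelope per line and use the AWS Config `ComplianceChangeNotification` format; the rule names, resource IDs and the `tally` helper are constructed for illustration.

```python
import json
from collections import Counter

def _envelope(rule, rid, old, new, ts, mtype="ComplianceChangeNotification"):
    """Build a constructed SNS envelope around an AWS Config style message."""
    msg = {"messageType": mtype, "configRuleName": rule, "resourceId": rid,
           "awsAccountId": "111122223333", "notificationCreationTime": ts,
           "newEvaluationResult": {"complianceType": new},
           "oldEvaluationResult": {"complianceType": old} if old else None}
    return json.dumps({"Type": "Notification", "Message": json.dumps(msg)})

# Constructed sample input (hypothetical rule names and resources).
SAMPLE = [
    _envelope("example-encrypted-volumes", "vol-0a", None, "NON_COMPLIANT",
              "2024-01-10T09:00:00.000Z"),
    _envelope("example-encrypted-volumes", "vol-0b", "COMPLIANT", "NON_COMPLIANT",
              "2024-01-10T15:30:00.000Z"),
    # A remediation (back to COMPLIANT) also notifies, but is not a finding.
    _envelope("example-s3-public-read", "bucket-a", "NON_COMPLIANT", "COMPLIANT",
              "2024-01-10T16:00:00.000Z"),
    _envelope("example-s3-public-read", "bucket-b", "COMPLIANT", "NON_COMPLIANT",
              "2024-01-11T08:00:00.000Z"),
    # Other message types share the topic; they are skipped, not counted.
    _envelope(None, "i-0c", None, None, "2024-01-11T08:05:00.000Z",
              mtype="ConfigurationItemChangeNotification"),
    "not json",  # malformed line
]

def tally(lines):
    """Return (Counter of NON_COMPLIANT changes per (day, rule), skipped count)."""
    per_day, skipped = Counter(), 0
    for line in lines:
        try:
            msg = json.loads(json.loads(line)["Message"])
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        if not isinstance(msg, dict) or msg.get("messageType") != "ComplianceChangeNotification":
            skipped += 1
            continue
        new = (msg.get("newEvaluationResult") or {}).get("complianceType")
        if new != "NON_COMPLIANT":
            continue  # remediations and NOT_APPLICABLE results are not findings
        day = str(msg.get("notificationCreationTime", ""))[:10]
        per_day[(day, msg.get("configRuleName"))] += 1
    return per_day, skipped

if __name__ == "__main__":
    counts, skipped = tally(SAMPLE)
    for (day, rule), n in sorted(counts.items()):
        print(day, rule, n)
    print("skipped:", skipped)
```

Rules that dominate the per-day counts are the ones to remediate or re-scope first, which is also what brings the notification volume down.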
