AWS Management account - Security


Hi team.

I have implemented Control Tower, so I have a management account with Organizations. I have some questions:

1. I see that AWS Config was enabled in all member accounts but not in the Management account. Is there any reason for that?

2. I am going to enable Security Hub for the whole Organization, but as AWS Config is not enabled in the Management Account, I understand that I will not be able to add it to Security Hub? Is Security Hub only for member accounts, or does it include the Management account?

3. I have enabled AWS Control Tower Controls (Guardrails) on the different OUs, but I understand the Management account is not included there. So, how could I enable security controls for the Management Account?

4. I have enabled Conformance packs for all accounts, but again AWS Config is not enabled in the Management Account, so I understand that I will not be able to add Conformance packs to the Management Account?

5. I am thinking of enabling GuardDuty, but I understand the Management account will not be covered by this service?

6. Finally, which security controls can be implemented in the Management Account using AWS Services?

Thank you.

1 Answer

I can answer some of this for you. I will post my replies under your questions, so that anyone reading this in the future can easily find this information.

All my replies are in bold.

1. I see that AWS Config was enabled in all member accounts but not in the Management account. Is there any reason for that?

AWS Config gets enabled so it can track changes among your accounts. Control Tower does not apply itself to the management account, but there are some solutions that I will talk about lower down.

2. I am going to enable Security Hub for the whole Organization, but as AWS Config is not enabled in the Management Account, I understand that I will not be able to add it to Security Hub? Is Security Hub only for member accounts, or does it include the Management account?

You can enable Security Hub. You will have to do that manually, though. Once you enable Config using the link below, it should not be a problem to set up. (The link I am talking about is the link for the SRA Management Account on GitHub; just read my next answer.)

3. I have enabled AWS Control Tower Controls (Guardrails) on the different OUs, but I understand the Management account is not included there. So, how could I enable security controls for the Management Account?

So, Control Tower Controls do not cover the management account. However, you can follow the Secure Reference Architecture for locking down the management account. That can be found right here!

I should also note that nothing should be done in the management account other than management of the landing zone and the Control Tower deployment. No access should be handed out to that account unless the people have permission to make the changes needed inside that account, and normal activity and API activity can be monitored using CloudTrail, which I link to lower down.

Control Tower management accounts are not designed to have custom changes made to them, because you may change a permission and then break the entire landing zone architecture, for example if changes or updates can no longer be pushed out, or the change locks people out of doing what the accounts should allow. This would be a bad, bad thing, and it would take a long time to figure out if you did not connect the dots.

I suggest reading this: Best practices for AWS Control Tower administrators - Guidance for Creating and Modifying AWS Control Tower Resources

You can monitor API calls and logging in the management account just like you would for any other AWS account. Check out this link for more details.

4. I have enabled Conformance packs for all accounts, but again AWS Config is not enabled in the Management Account, so I understand that I will not be able to add Conformance packs to the Management Account?

Correct, you will have to do this on your own, and you will have to make sure you are not changing any permissions that would be needed to operate Control Tower out of that account. You really should not be doing anything in the management account that would require those packs, but after you enable Config, you can enable them. However, you do so at your own risk, and it goes against AWS best practices.

5. I am thinking of enabling GuardDuty, but I understand the Management account will not be covered by this service?

You can add the account to GuardDuty, but even if you could not, you should still use it. GuardDuty is a fantastic service and will help you a ton in making sure your accounts are locked down. I would advise you to use it even if it were not possible to turn it on inside the management account; the benefits are substantial and outweigh the cost.

We have a blog about how to deploy GuardDuty in a situation just like yours.

6. Finally, which security controls can be implemented in the Management Account using AWS Services?

I would suggest reading this, which I posted from our SRA and which talks about how to secure your management account!

AWS
answered 7 months ago
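The answer's practical advice for the management account is to keep access minimal, watch its API activity in CloudTrail, and never modify what Control Tower manages. Below is an added example (not part of the original answer, and not an AWS tool) that turns those three points into a small triage pass over CloudTrail records: it reports any root activity, any mutating call whose request parameters name a Control Tower managed resource, and any other mutating call by a principal outside an allowlist. The allowlisted role ARN, the Control Tower name prefixes, and the five sample events are constructed for illustration; replace them with the roles and resources in your own landing zone.

```python
"""Triage CloudTrail events from a Control Tower management account.

Added example; it is not part of the original answer or an AWS tool. The
allowlisted principal, the Control Tower name prefixes and the sample events
are assumptions constructed for illustration.
"""
import json

# Assumption: principals expected to make changes in the management account
# (your landing-zone administrators). Replace with your own role ARNs.
ALLOWED_PRINCIPALS = {
    "arn:aws:iam::111111111111:role/LandingZoneAdmin",
}

# API names starting with these verbs are read-only and are ignored for change
# monitoring (root activity is reported regardless of the call).
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Head", "Lookup")

# Assumption: name prefixes of resources Control Tower creates and manages.
# Check them against the roles and StackSets present in your own account.
CONTROL_TOWER_PREFIXES = ("AWSControlTower", "aws-controltower-")


def load_records(log_text):
    """Parse the {"Records": [...]} envelope CloudTrail writes to S3."""
    return json.loads(log_text)["Records"]


def is_mutating(event_name):
    return not event_name.startswith(READ_ONLY_PREFIXES)


def principal_of(record):
    """Resolve the acting principal; assumed-role sessions carry the role ARN in sessionIssuer."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")


def touches_control_tower(record):
    """True if any request parameter names a Control Tower managed resource."""
    params = json.dumps(record.get("requestParameters") or {})
    return any(prefix in params for prefix in CONTROL_TOWER_PREFIXES)


def classify(record):
    """Return (severity, reason) if the event deserves a look, else None."""
    if record.get("userIdentity", {}).get("type") == "Root":
        return "high", "root user activity"
    if not is_mutating(record.get("eventName", "")):
        return None
    if touches_control_tower(record):
        return "high", "change to a Control Tower managed resource"
    if principal_of(record) not in ALLOWED_PRINCIPALS:
        return "medium", "mutating call by a principal outside the allowlist"
    return None  # routine change by an allowlisted administrator


def triage(records):
    """Run classify() over every record and collect the findings in log order."""
    findings = []
    for record in records:
        verdict = classify(record)
        if verdict:
            findings.append({
                "eventName": record.get("eventName"),
                "principal": principal_of(record),
                "severity": verdict[0],
                "reason": verdict[1],
            })
    return findings


def _assumed_role(name, session):
    """Build the userIdentity block CloudTrail emits for an assumed role."""
    return {
        "type": "AssumedRole",
        "arn": f"arn:aws:sts::111111111111:assumed-role/{name}/{session}",
        "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::111111111111:role/{name}"}},
    }


# Constructed sample log, not real data: five events a management account might see.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
    {"eventName": "DescribeStackSet", "eventSource": "cloudformation.amazonaws.com",
     "userIdentity": _assumed_role("LandingZoneAdmin", "alice"),
     "requestParameters": {"stackSetName": "AWSControlTowerBP-BASELINE-CONFIG"}},
    {"eventName": "PutRolePolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": _assumed_role("LandingZoneAdmin", "alice"),
     "requestParameters": {"roleName": "AWSControlTowerAdmin", "policyName": "extra"}},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": _assumed_role("LandingZoneAdmin", "alice"),
     "requestParameters": {"bucketName": "lz-ops-notes"}},
]})

if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['eventName']} by {f['principal']}: {f['reason']}")
```

On the sample log this reports three findings: the root console login, the allowlisted administrator editing an AWSControlTower-prefixed role (flagged even though the principal is trusted, because that is exactly the kind of change the answer warns will break the landing zone), and the IAM user outside the allowlist creating a user. The read-only DescribeStackSet call and the administrator's routine CreateBucket are dropped. In practice you would feed this the records from the organization trail's S3 delivery rather than the embedded sample.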
