How to apply a Control Tower control that is in a Service-Managed Standard to multiple accounts/regions

0

Hello,

I have enabled a control via Control Tower "[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports" for a specific OU. I know how to manually change the parameters on it for one account and region e.g to authorize more than port 80 and 443, but how to do a similar change for multiple accounts/regions?

I tried to follow the instructions here: "To customize control parameters in multiple accounts and Regions" https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html#customize-control-parameters

But since the control is from a Service-Managed Standard from Control Tower (https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html) I don't see a way to select it as part of the custom policy in the instructions above.

Enter image description here

Anyone come across this or have some guidance?

Thanks.

1 Answer
1

Hey! I would say it depends on what you want to get out of the Security Hub integration. You CAN use "central configuration" which will enable you to deploy controls across multiple accounts easier. However, you can ONLY deploy controls through Control Tower. They will be part of the stndard and collected in the dashboard, but you can't enable or disable controls in Security Hub.

Or you can keep "central configuration" off. You would need to deploy in each account, but than you can enable "auto-enrollment" which will deploy standard controls in new ac accounts. If you choose this method you can use Security Hub to enable controls, and use various other features provided through "central configuration".

NOTE: The documentation says: Central configuration can't be used TO MANAGE Service-Managed Standard: AWS Control Tower. If you use central configuration, you can use ONLY the AWS Control Tower service to*** enable and disable ***controls in this standard for a centrally managed account.

Enter image description here

https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html#aws-control-tower-standard-managing-controls

AWS
abemusa
answered 2 months ago
profile picture
EXPERT
reviewed 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions