Control Tower and Security Hub

In a large, highly secure environment, how do you deal with Control Tower and Security Hub for the Security OU accounts (audit and log archive)? In many environments, risk teams require compliance with a particular framework (NIST 800-53 or others) in ALL accounts, not just the workloads. The problem is that Control Tower does not manage, and can't turn on, controls in the management or Security OU by design. So my thought was to centralize Security Hub for the org and delegate to the audit account. This means Control Tower can't manage any SH controls because it can't create the standard in a given account, since it enables each account individually.

I have engaged support and they are pushing towards letting Control Tower manage Security Hub, and enabling it manually in each account that it can't. This is problematic because you must enable the entire standard, with no option to limit controls, so there is lots of noise and no central management. How do others manage this in secure environments? I want to hear how others deal with this.

2 Answers
Accepted Answer

Hello,

For environments where Security Hub compliance is required across ALL accounts (including management and security accounts), AWS Support confirms:

Key Issue:

  • Control Tower does not enable AWS Config in the management account by default
  • Control Tower creates Config rules and enables Security Hub individually in member accounts
  • Management account is intended only for account/billing management, not for security/compliance resources

Two Supported Solutions:

  1. Using Control Tower:
  • Enable NIST framework through Control Tower (Categories > Frameworks)
  • Deploy controls in batches of 100 (due to Control Tower limits)
  • Manually set up Security Hub in the management account
  2. Using Customizations for Control Tower (CfCT):

Important: Security Hub central configuration should NOT be used with Control Tower as they are incompatible and work against best practices.

AWS
answered a year ago
  • Thank you for your response. I had heard a similar response when I discussed it with colleagues, but it just seemed counter-intuitive to have to turn on Security Hub in each of these accounts (management, audit, and log archive) individually. I am already using CfCT for bootstrap but have the landing zone in Terraform. I can use either for this purpose. I don't want to do anything against practice, which is why I was going to lengths to get definitive answers. I am having a call with the AWS Control Tower team next week and no doubt I will hear the same answer.

    Regards, Andy

I’d like to expand on my previous comment after speaking with the AWS Control Tower team. The solution really depends on your specific use case.

In highly secure environments where Control Tower's native controls are not sufficient, it is absolutely valid to manage AWS Security Hub centrally and independently of Control Tower, as I previously described. There is no technical conflict as long as you have no intention of using Control Tower to enable and manage Security Hub controls.

By default, Control Tower enables a standard in Security Hub that includes only a subset of the AWS Foundational Security Best Practices. In environments that require strict adherence to frameworks like NIST 800-53, this is often inadequate. Furthermore, Control Tower does not currently offer the flexibility to automate or suppress findings at scale within Security Hub, nor can you enable Security Hub controls in the Security OU through Control Tower. These limitations can make it impractical for certain organizations with more advanced compliance needs. As a result, managing the NIST standard directly within Security Hub—outside of Control Tower—is often the more viable approach.

A few caveats to be aware of:

  • Once you choose to manage Security Hub independently, you won’t be able to re-enable its controls through Control Tower. That said, this is generally acceptable if you’ve made an intentional decision to operate outside the Control Tower framework for any non-mandatory controls.

  • If you are using the Landing Zone Accelerator, it will attempt to manage Security Hub through Control Tower by default. However, this can be overridden by implementing your own custom stacks.

AWS Support does not typically provide detailed guidance on this topic beyond what they told me initially and what the accepted answer here says. I understand why, but sometimes you need to dig deeper. I had to speak directly with someone on the Control Tower team to gain deeper insights. Ultimately, the answer is not straightforward—it really depends on the environment and the specific compliance or security posture required. The main point in all this is that it is fine to use Security Hub independently in an environment with Control Tower, as long as you are aware of the tradeoffs.

Side Note: There are also recurring issues with Control Tower not fully complying with certain frameworks in the resources it provisions, particularly in the Security and Management accounts. For example, the default S3 buckets or SNS topics may lack customer-managed keys (CMKs), which often raises concerns with internal risk and security teams. While there are compensating controls in place, these gaps can be frustrating to explain and justify.

I hope this helps others who are navigating similar questions. It's been a bit of a journey to uncover these details, especially since much of this information isn’t well-documented. As always, you learn the most by building, experimenting, and observing how different architectural patterns behave in real-world environments. As a consultant, I get to see a wide range of use cases and approaches, which helps shape this perspective.

Best regards, Andy

answered a year ago
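The "manage Security Hub independently" path the second answer describes, as an added example that is not code from this thread, from Andy, or from AWS: a boto3 script run from the Security Hub delegated administrator (audit) account that switches the organization to Security Hub central configuration, creates one configuration policy enabling the NIST 800-53 standard with a short list of risk-accepted controls disabled, and associates the policy at the organization root. It assumes the audit account has already been registered as the delegated administrator from the management account, that `us-east-1` is the Security Hub home region, and that the control IDs and justifications in `ACCEPTED_CONTROLS` are constructed placeholders; the policy, region and root ID names are the example's own. The per-control disable list is the point: it is the trimming that the question says Control Tower's whole-standard enablement cannot do.

```python
"""Enable the NIST 800-53 standard org-wide from the Security Hub delegated
administrator (audit) account, using Security Hub central configuration.

Added example, not code from the re:Post thread or from AWS. Assumptions:
the audit account is already the delegated administrator, us-east-1 is the
Security Hub home region, and the control IDs below are placeholders.
"""
import re
from typing import Dict, Iterable, List

HOME_REGION = "us-east-1"  # assumption: Security Hub home (aggregation) region
NIST_800_53_ARN = f"arn:aws:securityhub:{HOME_REGION}::standards/nist-800-53/v/5.0.0"

# Constructed example: controls the risk team has formally accepted as not
# applicable, keyed by Security Hub control ID with the recorded justification.
ACCEPTED_CONTROLS: Dict[str, str] = {
    "EC2.8": "placeholder: IMDSv1 already blocked organization-wide by policy",
    "S3.9": "placeholder: bucket access logging superseded by CloudTrail data events",
}

# Security Hub control IDs look like "EC2.8" or "CloudTrail.1".
_CONTROL_ID = re.compile(r"^[A-Za-z0-9]+\.[0-9]+$")


def validate_control_ids(control_ids: Iterable[str]) -> List[str]:
    """Reject malformed IDs up front rather than letting the API call fail late."""
    ids = list(control_ids)
    bad = [c for c in ids if not _CONTROL_ID.match(c)]
    if bad:
        raise ValueError(f"malformed Security Hub control IDs: {bad}")
    return sorted(set(ids))


def build_configuration_policy(name: str, standard_arns: Iterable[str],
                               disabled_controls: Iterable[str]) -> dict:
    """Build the kwargs for securityhub.create_configuration_policy.

    The policy enables Security Hub, turns on the listed standards, and disables
    only the explicitly accepted controls, which is the per-control trimming that
    Control Tower's all-or-nothing standard enablement does not offer.
    """
    return {
        "Name": name,
        "Description": "Org-wide NIST 800-53 baseline with risk-accepted controls disabled",
        "ConfigurationPolicy": {
            "SecurityHub": {
                "ServiceEnabled": True,
                "EnabledStandardIdentifiers": list(standard_arns),
                "SecurityControlsConfiguration": {
                    # A policy may carry either an enabled list or a disabled list, not both.
                    "DisabledSecurityControlIdentifiers": validate_control_ids(disabled_controls),
                },
            }
        },
    }


def build_organization_configuration() -> dict:
    """Kwargs for update_organization_configuration switching to central configuration.

    Central configuration requires auto-enable to be off and AutoEnableStandards
    set to NONE; the configuration policy then decides what each account gets.
    """
    return {
        "AutoEnable": False,
        "AutoEnableStandards": "NONE",
        "OrganizationConfiguration": {"ConfigurationType": "CENTRAL"},
    }


def apply_baseline(root_id: str, policy_name: str = "nist-800-53-baseline") -> str:
    """Run from the delegated administrator account. Returns the association status."""
    import boto3  # imported here so the builders above stay testable without AWS access

    sh = boto3.client("securityhub", region_name=HOME_REGION)
    sh.update_organization_configuration(**build_organization_configuration())
    policy = sh.create_configuration_policy(
        **build_configuration_policy(policy_name, [NIST_800_53_ARN], ACCEPTED_CONTROLS)
    )
    # Associate at the root so every OU inherits it; use an OrganizationalUnitId or
    # AccountId target instead to scope a stricter policy to, say, the Security OU.
    assoc = sh.start_configuration_policy_association(
        ConfigurationPolicyIdentifier=policy["Id"], Target={"RootId": root_id}
    )
    return assoc["AssociationStatus"]


if __name__ == "__main__":
    import sys
    print(apply_baseline(sys.argv[1]))  # usage: python enable_nist.py r-examplerootid
```

Two design points follow from the thread. First, every disabled control carries a written justification in `ACCEPTED_CONTROLS`, so the "noise" the question complains about is reduced by documented risk acceptance rather than by silently switching findings off, which is what an auditor will ask about. Second, once the delegated administrator owns configuration this way, the caveat in the answer above applies: do not also try to have Control Tower re-enable its Security Hub controls, because the two would fight over the same standard.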
