Posted On: Jun 19, 2023

Today we are excited to announce the general availability of the integration between AWS Control Tower and AWS Security Hub. You can now enable over 170 Security Hub detective controls that map to related control objectives from AWS Control Tower. AWS Control Tower now detects when you disable a control from Security Hub, which results in a ‘Drifted’ control state. With this drift detection capability, it is simpler for you to monitor the deployment state of your controls and take appropriate actions to manage the security posture of your AWS Control Tower environment.

The drift detection capability for Security Hub controls managed in AWS Control Tower is included in the new version of the AWS Control Tower Landing Zone 3.2; update your landing zone to take advantage of this feature. This version also includes updates to the Region Deny control for multiple AWS services. For a full list of allowed actions, please consult the Region deny control policy.

To use Security Hub controls within AWS Control Tower, navigate to the AWS Control Tower control library. After selecting any control that originates from Security Hub, you can enable it directly from AWS Control Tower. AWS Control Tower will enable Security Hub on your behalf, and create a new Service-Managed Standard within Security Hub. When you enable Security Hub controls from AWS Control Tower, you can manage these controls and their evaluation from AWS Control Tower. This integration is available in all Regions where AWS Control Tower is available.
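The drift detection described above can be turned into a routine check. The script below is an added example and is not AWS's own code or part of the announcement: it reads the enabled-control summaries that the AWS Control Tower API returns for an organizational unit and reports the Security Hub-originated controls whose drift status is `DRIFTED`, the state Control Tower assigns when a control was disabled directly in Security Hub. It assumes the boto3 `controltower` client, its `list_enabled_controls` paginator keyed by `targetIdentifier`, the response shape shown in the docstring, and that Security Hub controls in the Control Tower library carry names prefixed `SH.`; the OU ARN and the sample responses are constructed.

```python
# Added example (not AWS code): report AWS Control Tower-managed Security Hub
# controls whose drift status is DRIFTED, so the state can be reconciled from
# Control Tower instead of silently diverging.
from typing import Dict, Iterable, List

DRIFTED = "DRIFTED"
# Assumption: Security Hub controls in the Control Tower control library are
# named like SH.IAM.4, SH.EC2.1, etc.
SECURITY_HUB_PREFIX = "SH."


def control_name(control_identifier: str) -> str:
    """Return the trailing control name from a Control Tower control ARN."""
    return control_identifier.rsplit("/", 1)[-1]


def is_security_hub_control(control_identifier: str) -> bool:
    """True when the control originates from Security Hub (by assumed SH. prefix)."""
    return control_name(control_identifier).startswith(SECURITY_HUB_PREFIX)


def drifted_security_hub_controls(enabled_controls: Iterable[Dict]) -> List[Dict]:
    """Filter enabled-control summaries down to Security Hub controls marked DRIFTED.

    Each summary is assumed to look like an entry of boto3's
    list_enabled_controls response:
      {"arn": ..., "controlIdentifier": ..., "targetIdentifier": ...,
       "driftStatusSummary": {"driftStatus": "IN_SYNC" | "DRIFTED" | ...}}
    A missing driftStatusSummary is treated as UNKNOWN, not as drift.
    """
    report = []
    for summary in enabled_controls:
        control_id = summary.get("controlIdentifier", "")
        drift = summary.get("driftStatusSummary", {}).get("driftStatus", "UNKNOWN")
        if is_security_hub_control(control_id) and drift == DRIFTED:
            report.append(
                {
                    "control": control_name(control_id),
                    "target": summary.get("targetIdentifier", ""),
                    "driftStatus": drift,
                }
            )
    return report


def fetch_enabled_controls(target_ou_arn: str, region: str) -> List[Dict]:
    """Page through list_enabled_controls for one OU (needs AWS credentials).

    boto3 is imported here so the pure functions above run without it.
    """
    import boto3

    client = boto3.client("controltower", region_name=region)
    paginator = client.get_paginator("list_enabled_controls")
    results: List[Dict] = []
    for page in paginator.paginate(targetIdentifier=target_ou_arn):
        results.extend(page.get("enabledControls", []))
    return results


# Constructed sample responses (placeholder account/OU ids, not real resources).
SAMPLE_OU_ARN = "arn:aws:organizations::111111111111:ou/o-exampleorg/ou-exam-ple12345"
SAMPLE_ENABLED_CONTROLS = [
    {
        "controlIdentifier": "arn:aws:controltower:us-east-1::control/SH.IAM.4",
        "targetIdentifier": SAMPLE_OU_ARN,
        "driftStatusSummary": {"driftStatus": "DRIFTED"},
    },
    {
        "controlIdentifier": "arn:aws:controltower:us-east-1::control/SH.EC2.1",
        "targetIdentifier": SAMPLE_OU_ARN,
        "driftStatusSummary": {"driftStatus": "IN_SYNC"},
    },
    {
        # Drifted, but a Control Tower-native guardrail, so it is not reported here.
        "controlIdentifier": "arn:aws:controltower:us-east-1::control/AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED",
        "targetIdentifier": SAMPLE_OU_ARN,
        "driftStatusSummary": {"driftStatus": "DRIFTED"},
    },
]


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # fetch_enabled_controls(SAMPLE_OU_ARN, "us-east-1") against a real landing zone.
    for entry in drifted_security_hub_controls(SAMPLE_ENABLED_CONTROLS):
        print(f"{entry['control']} on {entry['target']}: {entry['driftStatus']}")
```

Running it against a real landing zone requires the Control Tower Landing Zone 3.2 update mentioned above and credentials allowed to call `controltower:ListEnabledControls`; the filtering is kept separate from the API call so the report logic can be exercised on captured responses without network access.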