Posted On: Jun 12, 2023

We are excited to announce the addition of 10 new AWS Security Hub detective controls to the AWS Control Tower controls library. These new controls target services such as Amazon API Gateway, AWS CodeBuild, Amazon Elastic Compute Cloud, Amazon Elastic Load Balancer, Amazon Redshift, Amazon SageMaker, and AWS WAF. They help you meet control objectives such as establishing logging and monitoring, limiting network access, and encrypting data at rest, enhancing your governance posture.

With this addition, AWS Control Tower now supports over 170 detective controls from AWS Security Hub, providing off-the-shelf AWS-managed controls to help you scale your business using new AWS workloads and services. Detective controls can be combined with AWS Control Tower’s proactive controls that block non-compliant resources before they are provisioned and preventive controls that disallow actions that lead to policy violations. The combination of preventive, proactive, and detective controls helps you monitor whether your multi-account AWS environment is secure and managed in accordance with best practices, such as the AWS Foundational Security Best Practices standard.

AWS Control Tower’s new AWS Security Hub detective controls are available in all AWS Regions where AWS Control Tower is available. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table. You can start deploying the AWS Control Tower controls from the console or by using the AWS Control Tower control APIs.