AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-12-10 · Documentation low

File: securityhub/latest/userguide/service-managed-standard-aws-control-tower.md

Summary

Updated documentation for Service-Managed Standard: AWS Control Tower to clarify it is managed by AWS Control Tower, focuses exclusively on detective controls, and provides methods to discover supported controls dynamically instead of listing them statically. Added details about enabling Security Hub CSPM via Control Tower, drift resolution methods, and regional availability.

Security assessment

The changes enhance documentation about security features (detective controls) but show no evidence of addressing a specific vulnerability. Updates include procedural improvements for control management and drift resolution, which are operational enhancements rather than vulnerability fixes. The removal of the static control list reduces maintenance overhead but doesn't indicate a security flaw.

Diff

diff --git a/securityhub/latest/userguide/service-managed-standard-aws-control-tower.md b/securityhub/latest/userguide/service-managed-standard-aws-control-tower.md
index f2ccd0123..d66bc33a3 100644
--- a//securityhub/latest/userguide/service-managed-standard-aws-control-tower.md
+++ b//securityhub/latest/userguide/service-managed-standard-aws-control-tower.md
@@ -13 +13 @@ This section provides information about Service-Managed Standard: AWS Control To
-This standard is designed for users of AWS Security Hub CSPM and AWS Control Tower. It lets you configure the proactive controls of AWS Control Tower alongside the detective controls of Security Hub CSPM in the AWS Control Tower service.
+Service-Managed Standard: AWS Control Tower is a service-managed standard which AWS Control Tower manages that supports a subset of Security Hub controls. This standard is designed for users of AWS Security Hub CSPM and AWS Control Tower. It lets you configure the detective controls of Security Hub CSPM from the AWS Control Tower service.
@@ -15 +15 @@ This standard is designed for users of AWS Security Hub CSPM and AWS Control Tow
-Proactive controls help ensure that your AWS accounts maintain compliance because they flag actions that may lead to policy violations or misconfigurations. Detective controls detect noncompliance of resources (for example, misconfigurations) within your AWS accounts. By enabling proactive and detective controls for your AWS environment, you can enhance your security posture at different stages of development.
+Detective controls detect noncompliance of resources (for example, misconfigurations) within your AWS accounts.
@@ -21 +21,3 @@ Service-managed standards differ from standards that AWS Security Hub CSPM manag
-In the Security Hub CSPM console and API, you can view Service-Managed Standard: AWS Control Tower alongside other Security Hub CSPM standards.
+When you enable a Security Hub CSPM control through AWS Control Tower, Control Tower also enables Security Hub CSPM for you in those specific accounts and Regions, if not already enabled. In the Security Hub CSPM console and API, you can view Service-Managed Standard: AWS Control Tower alongside other Security Hub CSPM standards, once the standard is enabled from AWS Control Tower.
+
+For more information about this standard, see [Security Hub CSPM controls](https://docs.aws.amazon.com/controltower/latest/userguide/security-hub-controls.html) in the _AWS Control Tower User Guide_.
@@ -25 +27 @@ In the Security Hub CSPM console and API, you can view Service-Managed Standard:
-This standard is available only if you create the standard in AWS Control Tower. AWS Control Tower creates the standard when you first enable an applicable control by using one of the following methods:
+This standard is available in Security Hub CSPM only if you enable Security Hub CSPM controls from AWS Control Tower. AWS Control Tower creates the standard when you first enable an applicable control by using one of the following methods:
@@ -36 +38 @@ This standard is available only if you create the standard in AWS Control Tower.
-Security Hub CSPM controls are identified in the AWS Control Tower console as **SH.`ControlID`** (for example, **SH.CodeBuild.1**).
+When you enable a Security Hub CSPM control through AWS Control Tower, if you haven’t already enabled Security Hub CSPM, AWS Control Tower also enables Security Hub CSPM for you in those specific accounts and Regions.
@@ -38 +40 @@ Security Hub CSPM controls are identified in the AWS Control Tower console as **
-When you create the standard, if you haven’t already enabled Security Hub CSPM, AWS Control Tower also enables Security Hub CSPM for you.
+To identify an Security Hub CSPM control by control ID in Control Catalog, you can use the field `Implementation.Identifier` in AWS Control Tower. This field maps to Security Hub CSPM control ID and can be used to filter for a specific control ID. To retrieve control metadata for a specific Security Hub CSPM control (say, "CodeBuild.1") in AWS Control Tower, you can use the [`ListControls`](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html) API:
@@ -40 +42 @@ When you create the standard, if you haven’t already enabled Security Hub CSPM
-If you haven't set up AWS Control Tower, you can't view or access this standard in the Security Hub CSPM console, Security Hub CSPM API, or AWS CLI. Even if you have set up AWS Control Tower, you can't view or access this standard in Security Hub CSPM without first creating the standard in AWS Control Tower using one of the preceding methods.
+`aws controlcatalog list-controls --filter '{"Implementations":{"Identifiers":["CodeBuild.1"],"Types":["AWS::SecurityHub::SecurityControl"]}}'`
@@ -42 +44,3 @@ If you haven't set up AWS Control Tower, you can't view or access this standard
-This standard is only available in the [AWS Regions where AWS Control Tower is available](https://docs.aws.amazon.com/controltower/latest/userguide/region-how.html), including AWS GovCloud (US).
+You can't view or access this standard in the Security Hub CSPM console, Security Hub CSPM API, or AWS CLI without first setting up AWS Control Tower and enabling Security Hub CSPM controls from AWS Control Tower using one of the preceding methods.
+
+This standard is only available in the [AWS Regions where AWS Control Tower is available](https://docs.aws.amazon.com/controltower/latest/userguide/region-how.html).
@@ -46 +50 @@ This standard is only available in the [AWS Regions where AWS Control Tower is a
-After you've created the standard in the AWS Control Tower console, you can view the standard and its available controls in both services.
+After you've enabled Security Hub CSPM controls through AWS Control Tower and the Service-Managed Standard: AWS Control Tower standard has been created, you can view the standard and its available controls in Security Hub CSPM.
@@ -48 +52 @@ After you've created the standard in the AWS Control Tower console, you can view
-After you first create the standard, it doesn't have any controls that are automatically enabled. In addition, when Security Hub CSPM adds new controls, they aren't automatically enabled for Service-Managed Standard: AWS Control Tower. You should enable and disable controls for the standard in AWS Control Tower by using one of the following methods:
+When Security Hub CSPM adds new controls to the Service-Managed Standard: AWS Control Tower standard, they aren't automatically enabled for customers who have the standard enabled. You should enable and disable controls for the standard from AWS Control Tower by using one of the following methods:
@@ -61 +65 @@ When you change the enablement status of a control in AWS Control Tower, the cha
-However, disabling a control in Security Hub CSPM that's enabled in AWS Control Tower results in control drift. The control status in AWS Control Tower shows as `Drifted`. You can resolve this drift by selecting [Re-register OU](https://docs.aws.amazon.com/controltower/latest/userguide/drift.html#resolving-drift) in the AWS Control Tower console, or by disabling and re-enabling the control in AWS Control Tower using one of the preceding methods.
+However, disabling a control in Security Hub CSPM that's enabled in AWS Control Tower results in control drift. The control status in AWS Control Tower shows as `Drifted`. You can resolve this drift by using the [ResetEnabledControl](https://docs.aws.amazon.com/controltower/latest/APIReference/API_ResetEnabledControl.html) API to reset the control which is in drift, or by selecting [Re-register OU](https://docs.aws.amazon.com/controltower/latest/userguide/drift.html#resolving-drift) in the AWS Control Tower console, or by disabling and re-enabling the control in AWS Control Tower using one of the preceding methods.
@@ -65 +69 @@ Completing enablement and disablement actions in AWS Control Tower helps you avo
-When you enable or disable controls in AWS Control Tower, the action applies across accounts and Regions. If you enable and disable controls in Security Hub CSPM (not recommended for this standard), the action applies only to the current account and Region.
+When you enable or disable controls in AWS Control Tower, the action applies across accounts and Regions governed by AWS Control Tower. If you enable and disable controls in Security Hub CSPM (not recommended for this standard), the action applies only to the current account and region.
@@ -69 +73 @@ When you enable or disable controls in AWS Control Tower, the action applies acr
-[Central configuration](./central-configuration-intro.html) can't be used to manage Service-Managed Standard: AWS Control Tower. If you use central configuration, you can use _only_ the AWS Control Tower service to enable and disable controls in this standard for a centrally managed account.
+[Central configuration](./central-configuration-intro.html) can't be used to manage Service-Managed Standard: AWS Control Tower. You can use _only_ the AWS Control Tower service to enable and disable controls in this standard.
@@ -98 +102 @@ When you enable controls for Service-Managed Standard: AWS Control Tower, Securi
-You can delete this standard in AWS Control Tower by disabling all applicable controls using one of the following methods:
+You can delete this service managed standard in AWS Control Tower by disabling all applicable controls using one of the following methods:
@@ -134,381 +138 @@ Service-Managed Standard: AWS Control Tower supports a subset of controls that a
-The following list shows available controls for Service-Managed Standard: AWS Control Tower. Regional limits on controls match Regional limits on the corollary controls in the FSBP standard. This list shows standard-agnostic security control IDs. In the AWS Control Tower console, control IDs are formatted as **SH.`ControlID`** (for example **SH.CodeBuild.1**). In Security Hub CSPM, if [consolidated control findings](./controls-findings-create-update.html#consolidated-control-findings) is turned off in your account, the `ProductFields.ControlId` field uses the standard-based control ID. The standard-based control ID is formatted as **CT.`ControlId`** (for example, **CT.CodeBuild.1**).
-
-  * [[Account.1] Security contact information should be provided for an AWS account](./account-controls.html#account-1)
-
-  * [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](./acm-controls.html#acm-1)
-
-  * [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](./acm-controls.html#acm-2)
-
-  * [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](./apigateway-controls.html#apigateway-1)
-
-  * [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](./apigateway-controls.html#apigateway-2)
-
-  * [[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled](./apigateway-controls.html#apigateway-3)
-
-  * [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](./apigateway-controls.html#apigateway-4)
-
-  * [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](./apigateway-controls.html#apigateway-5)
-
-  * [[APIGateway.8] API Gateway routes should specify an authorization type](./apigateway-controls.html#apigateway-8)
-
-  * [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](./apigateway-controls.html#apigateway-9)
-
-  * [[AppSync.5] AWS AppSync GraphQL APIs should not be authenticated with API keys](./appsync-controls.html#appsync-5)
-
-  * [[AutoScaling.1] Amazon EC2 Auto Scaling groups associated with a load balancer should use ELB health checks](./autoscaling-controls.html#autoscaling-1)
-
-  * [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](./autoscaling-controls.html#autoscaling-2)
-
-  * [[AutoScaling.3] Amazon EC2 Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](./autoscaling-controls.html#autoscaling-3)
-
-  * [[Autoscaling.5] Amazon EC2 instances launched using Amazon EC2 Auto Scaling group launch configurations should not have Public IP addresses](./autoscaling-controls.html#autoscaling-5)
-
-  * [[AutoScaling.6] Amazon EC2 Auto Scaling groups should use multiple instance types in multiple Availability Zones](./autoscaling-controls.html#autoscaling-6)
-
-  * [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](./autoscaling-controls.html#autoscaling-9)
-
-  * [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](./cloudtrail-controls.html#cloudtrail-1)
-
-  * [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](./cloudtrail-controls.html#cloudtrail-2)
-
-  * [[CloudTrail.4] CloudTrail log file validation should be enabled](./cloudtrail-controls.html#cloudtrail-4)
-
-  * [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](./cloudtrail-controls.html#cloudtrail-5)
-
-  * [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](./cloudtrail-controls.html#cloudtrail-6)
-
-  * [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](./codebuild-controls.html#codebuild-1)
-
-  * [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](./codebuild-controls.html#codebuild-2)
-
-  * [[CodeBuild.3] CodeBuild S3 logs should be encrypted](./codebuild-controls.html#codebuild-3)
-
-  * [[CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration](./codebuild-controls.html#codebuild-4)
-
-  * [[DMS.1] Database Migration Service replication instances should not be public](./dms-controls.html#dms-1)
-
-  * [[DMS.9] DMS endpoints should use SSL](./dms-controls.html#dms-9)
-
-  * [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](./documentdb-controls.html#documentdb-1)
-
-  * [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](./documentdb-controls.html#documentdb-2)
-
-  * [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](./documentdb-controls.html#documentdb-3)
-
-  * [[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand](./dynamodb-controls.html#dynamodb-1)
-
-  * [[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled](./dynamodb-controls.html#dynamodb-2)
-
-  * [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](./dynamodb-controls.html#dynamodb-3)
-
-  * [[EC2.1] Amazon EBS snapshots should not be publicly restorable](./ec2-controls.html#ec2-1)
-
-  * [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](./ec2-controls.html#ec2-2)
-
-  * [[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest](./ec2-controls.html#ec2-3)
-
-  * [[EC2.4] Stopped EC2 instances should be removed after a specified time period](./ec2-controls.html#ec2-4)
-
-  * [[EC2.6] VPC flow logging should be enabled in all VPCs](./ec2-controls.html#ec2-6)
-
-  * [[EC2.7] EBS default encryption should be enabled](./ec2-controls.html#ec2-7)
-
-  * [[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](./ec2-controls.html#ec2-8)
-
-  * [[EC2.9] Amazon EC2 instances should not have a public IPv4 address](./ec2-controls.html#ec2-9)
-
-  * [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](./ec2-controls.html#ec2-10)
-
-  * [[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses](./ec2-controls.html#ec2-15)
-
-  * [[EC2.16] Unused Network Access Control Lists should be removed](./ec2-controls.html#ec2-16)
-
-  * [[EC2.17] Amazon EC2 instances should not use multiple ENIs](./ec2-controls.html#ec2-17)
-
-  * [[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports](./ec2-controls.html#ec2-18)
-
-  * [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](./ec2-controls.html#ec2-19)
-
-  * [[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up](./ec2-controls.html#ec2-20)
-
-  * [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](./ec2-controls.html#ec2-21)
-
-  * [[EC2.22] Unused Amazon EC2 security groups should be removed](./ec2-controls.html#ec2-22)
-
-  * [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](./ec2-controls.html#ec2-23)
-
-  * [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](./ec2-controls.html#ec2-25)
-
-  * [[ECR.1] ECR private repositories should have image scanning configured](./ecr-controls.html#ecr-1)
-
-  * [[ECR.2] ECR private repositories should have tag immutability configured](./ecr-controls.html#ecr-2)
-
-  * [[ECR.3] ECR repositories should have at least one lifecycle policy configured](./ecr-controls.html#ecr-3)
-
-  * [[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](./ecs-controls.html#ecs-1)
-
-  * [[ECS.2] ECS services should not have public IP addresses assigned to them automatically](./ecs-controls.html#ecs-2)
-
-  * [[ECS.3] ECS task definitions should not share the host's process namespace](./ecs-controls.html#ecs-3)
-
-  * [[ECS.4] ECS containers should run as non-privileged](./ecs-controls.html#ecs-4)
-
-  * [[ECS.5] ECS containers should be limited to read-only access to root filesystems](./ecs-controls.html#ecs-5)
-
-  * [[ECS.8] Secrets should not be passed as container environment variables](./ecs-controls.html#ecs-8)
-
-  * [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](./ecs-controls.html#ecs-10)
-
-  * [[ECS.12] ECS clusters should use Container Insights](./ecs-controls.html#ecs-12)
-
-  * [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS](./efs-controls.html#efs-1)
-
-  * [[EFS.2] Amazon EFS volumes should be in backup plans](./efs-controls.html#efs-2)
-
-  * [[EFS.3] EFS access points should enforce a root directory](./efs-controls.html#efs-3)
-
-  * [[EFS.4] EFS access points should enforce a user identity](./efs-controls.html#efs-4)
-
-  * [[EKS.1] EKS cluster endpoints should not be publicly accessible](./eks-controls.html#eks-1)
-
-  * [[EKS.2] EKS clusters should run on a supported Kubernetes version](./eks-controls.html#eks-2)
-
-  * [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](./elasticache-controls.html#elasticache-3)
-
-  * [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](./elasticache-controls.html#elasticache-4)
-
-  * [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](./elasticache-controls.html#elasticache-5)
-
-  * [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](./elasticache-controls.html#elasticache-6)