How to apply a Control Tower control that is in a Service-Managed Standard to multiple accounts/regions

0

Hello,

I have enabled a control via Control Tower "[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports" for a specific OU. I know how to manually change the parameters on it for one account and region, e.g. to authorize more than port 80 and 443, but how do I make a similar change for multiple accounts/regions?

I tried to follow the instructions here: "To customize control parameters in multiple accounts and Regions" https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html#customize-control-parameters

But since the control is from a Service-Managed Standard from Control Tower (https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html) I don't see a way to select it as part of the custom policy in the instructions above.


Anyone come across this or have some guidance?

Thanks.

1 answer
1

Hey! I would say it depends on what you want to get out of the Security Hub integration. You CAN use "central configuration", which will enable you to deploy controls across multiple accounts more easily. However, you can ONLY deploy controls through Control Tower. They will be part of the standard and collected in the dashboard, but you can't enable or disable controls in Security Hub.

Or you can keep "central configuration" off. You would need to deploy in each account, but then you can enable "auto-enrollment", which will deploy standard controls in new accounts. If you choose this method you can use Security Hub to enable controls, and use various other features provided through "central configuration".

NOTE: The documentation says: Central configuration can't be used TO MANAGE Service-Managed Standard: AWS Control Tower. If you use central configuration, you can use ONLY the AWS Control Tower service to enable and disable controls in this standard for a centrally managed account.


https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html#aws-control-tower-standard-managing-controls

AWS
abemusa
answered 2 months ago
Expert
reviewed 2 months ago
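Since the answer above says the Control Tower service-managed standard cannot be driven through central configuration, the remaining option is to repeat the per-account/per-region parameter change the question already describes. The following is an added example (not from the thread or from AWS) that builds the EC2.18 parameter payload for Security Hub's UpdateSecurityControl API and sweeps it across accounts and regions; the role name `SecurityHubParamUpdater` and the session name are assumptions, and the parameter names `authorizedTcpPorts`/`authorizedUdpPorts` are the documented EC2.18 parameters.

```python
"""Push custom EC2.18 (authorized ports) parameters to many accounts/regions,
one UpdateSecurityControl call per account-region pair.

Assumption (not from the thread): a role named ROLE_NAME exists in every member
account and is assumable from the account running this script."""
from typing import Iterable

CONTROL_ID = "EC2.18"
ROLE_NAME = "SecurityHubParamUpdater"  # hypothetical role name


def build_ec2_18_parameters(tcp_ports: Iterable[int], udp_ports: Iterable[int] = ()) -> dict:
    """Return the `Parameters` argument for update_security_control.
    Ports are validated (1-65535) and de-duplicated; at least one TCP port is
    required so a typo cannot silently hand the control an empty allow-list."""
    def clean(ports):
        out = sorted({int(p) for p in ports})
        bad = [p for p in out if not 1 <= p <= 65535]
        if bad:
            raise ValueError(f"invalid port(s): {bad}")
        return out

    tcp, udp = clean(tcp_ports), clean(udp_ports)
    if not tcp:
        raise ValueError("at least one authorized TCP port is required")
    params = {"authorizedTcpPorts": {"ValueType": "CUSTOM", "Value": {"IntegerList": tcp}}}
    if udp:
        params["authorizedUdpPorts"] = {"ValueType": "CUSTOM", "Value": {"IntegerList": udp}}
    return params


def apply_to_accounts(account_ids, regions, tcp_ports, udp_ports=()):
    """Assume ROLE_NAME in each account and update EC2.18 in each region.
    Returns {(account, region): "ok" | error text} so one failure does not abort the sweep."""
    import boto3  # imported here so the payload builder stays importable offline
    params = build_ec2_18_parameters(tcp_ports, udp_ports)
    sts = boto3.client("sts")
    results = {}
    for account in account_ids:
        creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account}:role/{ROLE_NAME}",
                                RoleSessionName="ec2-18-params")["Credentials"]
        for region in regions:
            hub = boto3.client("securityhub", region_name=region,
                               aws_access_key_id=creds["AccessKeyId"],
                               aws_secret_access_key=creds["SecretAccessKey"],
                               aws_session_token=creds["SessionToken"])
            try:
                hub.update_security_control(SecurityControlId=CONTROL_ID, Parameters=params,
                                            LastUpdateReason="bulk authorized-port update")
                results[(account, region)] = "ok"
            except Exception as exc:  # record and continue; review the map afterwards
                results[(account, region)] = str(exc)
    return results
```

Audit the returned map after the run: any entry that is not "ok" is an account/region still on the previous parameter set.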
