# Service-managed standards in Security Hub CSPM
<a name="service-managed-standards"></a>

A service-managed standard is a security standard that another AWS service manages but that you can view in Security Hub CSPM. For example, [Service-Managed Standard: AWS Control Tower](service-managed-standard-aws-control-tower.md) is a service-managed standard that AWS Control Tower manages. A service-managed standard differs from a security standard that AWS Security Hub CSPM manages in the following ways:
+ **Standard creation and deletion** – You create and delete a service-managed standard with the managing service's console or API, or with the AWS CLI. Until you create the standard in the managing service in one of those ways, the standard doesn't appear in the Security Hub CSPM console and isn't accessible by the Security Hub CSPM API or AWS CLI.
+ **No automatic enablement of controls** – When you create a service-managed standard, Security Hub CSPM and the managing service don't automatically enable the controls that apply to the standard. In addition, when Security Hub CSPM releases new controls for the standard, they're not automatically enabled. This is a departure from standards that Security Hub CSPM manages. For more information about the usual way of configuring controls in Security Hub CSPM, see [Understanding security controls in Security Hub CSPM](controls-view-manage.md).
+ **Enabling and disabling controls** – We recommend enabling and disabling controls in the managing service to avoid drift.
+ **Availability of controls** – The managing service chooses which controls are available as part of the service-managed standard. Available controls may include all, or a subset of, the existing Security Hub CSPM controls.

After the managing service creates the service-managed standard and makes controls available for it, you can access your control findings, control statuses, and standard security score in the Security Hub CSPM console, Security Hub CSPM API, or AWS CLI. Some or all of this information may also be available in the managing service.

Select a service-managed standard from the following list to view more details about it.

**Topics**
+ [Service-Managed Standard: AWS Control Tower](service-managed-standard-aws-control-tower.md)

# Service-Managed Standard: AWS Control Tower
<a name="service-managed-standard-aws-control-tower"></a>

This section provides information about Service-Managed Standard: AWS Control Tower.

## What is Service-Managed Standard: AWS Control Tower?
<a name="aws-control-tower-standard-summary"></a>

Service-Managed Standard: AWS Control Tower is a service-managed standard that AWS Control Tower manages and that supports a subset of Security Hub CSPM controls. This standard is designed for users of AWS Security Hub CSPM and AWS Control Tower. It lets you configure the detective controls of Security Hub CSPM from the AWS Control Tower service.

Detective controls detect noncompliance of resources (for example, misconfigurations) within your AWS accounts.

**Tip**  
Service-managed standards differ from standards that AWS Security Hub CSPM manages. For example, you must create and delete a service-managed standard in the managing service. For more information, see [Service-managed standards in Security Hub CSPM](service-managed-standards.md).

When you enable a Security Hub CSPM control through AWS Control Tower, Control Tower also enables Security Hub CSPM for you in those specific accounts and Regions, if not already enabled. In the Security Hub CSPM console and API, you can view Service-Managed Standard: AWS Control Tower alongside other Security Hub CSPM standards, once the standard is enabled from AWS Control Tower.

For more information about this standard, see [Security Hub CSPM controls](https://docs.aws.amazon.com/controltower/latest/userguide/security-hub-controls.html) in the *AWS Control Tower User Guide*.

## Creating the standard
<a name="aws-control-tower-standard-creation"></a>

This standard is available in Security Hub CSPM only if you enable Security Hub CSPM controls from AWS Control Tower. AWS Control Tower creates the standard when you first enable an applicable control by using one of the following methods:
+ AWS Control Tower console
+ AWS Control Tower API (call the [EnableControl](https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html) API)
+ AWS CLI (run the [enable-control](https://docs.aws.amazon.com/cli/latest/reference/controltower/enable-control.html) command)

When you enable a Security Hub CSPM control through AWS Control Tower, if you haven’t already enabled Security Hub CSPM, AWS Control Tower also enables Security Hub CSPM for you in those specific accounts and Regions.

To identify a Security Hub CSPM control by control ID in Control Catalog, you can use the field `Implementation.Identifier` in AWS Control Tower. This field maps to the Security Hub CSPM control ID and can be used to filter for a specific control ID. To retrieve control metadata for a specific Security Hub CSPM control (say, "CodeBuild.1") in AWS Control Tower, you can use the [ListControls](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html) API:

`aws controlcatalog list-controls --filter '{"Implementations":{"Identifiers":["CodeBuild.1"],"Types":["AWS::SecurityHub::SecurityControl"]}}'`

You can't view or access this standard in the Security Hub CSPM console, Security Hub CSPM API, or AWS CLI without first setting up AWS Control Tower and enabling Security Hub CSPM controls from AWS Control Tower using one of the preceding methods.

This standard is only available in the [AWS Regions where AWS Control Tower is available](https://docs.aws.amazon.com/controltower/latest/userguide/region-how.html).

## Enabling and disabling controls in the standard
<a name="aws-control-tower-standard-managing-controls"></a>

After you've enabled Security Hub CSPM controls through AWS Control Tower and the Service-Managed Standard: AWS Control Tower standard has been created, you can view the standard and its available controls in Security Hub CSPM.

When Security Hub CSPM adds new controls to the Service-Managed Standard: AWS Control Tower standard, they aren't automatically enabled for customers who have the standard enabled. You should enable and disable controls for the standard from AWS Control Tower by using one of the following methods:
+ AWS Control Tower console
+ AWS Control Tower API (call the [EnableControl](https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html) and [DisableControl](https://docs.aws.amazon.com/controltower/latest/APIReference/API_DisableControl.html) APIs)
+ AWS CLI (run the [enable-control](https://docs.aws.amazon.com/cli/latest/reference/controltower/enable-control.html) and [disable-control](https://docs.aws.amazon.com/cli/latest/reference/controltower/disable-control.html) commands)

When you change the enablement status of a control in AWS Control Tower, the change is also reflected in Security Hub CSPM.

However, disabling a control in Security Hub CSPM that's enabled in AWS Control Tower results in control drift. The control status in AWS Control Tower shows as `Drifted`. You can resolve this drift by using the [ResetEnabledControl](https://docs.aws.amazon.com/controltower/latest/APIReference/API_ResetEnabledControl.html) API to reset the control which is in drift, or by selecting [Re-register OU](https://docs.aws.amazon.com/controltower/latest/userguide/drift.html#resolving-drift) in the AWS Control Tower console, or by disabling and re-enabling the control in AWS Control Tower using one of the preceding methods.

Completing enablement and disablement actions in AWS Control Tower helps you avoid control drift.

When you enable or disable controls in AWS Control Tower, the action applies across the accounts and Regions that AWS Control Tower governs. If you enable or disable controls in Security Hub CSPM (not recommended for this standard), the action applies only to the current account and Region.
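The drift described above can be checked outside the console by reconciling the controls enabled through AWS Control Tower with their enablement status in Security Hub CSPM. The following is an added example, not code from the AWS documentation or either service: the Control Catalog entry shape (`Implementation.Type` and `Implementation.Identifier`) follows this page, while the Security Hub association fields (`SecurityControlId`, `StandardsArn`, `AssociationStatus`) are an assumption about the shape of `ListStandardsControlAssociations` output, and all sample data is constructed.

```python
# Added example: reconcile Control Tower-enabled controls with Security Hub
# CSPM enablement for Service-Managed Standard: AWS Control Tower, reporting
# drift in both directions. Sample inputs below are constructed.
SECURITY_HUB_TYPE = "AWS::SecurityHub::SecurityControl"
STANDARD_ARN = ("arn:aws:us-east-1:securityhub:::standards/"
                "service-managed-aws-control-tower/v/1.0.0")

def security_hub_control_ids(catalog_controls):
    """Security Hub control IDs from Control Catalog entries, keeping only the
    Security Hub implementation type (the same selection the page's --filter
    makes server-side)."""
    return {c["Implementation"]["Identifier"] for c in catalog_controls
            if c.get("Implementation", {}).get("Type") == SECURITY_HUB_TYPE}

def security_hub_enablement(associations, standard_arn=STANDARD_ARN):
    """Map control ID -> AssociationStatus, for one standard only.
    Field names are an assumption about ListStandardsControlAssociations."""
    return {a["SecurityControlId"]: a["AssociationStatus"]
            for a in associations if a["StandardsArn"] == standard_arn}

def find_drift(ct_enabled_ids, sh_enablement):
    """Return (drifted, sh_only).
    drifted: enabled through Control Tower but not ENABLED in Security Hub,
             which Control Tower reports as Drifted.
    sh_only: ENABLED in Security Hub with no Control Tower enablement, i.e.
             enabled directly in Security Hub (not recommended here)."""
    drifted = sorted(c for c in ct_enabled_ids
                     if sh_enablement.get(c) != "ENABLED")
    sh_only = sorted(c for c, s in sh_enablement.items()
                     if s == "ENABLED" and c not in ct_enabled_ids)
    return drifted, sh_only

# Constructed: Control Catalog entries for controls enabled through Control
# Tower. CodeBuild.1 comes from the page; Example.* IDs and the non-Security
# Hub implementation type are placeholders.
CT_ENABLED_CATALOG = [
    {"Name": "CodeBuild.1", "Implementation": {"Type": SECURITY_HUB_TYPE, "Identifier": "CodeBuild.1"}},
    {"Name": "Example.2", "Implementation": {"Type": SECURITY_HUB_TYPE, "Identifier": "Example.2"}},
    {"Name": "Example.9", "Implementation": {"Type": "Placeholder::Other::Type", "Identifier": "OTHER"}},
]
# Constructed: Security Hub associations, including one for another
# (placeholder) standard that must be ignored.
SH_ASSOCIATIONS = [
    {"SecurityControlId": "CodeBuild.1", "StandardsArn": STANDARD_ARN, "AssociationStatus": "ENABLED"},
    {"SecurityControlId": "Example.2", "StandardsArn": STANDARD_ARN, "AssociationStatus": "DISABLED"},
    {"SecurityControlId": "Example.3", "StandardsArn": STANDARD_ARN, "AssociationStatus": "ENABLED"},
    {"SecurityControlId": "Example.2", "StandardsArn": "arn:aws:securityhub:::standards/placeholder-other/v/0.0.0", "AssociationStatus": "ENABLED"},
]

if __name__ == "__main__":
    ct_ids = security_hub_control_ids(CT_ENABLED_CATALOG)
    print(find_drift(ct_ids, security_hub_enablement(SH_ASSOCIATIONS)))
```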

**Note**  
[Central configuration](central-configuration-intro.md) can't be used to manage Service-Managed Standard: AWS Control Tower. You can use *only* the AWS Control Tower service to enable and disable controls in this standard.

## Viewing enablement status and control status
<a name="aws-control-tower-standard-control-status"></a>

You can view the enablement status of a control by using one of the following methods:
+ Security Hub CSPM console, Security Hub CSPM API, or AWS CLI
+ AWS Control Tower console
+ AWS Control Tower API to see a list of enabled controls (call the [ListEnabledControls](https://docs.aws.amazon.com/controltower/latest/APIReference/API_ListEnabledControls.html) API)
+ AWS CLI to see a list of enabled controls (run the [list-enabled-controls](https://docs.aws.amazon.com/cli/latest/reference/controltower/list-enabled-controls.html) command)

A control that you disable in AWS Control Tower has an enablement status of `Disabled` in Security Hub CSPM unless you explicitly enable that control in Security Hub CSPM.

Security Hub CSPM calculates control status based on the workflow status and compliance status of the control findings. For more information about enablement status and control status, see [Reviewing the details of controls in Security Hub CSPM](securityhub-standards-control-details.md).

Based on control statuses, Security Hub CSPM calculates a [security score](standards-security-score.md) for Service-Managed Standard: AWS Control Tower. This score is only available in Security Hub CSPM. In addition, you can only view [control findings](controls-findings-create-update.md) in Security Hub CSPM. The standard security score and control findings aren't available in AWS Control Tower.

**Note**  
When you enable controls for Service-Managed Standard: AWS Control Tower, Security Hub CSPM may take up to 18 hours to generate findings for controls that use an existing AWS Config service-linked rule. You may have existing service-linked rules if you've enabled other standards and controls in Security Hub CSPM. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).

## Deleting the standard
<a name="aws-control-tower-standard-deletion"></a>

You can delete this service-managed standard in AWS Control Tower by disabling all applicable controls using one of the following methods:
+ AWS Control Tower console
+ AWS Control Tower API (call the [DisableControl](https://docs.aws.amazon.com/controltower/latest/APIReference/API_DisableControl.html) API)
+ AWS CLI (run the [disable-control](https://docs.aws.amazon.com/cli/latest/reference/controltower/disable-control.html) command)

Disabling all controls deletes the standard in all managed accounts and governed Regions in AWS Control Tower. Deleting the standard in AWS Control Tower removes it from the **Standards** page of the Security Hub CSPM console, and you can no longer access it by using the Security Hub CSPM API or AWS CLI.

**Note**  
Disabling all controls from the standard in Security Hub CSPM doesn't disable or delete the standard.

Disabling the Security Hub CSPM service removes Service-Managed Standard: AWS Control Tower and any other standards that you’ve enabled.

## Finding field format for Service-Managed Standard: AWS Control Tower
<a name="aws-control-tower-standard-finding-fields"></a>

When you create Service-Managed Standard: AWS Control Tower and enable controls for it, you'll start to receive control findings in Security Hub CSPM. Security Hub CSPM reports control findings in the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md). These are the ASFF values for this standard's Amazon Resource Name (ARN) and `GeneratorId`:
+ **Standard ARN** – `arn:aws:us-east-1:securityhub:::standards/service-managed-aws-control-tower/v/1.0.0`
+ **GeneratorId** – `service-managed-aws-control-tower/v/1.0.0/CodeBuild.1`

For a sample finding for Service-Managed Standard: AWS Control Tower, see [Samples of control findings](sample-control-findings.md).

## Controls that apply to Service-Managed Standard: AWS Control Tower
<a name="aws-control-tower-standard-controls"></a>

Service-Managed Standard: AWS Control Tower supports a subset of controls that are part of the AWS Foundational Security Best Practices (FSBP) standard. Choose a control to view information about it, including remediation steps for failed findings.

To see which Security Hub CSPM controls AWS Control Tower supports, you can use one of the following methods:
+ AWS Control Catalog console, where you can filter for `"Control owner = AWS Security Hub"`
+ AWS Control Catalog API (call the [ListControls](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html) API) with an `Implementations` filter whose `Types` is `AWS::SecurityHub::SecurityControl`
+ AWS CLI (run the [list-controls](https://docs.aws.amazon.com/cli/latest/reference/controlcatalog/list-controls.html) command) with an `Implementations` filter. Example CLI command:

  `aws controlcatalog list-controls --filter '{"Implementations":{"Types":["AWS::SecurityHub::SecurityControl"]}}'`

The Regional availability of Security Hub CSPM controls enabled through the AWS Control Tower standard may not match the Regional availability of the underlying Security Hub CSPM controls.

In Security Hub CSPM, if [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings) is turned off in your account, the `ProductFields.ControlId` field in the generated findings uses the standard-based control ID. The standard-based control ID is formatted as **CT.*ControlId*** (for example, **CT.CodeBuild.1**).
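The finding field format above (standard ARN, `GeneratorId` form, and the `CT.ControlId` value in `ProductFields.ControlId` when consolidated control findings is off) is enough to pick this standard's findings out of an ASFF export and tally them per control. The following is an added example, not code from the AWS documentation; the findings are constructed and trimmed to the fields used, and skipping `RESOLVED` and `SUPPRESSED` findings is a simplification of how control status is derived, not Security Hub CSPM's exact rule.

```python
# Added example: select ASFF control findings for Service-Managed Standard:
# AWS Control Tower, recover the Security Hub control ID, and tally active
# compliance results per control. Sample findings are constructed.
from collections import defaultdict

STANDARD_ARN = ("arn:aws:us-east-1:securityhub:::standards/"
                "service-managed-aws-control-tower/v/1.0.0")
GENERATOR_PREFIX = "service-managed-aws-control-tower/v/1.0.0/"
# Assumption (simplified): findings in these workflow states no longer
# count toward the control's status.
INACTIVE_WORKFLOW = {"RESOLVED", "SUPPRESSED"}

def control_id_from_finding(finding):
    """Return the control ID if the finding belongs to this standard, else
    None. GeneratorId carries the ID directly; with consolidated control
    findings off, ProductFields.ControlId carries it as CT.<ControlId>."""
    gen = finding.get("GeneratorId", "")
    if gen.startswith(GENERATOR_PREFIX):
        return gen[len(GENERATOR_PREFIX):]
    pf_id = finding.get("ProductFields", {}).get("ControlId", "")
    if pf_id.startswith("CT."):
        return pf_id[len("CT."):]
    return None

def tally_by_control(findings):
    """Map control ID -> {Compliance.Status: count} over active findings."""
    tally = defaultdict(lambda: defaultdict(int))
    for f in findings:
        cid = control_id_from_finding(f)
        if cid is None or f.get("Workflow", {}).get("Status") in INACTIVE_WORKFLOW:
            continue
        tally[cid][f.get("Compliance", {}).get("Status", "NOT_AVAILABLE")] += 1
    return {c: dict(s) for c, s in tally.items()}

# Constructed sample findings. The last one uses a different standard's
# GeneratorId form and must be ignored.
SAMPLE_FINDINGS = [
    {"GeneratorId": GENERATOR_PREFIX + "CodeBuild.1", "ProductFields": {"ControlId": "CT.CodeBuild.1"},
     "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"}},
    {"GeneratorId": GENERATOR_PREFIX + "CodeBuild.1", "ProductFields": {"ControlId": "CT.CodeBuild.1"},
     "Compliance": {"Status": "PASSED"}, "Workflow": {"Status": "NEW"}},
    {"GeneratorId": GENERATOR_PREFIX + "CodeBuild.1", "ProductFields": {"ControlId": "CT.CodeBuild.1"},
     "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "SUPPRESSED"}},
    {"GeneratorId": "placeholder-other-standard/v/0.0.0/CodeBuild.1", "ProductFields": {"ControlId": "CodeBuild.1"},
     "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"}},
]

if __name__ == "__main__":
    print(tally_by_control(SAMPLE_FINDINGS))
```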

For more information about this standard, see [Security Hub CSPM controls](https://docs.aws.amazon.com/controltower/latest/userguide/security-hub-controls.html) in the *AWS Control Tower User Guide*.