Security Hub controls for Amazon Web Services accounts - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security Hub controls for Amazon Web Services accounts

These Security Hub controls evaluate Amazon Web Services accounts.

These controls may not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[Account.1] Security contact information should be provided for an Amazon Web Services account

Related requirements: NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

Category: Identify > Resource Configuration

Severity: Medium

Resource type: AWS::::Account

Amazon Config rule: security-account-information-provided

Schedule type: Periodic

Parameters: None

This control checks if an Amazon Web Services (Amazon) account has security contact information. The control fails if security contact information is not provided for the account.

Alternate security contacts allow Amazon to reach another person about issues with your account when you're unavailable. Notifications about security-related topics associated with your Amazon Web Services account usage can come from Amazon Web Services Support or from other Amazon Web Services service teams.

Remediation

To add an alternate contact as a security contact to your Amazon Web Services account, see Update the alternate contacts for your Amazon Web Services account in the Amazon Account Management Reference Guide.

[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization

Category: Protect > Secure access management > Access control

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

Severity: High

Resource type: AWS::::Account

Amazon Config rule: account-part-of-organizations

Schedule type: Periodic

Parameters: None

This control checks if an Amazon Web Services account is part of an organization managed through Amazon Organizations. The control fails if the account is not part of an organization.

Organizations helps you centrally manage your environment as you scale your workloads on Amazon. You can use multiple Amazon Web Services accounts to isolate workloads that have specific security requirements, or to comply with frameworks such as HIPAA or PCI. By creating an organization, you can administer multiple accounts as a single unit and centrally manage their access to Amazon Web Services services, resources, and Regions.

Remediation

To create a new organization and automatically add Amazon Web Services accounts to it, see Creating an organization in the Amazon Organizations User Guide. To add accounts to an existing organization, see Inviting an Amazon Web Services account to join your organization in the Amazon Organizations User Guide.
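The following Python script is an added example, not the Security Hub or Amazon Config rule implementation, showing how the two checks described above (Account.1 and Account.2) can be reproduced from the Account and Organizations APIs: a SECURITY alternate contact is looked up with `get_alternate_contact`, and organization membership with `describe_organization`. The error codes `ResourceNotFoundException` (no alternate contact set) and `AWSOrganizationsNotInUseException` (account not in an organization) are the ones those APIs return. The `FakeAccountClient` and `FakeOrgClient` classes are constructed stand-ins so the example runs offline; the criterion that a contact counts as "provided" when it carries an email address is an assumption of this example.

```python
"""Added example: evaluate the Account.1 and Account.2 checks against API responses.

Not Security Hub's own code. Real boto3 clients ("account" and "organizations")
expose the same method names, so evaluate_account() can be pointed at them.
"""


def error_code(exc):
    """Read the service error code from a botocore-style ClientError (exc.response['Error']['Code'])."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def evaluate_security_contact(account_client):
    """Account.1: PASSED when a SECURITY alternate contact with an email address exists."""
    try:
        resp = account_client.get_alternate_contact(AlternateContactType="SECURITY")
    except Exception as exc:
        # The Account API signals "no contact configured" with ResourceNotFoundException.
        if error_code(exc) == "ResourceNotFoundException":
            return "FAILED"
        raise  # anything else (e.g. access denied) is a scan error, not a control result
    contact = resp.get("AlternateContact", {})
    # Assumption of this example: an email address is the minimum for "information provided".
    return "PASSED" if contact.get("EmailAddress") else "FAILED"


def evaluate_organization_membership(org_client):
    """Account.2: PASSED when the account belongs to an Amazon Organizations organization."""
    try:
        resp = org_client.describe_organization()
    except Exception as exc:
        # Organizations raises this when the caller's account is not in any organization.
        if error_code(exc) == "AWSOrganizationsNotInUseException":
            return "FAILED"
        raise
    return "PASSED" if resp.get("Organization", {}).get("Id") else "FAILED"


def evaluate_account(account_client, org_client):
    """Return the compliance status of both controls, keyed by control ID."""
    return {
        "Account.1": evaluate_security_contact(account_client),
        "Account.2": evaluate_organization_membership(org_client),
    }


# --- Constructed offline stand-ins for the real clients -------------------------------

class _FakeClientError(Exception):
    """Mimics botocore's ClientError shape: the code lives in exc.response['Error']['Code']."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeAccountClient:
    """Constructed stand-in: holds at most one SECURITY alternate contact."""

    def __init__(self, contact=None):
        self._contact = contact

    def get_alternate_contact(self, AlternateContactType):
        if AlternateContactType != "SECURITY" or self._contact is None:
            raise _FakeClientError("ResourceNotFoundException")
        return {"AlternateContact": dict(self._contact, AlternateContactType=AlternateContactType)}


class FakeOrgClient:
    """Constructed stand-in: org_id=None models an account outside any organization."""

    def __init__(self, org_id=None):
        self._org_id = org_id

    def describe_organization(self):
        if self._org_id is None:
            raise _FakeClientError("AWSOrganizationsNotInUseException")
        return {"Organization": {"Id": self._org_id}}


if __name__ == "__main__":
    # Constructed sample data; the organization ID is a placeholder, not a real one.
    configured = FakeAccountClient({"Name": "Security Team", "Title": "SecOps",
                                    "EmailAddress": "security@example.com",
                                    "PhoneNumber": "+1-555-0100"})
    print("configured account:", evaluate_account(configured, FakeOrgClient("o-placeholder")))
    print("bare account:      ", evaluate_account(FakeAccountClient(), FakeOrgClient()))
    # Against a real account: evaluate_account(boto3.client("account"), boto3.client("organizations"))
```

Errors other than the two expected codes are deliberately re-raised rather than reported as FAILED, so that a permissions problem on the scanning principal shows up as a scan error instead of a false finding.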