Security Hub controls for Service Catalog - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security Hub controls for Service Catalog

These Amazon Security Hub controls evaluate the Amazon Service Catalog service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only

Related requirements: NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-6, NIST.800-53.r5 CM-8, NIST.800-53.r5 SC-7

Category: Protect > Secure access management

Severity: High

Resource type: AWS::ServiceCatalog::Portfolio

Amazon Config rule: service-catalog-shared-within-organization

Schedule type: Change triggered

Parameters: None

This control checks whether Amazon Service Catalog shares portfolios within an organization when the integration with Amazon Organizations is enabled. The control fails if portfolios aren't shared within an organization.

Sharing portfolios only within Organizations helps ensure that a portfolio isn't shared with unintended Amazon Web Services accounts. To share a Service Catalog portfolio with an account in an organization, Security Hub recommends using the ORGANIZATION_MEMBER_ACCOUNT share type instead of ACCOUNT. This simplifies administration because access granted to the account is governed across the organization. If you have a business need to share Service Catalog portfolios with an external account, you can automatically suppress the findings from this control or disable it.

Remediation

To enable portfolio sharing with Organizations, see Sharing with Amazon Organizations in the Service Catalog Administrator Guide.
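The following script is an added example, not code from the Security Hub or Service Catalog documentation. It reproduces the logic of the control described above over the share types that DescribePortfolioShares reports (ACCOUNT, ORGANIZATION, ORGANIZATIONAL_UNIT, ORGANIZATION_MEMBER_ACCOUNT): any ACCOUNT-type share on a portfolio is treated as a failure while Organizations integration is enabled, which is this example's reading of the control text. The sample share records, portfolio IDs and account IDs are constructed; the boto3 collector and the remediation helper assume the CreatePortfolioShare OrganizationNode parameter, where a member-account share is requested with the node type ACCOUNT, and are not exercised offline.

```python
"""Added example: evaluate Service Catalog portfolio shares the way the
ServiceCatalog.1 control does. The sample shares below are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Share types reported by DescribePortfolioShares. ACCOUNT is a direct
# account-ID share; the other three are scoped by Amazon Organizations.
ORG_SCOPED_TYPES = {"ORGANIZATION", "ORGANIZATIONAL_UNIT", "ORGANIZATION_MEMBER_ACCOUNT"}
DIRECT_ACCOUNT_TYPE = "ACCOUNT"


@dataclass(frozen=True)
class Share:
    portfolio_id: str
    share_type: str    # one of the four DescribePortfolioShares types
    principal_id: str  # account ID, OU ID or organization ID
    accepted: bool


def evaluate_portfolio(shares: Iterable[Share],
                       org_integration_enabled: bool = True) -> Tuple[str, List[str]]:
    """Return (status, offending principal IDs) for one portfolio.

    Assumption taken from the control text: with Organizations integration
    enabled, any ACCOUNT-type share fails; with it disabled the control
    does not apply.
    """
    if not org_integration_enabled:
        return "NOT_APPLICABLE", []
    offenders = sorted(s.principal_id for s in shares if s.share_type == DIRECT_ACCOUNT_TYPE)
    return ("FAILED" if offenders else "PASSED"), offenders


def evaluate_all(shares: Iterable[Share],
                 org_integration_enabled: bool = True) -> Dict[str, Tuple[str, List[str]]]:
    """Group shares by portfolio and evaluate each portfolio separately."""
    grouped: Dict[str, List[Share]] = {}
    for s in shares:
        grouped.setdefault(s.portfolio_id, []).append(s)
    return {pid: evaluate_portfolio(group, org_integration_enabled)
            for pid, group in grouped.items()}


def remediation_kwargs(portfolio_id: str, account_id: str) -> dict:
    """Keyword arguments for CreatePortfolioShare that share with a member
    account through Organizations (assumed API shape). In OrganizationNode
    the member-account type is spelled ACCOUNT; DescribePortfolioShares
    later reports that share as ORGANIZATION_MEMBER_ACCOUNT."""
    return {"PortfolioId": portfolio_id,
            "OrganizationNode": {"Type": "ACCOUNT", "Value": account_id}}


def fetch_shares(client, portfolio_id: str) -> List[Share]:
    """Collect every share of a portfolio with a boto3 servicecatalog client
    (hypothetical live wiring; needs servicecatalog:DescribePortfolioShares)."""
    shares: List[Share] = []
    for share_type in sorted(ORG_SCOPED_TYPES | {DIRECT_ACCOUNT_TYPE}):
        token = None
        while True:
            kwargs = {"PortfolioId": portfolio_id, "Type": share_type}
            if token:
                kwargs["PageToken"] = token
            page = client.describe_portfolio_shares(**kwargs)
            for d in page.get("PortfolioShareDetails", []):
                shares.append(Share(portfolio_id, d.get("Type", share_type),
                                    d["PrincipalId"], d.get("Accepted", False)))
            token = page.get("NextPageToken")
            if not token:
                break
    return shares


# Constructed sample data: three portfolios with different sharing patterns.
SAMPLE_SHARES = [
    Share("port-aaaa1111", "ORGANIZATION_MEMBER_ACCOUNT", "111111111111", True),
    Share("port-bbbb2222", "ACCOUNT", "222222222222", True),
    Share("port-cccc3333", "ORGANIZATIONAL_UNIT", "ou-abcd-11111111", True),
    Share("port-cccc3333", "ACCOUNT", "333333333333", False),
]

if __name__ == "__main__":
    for pid, (status, offenders) in sorted(evaluate_all(SAMPLE_SHARES).items()):
        print(pid, status, offenders)
        if status == "FAILED":
            for acct in offenders:
                print("  re-share via Organizations with:", remediation_kwargs(pid, acct))
```

Run against the constructed data, port-aaaa1111 passes, and the other two portfolios fail with the directly shared account IDs listed; an unaccepted ACCOUNT share still counts, because the share exists whether or not the recipient has accepted it. To use the collector on a real account, pass `boto3.client("servicecatalog")` and the portfolio IDs from ListPortfolios into `fetch_shares` and feed the result to `evaluate_all`.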