

# Security Hub CSPM controls for Amazon Service Catalog
<a name="servicecatalog-controls"></a>

This Amazon Security Hub CSPM control evaluates the Amazon Service Catalog service and resources. The control might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only
<a name="servicecatalog-1"></a>

**Related requirements:** NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-6, NIST.800-53.r5 CM-8, NIST.800-53.r5 SC-7

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::ServiceCatalog::Portfolio`

**Amazon Config rule:** [service-catalog-shared-within-organization](https://docs.amazonaws.cn/config/latest/developerguide/service-catalog-shared-within-organization.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon Service Catalog shares portfolios within an organization when the integration with Amazon Organizations is enabled. The control fails if portfolios aren't shared within an organization.

Sharing portfolios only within Organizations helps ensure that a portfolio isn't shared with incorrect Amazon Web Services accounts. To share a Service Catalog portfolio with an account in an organization, Security Hub CSPM recommends using `ORGANIZATION_MEMBER_ACCOUNT` instead of `ACCOUNT`. This simplifies administration by governing the access granted to the account across the organization. If you have a business need to share Service Catalog portfolios with an external account, you can [automatically suppress the findings](automation-rules.md) from this control or [disable it](disable-controls-overview.md).
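The following script is an added example, not part of the original documentation and not the Config rule's own logic. It inventories each portfolio's shares for the two share types named above and reports the portfolios that still have direct `ACCOUNT` shares. It assumes the boto3 SDK and credentials permitted to list portfolios and describe their shares; the function names are illustrative.

```python
"""Inventory Service Catalog portfolio shares by share type (added example)."""

# The two share types this control's description contrasts.
SHARE_TYPES = ("ACCOUNT", "ORGANIZATION_MEMBER_ACCOUNT")


def paginate(call, result_key, **kwargs):
    """Yield items from a Service Catalog call, following NextPageToken."""
    while True:
        page = call(**kwargs)
        yield from page.get(result_key, [])
        token = page.get("NextPageToken")
        if not token:
            return
        kwargs["PageToken"] = token


def audit_portfolio_shares(sc):
    """Return {portfolio_id: {"name": str, "shares": {share_type: [principal_id]}}}."""
    report = {}
    for p in paginate(sc.list_portfolios, "PortfolioDetails"):
        shares = {}
        for share_type in SHARE_TYPES:
            ids = [s["PrincipalId"] for s in paginate(
                sc.describe_portfolio_shares, "PortfolioShareDetails",
                PortfolioId=p["Id"], Type=share_type)]
            if ids:
                shares[share_type] = ids
        report[p["Id"]] = {"name": p.get("DisplayName", ""), "shares": shares}
    return report


def account_type_shares(report):
    """Portfolios with direct ACCOUNT shares: candidates to re-share or justify."""
    return {pid: e["shares"]["ACCOUNT"] for pid, e in report.items() if "ACCOUNT" in e["shares"]}


if __name__ == "__main__":
    import boto3  # imported here so the functions above also work with a stub client
    flagged = account_type_shares(audit_portfolio_shares(boto3.client("servicecatalog")))
    for pid, accounts in sorted(flagged.items()):
        print(f"{pid}: shared with type ACCOUNT to {', '.join(accounts)}")
    raise SystemExit(1 if flagged else 0)  # non-zero exit when any ACCOUNT share exists
```

Run it in each Region where portfolios exist, because Service Catalog portfolios are Regional resources.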

### Remediation
<a name="servicecatalog-1-remediation"></a>

To enable portfolio sharing with Amazon Organizations, see [Sharing with Amazon Organizations](https://docs.amazonaws.cn/servicecatalog/latest/adminguide/catalogs_portfolios_sharing_how-to-share.html#portfolio-sharing-organizations) in the *Amazon Service Catalog Administrator Guide*.