When two become one

Security Hub now integrates with Control Tower

Welcome to Unlimited Leave. This is the weekly newsletter that uses our own principles to take extended holiday breaks from AWS Cloud Management. You should too.

This week's topics

  • What's next for this newsletter

  • Security Hub and Control Tower joined in a holy union

  • Disable Organization Security Hub Checks Globally

  • Work with me 'in' AWS

What's next for this newsletter

Some (roughly 10%) of you have answered a poll I ran for a few weeks. The poll asked - What do you want to get out of this newsletter?

The results are in:

šŸŸ©šŸŸ©šŸŸ©šŸŸ©šŸŸ©šŸŸ© šŸ“ŗ Short tutorials and/or resources on how to implement practical solutions (think Git repos and Loom videos) (28)ā¬œļøā¬œļøā¬œļøā¬œļøā¬œļøā¬œļø šŸ—žļø Another location to get syndicated Service and Feature announcements (4)šŸŸØšŸŸØšŸŸØšŸŸØšŸŸØšŸŸØ šŸ“° Long form explanatory articles and walk-throughs (potentially with supporting video) (27)

If you still want to put in your $0.02, please go back a couple of weeks and provide your feedback.

Moving forward

The results show a coin flip between short tutorials or resources and long-form content.

Since I launched this newsletter the month leading up to re:Invent, that has been the topic of focus. After the beginning of the year expect to see a slightly modified format sharing more actionable resources mixed with more detailed content.

Next week I plan to run a new poll requesting information on how you would like to consume and/or receive the resources provided.

This will help me determine where to store the content and resources, how they should be gated/collected, as well as how to properly socialize and syndicate the content.

Security Hub Integrates with Control Tower

AWS Security Hub is a security and compliance management tool that provides a central dashboard for visibility and governance across your AWS environment. It aggregates, organizes, and prioritizes security alerts and findings from multiple AWS services, as well as third-party security solutions.

AWS Control Tower is a fully managed service that helps organizations set up and govern their multi-account AWS environments. It provides a central landing zone with pre-defined controls and best practices to help organizations establish a secure and compliant AWS environment. It also provides a central dashboard for visibility and governance across accounts.

Recently, AWS announced that Security Hub now integrates with AWS Control Tower. This integration provides a unified view of your security and compliance status across your AWS environment, including your Control Tower accounts.

With the integration, you can:

  • View the security and compliance status of your Control Tower accounts in Security Hub, alongside your other AWS accounts.

  • Use Security Hub to monitor the compliance status of your Control Tower accounts and receive notifications when compliance standards are not met.

  • Use Security Hub to assess the security posture of your Control Tower accounts and receive recommendations for improving security.

  • Use Security Hub to track the progress of security remediation actions across your Control Tower accounts.

To set up the integration, you need to do the following:

  1. Enable Security Hub in your Control Tower master account and all member accounts.

  2. Enable the AWS Config service in your Control Tower master account and all member accounts.

  3. Create an AWS Config rule in your Control Tower master account to collect compliance data from your member accounts.

  4. In Security Hub, create a new member account organization and select your Control Tower master account as the master account.

With the integration of AWS Security Hub and AWS Control Tower, you can now manage the security and compliance of your multi-account AWS environment in a more comprehensive and efficient way. You can gain a unified view of your security and compliance status, monitor compliance standards, assess security posture, and track remediation actions across your Control Tower accounts. This can help you improve the security and compliance of your AWS environment and reduce the risk of security incidents.

Disable Organization Security Hub Checks Globally

These resources are a prime examples of the solutions that will be built, shared, and referenced in future issues after the beginning for CY23.

Managing AWS Security Hub checks across multiple AWS accounts in an organization can be difficult. Some accounts required checks to be enabled while in other accounts, many checks may not be relevant.

Before native functionality in Security Hub is released (hopefully šŸ¤ž), the following solutions provide a solution to more easily manage these situations.

When using a Delegated SH Admin account

This solution:

supplies the ability to disable checks from the delegated Security Hub administrator and have the results aggregated across all accounts unless there is an exception.

When there are multiple accounts w/o central management

This solution:

is similar to the previous one but can be used to manage checks across accounts within an organization or even across organizations. Out of the box it is designed for a single organization; however, with a minor addition can be leveraged for any number of standalone accounts or across any number of organizations.


Both of these solutions are fairly straightforward to deploy if you understand the workings of how the account `assume role` and delegated administrators work. However, there are pre-requisites that need to be met to properly deploy either solution.

Over the course of the next couple of weeks, keep an eye on this personal repository:

As I will be documenting and providing additional resources to enable the deployment of either solution.

Rest assured that once I complete this solution, AWS will likely enable native functionality of this within the AWS Console. It just takes someone implementing something externally to make it so.

Work with 'in' me AWS

During re:Invent this year, AWS announced the ability to have a unique AWS Builder ID. This obviously is a complement to the 'community leaderboard'. This ID allows you have a unified identity across AWS re:Post (formerly AWS Forums) and AWS Code Catalyst (the newly released Integrated DevOps Service).

AWS re:Post

For re:Post this is great. The former forum user account(s) were tied directly to individual AWS accounts. In order to respond as the same person in a forum, you had to be logged into that specific AWS Account to be that user. It was a mess. Now you can link your Builder ID to multiple accounts.

I'll be damned if I know where my original user is associated. I have the "founding member" badge. I'd really like to get credit for that in my new builder ID.

If you have a re:Post account or don't have one yet, go out and get registered and follow me here: https://repost.aws/community/users/USDyAPhph_QRCYVu-Ph5tH5w


Have you ever wanted to hire support for your AWS environment and have issues procuring financing to hire a consultant? You're in luck!

You can hire me and other experts through AWS IQ. Here is my profile:

AWS IQ is a service offered by Amazon Web Services (AWS) that allows users to connect with freelance experts who can help with various tasks related to AWS products and services.

These tasks can range from providing guidance on how to use a particular AWS service, to developing custom solutions using AWS technology.

Users can search for and hire experts based on their skills, experience, and availability, and then communicate with them through the AWS IQ platform to get their tasks completed.

The best thing about all of this... The payment for these services is handled through the platform (billed to your account), making it easy for users to manage their budgets and track their spending.

More accessible support

I sat on a roundtable for AWS IQ this last week at re:Invent. The team is really pushing to bring more visibility to the service and looking for ways to get the word out. So this is me helping push it along.

Documentation and Solutions support

If you pay attention, there are direct links to re:Post and IQ at the bottom of nearly every AWS Doc or Reference Architecture page.

AWS Support Console

From within the AWS Console, under the support menu, both options are presented following the link to the Support Page.

While from inside the support console there are references to 're:Post' and the ability to get 'Expert Help' expect that in the future, the closure of support tickets to reference using an AWS IQ Expert to continue looking at your issue.

AWS Support cannot work on resources in your account(s). This will likely be an avenue in the future to solicit support from experts.

The key differentiator here is that AWS IQ Experts are NOT AWS employees. They are individuals (or members of firms) that have achieved AWS Solutions Architect Associate or higher certification. Like yours truly.

NOTE: AWS charges a 2.5% fee to the expert for services rendered via AWS IQ.


  • Expert charges $100 for service

  • Customer Pays $100 in their AWS Account bill or consolidate Organization Bill

  • Expert receives $97.50 for services rendered

Contact me

If any of these solutions seem like something you are interested in deploying or you have questions about the direction to go with your Architecture contact me. Even if you don't yet have AWS Organization, only have a single organization, or are not exactly sure what you have, I'm willing to take a look. Reach out via:

Help us grow

Have team members worried about working over the holidays on their poorly configured AWS Architectures?

Forward them this email or tell them to subscribe šŸ‘‡

Review past issues HERE
Disclaimer: The resources and topics shared within this newsletter are for informational use only. Any resources deployed or tools implemented are done so at your own risk. Do your own research and testing prior to the implementation of any resource or service deployed for any workload.