Service Catalog portfolios should be shared within an AWS organization only
Description
This control checks whether AWS Service Catalog shares portfolios within an organization when the integration with AWS Organizations is enabled. The control fails if portfolios aren't shared within an organization. Sharing portfolios only within an organization helps ensure that a portfolio isn't shared with incorrect AWS accounts. To share a Service Catalog portfolio with an account in an organization, Security Hub recommends using the ORGANIZATION_MEMBER_ACCOUNT share type instead of ACCOUNT. This simplifies administration by governing the access granted to the account across the organization.
Remediation
Ensure Service Catalog portfolios are shared only within the AWS organization.
Steps
- Open the AWS Service Catalog console.
- Navigate to 'Portfolios' in the left navigation pane.
- Select the portfolio that needs remediation.
- Go to the 'Sharing' tab.
- Review all shares and remove any shares that use type 'ACCOUNT' (account-level shares, which can target accounts outside the organization).
- Ensure all shares use 'ORGANIZATION_MEMBER_ACCOUNT' or organization-level sharing.
- Save the changes.
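Before changing shares in the console, it helps to know which portfolios actually carry an ACCOUNT-type share. The script below is an added example (not part of the original control text and not AWS or Security Hub code) that reproduces the control's logic against the Service Catalog API: it lists portfolios, queries describe_portfolio_shares once per share type (the API requires a Type argument), and marks a portfolio as failing when any share has Type ACCOUNT. The boto3 calls list_portfolios and describe_portfolio_shares are real; the FakeServiceCatalogClient, its portfolio IDs, account IDs and OU ID are constructed sample data so the example runs offline.

```python
"""Evaluate AWS Service Catalog portfolio shares against the control above.

Flags any share of type ACCOUNT as non-compliant and reports which
organization-scoped share types (ORGANIZATION, ORGANIZATIONAL_UNIT,
ORGANIZATION_MEMBER_ACCOUNT) are present. Works with a real
boto3.client("servicecatalog") or with the constructed fake client below.
"""
from typing import Dict, Iterable, List

# All values accepted by describe_portfolio_shares(Type=...); the API returns
# shares of one type per call, so each type is queried in turn.
SHARE_TYPES = ("ACCOUNT", "ORGANIZATION", "ORGANIZATIONAL_UNIT",
               "ORGANIZATION_MEMBER_ACCOUNT")


def evaluate_portfolio_shares(portfolio_id: str, shares: Iterable[Dict]) -> Dict:
    """Apply the control's logic to a list of PortfolioShareDetails entries.

    Any share whose Type is ACCOUNT fails the control, even if the target
    account is an organization member, because the recommended mechanism is
    ORGANIZATION_MEMBER_ACCOUNT (or OU / organization-level sharing).
    """
    shares = list(shares)
    account_shares = sorted(s["PrincipalId"] for s in shares
                            if s.get("Type") == "ACCOUNT")
    org_shares = sorted(f'{s["Type"]}:{s["PrincipalId"]}' for s in shares
                        if s.get("Type") in SHARE_TYPES[1:])
    return {
        "portfolio_id": portfolio_id,
        "status": "FAIL" if account_shares else "PASS",
        "account_shares": account_shares,
        "organization_shares": org_shares,
    }


def collect_portfolio_shares(client, portfolio_id: str) -> List[Dict]:
    """Gather every share on a portfolio, following NextPageToken per type."""
    shares: List[Dict] = []
    for share_type in SHARE_TYPES:
        token = None
        while True:
            kwargs = {"PortfolioId": portfolio_id, "Type": share_type}
            if token:
                kwargs["PageToken"] = token
            resp = client.describe_portfolio_shares(**kwargs)
            shares.extend(resp.get("PortfolioShareDetails", []))
            token = resp.get("NextPageToken")
            if not token:
                break
    return shares


def evaluate_all_portfolios(client) -> List[Dict]:
    """List the account's portfolios (paginated) and evaluate each one."""
    findings: List[Dict] = []
    token = None
    while True:
        kwargs = {"PageToken": token} if token else {}
        resp = client.list_portfolios(**kwargs)
        for portfolio in resp.get("PortfolioDetails", []):
            shares = collect_portfolio_shares(client, portfolio["Id"])
            findings.append(evaluate_portfolio_shares(portfolio["Id"], shares))
        token = resp.get("NextPageToken")
        if not token:
            break
    return findings


class FakeServiceCatalogClient:
    """Constructed stand-in for boto3.client('servicecatalog'): two portfolios,
    one with a non-compliant ACCOUNT share, one shared only to an OU."""

    PORTFOLIOS = [{"Id": "port-example1111", "DisplayName": "platform"},
                  {"Id": "port-example2222", "DisplayName": "data"}]
    # Constructed share data keyed by (portfolio id, share type).
    SHARES = {
        ("port-example1111", "ACCOUNT"): [
            {"PrincipalId": "111111111111", "Type": "ACCOUNT", "Accepted": True}],
        ("port-example1111", "ORGANIZATION_MEMBER_ACCOUNT"): [
            {"PrincipalId": "222222222222", "Type": "ORGANIZATION_MEMBER_ACCOUNT", "Accepted": True}],
        ("port-example2222", "ORGANIZATIONAL_UNIT"): [
            {"PrincipalId": "ou-exam-ple00000", "Type": "ORGANIZATIONAL_UNIT", "Accepted": True}],
    }

    def list_portfolios(self, **kwargs):
        return {"PortfolioDetails": self.PORTFOLIOS}

    def describe_portfolio_shares(self, PortfolioId, Type, **kwargs):
        return {"PortfolioShareDetails": self.SHARES.get((PortfolioId, Type), [])}


if __name__ == "__main__":
    # Swap in boto3.client("servicecatalog") to run against a real account.
    for finding in evaluate_all_portfolios(FakeServiceCatalogClient()):
        print(finding)
```

The evaluation is kept separate from the API calls so the same evaluate_portfolio_shares function can be fed share details from a real client, from a CloudTrail-derived inventory, or from a test fixture. Note that describe_portfolio_shares only returns results for portfolios owned by the calling account; imported portfolios are not the owner's to share and are out of scope for this check.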