SecurityHub

In SecurityHub, installing this customization will enable Security Hub in all Control Tower managed accounts, with the Audit account as the default Security Hub Master.

This is done by deploying a SecurityHub enabler lambda function in the master account. It runs periodically and checks each Control Tower managed account/region to ensure they have been invited into the master SecurityHub account and that SecurityHub is enabled. Control Tower Lifecycle events also trigger it to ensure minimal delay between new accounts being created and Security Hub being enabled in them.

AWS Control Tower helps in setting up and configuring AWS accounts for multi-account security.