Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
When you enable a standard in Amazon Security Hub, all of the controls that apply to it are
automatically enabled in that standard (the exception to this is service-managed standards).
You can then disable and re-enable specific controls in the standard. However, we recommend aligning
the enablement status of a control across all of your enabled standards.
If you use Security Hub central configuration, the delegated administrator can enable
and disable controls for organization accounts across all enabled standards. We recommend this approach so that a control's enablement
status is aligned across standards. However, the delegated administrator can designate accounts as self-managed, which gives them
the ability to enable and disable controls in specific standards. For more information, see How central configuration works.
The details page for a standard contains the list of applicable controls for the standard,
and shows which controls are currently enabled and which are disabled in that
standard.
On the standards details page, you can also enable and disable controls in a specific
standard. You must enable and disable controls separately in each Amazon Web Services account and
Amazon Web Services Region. When you enable or disable a control, it only impacts the current account and
Region.
You can enable and disable controls in each Region by using the Security Hub console, Security Hub API,
or Amazon CLI. If you have set an aggregation Region, you see controls from all linked Regions.
If a control is available in a linked Region but not in the aggregation Region, you cannot
enable or disable that control from the aggregation Region. For multi-account and
multi-Region control disablement scripts, see Disabling
Security Hub controls in a multi-account environment.
Enabling a control in a specific standard
To enable a control in a standard, you must first enable at least one standard to
which the control applies. For more information about enabling a standard, see Enabling and disabling security
standards. When you enable a control in
a standard, Amazon Security Hub starts to generate findings for that control. Security Hub includes
the control status in the
calculation of the overall security score and standard security scores. Even if you enable a control in
multiple standards, you'll receive a single finding per security check across standards
if you turn on consolidated control findings. For more information, see Consolidated control findings.
To enable a control in a standard, the control must be available in your current
Region. For more information, see Availability of controls by Region.
Follow these steps to enable a Security Hub control in a specific
standard. In lieu of the following steps, you can also use the UpdateStandardsControl
API action to enable controls in a
specific standard. For instructions on enabling a control in all
standards, see Enabling a control in all
standards in a single account and Region.
- Security Hub console
  To enable a control in a specific standard
  - Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.
  - Choose Security standards from the navigation pane.
  - Choose View results for the relevant standard.
  - Select a control.
  - Choose Enable Control (this option doesn't appear for a control that's already enabled). Confirm by choosing Enable.
- Security Hub API
  To enable a control in a specific standard
  - Run ListSecurityControlDefinitions, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run DescribeStandards. This API returns standard-agnostic security control IDs, not standard-specific control IDs.
    Example request:
    {
        "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
    }
  - Run ListStandardsControlAssociations, and provide a specific control ID to return the current enablement status of a control in each standard.
    Example request:
    {
        "SecurityControlId": "IAM.1"
    }
  - Run BatchUpdateStandardsControlAssociations. Provide the ARN of the standard that you want to enable the control in.
  - Set the AssociationStatus parameter equal to ENABLED.
    Example request:
    {
        "StandardsControlAssociationUpdates": [
            {
                "SecurityControlId": "IAM.1",
                "StandardsArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
                "AssociationStatus": "ENABLED"
            }
        ]
    }
- Amazon CLI
  To enable a control in a specific standard
  - Run the list-security-control-definitions command, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run describe-standards. This command returns standard-agnostic security control IDs, not standard-specific control IDs.
    aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
  - Run the list-standards-control-associations command, and provide a specific control ID to return the current enablement status of a control in each standard.
    aws securityhub --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
  - Run the batch-update-standards-control-associations command. Provide the ARN of the standard that you want to enable the control in.
  - Set the AssociationStatus parameter equal to ENABLED.
    aws securityhub --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "ENABLED"}]'
Disabling a control in a specific standard
When you disable a control in a standard, Security Hub stops generating findings for the
control. The control status is no longer used in calculating the security score for the
standard.
One way to disable a control is by disabling all standards that the control applies
to. When you disable a standard, all of the controls that apply to the standard are
disabled (however, those controls may still remain enabled in other standards). For
information about disabling a standard, see Enabling and disabling security
standards.
When you disable a control by disabling a standard that it applies to, the following
occurs:
- Security checks for the control are no longer performed for that standard. This means the control status won't affect the standard security score (Security Hub will continue running security checks for the control if it is enabled in other standards).
- No additional findings are generated for that control.
- Existing findings are archived automatically after 3-5 days (note that this is best effort and not guaranteed).
- The related Amazon Config rules that Security Hub created are removed.
When you disable a standard, Security Hub does not track which controls were disabled. If you
subsequently enable the standard again, all of the controls that apply to it are
automatically enabled. Disabling a control is likewise a one-time action: if you disable a
control and later enable a standard that was previously disabled, and that standard includes
the control, the control is enabled in that standard, because enabling a standard in Security Hub
automatically enables all of the controls that apply to it.
Instead of disabling a control by disabling a standard that it applies to, you can
just disable the control in one or more specific standards.
To reduce finding noise, it can be useful to disable controls that aren't relevant to
your environment. For recommendations of which controls to disable, see Security Hub controls that you might want to disable.
Follow these steps to disable a control in specific standards. In
lieu of the following steps, you can also use the UpdateStandardsControl
API action to disable controls in a
specific standard. For instructions on disabling a control in all standards, see Enabling and disabling
controls in all standards.
- Security Hub console
  To disable a control in a specific standard
  - Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.
  - Choose Security standards from the navigation pane. Choose View results for the relevant standard.
  - Select a control.
  - Choose Disable Control (this option doesn't appear for a control that's already disabled).
  - Provide a reason for disabling the control, and confirm by choosing Disable.
- Security Hub API
  To disable a control in a specific standard
  - Run ListSecurityControlDefinitions, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run DescribeStandards. This API returns standard-agnostic security control IDs, not standard-specific control IDs.
    Example request:
    {
        "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
    }
  - Run ListStandardsControlAssociations, and provide a specific control ID to return the current enablement status of a control in each standard.
    Example request:
    {
        "SecurityControlId": "IAM.1"
    }
  - Run BatchUpdateStandardsControlAssociations. Provide the ARN of the standard in which you want to disable the control.
  - Set the AssociationStatus parameter equal to DISABLED. If you follow these steps for a control that's already disabled, the API returns an HTTP status code 200 response.
    Example request:
    {
        "StandardsControlAssociationUpdates": [
            {
                "SecurityControlId": "IAM.1",
                "StandardsArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
                "AssociationStatus": "DISABLED",
                "UpdatedReason": "Not applicable to environment"
            }
        ]
    }
- Amazon CLI
  To disable a control in a specific standard
  - Run the list-security-control-definitions command, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run describe-standards. This command returns standard-agnostic security control IDs, not standard-specific control IDs.
    aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
  - Run the list-standards-control-associations command, and provide a specific control ID to return the current enablement status of a control in each standard.
    aws securityhub --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
  - Run the batch-update-standards-control-associations command. Provide the ARN of the standard in which you want to disable the control.
  - Set the AssociationStatus parameter equal to DISABLED. If you follow these steps for a control that's already disabled, the command returns an HTTP status code 200 response.
    aws securityhub --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'
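The enabling and disabling procedures above both end in a BatchUpdateStandardsControlAssociations call, and the page recommends keeping a control's enablement status aligned across standards and warns that re-enabling a standard re-enables all of its controls. The script below is an added example, not code from the AWS documentation or from Security Hub itself: it takes a ListStandardsControlAssociations response (a constructed sample is embedded so it runs offline), reports controls whose status differs between standards, and computes only the updates needed to reach a desired state, in the shape that BatchUpdateStandardsControlAssociations (API) or batch-update-standards-control-associations (CLI) accepts. Requiring an UpdatedReason whenever a control is disabled is this script's own rule, mirroring the console flow; the standard ARNs are the ones shown on this page.

```python
"""Reconcile Security Hub control enablement across standards.

Added example, not AWS documentation code. Works on the response shape of
ListStandardsControlAssociations and emits the StandardsControlAssociationUpdates
payload for BatchUpdateStandardsControlAssociations. Runs offline on a
constructed sample response.
"""
import json

ENABLED = "ENABLED"
DISABLED = "DISABLED"

# Standard ARNs taken from this page's examples.
FSBP_ARN = ("arn:aws-cn:securityhub:us-east-1::standards/"
            "aws-foundational-security-best-practices/v/1.0.0")
CIS_ARN = "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"

# Constructed sample in the shape of a ListStandardsControlAssociations
# response; the statuses are invented so that one control is misaligned.
SAMPLE_RESPONSE = {
    "StandardsControlAssociationSummaries": [
        {"SecurityControlId": "CloudTrail.1", "StandardsArn": FSBP_ARN,
         "AssociationStatus": ENABLED},
        {"SecurityControlId": "CloudTrail.1", "StandardsArn": CIS_ARN,
         "AssociationStatus": DISABLED,
         "UpdatedReason": "Not applicable to environment"},
        {"SecurityControlId": "IAM.1", "StandardsArn": FSBP_ARN,
         "AssociationStatus": ENABLED},
        {"SecurityControlId": "IAM.1", "StandardsArn": CIS_ARN,
         "AssociationStatus": ENABLED},
    ]
}


def status_by_control(response):
    """Index the summaries as {control ID: {standard ARN: status}}."""
    index = {}
    for summary in response.get("StandardsControlAssociationSummaries", []):
        per_standard = index.setdefault(summary["SecurityControlId"], {})
        per_standard[summary["StandardsArn"]] = summary["AssociationStatus"]
    return index


def misaligned_controls(response):
    """Controls enabled in some standards and disabled in others."""
    index = status_by_control(response)
    return sorted(cid for cid, per_std in index.items()
                  if len(set(per_std.values())) > 1)


def make_update(control_id, standards_arn, status, reason=None):
    """Build one element of StandardsControlAssociationUpdates. Insisting on
    a reason when disabling is this script's rule, mirroring the console."""
    if status not in (ENABLED, DISABLED):
        raise ValueError(f"unsupported AssociationStatus: {status}")
    if status == DISABLED and not reason:
        raise ValueError("UpdatedReason is required when disabling a control")
    update = {"SecurityControlId": control_id, "StandardsArn": standards_arn,
              "AssociationStatus": status}
    if reason:
        update["UpdatedReason"] = reason
    return update


def reconcile(response, desired):
    """Return the updates needed to reach `desired`, a map of
    {control ID: (status, reason)} applied in every standard that carries
    the control. Associations already in the desired state are skipped, so
    re-running this after a standard was re-enabled (which re-enables all of
    its controls) emits only the entries that drifted."""
    updates = []
    for control_id, per_standard in sorted(status_by_control(response).items()):
        if control_id not in desired:
            continue
        want, reason = desired[control_id]
        for standards_arn, have in sorted(per_standard.items()):
            if have != want:
                updates.append(make_update(control_id, standards_arn, want, reason))
    return {"StandardsControlAssociationUpdates": updates}


def cli_argument(payload):
    """Serialise the list for --standards-control-association-updates."""
    return json.dumps(payload["StandardsControlAssociationUpdates"])


if __name__ == "__main__":
    print("misaligned controls:", misaligned_controls(SAMPLE_RESPONSE))
    # Align CloudTrail.1 as enabled everywhere; disable IAM.1 everywhere.
    desired = {"CloudTrail.1": (ENABLED, None),
               "IAM.1": (DISABLED, "Not applicable to environment")}
    plan = reconcile(SAMPLE_RESPONSE, desired)
    print(json.dumps(plan, indent=2))
    print("aws securityhub batch-update-standards-control-associations "
          "--standards-control-association-updates", repr(cli_argument(plan)))
```

The reconciler is idempotent by construction: feed it the live response of list-standards-control-associations for each control in `desired`, and the payload it returns is empty when nothing has drifted, which makes it safe to run on a schedule per account and Region (the page notes that enablement is tracked separately in each).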