Enabling and disabling controls in specific standards - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enabling and disabling controls in specific standards

When you enable a standard in Amazon Security Hub, all of the controls that apply to it are automatically enabled in that standard (the exception to this is service-managed standards). You can then disable and re-enable specific controls in the standard. However, we recommend aligning the enablement status of a control across all of your enabled standards.

Note

If you use Security Hub central configuration, the delegated administrator can enable and disable controls for organization accounts across all enabled standards. We recommend this approach so that a control's enablement status is aligned across standards. However, the delegated administrator can designate accounts as self-managed, which gives them the ability to enable and disable controls in specific standards. For more information, see How central configuration works.

The details page for a standard lists the controls that apply to the standard and shows which of those controls are currently enabled and which are disabled in that standard.

On the standards details page, you can also enable and disable controls in a specific standard. You must enable and disable controls separately in each Amazon Web Services account and Amazon Web Services Region. When you enable or disable a control, it only impacts the current account and Region.

You can enable and disable controls in each Region by using the Security Hub console, Security Hub API, or Amazon CLI. If you have set an aggregation Region, you see controls from all linked Regions. If a control is available in a linked Region but not in the aggregation Region, you cannot enable or disable that control from the aggregation Region. For multi-account and multi-Region control disablement scripts, see Disabling Security Hub controls in a multi-account environment.

Enabling a control in a specific standard

To enable a control in a standard, you must first enable at least one standard to which the control applies. For more information about enabling a standard, see Enabling and disabling security standards. When you enable a control in a standard, Amazon Security Hub starts to generate findings for that control. Security Hub includes the control status in the calculation of the overall security score and standard security scores. Even if you enable a control in multiple standards, you'll receive a single finding per security check across standards if you turn on consolidated control findings. For more information, see Consolidated control findings.

To enable a control in a standard, the control must be available in your current Region. For more information, see Availability of controls by Region.

Follow these steps to enable a Security Hub control in a specific standard. In lieu of the following steps, you can also use the UpdateStandardsControl API action to enable controls in a specific standard. For instructions on enabling a control in all standards, see Enabling a control in all standards in a single account and Region.

Security Hub console
To enable a control in a specific standard
  1. Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

  2. Choose Security standards from the navigation pane.

  3. Choose View results for the relevant standard.

  4. Select a control.

  5. Choose Enable Control (this option doesn't appear for a control that's already enabled). Confirm by choosing Enable.

Security Hub API
To enable a control in a specific standard
  1. Run ListSecurityControlDefinitions, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run DescribeStandards. This API returns standard-agnostic security control IDs, not standard-specific control IDs.

    Example request:

    { "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0" }
  2. Run ListStandardsControlAssociations, and provide a specific control ID to return the current enablement status of a control in each standard.

    Example request:

    { "SecurityControlId": "IAM.1" }
  3. Run BatchUpdateStandardsControlAssociations. Provide the ARN of the standard that you want to enable the control in.

  4. Set the AssociationStatus parameter equal to ENABLED.

    Example request:

    { "StandardsControlAssociationUpdates": [{"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "ENABLED"}] }
Amazon CLI
To enable a control in a specific standard
  1. Run the list-security-control-definitions command, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run describe-standards. This command returns standard-agnostic security control IDs, not standard-specific control IDs.

    aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
  2. Run the list-standards-control-associations command, and provide a specific control ID to return the current enablement status of a control in each standard.

    aws securityhub --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
  3. Run the batch-update-standards-control-associations command. Provide the ARN of the standard that you want to enable the control in.

  4. Set the AssociationStatus parameter equal to ENABLED.

    aws securityhub --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "ENABLED"}]'

Disabling a control in a specific standard

When you disable a control in a standard, Security Hub stops generating findings for the control. The control status is no longer used in calculating the security score for the standard.

One way to disable a control is by disabling all standards that the control applies to. When you disable a standard, all of the controls that apply to the standard are disabled (however, those controls may still remain enabled in other standards). For information about disabling a standard, see Enabling and disabling security standards.

When you disable a control by disabling a standard that it applies to, the following occurs:

  • Security checks for the control are no longer performed for that standard. This means the control status won't affect the standard security score (Security Hub will continue running security checks for the control if it is enabled in other standards).

  • No additional findings are generated for that control.

  • Existing findings are archived automatically after 3-5 days (note that this is best effort and not guaranteed).

  • The related Amazon Config rules that Security Hub created are removed.

When you disable a standard, Security Hub does not track which controls were disabled. If you subsequently enable the standard again, all of the controls that apply to it are automatically enabled. In addition, disabling a control is a one-time action. Suppose you disable a control, and then you enable a standard which was previously disabled. If the standard includes that control, it will be enabled in that standard. When you enable a standard in Security Hub, all of the controls that apply to that standard are automatically enabled.

Instead of disabling a control by disabling a standard that it applies to, you can just disable the control in one or more specific standards.

To reduce finding noise, it can be useful to disable controls that aren't relevant to your environment. For recommendations of which controls to disable, see Security Hub controls that you might want to disable.

Follow these steps to disable a control in specific standards. In lieu of the following steps, you can also use the UpdateStandardsControl API action to disable controls in a specific standard. For instructions on disabling a control in all standards, see Enabling and disabling controls in all standards.

Security Hub console
To disable a control in a specific standard
  1. Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

  2. Choose Security standards from the navigation pane. Choose View results for the relevant standard.

  3. Select a control.

  4. Choose Disable Control (this option doesn't appear for a control that's already disabled).

  5. Provide a reason for disabling the control, and confirm by choosing Disable.

Security Hub API
To disable a control in a specific standard
  1. Run ListSecurityControlDefinitions, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run DescribeStandards. This API returns standard-agnostic security control IDs, not standard-specific control IDs.

    Example request:

    { "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0" }
  2. Run ListStandardsControlAssociations, and provide a specific control ID to return the current enablement status of a control in each standard.

    Example request:

    { "SecurityControlId": "IAM.1" }
  3. Run BatchUpdateStandardsControlAssociations. Provide the ARN of the standard in which you want to disable the control.

  4. Set the AssociationStatus parameter equal to DISABLED. If you follow these steps for a control that's already disabled, the API returns an HTTP status code 200 response.

    Example request:

    { "StandardsControlAssociationUpdates": [{"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}] }
Amazon CLI
To disable a control in a specific standard
  1. Run the list-security-control-definitions command, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run describe-standards. This command returns standard-agnostic security control IDs, not standard-specific control IDs.

    aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
  2. Run the list-standards-control-associations command, and provide a specific control ID to return the current enablement status of a control in each standard.

    aws securityhub --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
  3. Run the batch-update-standards-control-associations command. Provide the ARN of the standard in which you want to disable the control.

  4. Set the AssociationStatus parameter equal to DISABLED. If you follow these steps for a control that's already disabled, the command returns an HTTP status code 200 response.

    aws securityhub --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'
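The enable and disable procedures above both end in a BatchUpdateStandardsControlAssociations call, and the page recommends keeping a control's enablement status aligned across all enabled standards. The following is an added example, not code from the Security Hub documentation: it works offline on a constructed payload shaped like the ListStandardsControlAssociations response (the StandardsControlAssociationSummaries, AssociationStatus and UpdatedReason fields are those of the real API), detects a control whose status differs between standards, and builds the StandardsControlAssociationUpdates request body shown on this page for every standard that needs to change. The ARNs, control ID and statuses in SAMPLE_ASSOCIATIONS are constructed sample data; requiring a reason when disabling is this example's own rule, mirroring the console prompt for a disable reason.

```python
"""Check and align a Security Hub control's enablement status across standards.

Added example, not code from the Security Hub documentation. It runs offline on
a constructed ListStandardsControlAssociations-style payload and produces the
request body for BatchUpdateStandardsControlAssociations, which can be sent
with boto3 or `aws securityhub batch-update-standards-control-associations
--cli-input-json file://request.json`. All sample values are constructed.
"""
from __future__ import annotations

import json

# Constructed sample standard ARNs (same shape as the ARNs on this page).
FSBP_ARN = ("arn:aws-cn:securityhub:us-east-1::standards/"
            "aws-foundational-security-best-practices/v/1.0.0")
CIS_ARN = "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"

# Constructed sample: a ListStandardsControlAssociations response for one
# control whose status has drifted between two enabled standards.
SAMPLE_ASSOCIATIONS = {
    "StandardsControlAssociationSummaries": [
        {"SecurityControlId": "CloudTrail.1", "StandardsArn": FSBP_ARN,
         "AssociationStatus": "ENABLED"},
        {"SecurityControlId": "CloudTrail.1", "StandardsArn": CIS_ARN,
         "AssociationStatus": "DISABLED",
         "UpdatedReason": "Not applicable to environment"},
    ]
}


def status_by_standard(associations: dict) -> dict[str, str]:
    """Map each standard ARN to the control's AssociationStatus in that standard."""
    return {s["StandardsArn"]: s["AssociationStatus"]
            for s in associations["StandardsControlAssociationSummaries"]}


def has_drift(associations: dict) -> bool:
    """True when the control is ENABLED in some standards and DISABLED in others."""
    return len(set(status_by_standard(associations).values())) > 1


def align_control(associations: dict, target: str,
                  reason: str | None = None) -> dict | None:
    """Build a BatchUpdateStandardsControlAssociations request body that sets
    the control to `target` in every standard where it currently differs.

    Only standards returned by ListStandardsControlAssociations are touched, so
    the request never names a standard the control does not apply to.
    Returns None when nothing needs to change.
    """
    if target not in ("ENABLED", "DISABLED"):
        raise ValueError(f"unsupported AssociationStatus: {target}")
    if target == "DISABLED" and not reason:
        raise ValueError("UpdatedReason is required when disabling a control")
    summaries = associations["StandardsControlAssociationSummaries"]
    control_ids = {s["SecurityControlId"] for s in summaries}
    if len(control_ids) != 1:
        raise ValueError(f"expected one control, got {sorted(control_ids)}")
    updates = []
    for s in summaries:
        if s["AssociationStatus"] == target:
            continue  # already in the desired state; no update needed
        update = {"SecurityControlId": s["SecurityControlId"],
                  "StandardsArn": s["StandardsArn"],
                  "AssociationStatus": target}
        if target == "DISABLED":
            update["UpdatedReason"] = reason
        updates.append(update)
    if not updates:
        return None
    return {"StandardsControlAssociationUpdates": updates}


def failed_updates(response: dict) -> list[str]:
    """Summarise UnprocessedAssociationUpdates from the batch response so that a
    partial failure (for example, a control not available in this Region) is
    not mistaken for success just because the call returned HTTP 200."""
    failures = []
    for item in response.get("UnprocessedAssociationUpdates", []):
        upd = item["StandardsControlAssociationUpdate"]
        failures.append(f'{upd["SecurityControlId"]} in {upd["StandardsArn"]}: '
                        f'{item.get("ErrorCode")} {item.get("ErrorReason", "")}'.strip())
    return failures


if __name__ == "__main__":
    print("status per standard:",
          json.dumps(status_by_standard(SAMPLE_ASSOCIATIONS), indent=2))
    if has_drift(SAMPLE_ASSOCIATIONS):
        # Align towards ENABLED; pass "DISABLED" plus a reason to align the other way.
        print(json.dumps(align_control(SAMPLE_ASSOCIATIONS, "ENABLED"), indent=2))
```

Running the block prints the per-standard status and, because the sample control is enabled in one standard and disabled in the other, a request body that enables it in the CIS standard only. Checking failed_updates on the real response matters because the batch call reports per-item problems in UnprocessedAssociationUpdates rather than failing the whole request.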