Disabling a security standard in Security Hub - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Disabling a security standard in Security Hub

When you disable a security standard in Amazon Security Hub, the following occurs:

  • All the controls that apply to the standard are disabled, unless they're associated with another standard that's currently enabled.

  • Security checks for the disabled controls are no longer performed, and no additional findings are generated for the disabled controls.

  • Existing findings for the disabled controls are archived automatically after approximately 3-5 days.

  • Amazon Config rules that Security Hub created for the disabled controls are deleted.

Deletion of the appropriate Amazon Config rules typically occurs within a few minutes of disabling a standard. However, it might take longer. If the first request fails to delete the rules, Security Hub tries again every 12 hours. However, if you disabled Security Hub or don't have any other standards enabled, Security Hub can't try again, which means that it can't delete the rules. If this occurs and you need to delete the rules, contact Amazon Web Services Support.

Disabling a standard in multiple accounts and Amazon Web Services Regions

To disable a security standard across multiple accounts and Amazon Web Services Regions, use central configuration. With central configuration, the delegated Security Hub administrator can create Security Hub configuration policies that disable one or more standards. The administrator can then associate a configuration policy with individual accounts, organizational units (OUs), or the root. A configuration policy affects the home Region, also referred to as an aggregation Region, and all linked Regions.

Configuration policies offer customization options. For example, you might choose to disable the Payment Card Industry Data Security Standard (PCI DSS) in one OU. For another OU, you might choose to disable both the PCI DSS and the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 standard. For information about creating a configuration policy that enables or disables individual standards that you specify, see Creating and associating configuration policies.

Note

The Security Hub administrator can use configuration policies to disable any standard except the Amazon Control Tower service-managed standard. To disable this standard, the administrator must use Amazon Control Tower directly. They must also use Amazon Control Tower to disable or enable individual controls in this standard for a centrally managed account.

If you want some accounts to configure or disable standards for their own accounts, the Security Hub administrator can designate those accounts as self-managed accounts. Self-managed accounts must disable standards separately in each Region.

Disabling a standard in a single account and Amazon Web Services Region

If you don't use central configuration or you have a self-managed account, you can't use configuration policies to centrally disable security standards in multiple accounts or Amazon Web Services Regions. However, you can disable a standard in a single account and Region. You can do this by using the Security Hub console or the Security Hub API.

Security Hub console

Follow these steps to disable a standard in one account and Region by using the Security Hub console.

To disable a standard in one account and Region
  1. Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

  2. By using the Amazon Web Services Region selector in the upper-right corner of the page, choose the Region in which you want to disable the standard.

  3. In the navigation pane, choose Security standards.

  4. In the section for the standard that you want to disable, choose Disable standard.

To disable the standard in additional Regions, repeat the preceding steps in each additional Region.

Security Hub API

To disable a standard programmatically in a single account and Region, use the BatchDisableStandards operation. Or, if you're using the Amazon Command Line Interface (Amazon CLI), run the batch-disable-standards command.

In your request, use the StandardsSubscriptionArns parameter to specify the Amazon Resource Name (ARN) of the standard that you want to disable. If you're using the Amazon CLI, use the standards-subscription-arns parameter to specify the ARN. Also specify the Region that your request applies to. For example, the following command disables the Amazon Foundational Security Best Practices v1.0.0 (FSBP) standard for an account (123456789012):

$ aws securityhub batch-disable-standards \
    --standards-subscription-arns "arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0" \
    --region us-east-1

Where arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0 is the ARN of the FSBP standard for the account in the US East (N. Virginia) Region, and us-east-1 is the Region in which to disable it.

To obtain the ARN for a standard, you can use the GetEnabledStandards operation. This operation retrieves information about the standards that are currently enabled in your account. If you're using the Amazon CLI, you can run the get-enabled-standards command to retrieve this information.

After you disable a standard, Security Hub begins performing tasks to disable the standard in the account and the specified Region. This includes disabling all the controls that apply to the standard. To monitor the status of these tasks, you can check the status of the standard for the account and Region.
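The three API steps above (look up the subscription ARN with GetEnabledStandards, call BatchDisableStandards, then watch the standard's status until it drops out of the enabled list) as one script. This is an added example, not code from the Security Hub documentation or from the AWS SDK. It assumes boto3 is installed and credentials are configured when main() is run against a real account; the core functions only need an object exposing get_enabled_standards() and batch_disable_standards(), so demo() runs them offline against a constructed fake client. The NIST subscription, the standards ARNs and the "DISABLED"/"TIMEOUT" result strings are constructed for the example; only the FSBP subscription ARN and account ID come from the page.

```python
"""Disable one Security Hub standard in a single account and Region via the API."""
import time

# Standard identifier slug, taken from the page's example subscription ARN.
FSBP_SLUG = "aws-foundational-security-best-practices/v/1.0.0"
NIST_SLUG = "nist-800-53/v/5.0.0"  # assumed slug for NIST SP 800-53 Rev. 5

# Constructed sample data in the shape get-enabled-standards returns.
SAMPLE_ACCOUNT, SAMPLE_REGION = "123456789012", "us-east-1"
FSBP_SUBSCRIPTION_ARN = f"arn:aws:securityhub:{SAMPLE_REGION}:{SAMPLE_ACCOUNT}:subscription/{FSBP_SLUG}"
NIST_STANDARDS_ARN = f"arn:aws:securityhub:{SAMPLE_REGION}::standards/{NIST_SLUG}"
SAMPLE_SUBSCRIPTIONS = [
    {"StandardsSubscriptionArn": FSBP_SUBSCRIPTION_ARN,
     "StandardsArn": f"arn:aws:securityhub:{SAMPLE_REGION}::standards/{FSBP_SLUG}",
     "StandardsStatus": "READY"},
    {"StandardsSubscriptionArn": f"arn:aws:securityhub:{SAMPLE_REGION}:{SAMPLE_ACCOUNT}:subscription/{NIST_SLUG}",
     "StandardsArn": NIST_STANDARDS_ARN, "StandardsStatus": "READY"},
]


def list_enabled_standards(client):
    """Page through GetEnabledStandards and return every enabled subscription."""
    subs, token = [], None
    while True:
        kwargs = {"MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        resp = client.get_enabled_standards(**kwargs)
        subs.extend(resp.get("StandardsSubscriptions", []))
        token = resp.get("NextToken")
        if not token:
            return subs


def find_subscription_arn(client, slug):
    """Map a standard's identifier slug to the account's subscription ARN (None if not enabled)."""
    for sub in list_enabled_standards(client):
        if sub["StandardsArn"].endswith("standards/" + slug):
            return sub["StandardsSubscriptionArn"]
    return None


def disable_standard(client, subscription_arn):
    """Call BatchDisableStandards for one subscription; returns the status the API reports."""
    resp = client.batch_disable_standards(StandardsSubscriptionArns=[subscription_arn])
    return resp["StandardsSubscriptions"][0]["StandardsStatus"]


def wait_until_disabled(client, subscription_arn, timeout_s=300, poll_s=15, sleep=time.sleep):
    """Poll the enabled list until the subscription is gone ("DISABLED"), FAILED, or we time out."""
    deadline = time.monotonic() + timeout_s
    while True:
        current = {s["StandardsSubscriptionArn"]: s for s in list_enabled_standards(client)}
        sub = current.get(subscription_arn)
        if sub is None:
            return "DISABLED"  # constructed label: the standard no longer appears as enabled
        if sub["StandardsStatus"] == "FAILED":
            return "FAILED"
        if time.monotonic() >= deadline:
            return "TIMEOUT"
        sleep(poll_s)


class FakeSecurityHubClient:
    """Constructed stand-in for boto3's securityhub client so the flow runs offline.
    A subscription set to DELETING disappears after the next complete listing,
    which mimics the asynchronous disable that the page describes."""

    def __init__(self, subscriptions, page_size=100):
        self._subs = {s["StandardsSubscriptionArn"]: dict(s) for s in subscriptions}
        self.page_size = page_size

    def get_enabled_standards(self, NextToken=None, MaxResults=100, **_):
        subs = list(self._subs.values())
        start, limit = (int(NextToken) if NextToken else 0), min(MaxResults, self.page_size)
        resp = {"StandardsSubscriptions": [dict(s) for s in subs[start:start + limit]]}
        if start + limit < len(subs):
            resp["NextToken"] = str(start + limit)
        else:  # end of listing: DELETING subscriptions are gone from now on
            for arn in [a for a, s in self._subs.items() if s["StandardsStatus"] == "DELETING"]:
                del self._subs[arn]
        return resp

    def batch_disable_standards(self, StandardsSubscriptionArns):
        out = []
        for arn in StandardsSubscriptionArns:
            self._subs[arn]["StandardsStatus"] = "DELETING"  # KeyError if not enabled (fake's choice)
            out.append(dict(self._subs[arn]))
        return {"StandardsSubscriptions": out}


def demo():
    """Run the full flow against the fake client (page_size=1 exercises pagination)."""
    fake = FakeSecurityHubClient(SAMPLE_SUBSCRIPTIONS, page_size=1)
    arn = find_subscription_arn(fake, FSBP_SLUG)
    status = disable_standard(fake, arn)
    final = wait_until_disabled(fake, arn, sleep=lambda _: None)
    return arn, status, final, [s["StandardsArn"] for s in list_enabled_standards(fake)]


def main(region="us-east-1", slug=FSBP_SLUG):
    """Real run: requires boto3 and credentials (imported here so demo() works without them)."""
    import boto3
    client = boto3.client("securityhub", region_name=region)
    arn = find_subscription_arn(client, slug)
    if arn is None:
        print(f"{slug} is not enabled in {region}; nothing to do")
        return
    print("disable accepted, status:", disable_standard(client, arn))
    print("final status:", wait_until_disabled(client, arn))


if __name__ == "__main__":
    print(demo())
```

Matching on the standards ARN suffix rather than hard-coding the subscription ARN keeps the script usable across accounts and Regions, and polling the full enabled list (instead of querying the single subscription ARN) sidesteps any question of how the API answers for a subscription that has already been removed. Run main() only in the account and Region you intend to change; the demo() path never touches AWS.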