Reviewing the details of a security standard - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Reviewing the details of a security standard

After you enable a security standard in Amazon Security Hub, you can use the console to review the details of the standard. On the console, the details page for a standard includes the following information:

  • The current security score for the standard.

  • A table of controls that apply to the standard.

  • Aggregated statistics for controls that apply to the standard.

  • A visual summary of the status of the controls that apply to the standard.

  • A visual summary of security checks for controls that are enabled and apply to the standard. If you integrate with Amazon Organizations, controls that are enabled in at least one organization account are considered enabled.

To review these details, choose Security standards in the navigation pane on the console. Then, in the section for the standard, choose View results. For deeper analysis, you can filter and sort the data, and drill down to review the details of individual controls that apply to the standard.

Understanding the standard security score

On the Amazon Security Hub console, the details page for a standard displays the security score for the standard. The score is the percentage of controls that passed evaluation, relative to the total number of controls that apply to the standard, are enabled, and have evaluation data. Under the score is a chart that summarizes security checks for controls that are enabled for the standard. This includes the number of passed and failed security checks. For administrator accounts, the standard score and chart are aggregated across the administrator account and all member accounts. To review failed security checks for controls that have a specific severity, choose the severity.

When you enable a standard, Security Hub generates a preliminary security score for the standard, typically within 30 minutes of your first visit to the Summary page or the Security standards page on the Security Hub console. Scores are generated only for standards that are enabled when you visit those pages. In addition, Amazon Config resource recording must be configured for the scores to appear. In the China Regions and Amazon GovCloud (US) Regions, it can take up to 24 hours for Security Hub to generate a preliminary score. After Security Hub generates a preliminary score for a standard, it updates the score every 24 hours. For more information, see Calculating security scores.

All the data on Security standards detail pages is specific to the current Amazon Web Services Region unless you set an aggregation Region. If you set an aggregation Region, security scores apply across Regions and include findings for all linked Regions. In addition, the compliance status of controls reflects findings from linked Regions, and the number of security checks includes findings from linked Regions.

Reviewing the controls for a standard

When you use the Amazon Security Hub console to review the details of a standard that you enabled, you can review a table of security controls that apply to the standard. For each control, the table includes the following information:

Security Hub updates control statuses and the count of security checks every 24 hours. A timestamp at the top of the page indicates when Security Hub most recently updated this data.

For administrator accounts, control statuses and the number of security checks are aggregated across the administrator account and all member accounts. The count of enabled controls includes controls that are enabled for the standard in the administrator account or at least one member account. The count of disabled controls includes controls that are disabled for the standard in the administrator account and all member accounts.

You can filter the table of controls that apply to the standard. Using the Filter by options next to the table, you can choose to view only enabled or only disabled controls for the standard. If you display only enabled controls, you can further filter the table by control status. You can then focus on controls that have a specific control status. In addition to the Filter by options, you can enter filter criteria in the Filter controls box. For example, you can filter by control ID or title.

Choose your preferred access method. Then follow the steps to review the controls that apply to a standard that you enabled.

Security Hub console
To review the controls for an enabled standard
  1. Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

  2. Choose Security standards in the navigation pane.

  3. In the section for the standard, choose View results.

The table at the bottom of the page lists all the controls that apply to the standard. You can filter and sort the table. You can also download the current page of the table as a CSV file. To do this, choose Download above the table. If you filter the table, the downloaded file includes only the controls that match your current filter settings.

Security Hub API
To review the controls for an enabled standard
  1. Use the ListSecurityControlDefinitions operation of the Security Hub API. If you're using the Amazon CLI, run the list-security-control-definitions command.

    Specify the Amazon Resource Name (ARN) of the standard that you want to review controls for. To obtain ARNs for standards, use the DescribeStandards operation or run the describe-standards command. If you don't specify the ARN for a standard, Security Hub returns the definitions of all security controls, regardless of standard.

  2. Use the ListStandardsControlAssociations operation of the Security Hub API, or run the list-standards-control-associations command. For each enabled standard that the control belongs to, the response includes an association status (ENABLED or DISABLED), so it tells you which standards the control is currently enabled in.

    Identify the control by providing the security control ID or ARN. Pagination parameters are optional.

The following example tells you which standards the Config.1 control is enabled in.

$ aws securityhub list-standards-control-associations --region us-east-1 --security-control-id Config.1
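The score rule described earlier (percentage of passed controls among the controls that are enabled and have evaluation data), the organization-wide aggregation rule (a control counts as enabled if it is enabled in at least one account and disabled only if it is disabled in every account), and the list-standards-control-associations output from the procedure above can be tied together to reproduce the numbers the console shows. The following Python is an added example, not code from the Security Hub documentation or from an AWS SDK. It consumes constructed responses shaped like the StandardsControlAssociationSummaries array returned by the API, plus constructed per-account security-check results (the associations API does not return check results; those come from findings). The standard ARNs, account IDs, and the rule that an aggregated control is Failed when any account's check failed are assumptions made for the example.

```python
from collections import Counter

# Assumed standard ARNs, constructed for this example (China partition).
FSBP_ARN = ("arn:aws-cn:securityhub:cn-north-1::standards/"
            "aws-foundational-security-best-practices/v/1.0.0")
CIS_ARN = ("arn:aws-cn:securityhub:cn-north-1::standards/"
           "cis-aws-foundations-benchmark/v/1.4.0")


def _summary(control, status, arn=FSBP_ARN):
    # Shape of one StandardsControlAssociationSummaries item; other fields omitted.
    return {"SecurityControlId": control, "StandardsArn": arn,
            "AssociationStatus": status}


# Constructed list-standards-control-associations responses, one per account.
RESPONSES = {
    "111111111111": {"StandardsControlAssociationSummaries": [  # administrator
        _summary("Config.1", "ENABLED"), _summary("IAM.4", "ENABLED"),
        _summary("S3.1", "DISABLED"), _summary("EC2.8", "ENABLED"),
        _summary("CloudTrail.1", "DISABLED")]},
    "222222222222": {"StandardsControlAssociationSummaries": [
        _summary("Config.1", "ENABLED"), _summary("IAM.4", "DISABLED"),
        _summary("S3.1", "DISABLED"), _summary("S3.1", "ENABLED", CIS_ARN),
        _summary("EC2.8", "ENABLED"), _summary("CloudTrail.1", "ENABLED")]},
    "333333333333": {"StandardsControlAssociationSummaries": [
        _summary("Config.1", "ENABLED"), _summary("IAM.4", "DISABLED"),
        _summary("S3.1", "DISABLED"), _summary("EC2.8", "ENABLED"),
        _summary("CloudTrail.1", "DISABLED")]},
}

# Constructed per-account check results for the controls enabled in that account.
# NO_DATA means no evaluation yet (for example, Config recording not configured).
CHECKS = {
    "111111111111": {"Config.1": "PASSED", "IAM.4": "FAILED", "EC2.8": "NO_DATA"},
    "222222222222": {"Config.1": "PASSED", "EC2.8": "NO_DATA", "CloudTrail.1": "PASSED"},
    "333333333333": {"Config.1": "PASSED", "EC2.8": "NO_DATA"},
}


def aggregate_enablement(responses, standard_arn):
    """ENABLED if enabled in any account; DISABLED only if disabled in all.
    Records for other standards are ignored (the same control ID can appear
    in several standards with different statuses)."""
    state = {}
    for response in responses.values():
        for rec in response["StandardsControlAssociationSummaries"]:
            if rec["StandardsArn"] != standard_arn:
                continue
            cid = rec["SecurityControlId"]
            if rec["AssociationStatus"] == "ENABLED":
                state[cid] = "ENABLED"
            else:
                state.setdefault(cid, "DISABLED")
    return state


def aggregate_status(checks):
    """Assumed rule: FAILED if any account's check failed, else PASSED if any
    passed, else NO_DATA (no evaluation data anywhere)."""
    status = {}
    for per_account in checks.values():
        for cid, result in per_account.items():
            current = status.get(cid, "NO_DATA")
            if "FAILED" in (result, current):
                status[cid] = "FAILED"
            elif "PASSED" in (result, current):
                status[cid] = "PASSED"
            else:
                status[cid] = "NO_DATA"
    return status


def security_score(enablement, statuses):
    """Percentage of enabled controls with evaluation data that passed;
    None when no enabled control has data yet (no preliminary score)."""
    scored = [cid for cid, state in enablement.items()
              if state == "ENABLED" and statuses.get(cid, "NO_DATA") != "NO_DATA"]
    if not scored:
        return None
    passed = sum(1 for cid in scored if statuses[cid] == "PASSED")
    return round(100.0 * passed / len(scored), 2)


def summarize(responses, checks, standard_arn):
    """Reproduce the headline numbers of a standard's details page."""
    enablement = aggregate_enablement(responses, standard_arn)
    statuses = aggregate_status(checks)
    check_counts = Counter(r for acct in checks.values() for r in acct.values())
    return {
        "enabled": sum(1 for s in enablement.values() if s == "ENABLED"),
        "disabled": sum(1 for s in enablement.values() if s == "DISABLED"),
        "score": security_score(enablement, statuses),
        "passed_checks": check_counts["PASSED"],
        "failed_checks": check_counts["FAILED"],
        "control_status": statuses,
    }


if __name__ == "__main__":
    print(summarize(RESPONSES, CHECKS, FSBP_ARN))
```

With the constructed data, four controls count as enabled (IAM.4 and CloudTrail.1 are enabled in only one account each) and S3.1 counts as disabled because it is disabled in every account for this standard, even though one member account enables it under the CIS standard. EC2.8 has no evaluation data, so it is left out of the denominator and the score is 2 of 3, or 66.67%. To run this against real accounts, replace RESPONSES with the parsed JSON of list-standards-control-associations from each account and build CHECKS from the compliance status of each account's control findings.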