Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing details for a standard

On the Amazon Security Hub console, the details page for a standard includes the following information:

You can also use the Security Hub API and Amazon CLI to retrieve details for a standard. The following sections explain how to get details for a standard.

Displaying the details page for an enabled standard (console)

From the Security standards page, you can display the details page for an enabled standard.

If you are signed in to the administrator account, you can view details for any standard that is enabled in at least one member account.

Standard security score and security checks summary

At the top of the standard details page is the security score for the standard. The score is the percentage of passed controls relative to the number of enabled controls (that have data) for the standard.

Security Hub typically calculates the initial security score within 30 minutes after your first visit to the Summary page or Security standards page on the Security Hub console. Scores are only generated for standards that are enabled when you visit those pages. To view a list of standards that are currently enabled, use the GetEnabledStandards API operation. In addition, Amazon Config resource recording must be configured for scores to appear. After first-time score generation, Security Hub updates the security score every 24 hours. Security Hub displays a timestamp to indicate when a security score was last updated. For more information, see Determining security scores.

Next to the score is a chart that summarizes security checks for controls that are enabled for the standard. The chart shows the percentage of failed and passed security checks. When you pause on the chart, the pop-up displays the following:

For administrator accounts, the standard score and chart are aggregated across the administrator account and all member accounts.

All of the data on the Security standards details pages is specific to the current Region unless you have set an aggregation Region. If you have set an aggregation Region, the security scores apply across Regions and include findings in all linked Regions. The compliance status of controls on the standards details pages also reflect findings from linked Regions, and the number of security checks includes findings from linked Regions.

Viewing the controls in enabled standards

When you visit the details page for a standard, you can view a list of security controls that apply to the standard. This list is sorted based on the compliance status of the control and the severity assigned to each control. Security Hub updates the control statuses and security check count every 24 hours. A timestamp on each tab indicates when the control statuses and security check count were most recently updated. For more information, see Compliance status and control status.

For administrator accounts, the control compliance statuses and number of security checks are aggregated across the administrator account and all member accounts.

The All enabled tab lists all of the controls that are currently enabled in the standard. For administrator accounts, the All enabled tab includes controls that are enabled in the standard in their account or at least one member account.

On the Failed, Unknown, No data, and Passed tabs, the controls from the All enabled tab are filtered to include only enabled controls with a specific status.

The Disabled tab contains the list of controls that are disabled in the standard. For administrator accounts, the Disabled tab includes controls that are disabled in the standard in their account and all member accounts.

For each control, the tabs display the following information:

In addition to the search filter on each tab, you can sort the lists based on the following fields:

You can sort each list using any of the columns. By default, the All enabled tab is sorted so that failed controls are at the top of the list. This helps you to immediately focus on issues that require remediation.

On the remaining tabs, the controls are sorted by default in descending order by severity. In other words, critical controls are first, followed by high, then medium, then low severity controls.

Choose your preferred access method, and follow the steps to display the available controls for an enabled standard. In lieu of these instructions, you can also use the DescribeStandardsControl API operation.

Security Hub console

1. Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

2. Choose Security standards in the navigation pane.

3. Choose View results for a standard. The bottom of the page lists the controls (divided by tabs) that apply to the standard.

Security Hub API

1. Run ListSecurityControlDefinitions and provide a standard Amazon Resource Name (ARN) to get a list of control IDs for that standard. To obtain standard ARNs, run DescribeStandards. If you don't provide a standard ARN, this API returns all Security Hub control IDs. This API returns standard-agnostic security control IDs, not standard-specific control IDs.

   Example request:

   {
       "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
   }

2. Run ListStandardsControlAssociations to find out whether a control is enabled in each standard that you've enabled in your account.

3. Identify the control by providing SecurityControlId or SecurityControlArn. Pagination parameters are optional.

   Example request:

   {
       SecurityControlId: Config.1
       NextToken: lkeyusdlk-sdlflsnd-ladfterb
       MaxResults: 5
   }

Amazon CLI

1. Run the list-security-control-definitions command, and provide one or more standard ARNs to get a list of control IDs. To obtain standard ARNs, run the describe-standards command. If you don't provide a standard ARN, this command returns all Security Hub control IDs. This command returns standard-agnostic security control IDs, not standard-specific control IDs.

   aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"

2. Run the list-standards-control-associations command to find out whether a control is enabled in each standard that you've enabled in your account.

3. Identify the control by providing security-control-id or security-control-arn.

   Example command:

   aws securityhub --region us-east-1 list-standards-control-associations --security-control-id Config.1

Downloading the controls list

You can download the current page of the controls list to a .csv file.

If you filtered the controls list, then the downloaded file includes only the controls that match the filter settings.

If you chose a specific control from the list, then the downloaded file includes only that control.

To download the current page of the controls list or the currently selected control, choose Download.