Enabling new controls automatically - AWS Security Hub

Enabling new controls automatically

AWS Security Hub regularly adds new controls to standards. When you first enable Security Hub, it automatically enables new controls as they are added. This only applies to enabled standards. Security Hub does not enable new controls when they are added to a standard that you disabled.

You can choose whether to automatically enable new controls. If you do not automatically enable new controls, then you must enable them manually. See Disabling and enabling individual controls.

Choosing whether to automatically enable new controls (console)

The General tab of the Settings page includes a setting to control whether to automatically enable new controls.

To choose whether to enable new controls for enabled standards

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Settings, and then choose the General tab.

  3. Under Auto-enable new controls, choose Edit.

  4. Toggle Auto-enable new controls in standards I have enabled.

  5. Choose Save.

Choosing whether to automatically enable new controls (Security Hub API, AWS CLI)

To configure whether to automatically enable new controls, you can use an API call or the AWS Command Line Interface.

To configure whether to automatically enable new controls (Security Hub API, AWS CLI)

  • Security Hub – Use the UpdateSecurityHubConfiguration operation. To automatically enable controls, set AutoEnableControls to true. To not automatically enable controls, set AutoEnableControls to false.

  • AWS CLI – At the command line, run the update-security-hub-configuration command. To automatically enable new controls, specify --auto-enable-controls. To not enable new controls, specify --no-auto-enable-controls.

    aws securityhub update-security-hub-configuration --auto-enable-controls | --no-auto-enable-controls

    Example

    aws securityhub update-security-hub-configuration --auto-enable-controls