Enabling new controls in enabled standards automatically - AWS Security Hub

AWS Security Hub regularly releases new controls and adds them to one or more standards. You can choose whether to automatically enable new controls in your enabled standards.

Note

If you use central configuration and include a list of specific controls to disable in your configuration policy (programmatically, this reflects the DisabledSecurityControlIdentifiers parameter), Security Hub automatically enables all other controls across standards, including newly released controls. For more information, see How configuration policies work in Security Hub.

We recommend using Security Hub central configuration to automatically enable new security controls. You can create configuration policies that include a list of controls to be disabled across standards. All other controls, including newly released ones, are enabled by default. Alternatively, you can create policies that include a list of controls to be enabled across standards. All other controls, including newly released ones, are disabled by default. For more information, see Understanding central configuration in Security Hub.

Security Hub doesn't enable new controls when they are added to a standard that you haven't enabled.

The following instructions apply only if you don't use central configuration.

Choose your preferred access method, and follow the steps to automatically enable new controls in enabled standards.

Security Hub console
To automatically enable new controls
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Settings, and then choose the General tab.

  3. Under Controls, choose Edit.

  4. Turn on Auto-enable new controls in enabled standards.

  5. Choose Save.

Security Hub API
To automatically enable new controls
  1. Run UpdateSecurityHubConfiguration.

  2. To automatically enable new controls for enabled standards, set AutoEnableControls to true. If you don't want to automatically enable new controls, set AutoEnableControls to false.

AWS CLI
To automatically enable new controls
  1. Run the update-security-hub-configuration command.

  2. To automatically enable new controls for enabled standards, specify --auto-enable-controls. If you don't want to automatically enable new controls, specify --no-auto-enable-controls.

    aws securityhub update-security-hub-configuration --auto-enable-controls | --no-auto-enable-controls

    Example command

    aws securityhub update-security-hub-configuration --auto-enable-controls

If you don't automatically enable new controls, then you must enable them manually. For instructions, see Configuring controls across standards.
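
The following added example (not part of the AWS documentation) audits the AutoEnableControls value in each Region you name and, in fix mode, turns it on with the CLI command shown above, then re-reads it to confirm. It assumes central configuration is not in use, that AWS CLI credentials are configured, and that the setting is read with describe-hub; the function names and the audit/fix modes are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not AWS's own code. Function names are hypothetical.
# Assumes central configuration is not in use and credentials are configured.

# Print "true" or "false" for one Region's AutoEnableControls value, or
# "unknown" when describe-hub fails (for example, Security Hub is not enabled).
get_auto_enable() {
  local region value
  region="$1"
  if value=$(aws securityhub describe-hub --region "$region" \
      --query 'AutoEnableControls' --output json 2>/dev/null); then
    case "$value" in
      true|false) printf '%s\n' "$value" ;;
      *) printf 'unknown\n' ;;
    esac
  else
    printf 'unknown\n'
  fi
}

# Usage: ensure_auto_enable <audit|fix> <region>...
# Prints "<region> <before> -> <after>" per Region. In fix mode, turns the
# setting on where it is off and re-reads it to confirm.
# Returns 0 only if every Region ends with the setting on.
ensure_auto_enable() {
  local mode region before after rc
  mode="$1"; rc=0
  shift
  for region in "$@"; do
    before=$(get_auto_enable "$region")
    after="$before"
    if [ "$mode" = "fix" ] && [ "$before" = "false" ]; then
      if aws securityhub update-security-hub-configuration \
          --region "$region" --auto-enable-controls >/dev/null; then
        after=$(get_auto_enable "$region")
      fi
    fi
    [ "$after" = "true" ] || rc=1
    printf '%s %s -> %s\n' "$region" "$before" "$after"
  done
  return "$rc"
}

# Example: ./check.sh audit us-east-1 eu-west-1
if [ "$#" -ge 2 ]; then
  ensure_auto_enable "$@"
fi
```

A Region reported as unknown counts as a failure, so a non-zero exit status in audit mode can gate a scheduled compliance check.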