When you enable a standard in AWS Security Hub, all of the controls that apply to it are automatically enabled in that standard (the exception to this is service-managed standards). You can then disable and re-enable specific controls in the standard. However, we recommend aligning the enablement status of a control across all of your enabled standards. For instructions on enabling a control across all standards, see Enabling a control across standards.

The details page for a standard contains the list of applicable controls for the standard, and information about which controls are currently enabled and disabled in that standard. On the standards details page, you can also enable controls in specific standards. You must enable controls in specific standards separately in each AWS account and AWS Region. When you enable a control in specific standards, it only affects the current account and Region.
To enable a control in a standard, you must first enable at least one standard to which the control applies. For instructions on enabling a standard, see Enabling a security standard in Security Hub.

When you enable a control in one or more standards, Security Hub starts to generate findings for that control. Security Hub includes the control status in the calculation of the overall security score and standard security scores. Even if you enable a control in multiple standards, you'll receive a single finding per security check across standards if you turn on consolidated control findings. For more information, see Consolidated control findings.

To enable a control in a standard, the control must be available in your current Region. For more information, see Availability of controls by Region.

Follow these steps to enable a Security Hub control in a specific standard. In lieu of the following steps, you can also use the UpdateStandardsControl API action to enable controls in a specific standard. For instructions on enabling a control in all standards, see Cross-standard enablement in single account and Region.
- Security Hub console
To enable a control in a specific standard
- Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.
- Choose Security standards from the navigation pane.
- Choose View results for the relevant standard.
- Select a control.
- Choose Enable Control (this option doesn't appear for a control that's already enabled). Confirm by choosing Enable.
- Security Hub API
To enable a control in a specific standard
- Run ListSecurityControlDefinitions, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run DescribeStandards. This API returns standard-agnostic security control IDs, not standard-specific control IDs.
Example request:
{
  "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
}
- Run ListStandardsControlAssociations, and provide a specific control ID to return the current enablement status of a control in each standard.
Example request:
{
  "SecurityControlId": "IAM.1"
}
- Run BatchUpdateStandardsControlAssociations. Provide the ARN of the standard that you want to enable the control in. Set the AssociationStatus parameter equal to ENABLED.
Example request:
{
  "StandardsControlAssociationUpdates": [
    {
      "SecurityControlId": "IAM.1",
      "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
      "AssociationStatus": "ENABLED"
    }
  ]
}
- AWS CLI
To enable a control in a specific standard
- Run the list-security-control-definitions command, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run describe-standards. This command returns standard-agnostic security control IDs, not standard-specific control IDs.
aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
- Run the list-standards-control-associations command, and provide a specific control ID to return the current enablement status of a control in each standard.
aws securityhub --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
- Run the batch-update-standards-control-associations command. Provide the ARN of the standard that you want to enable the control in. Set the AssociationStatus parameter equal to ENABLED.
aws securityhub --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "ENABLED"}]'