Security Hub controls that you might want to disable - AWS Security Hub

We recommend disabling some Security Hub controls to reduce finding noise.

Controls that deal with global resources

To save on the cost of AWS Config, you can disable recording of global resources in all but one AWS Region. After you do this, AWS Security Hub will still run security checks in all Regions where controls are enabled and will charge you based on the number of checks per account per Region. Accordingly, to save on the cost of Security Hub, disable the following controls that deal with global resources in all Regions except the Region that records global resources.

If you disable these controls and disable recording of global resources in particular Regions, you should also disable the control [Config.1] AWS Config should be enabled in those same Regions. This is because Config.1 requires recording of global resources in order to pass.
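The following is an added example, not AWS-provided code: it derives a per-Region disable plan from the output of `aws configservice describe-configuration-recorders`, so the global-resource controls and Config.1 are only turned off where global recording is actually off. The sample recorder JSON is constructed, the `PLACEHOLDER.*` control IDs stand in for the control list in the Security Hub documentation, and leaving Config.1 enabled in a Region with no recorder is an assumption of this example.

```python
import json

# Constructed sample: per-Region output of
# `aws configservice describe-configuration-recorders` (not real account data).
SAMPLE_RECORDERS = {
    "us-east-1": '{"ConfigurationRecorders": [{"name": "default", "recordingGroup":'
                 ' {"allSupported": true, "includeGlobalResourceTypes": true}}]}',
    "eu-west-1": '{"ConfigurationRecorders": [{"name": "default", "recordingGroup":'
                 ' {"allSupported": true, "includeGlobalResourceTypes": false}}]}',
    "ap-southeast-2": '{"ConfigurationRecorders": []}',
}

# Placeholders: substitute the global-resource control IDs from the Security Hub
# documentation. Only Config.1 is named on this page.
GLOBAL_RESOURCE_CONTROLS = ["PLACEHOLDER.1", "PLACEHOLDER.2"]


def records_global(recorders_json):
    """Return True/False for a Region with a recorder, None if it has none."""
    recorders = json.loads(recorders_json).get("ConfigurationRecorders", [])
    if not recorders:
        return None
    return any(r.get("recordingGroup", {}).get("includeGlobalResourceTypes", False)
               for r in recorders)


def plan_disables(recorders_by_region, global_controls):
    """Map each Region to the control IDs that can be disabled there."""
    state = {region: records_global(doc) for region, doc in recorders_by_region.items()}
    if not any(status is True for status in state.values()):
        raise ValueError("no Region records global resources; keep the controls enabled")
    plan = {}
    for region, status in sorted(state.items()):
        if status is True:
            plan[region] = []  # the recording Region keeps every control enabled
        elif status is False:
            plan[region] = sorted(global_controls) + ["Config.1"]
        else:
            # Assumption: with no recorder at all, Config.1 stays enabled so the
            # missing recorder is still reported as a finding.
            plan[region] = sorted(global_controls)
    return plan


if __name__ == "__main__":
    for region, controls in plan_disables(SAMPLE_RECORDERS, GLOBAL_RESOURCE_CONTROLS).items():
        print(region, "->", ", ".join(controls) or "(nothing to disable)")
```

Review the resulting plan before applying it; the example only computes the plan and makes no AWS API calls.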

Controls that deal with CloudTrail logging

This control deals with using AWS Key Management Service (AWS KMS) to encrypt AWS CloudTrail trail logs. If you log these trails in a centralized logging account, you only need to enable this control in the account and Region where centralized logging takes place.

Controls that deal with CloudWatch alarms

If you prefer to use Amazon GuardDuty for anomaly detection instead of Amazon CloudWatch alarms, you can disable these controls, which focus on CloudWatch alarms.