Security Hub controls that you might want to disable

We recommend disabling some AWS Security Hub controls to reduce finding noise and limit costs.

Controls that deal with global resources

Some AWS services support global resources, which means that you can access the resource from any AWS Region. To save on the cost of AWS Config, you can disable recording of global resources in all but one Region. After you do this, however, Security Hub still runs security checks in all Regions where a control is enabled and charges you based on the number of checks per account per Region. Accordingly, to reduce finding noise and save on the cost of Security Hub, you should also disable controls that involve global resources in all Regions except the Region that records global resources.

If a control involves global resources but is available in only one Region, disabling it in that Region prevents you from getting any findings for the underlying resource. In this case, we recommend keeping the control enabled. When using cross-Region aggregation, the Region in which the control is available should be the aggregation Region or one of the linked Regions. The following controls involve global resources but are available in only a single Region:

  • All CloudFront controls – Available only in US East (N. Virginia)

  • GlobalAccelerator.1 – Available only in US West (Oregon)

  • Route53.2 – Available only in US East (N. Virginia)

  • WAF.1, WAF.6, WAF.7, and WAF.8 – Available only in US East (N. Virginia)

Note

If you use central configuration, Security Hub automatically disables controls that involve global resources in all Regions except the home Region. Other controls that you choose to enable through a configuration policy are enabled in all Regions where they are available. To limit findings for these controls to just one Region, you can update your AWS Config recorder settings and turn off global resource recording in all Regions except the home Region. When you use central configuration, you lack coverage for a control that isn't available in the home Region or in any of the linked Regions. For more information about central configuration, see How central configuration works.

If you disable recording of global resources in one or more Regions, the control Config.1 (AWS Config should be enabled) generates a failed finding in those Regions. This is because Config.1 requires recording of global resources in order to pass. You can suppress findings for this control manually or through an automation rule.

For controls with a periodic schedule type, disabling them in Security Hub is required to prevent billing. Setting the AWS Config parameter includeGlobalResourceTypes to false doesn't affect periodic Security Hub controls.
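The steps above (record global resources in one Region only, disable global-resource controls everywhere else, keep single-Region controls enabled, and suppress the resulting Config.1 failures) can be turned into a small planner. The following is an added example, not AWS code and not part of this page: it assumes local (per-Region) configuration rather than central configuration, the AWS Foundational Security Best Practices standard v1.0.0 for the control ARN format, and a placeholder account ID. The single-Region control table comes from the page; the all-Region list is an illustrative subset (IAM is a global service) that you would replace with the full list from the Security Hub documentation.

```python
"""Planner for tuning Security Hub global-resource controls around one
'home' Region that records global resources in AWS Config.

Added example, not AWS code. Assumptions: per-Region (local) configuration,
the FSBP v1.0.0 standard for control ARNs, and a placeholder account ID.
"""
import json
from typing import Dict, List, Tuple

# Global-resource controls that exist in exactly one Region (from the page).
# Disabling one of these in its only Region would remove all of its findings,
# so the planner never disables them; it only checks that the Region is covered.
SINGLE_REGION_CONTROLS: Dict[str, str] = {
    "CloudFront.*": "us-east-1",
    "GlobalAccelerator.1": "us-west-2",
    "Route53.2": "us-east-1",
    "WAF.1": "us-east-1",
    "WAF.6": "us-east-1",
    "WAF.7": "us-east-1",
    "WAF.8": "us-east-1",
}

# Illustrative subset of global-resource controls available in every Region;
# replace with the full list from the documentation.
ALL_REGION_GLOBAL_CONTROLS: List[str] = ["IAM.1", "IAM.4"]

# Assumed standard; this is the path used in update-standards-control ARNs.
STANDARD_PATH = "aws-foundational-security-best-practices/v/1.0.0"


def plan_disables(home_region: str, regions: List[str]) -> List[Tuple[str, str]]:
    """(region, control_id) pairs to disable: every all-Region global control
    in every Region except the one that records global resources. Disabling
    (not just turning off global recording) is what stops billing for
    periodic controls."""
    return [(r, c) for r in regions if r != home_region
            for c in ALL_REGION_GLOBAL_CONTROLS]


def coverage_gaps(regions: List[str]) -> List[str]:
    """Single-Region controls whose only Region is neither the aggregation
    Region nor a linked Region: they would produce no findings anywhere."""
    return [c for c, only in SINGLE_REGION_CONTROLS.items() if only not in regions]


def recording_group(region: str, home_region: str) -> dict:
    """recordingGroup for `aws configservice put-configuration-recorder`:
    global resource types are recorded only in the home Region."""
    return {"allSupported": True,
            "includeGlobalResourceTypes": region == home_region}


def control_arn(region: str, account: str, control_id: str) -> str:
    return f"arn:aws:securityhub:{region}:{account}:control/{STANDARD_PATH}/{control_id}"


def disable_commands(home_region: str, regions: List[str], account: str) -> List[str]:
    """AWS CLI invocations that carry out the plan (returned as strings so
    they can be reviewed before being run)."""
    reason = "Global resources are recorded only in " + home_region
    return [
        f"aws securityhub update-standards-control --region {region} "
        f"--standards-control-arn {control_arn(region, account, cid)} "
        f"--control-status DISABLED --disabled-reason \"{reason}\""
        for region, cid in plan_disables(home_region, regions)
    ]


def config1_suppression_rule(home_region: str, regions: List[str]) -> dict:
    """Payload for `aws securityhub create-automation-rule --cli-input-json`.
    Config.1 fails by design wherever global recording is off, so new
    Config.1 findings in the non-home Regions are set to SUPPRESSED."""
    others = [r for r in regions if r != home_region]
    return {
        "RuleName": "suppress-config1-outside-home-region",
        "RuleOrder": 1,
        "Description": "Config.1 fails where global resource recording is disabled",
        "IsTerminal": False,
        "Criteria": {
            "ComplianceSecurityControlId": [{"Value": "Config.1", "Comparison": "EQUALS"}],
            "Region": [{"Value": r, "Comparison": "EQUALS"} for r in others],
            "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
        },
        "Actions": [{
            "Type": "FINDING_FIELDS_UPDATE",
            "FindingFieldsUpdate": {
                "Workflow": {"Status": "SUPPRESSED"},
                "Note": {"Text": "Global resources recorded in " + home_region,
                         "UpdatedBy": "security-hub-tuning"},
            },
        }],
    }


if __name__ == "__main__":
    home, regs, acct = "us-east-1", ["us-east-1", "us-west-2", "eu-west-1"], "123456789012"
    for cmd in disable_commands(home, regs, acct):
        print(cmd)
    print("coverage gaps:", coverage_gaps(regs))
    print(json.dumps(config1_suppression_rule(home, regs), indent=2))
```

Run it with your own home Region, aggregation plus linked Regions, and account ID; the printed `update-standards-control` commands are the per-Region disables, `coverage_gaps` flags any single-Region control whose Region you have left out of aggregation, and the JSON is the automation rule that keeps the expected Config.1 failures out of your queue.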

The following is a list of Security Hub controls that involve global resources:

Controls that deal with CloudTrail logging

This control deals with using AWS Key Management Service (AWS KMS) to encrypt AWS CloudTrail trail logs. If you log these trails in a centralized logging account, you only need to enable this control in the account and Region where centralized logging takes place.

Note

If you use central configuration, the enablement status of a control is aligned across the home Region and linked Regions. You can't disable a control in some Regions and enable it in others. In this case, suppress findings from the following controls to reduce finding noise.

Controls that deal with CloudWatch alarms

If you prefer to use Amazon GuardDuty for anomaly detection instead of Amazon CloudWatch alarms, you can disable these controls, which focus on CloudWatch alarms.