Viewing and managing security controls
A control is a safeguard within a security standard that helps an organization protect the confidentiality, integrity, and availability of its information. In Security Hub, a control is related to a specific AWS resource.
Consolidated controls view
The Controls page of the Security Hub console displays all of the controls available in the current AWS Region. To view controls in the context of a standard, visit the Security standards page and choose an enabled standard. Security Hub assigns controls a consistent security control ID, title, and description across standards. Control IDs include the relevant AWS service and a unique number (for example, CodeBuild.3).
The following information is available on the Controls page of the Security Hub console:
- An overall security score based on the proportion of passed controls compared to the total number of enabled controls with data.
- Breakdown of control statuses across all supported Security Hub controls.
- The number of total passed and failed security checks.
- The number of failed security checks for controls of varying severity, and links to view more details about those failed checks.
- A list of Security Hub controls, with filters to view specific subsets of controls.
From the Controls page, you can choose a control to view its details and take action on the findings generated by the control. From this page, you can also enable or disable a security control in your current AWS account and AWS Region. Enablement and disablement actions from the Controls page apply across standards. For more information, see Configuring controls across standards.
For administrator accounts, the Controls page reflects the status of controls across the member accounts. If a control check fails in at least one member account, the control status is Failed. If you have set an aggregation Region, the Controls page reflects the status of controls across all linked Regions. If a control check fails in at least one linked Region, the control status is Failed.
Consolidated controls view causes changes to control finding fields in the AWS Security Finding Format (ASFF) that may affect workflows. For more information, see Consolidated controls view – ASFF changes.
Overall security score for controls
The Controls page displays an overall security score from 0–100 percent. The overall security score is calculated based on the proportion of passed controls compared to the total number of enabled controls with data.
Note
To view the overall security score for controls, you must add permission to call BatchGetControlEvaluations to the IAM role that you use to access Security Hub. This permission isn't required to view security scores for specific standards.
When you enable Security Hub, Security Hub calculates the initial security score within 30 minutes after your first visit to the Summary page or Security standards page on the Security Hub console. It can take up to 24 hours for first-time security scores to be generated in the China Regions and AWS GovCloud (US) Region. Scores are only generated for standards that are enabled when you visit those pages. To view a list of standards that are currently enabled, use the GetEnabledStandards API operation. In addition, AWS Config resource recording must be configured for scores to appear. The overall security score is the average of the standard security scores. For more information about how Security Hub calculates security scores, see .
After first-time score generation, Security Hub updates security scores every 24 hours. Security Hub displays a timestamp to indicate when a security score was last updated.
If you have set an aggregation Region, the overall security score reflects control findings across linked Regions.
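The roll-up described above (a control is Failed if it fails in at least one member account or linked Region, and the score is the share of passed controls among enabled controls with data) can be modeled offline to trace which account and Region drags a control down. This is an added sketch, not AWS code and not a call to the Security Hub API; the sample rows, the PASSED and NO_DATA status strings, the handling of mixed PASSED and NO_DATA results, and the rounding are assumptions.

```python
from collections import defaultdict

# Constructed sample data: one row per (account ID, Region, control ID, status).
# The PASSED and NO_DATA status strings are assumptions made for this sketch.
SAMPLE_RESULTS = [
    ("111111111111", "us-east-1", "CodeBuild.3", "PASSED"),
    ("222222222222", "us-east-1", "CodeBuild.3", "FAILED"),
    ("111111111111", "us-east-1", "S3.1", "PASSED"),
    ("222222222222", "eu-west-1", "S3.1", "PASSED"),
    ("111111111111", "us-east-1", "IAM.6", "PASSED"),
    ("222222222222", "us-east-1", "IAM.6", "NO_DATA"),
    ("111111111111", "eu-west-1", "EC2.2", "NO_DATA"),
]


def aggregate_control_status(results):
    """Collapse per-account, per-Region results into one status per control."""
    seen = defaultdict(set)
    for _account, _region, control_id, status in results:
        seen[control_id].add(status)
    aggregated = {}
    for control_id, statuses in seen.items():
        if "FAILED" in statuses:
            # One failure in any member account or linked Region fails the control.
            aggregated[control_id] = "FAILED"
        elif "PASSED" in statuses:
            aggregated[control_id] = "PASSED"
        else:
            aggregated[control_id] = "NO_DATA"
    return aggregated


def overall_security_score(aggregated):
    """Percentage of passed controls among enabled controls that have data."""
    with_data = [s for s in aggregated.values() if s in ("PASSED", "FAILED")]
    if not with_data:
        return None  # nothing to score yet
    return round(100 * with_data.count("PASSED") / len(with_data))


def failing_scopes(results, control_id):
    """List the (account, Region) pairs that cause a control to show as Failed."""
    return sorted({(a, r) for a, r, c, s in results if c == control_id and s == "FAILED"})


if __name__ == "__main__":
    statuses = aggregate_control_status(SAMPLE_RESULTS)
    print(statuses)
    print(overall_security_score(statuses))
    print(failing_scopes(SAMPLE_RESULTS, "CodeBuild.3"))
```

In the sample, EC2.2 has no data anywhere and is left out of the denominator, so a newly enabled control does not lower the score until it has been evaluated.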
Topics
- List of control categories in Security Hub
- Configuring controls across standards
- Configuring controls in specific standards
- Enabling new controls in enabled standards automatically
- Modifying control parameters in Security Hub
- Viewing details of a control
- Filtering and sorting controls in Security Hub
- Suggested controls to disable in Security Hub
- Viewing and managing control findings