Viewing and managing security controls - AWS Security Hub

Viewing and managing security controls

A control is a safeguard within a security standard that helps an organization protect the confidentiality, integrity, and availability of its information. In Security Hub, a control is related to a specific AWS resource.

Consolidated controls view

The Controls page of the Security Hub console displays all of the controls available in the current AWS Region (to view controls in the context of a single standard, visit the Security standards page and choose an enabled standard). Security Hub assigns each control a consistent security control ID, title, and description across standards. Control IDs consist of the relevant AWS service and a unique number (for example, CodeBuild.3).

The following information is available on the Controls page of the Security Hub console:

  • An overall security score based on the proportion of passed controls compared to the total number of enabled controls with data

  • The percentage of failed security checks across all enabled controls

  • The number of passed and failed security checks for controls of varying severity

  • A list of controls divided into different tabs based on enablement status. Available controls that don't apply to any of your enabled standards appear in the Disabled column. Unprocessed controls, such as those that are unavailable in your current Region, appear in the No data column. The number of controls in the All column is equal to the sum of the controls in the Failed, Unknown, Passed, Disabled, and No data columns.

From the Controls page, you can choose a control to view its details and take action on the findings generated by the control. From this page, you can also enable or disable a security control in your current AWS account and AWS Region. Enablement and disablement actions from the Controls page apply across standards. For more information, see Enabling and disabling controls in all standards.

For administrator accounts, the Controls page reflects the status of controls across the member accounts. If a control check fails in at least one member account, the control appears in the Failed tab of the Controls page. If you have set an aggregation Region, the Controls page reflects the status of controls across all linked Regions. If a control check fails in at least one linked Region, the control appears in the Failed tab of the Controls page.

Consolidated controls view causes changes to control finding fields in the AWS Security Finding Format (ASFF) that may affect workflows. For more information, see Consolidated controls view – ASFF changes.

Overall security score for controls

The Controls page displays an overall security score from 0–100 percent. The overall security score is calculated based on the proportion of passed controls compared to the total number of enabled controls with data.
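As an added example (not part of the AWS documentation), the following Python rolls per-account, per-Region check results up into the Controls page tabs described above and computes the score as the proportion of passed controls among enabled controls with data. The sample data is constructed; the control IDs other than CodeBuild.3, the precedence of Unknown over Passed, and counting only Passed and Failed controls in the score are assumptions.

```python
from collections import Counter

FAILED, PASSED, UNKNOWN = "Failed", "Passed", "Unknown"
DISABLED, NO_DATA = "Disabled", "No data"


def rollup_control_status(enabled, check_results):
    """Map one control's per-account/per-Region results to a Controls page tab.

    Disabled: the control applies to no enabled standard. No data: unprocessed
    (no results). Failed: a check failed in any member account or linked Region.
    Assumption: any remaining Unknown result outranks Passed.
    """
    if not enabled:
        return DISABLED
    if not check_results:
        return NO_DATA
    if FAILED in check_results:
        return FAILED
    if UNKNOWN in check_results:
        return UNKNOWN
    return PASSED

def tab_counts(controls):
    """Count controls per tab; All is the sum of the other tabs."""
    counts = Counter(rollup_control_status(enabled, results)
                     for enabled, results in controls.values())
    counts["All"] = sum(counts.values())
    return counts

def security_score(controls):
    """Percent of passed controls among enabled controls with data (assumption:
    Passed and Failed only); None until at least one control has been evaluated."""
    counts = tab_counts(controls)
    evaluated = counts[PASSED] + counts[FAILED]
    if evaluated == 0:
        return None
    return round(100 * counts[PASSED] / evaluated, 1)

# Constructed sample: (in an enabled standard?, results across accounts and Regions).
# CodeBuild.3 is the control ID the page cites; Example.* are placeholders.
SAMPLE_CONTROLS = {
    "CodeBuild.3": (True, [PASSED, FAILED, PASSED]),  # fails in one member account
    "Example.1": (True, [PASSED, PASSED]),
    "Example.2": (True, [PASSED, UNKNOWN]),
    "Example.3": (False, []),                          # in no enabled standard
    "Example.4": (True, []),                           # unavailable in this Region
}
```

With the sample above, the Failed tab holds CodeBuild.3 because one member account fails its check, and the score is 50.0 percent (one passed of two evaluated controls).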

Note

To view the overall security score for controls, you must add permission to call BatchGetControlEvaluations to the IAM role that you use to access Security Hub. This permission isn't required to view security scores for specific standards.

When you enable Security Hub, Security Hub calculates the initial security score within 30 minutes after your first visit to the Summary page or Security standards page on the Security Hub console. It can take up to 24 hours for first-time security scores to be generated in the China Regions and AWS GovCloud (US) Region. Scores are only generated for standards that are enabled when you visit those pages. To view a list of standards that are currently enabled, use the GetEnabledStandards API operation. In addition, AWS Config resource recording must be configured for scores to appear. The overall security score is the average of the standard security scores.

After first-time score generation, Security Hub updates security scores every 24 hours. Security Hub displays a timestamp to indicate when a security score was last updated.

If you have set an aggregation Region, the overall security score reflects control findings across linked Regions.