Understanding security controls in Security Hub - AWS Security Hub

Understanding security controls in Security Hub

A security control is a safeguard within a security standard that helps an organization protect the confidentiality, integrity, and availability of its information. In Security Hub, each control checks a specific type of AWS resource.

When you enable a control in one or more standards, Security Hub begins running security checks on it. The security checks result in Security Hub findings. When you disable a control, Security Hub stops running security checks on it, and findings are no longer generated.

You can enable or disable controls individually for a single account and AWS Region. To save time and reduce configuration drift in multi-account environments, we recommend using central configuration to enable or disable controls. With central configuration, the delegated Security Hub administrator can create policies that specify how a control should be configured across multiple accounts and Regions. For more information about enabling and disabling controls, see Enabling controls in Security Hub.

Consolidated controls view

The Controls page of the Security Hub console lists all of the controls available in the current AWS Region. To view controls in the context of a particular standard instead, open the Security standards page and choose an enabled standard. Security Hub assigns each control a security control ID, title, and description that are consistent across standards. A control ID consists of the relevant AWS service name and a unique number (for example, CodeBuild.3).

The following information is available on the Controls page of the Security Hub console:

  • An overall security score, based on the proportion of passed controls to the total number of enabled controls with data.

  • A breakdown of control statuses across all supported Security Hub controls.

  • The total number of passed and failed security checks.

  • The number of failed security checks for controls of each severity, with links to view more details about those failed checks.

  • A list of Security Hub controls, with filters to view specific subsets of controls.

From the Controls page, you can choose a control to view its details and take action on the findings generated by the control. From this page, you can also enable or disable a security control in your current AWS account and AWS Region. Enablement and disablement actions from the Controls page apply across standards. For more information, see Enabling controls in Security Hub.

For a Security Hub administrator account, the Controls page reflects the status of controls across all member accounts: if a control check fails in at least one member account, the control status is Failed. If you have set an aggregation Region, the Controls page likewise reflects the status of controls across all linked Regions: if a control check fails in at least one linked Region, the control status is Failed.

Consolidated controls view causes changes to control finding fields in the AWS Security Finding Format (ASFF) that may affect workflows. For more information, see Consolidated controls view – ASFF changes.

Summary security score for controls

The Controls page displays a summary security score from 0–100 percent. The summary security score is calculated based on the proportion of passed controls compared to the total number of enabled controls with data across standards.
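To make the two rollup rules concrete (a control is Failed if its check fails in any member account or linked Region; the summary score is passed controls over enabled controls with data), here is an added Python example that is not part of the Security Hub documentation. It applies those rules to a constructed list of minimal ASFF-shaped control findings. Its handling of ARCHIVED and SUPPRESSED findings, and of controls whose only findings are NOT_AVAILABLE, is an assumption made for the example and is not stated on this page.

```python
"""Added example (not from the Security Hub documentation): roll up ASFF control
findings into a per-control status and a summary security score.

Rules taken from the page:
  * a control is Failed if its check fails in at least one account or linked Region;
  * the summary score is passed controls / enabled controls with data.
Assumptions (not stated on this page): findings that are ARCHIVED or whose workflow
status is SUPPRESSED are ignored, and a control whose only findings are
NOT_AVAILABLE counts as having no data.
"""
from collections import defaultdict


def _finding(account, region, control_id, status, workflow="NEW", record_state="ACTIVE"):
    """Build a minimal ASFF-shaped control finding (constructed sample data)."""
    return {
        "AwsAccountId": account,
        "Region": region,
        "RecordState": record_state,
        "Workflow": {"Status": workflow},
        "Compliance": {"SecurityControlId": control_id, "Status": status},
    }


# Constructed sample: two member accounts, two linked Regions. Not real output.
SAMPLE_FINDINGS = [
    _finding("111111111111", "us-east-1", "CodeBuild.3", "PASSED"),
    _finding("222222222222", "eu-west-1", "CodeBuild.3", "FAILED"),  # one failure -> Failed
    _finding("111111111111", "us-east-1", "IAM.6", "PASSED"),
    _finding("222222222222", "eu-west-1", "IAM.6", "PASSED"),
    _finding("111111111111", "us-east-1", "S3.1", "FAILED", workflow="SUPPRESSED"),  # ignored
    _finding("222222222222", "eu-west-1", "S3.1", "PASSED"),
    _finding("111111111111", "us-east-1", "EC2.8", "NOT_AVAILABLE"),  # no usable data
    _finding("222222222222", "us-east-1", "RDS.3", "FAILED", record_state="ARCHIVED"),  # ignored
]

# Controls enabled in the standards; Lambda.1 has not produced any findings yet.
ENABLED_CONTROLS = {"CodeBuild.3", "IAM.6", "S3.1", "EC2.8", "RDS.3", "Lambda.1"}


def _is_live(finding):
    """True for findings that count toward control status (assumption, see above)."""
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") != "SUPPRESSED")


def control_statuses(findings, enabled_controls):
    """Map each enabled control to 'Passed', 'Failed' or 'No data'."""
    seen = defaultdict(set)
    for f in findings:
        cid = f["Compliance"]["SecurityControlId"]
        if cid in enabled_controls and _is_live(f):
            seen[cid].add(f["Compliance"]["Status"])
    result = {}
    for cid in enabled_controls:
        statuses = seen.get(cid, set())
        if "FAILED" in statuses:
            result[cid] = "Failed"      # fails in any account or Region -> Failed
        elif "PASSED" in statuses:
            result[cid] = "Passed"
        else:
            result[cid] = "No data"     # no findings, or only NOT_AVAILABLE
    return result


def failing_locations(findings, control_id):
    """Sorted (account, Region) pairs where a control currently fails: the detail
    the Controls page links to for a Failed control."""
    return sorted({
        (f["AwsAccountId"], f["Region"])
        for f in findings
        if f["Compliance"]["SecurityControlId"] == control_id
        and f["Compliance"]["Status"] == "FAILED" and _is_live(f)
    })


def summary_score(statuses):
    """Passed controls over enabled controls with data, as a 0-100 percentage.
    Returns None when no enabled control has data yet (no score to show)."""
    with_data = [s for s in statuses.values() if s != "No data"]
    if not with_data:
        return None
    passed = sum(1 for s in with_data if s == "Passed")
    return round(100 * passed / len(with_data))


if __name__ == "__main__":
    statuses = control_statuses(SAMPLE_FINDINGS, ENABLED_CONTROLS)
    for cid in sorted(statuses):
        print(f"{cid:12} {statuses[cid]}")
    print("CodeBuild.3 fails in:", failing_locations(SAMPLE_FINDINGS, "CodeBuild.3"))
    print("Summary security score:", summary_score(statuses))
```

For the sample data, three controls have data (CodeBuild.3, IAM.6, S3.1) and two of them pass, so the script reports a score of 67 percent. Controls with no data, such as Lambda.1 here, neither raise nor lower the score, which is why enabling a control does not move the score until its first check has produced findings.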

Note

To view the overall security score for controls, the IAM principal (role or user) that you use to access Security Hub must be allowed to call the securityhub:BatchGetControlEvaluations action. This permission isn't required to view the security scores for individual standards.

When you enable Security Hub, Security Hub calculates the initial security score within 30 minutes after your first visit to the Summary page or Security standards page on the Security Hub console. It can take up to 24 hours for first-time security scores to be generated in the China Regions and AWS GovCloud (US) Region.

In addition to the overall security score, Security Hub calculates a standard security score for each enabled standard within 30 minutes after your first visit to the Summary page or Security standards page. To view a list of standards that are currently enabled, use the GetEnabledStandards API operation.

AWS Config must be enabled with resource recording for scores to appear. For more information about how Security Hub calculates security scores, see Calculating security scores.

After first-time score generation, Security Hub updates security scores every 24 hours. Security Hub displays a timestamp to indicate when a security score was last updated.

If you have set an aggregation Region, the overall security score reflects control findings across linked Regions.