Enabling a security standard in Security Hub
When you enable a security standard in AWS Security Hub, all of the controls that apply to the standard are automatically enabled in it. Security Hub also starts running security checks and generating findings for controls that apply to the standard.
Before you enable any security standards, you should turn on resource recording in AWS Config for all resources that are used by controls that apply to the standard. Otherwise, Security Hub may not be able to generate findings for the controls that apply to a standard. For more information, see Configuring AWS Config for Security Hub.
You can choose which controls to enable and disable in each standard. Disabling a control stops findings for the control from being generated, and the control is ignored when calculating security scores.
When you enable Security Hub, Security Hub calculates the initial security score for a standard within 30 minutes after your first visit to the Summary page or Security standards page on the Security Hub console. It can take up to 24 hours for first-time security scores to be generated in the China Regions and AWS GovCloud (US) Region. Scores are only generated for standards that are enabled when you visit those pages. In addition, AWS Config resource recording must be configured for scores to appear. After first-time score generation, Security Hub updates the security score every 24 hours. Security Hub displays a timestamp to indicate when a security score was last updated. To view a list of standards that are currently enabled in your account, invoke the GetEnabledStandards API.
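The two prerequisites described above (the standards you expect to be enabled, as reported by GetEnabledStandards, and AWS Config resource recording being on) can be audited per account and Region with a short script. This is an added example, not AWS documentation code: the API responses embedded below are constructed samples shaped like the GetEnabledStandards and DescribeConfigurationRecorderStatus replies, the `WANTED` set and `fetch_live` helper are assumptions, and a live run needs boto3 with credentials.

```python
import re

# Constructed sample responses shaped like the GetEnabledStandards (Security Hub)
# and DescribeConfigurationRecorderStatus (AWS Config) API replies.
SAMPLE_ENABLED = {"StandardsSubscriptions": [
    {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/"
                     "aws-foundational-security-best-practices/v/1.0.0",
     "StandardsStatus": "READY"},
    {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/"
                     "cis-aws-foundations-benchmark/v/1.4.0",
     "StandardsStatus": "INCOMPLETE"},
]}
SAMPLE_RECORDER = {"ConfigurationRecordersStatus": [
    {"name": "default", "recording": False, "lastStatus": "SUCCESS"}]}

# Assumed: the standards this account's configuration policy is meant to enable,
# written as '<name>/v/<version>' taken from the standard ARN.
WANTED = {"aws-foundational-security-best-practices/v/1.0.0",
          "cis-aws-foundations-benchmark/v/1.4.0"}

def standard_name(arn):
    """Reduce a standards ARN to '<name>/v/<version>'."""
    m = re.search(r"(?:standards|ruleset)/([^/]+/v/[^/]+)$", arn)
    return m.group(1) if m else arn

def audit(enabled_resp, recorder_resp, wanted=WANTED):
    """Return the gaps a delegated administrator would want to act on."""
    status = {standard_name(s["StandardsArn"]): s["StandardsStatus"]
              for s in enabled_resp["StandardsSubscriptions"]}
    problems = [f"standard not enabled: {n}" for n in sorted(wanted - set(status))]
    for name, st in sorted(status.items()):
        if st != "READY":  # PENDING, INCOMPLETE, FAILED or DELETING
            problems.append(f"standard {name} in status {st}")
    # Without resource recording, Security Hub may not generate findings.
    if not any(r.get("recording") for r in recorder_resp["ConfigurationRecordersStatus"]):
        problems.append("AWS Config resource recording is off in this Region")
    return problems

def fetch_live(region):
    """Fetch both responses with boto3 (assumes configured credentials; the
    Security Hub call is paginated via NextToken for very large accounts)."""
    import boto3  # imported here so the sample above runs without boto3
    hub = boto3.client("securityhub", region_name=region)
    cfg = boto3.client("config", region_name=region)
    return hub.get_enabled_standards(), cfg.describe_configuration_recorder_status()

if __name__ == "__main__":
    for line in audit(SAMPLE_ENABLED, SAMPLE_RECORDER):
        print(line)
```

Because standards and the Config recorder are both per Region, run the audit once per Region for each self-managed account, and once per linked Region for centrally configured ones.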
The instructions for enabling a standard vary based on whether or not you use central configuration. You can use central configuration if you integrate Security Hub and AWS Organizations. We recommend using central configuration if you want to enable standards in multi-account, multi-Region environments. If you don't use central configuration, you must individually enable each standard in each account and each Region.
Enabling a standard in multiple accounts and Regions
To enable a security standard across multiple accounts and AWS Regions, you must use central configuration.
When you use central configuration, the delegated administrator can create Security Hub configuration policies that enable one or more standards. You can then associate the configuration policy with specific accounts and organizational units (OUs) or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.
Configuration policies offer customization. For example, you can choose to enable only AWS Foundational Security Best Practices (FSBP) in one OU, and you can choose to enable FSBP and Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0 in another OU. For instructions on creating a configuration policy that enables specified standards, see Creating and associating configuration policies.
If you use central configuration, Security Hub doesn't automatically enable any standards in new or existing accounts. Instead, when creating a configuration policy, the delegated administrator defines which standards to enable in different accounts. Security Hub offers a recommended configuration policy in which only FSBP is enabled. For more information, see Types of configuration policies.
Note
The delegated administrator can create configuration policies to enable any standard except Service-Managed Standard: AWS Control Tower. You can enable this standard only in the AWS Control Tower service. If you use central configuration, you can enable and disable controls in this standard for a centrally managed account only in AWS Control Tower.
If you want some accounts to configure their own standards rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure standards separately in each Region.
Enabling a standard in a single account and Region
If you don't use central configuration or if you are a self-managed account, you can't use configuration policies to centrally enable standards in multiple accounts and Regions. However, you can use the following steps to enable a standard in a single account and Region.