Disabling Security Hub - AWS Security Hub

Disabling Security Hub

Note

If you use central configuration, the AWS Security Hub delegated administrator can create configuration policies that disable Security Hub in specific accounts and organizational units (OUs) and keep it enabled in others. Configuration policies take effect in your home Region and all linked Regions. For more information, see Central configuration in Security Hub.

You can use the Security Hub console, Security Hub API, or AWS CLI to disable Security Hub.

The following occurs when you disable Security Hub for an account:

  • No new findings are processed for the account.

  • After 90 days, your existing findings and insights and any Security Hub configuration settings are deleted and cannot be recovered.

    If you want to save your existing findings, you must export them before you disable Security Hub. For more information, see Effect of account actions on Security Hub data.

  • Any enabled standards and controls are disabled.

You can't disable Security Hub in the following cases:

  • Your account is the designated Security Hub administrator account for an organization. If you use central configuration, you can't associate a configuration policy that disables Security Hub with the delegated administrator account. The association can succeed for other accounts, but Security Hub doesn't apply such a policy to the delegated administrator account.

  • Your account is a Security Hub administrator account by invitation, and you have member accounts that are enabled. Before you can disable Security Hub, you must disassociate all of your member accounts. See Disassociating member accounts.

Before you can disable Security Hub for a member account, the account must be disassociated from its administrator account. For an organization account, only the administrator account can disassociate member accounts. For more information, see Disassociating member accounts from your organization. For manually invited accounts, either the administrator account or the member account can disassociate the member account. For more information, see Disassociating member accounts or Disassociating from your administrator account. Disassociation isn't required if you use central configuration because you can create a policy that disables Security Hub in specific member accounts.

When you disable Security Hub in an account, it is disabled only in the current Region. However, if you use central configuration to disable Security Hub in specific accounts, it is disabled in the home Region and all linked Regions.

Choose your preferred method, and follow the steps to disable Security Hub.

Security Hub console

To disable Security Hub

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. On the navigation pane, choose Settings.

  3. On the Settings page, choose General.

  4. Under Disable AWS Security Hub, choose Disable AWS Security Hub. Then choose Disable AWS Security Hub again.

Security Hub API

To disable Security Hub

Invoke the DisableSecurityHub API.

AWS CLI

To disable Security Hub

Run the disable-security-hub command.

Example command:

aws securityhub disable-security-hub
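
The checks and the export described above can be scripted around the disable-security-hub command. The following is an added example, not part of the original AWS documentation: the function name disable_hub_in_region and the export file naming are hypothetical, and it assumes the AWS CLI is configured with credentials for the account being changed.

```shell
#!/usr/bin/env bash
# Added example (not AWS's own code): export findings, then disable Security Hub
# in one Region, refusing while the account still has member or administrator
# associations. disable_hub_in_region and the file naming are hypothetical.

disable_hub_in_region() {
  local region="$1" outdir="$2" members admin

  # An administrator account must disassociate its member accounts first.
  members=$(aws securityhub list-members --only-associated --region "$region" \
    --query 'Members[].AccountId' --output text) || return 1
  if [ -n "$members" ] && [ "$members" != "None" ]; then
    echo "$region: member accounts still associated: $members" >&2
    return 2
  fi

  # A member account must be disassociated from its administrator first.
  admin=$(aws securityhub get-administrator-account --region "$region" \
    --query 'Administrator.AccountId' --output text) || return 1
  if [ -n "$admin" ] && [ "$admin" != "None" ]; then
    echo "$region: still associated with administrator account $admin" >&2
    return 3
  fi

  # Findings are deleted 90 days after disabling, so export them before that.
  mkdir -p "$outdir" || return 1
  aws securityhub get-findings --region "$region" --output json \
    > "$outdir/findings-$region.json" || return 1

  # Disabling applies only to this Region; call again for each other Region.
  aws securityhub disable-security-hub --region "$region"
}

# Usage: disable_hub_in_region us-east-1 ./securityhub-export
```

A return code of 2 or 3 means nothing was exported or disabled and the association must be removed first.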