Security Hub controls that you might want to disable

We recommend disabling some AWS Security Hub controls to reduce finding noise and limit costs.

Controls that deal with global resources

Some AWS services support global resources, which means that you can access the resource from any AWS Region. To save on the cost of AWS Config, you can disable recording of global resources in all but one Region. After you do this, however, Security Hub stills run security checks in all Regions where a control is enabled and charges you based on the number of checks per account per Region. Accordingly, to reduce finding noise and save on the cost of Security Hub, you should also disable controls that involve global resources in all Regions except the Region that records global resources.

Note

If you use central configuration, Security Hub automatically disables controls that involve global resources in all Regions except the home Region. Other controls are enabled in all Regions where they are available. To limit findings for these controls to just one Region, you can update your AWS Config recorder settings and turn off global resource recording in all Regions except the home Region. For more information about central configuration, see Central configuration in Security Hub.

For controls with a periodic schedule type, disabling them in Security Hub is required to prevent billing. Setting the AWS Config parameter includeGlobalResourceTypes to false doesn't affect periodic Security Hub controls.

If you disable recording of global resources in one or more Regions, the control [Config.1] AWS Config should be enabled generates a failed finding in those Regions. This is because Config.1 requires recording of global resources in order to pass. You can suppress findings for this control manually or through an automation rule.

The following is a list of Security Hub controls that involve global resources:

• [Account.1] Security contact information should be provided for an AWS account

• [Account.2] AWS accounts should be part of an AWS Organizations organization

• [CloudFront.1] CloudFront distributions should have a default root object configured

• [CloudFront.3] CloudFront distributions should require encryption in transit

• [CloudFront.4] CloudFront distributions should have origin failover configured

• [CloudFront.5] CloudFront distributions should have logging enabled

• [CloudFront.6] CloudFront distributions should have WAF enabled

• [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates

• [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests

• [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

• [CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

• [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

• [CloudFront.13] CloudFront distributions should use origin access control

• [EventBridge.4] EventBridge global endpoints should have event replication enabled

• [IAM.1] IAM policies should not allow full "*" administrative privileges

• [IAM.2] IAM users should not have IAM policies attached

• [IAM.3] IAM users' access keys should be rotated every 90 days or less

• [IAM.4] IAM root user access key should not exist

• [IAM.5] MFA should be enabled for all IAM users that have a console password

• [IAM.6] Hardware MFA should be enabled for the root user

• [IAM.7] Password policies for IAM users should have strong configurations

• [IAM.8] Unused IAM user credentials should be removed

• [IAM.9] MFA should be enabled for the root user

• [IAM.10] Password policies for IAM users should have strong AWS Configurations

• [IAM.11] Ensure IAM password policy requires at least one uppercase letter

• [IAM.12] Ensure IAM password policy requires at least one lowercase letter

• [IAM.13] Ensure IAM password policy requires at least one symbol

• [IAM.14] Ensure IAM password policy requires at least one number

• [IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater

• [IAM.16] Ensure IAM password policy prevents password reuse

• [IAM.17] Ensure IAM password policy expires passwords within 90 days or less

• [IAM.18] Ensure a support role has been created to manage incidents with AWS Support

• [IAM.19] MFA should be enabled for all IAM users

• [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services

• [IAM.22] IAM user credentials unused for 45 days should be removed

• [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys

• [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys

• [Route53.2] Route 53 public hosted zones should log DNS queries

• [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled

• [WAF.6] AWS WAF Classic global rules should have at least one condition

• [WAF.7] AWS WAF Classic global rule groups should have at least one rule

• [WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group

• [WAF.10] AWS WAF web ACLs should have at least one rule or rule group

• [WAF.11] AWS WAF web ACL logging should be enabled

Controls that deal with CloudTrail logging

This control deals with using AWS Key Management Service (AWS KMS) to encrypt AWS CloudTrail trail logs. If you log these trails in a centralized logging account, you only need to enable this control in the account and Region where centralized logging takes place.

Note

If you use central configuration, the enablement status of a control is aligned across the home Region and linked Regions. You can't disable a control in some Regions and enable it in others. In this case, suppress findings from the following controls to reduce finding noise.

• [CloudTrail.2] CloudTrail should have encryption at-rest enabled

Controls that deal with CloudWatch alarms

If you prefer to use Amazon GuardDuty for anomaly detection instead of Amazon CloudWatch alarms, you can disable these controls, which focus on CloudWatch alarms.

• [CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user

• [CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls

• [CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

• [CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes

• [CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail AWS Configuration changes

• [CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

• [CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys

• [CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes

• [CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes

• [CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes

• [CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

• [CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways

• [CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes

• [CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes