Viewing details for a control - AWS Security Hub

For each AWS Security Hub control, you can display a page of useful details.

The top of the control details page provides an overview of the control, including:

  • Enablement status – The top of the page tells you whether the control is enabled for at least one standard in at least one member account. If you have set an aggregation Region, the control is enabled if it is enabled for at least one standard in at least one Region. If the control is disabled, you can enable it from this page. If the control is enabled, you can disable it from this page. For more information, see Enabling and disabling controls in all standards.

  • Control status – This status summarizes the performance of a control based on the compliance status of the control findings. Security Hub typically generates the initial control status within 30 minutes after your first visit to the Summary page or Security standards page on the Security Hub console. Statuses are only available for controls that are enabled when you visit those pages. Use the UpdateStandardsControl API operation to enable or disable a control. In addition, AWS Config resource recording must be configured for the control status to appear. After control statuses are generated for the first time, Security Hub updates the control status every 24 hours based on the findings from the previous 24 hours. On the standard details page and the control details page, Security Hub displays a timestamp to indicate when the status was last updated.

    Administrator accounts see an aggregated control status across the administrator account and member accounts. If you have set an aggregation Region, the control status includes findings across all linked Regions. For more information about control status, see Compliance status and control status.

Note

It can take up to 24 hours after enabling a control for first-time control statuses to be generated in the China Regions and AWS GovCloud (US) Region.

The Standards and Requirements tab lists the standards that a control can be enabled for and the requirements related to the control from different compliance frameworks.

The bottom of the details page contains information about the active findings for the control. Control findings are generated by security checks against the control. The control finding list does not include archived findings.

The finding list uses tabs that display different subsets of the list. On most of the tabs, the finding list shows findings that have a workflow status of NEW, NOTIFIED, or RESOLVED. A separate tab displays SUPPRESSED findings.

For each finding, the list provides access to finding details such as the compliance status and related resource. You can also set the workflow status of each finding and send findings to custom actions. For more information, see Viewing and taking action on control findings.

Viewing details for a control

Choose your preferred access method, and follow these steps to view details for a control. Details apply to the current account and Region and include the following:

  • Title and description of the control

  • Link to remediation instructions for failed control findings

  • Severity of the control

  • Enablement status of the control

  • (On the console) A list of recent findings for the control. When using the Security Hub API or AWS CLI, use GetFindings to retrieve control findings.

Security Hub console
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Choose Controls in the navigation pane.

  3. Select a control.

Security Hub API
  1. Run ListSecurityControlDefinitions, and provide one or more standard ARNs to get a list of control IDs for those standards. To obtain standard ARNs, run DescribeStandards. If you don't provide a standard ARN, this API returns all Security Hub control IDs. This API returns standard-agnostic security control IDs rather than the older standard-specific control IDs.

    Example request:

    { "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0" }
  2. Run BatchGetSecurityControls to get details about one or more controls in the current AWS account and AWS Region.

    Example request:

    { "SecurityControlIds": ["Config.1", "IAM.1"] }
AWS CLI
  1. Run the list-security-control-definitions command, and provide one or more standard ARNs to get a list of control IDs for those standards. To obtain standard ARNs, run the describe-standards command. If you don't provide a standard ARN, this command returns all Security Hub control IDs. This command returns standard-agnostic security control IDs rather than the older standard-specific control IDs.

    aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
  2. Run the batch-get-security-controls command to get details about one or more controls in the current AWS account and AWS Region.

    aws securityhub --region us-east-1 batch-get-security-controls --security-control-ids '["Config.1", "IAM.1"]'
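The API and CLI procedures above can be chained into a small inventory report: list the control IDs for a standard, fetch their details, and count which controls are DISABLED per severity rating. This is an added example, not code from the AWS documentation; it assumes the boto3 method names and the response fields named in the comments, BATCH_SIZE is an assumed chunk size, and FakeSecurityHub is constructed sample data so the script runs offline.

```python
# Added example, not from the AWS documentation: chains ListSecurityControlDefinitions
# and BatchGetSecurityControls (the two calls the page describes) and reports DISABLED
# controls per severity. Works with boto3.client("securityhub", region_name=...);
# BATCH_SIZE is an assumed chunk size and FakeSecurityHub is constructed sample data.
from collections import Counter

BATCH_SIZE = 2  # assumption: request chunk size, not a documented API limit
FSBP_ARN = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"


def list_control_ids(client, standards_arn):
    """Page through ListSecurityControlDefinitions, following NextToken until it is absent."""
    ids, kwargs = [], {"StandardsArn": standards_arn}
    while True:
        page = client.list_security_control_definitions(**kwargs)
        ids.extend(d["SecurityControlId"] for d in page["SecurityControlDefinitions"])
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]


def disabled_by_severity(client, control_ids):
    """BatchGetSecurityControls in chunks; count DISABLED controls per SeverityRating, keep UnprocessedIds."""
    gaps, unprocessed = Counter(), []
    for i in range(0, len(control_ids), BATCH_SIZE):
        resp = client.batch_get_security_controls(SecurityControlIds=control_ids[i:i + BATCH_SIZE])
        gaps.update(c["SeverityRating"] for c in resp["SecurityControls"]
                    if c["SecurityControlStatus"] == "DISABLED")
        unprocessed += [u["SecurityControlId"] for u in resp.get("UnprocessedIds", [])]
    return dict(gaps), unprocessed


class FakeSecurityHub:
    """Constructed stand-in (two list pages, one unknown id) that mimics the real response shapes."""
    _pages = [["Config.1", "IAM.1"], ["IAM.4"]]
    _ctrl = {"Config.1": ("MEDIUM", "ENABLED"), "IAM.1": ("MEDIUM", "DISABLED"),
             "IAM.4": ("CRITICAL", "DISABLED")}

    def list_security_control_definitions(self, StandardsArn, NextToken=None):
        n = 1 if NextToken else 0
        out = {"SecurityControlDefinitions": [{"SecurityControlId": i} for i in self._pages[n]]}
        return out if n else {**out, "NextToken": "page-2"}

    def batch_get_security_controls(self, SecurityControlIds):
        hit = [i for i in SecurityControlIds if i in self._ctrl]
        miss = [i for i in SecurityControlIds if i not in self._ctrl]
        return {"SecurityControls": [{"SecurityControlId": i, "SeverityRating": self._ctrl[i][0],
                                      "SecurityControlStatus": self._ctrl[i][1]} for i in hit],
                "UnprocessedIds": [{"SecurityControlId": i, "ErrorCode": "NOT_FOUND"} for i in miss]}
```

For a live run against the current account and Region, pass boto3.client("securityhub", region_name="us-east-1") instead of FakeSecurityHub(); the result is the per-severity count of disabled controls plus any IDs the service could not process.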