Enabling and disabling controls in all standards - AWS Security Hub

Enabling and disabling controls in all standards

AWS Security Hub generates findings for enabled controls, and considers all enabled controls when calculating security scores. You can choose to enable and disable controls across all security standards or configure the enablement status differently in different standards. We recommend the former option, in which the enablement status of a control is aligned across all of your enabled standards. This section explains how to enable and disable controls across standards. To enable or disable a control in one or more specific standards, see Enabling and disabling controls in specific standards.

If you have set an aggregation Region, the Security Hub console displays controls from all linked Regions. If a control is available in a linked Region but not in the aggregation Region, you can't enable or disable that control from the aggregation Region.

Note

The instructions for enabling and disabling controls vary based on whether or not you use central configuration. This section describes the differences. Central configuration is available to users who integrate Security Hub and AWS Organizations. We recommend using central configuration to simplify the process of enabling and disabling controls in multi-account, multi-Region environments.

Enabling controls

When you enable a control in a standard, Security Hub starts to run security checks for the control and generate control findings.

Security Hub includes the control status in the calculation of the overall security score and standard security scores. If you turn on consolidated control findings, you receive a single finding for a security check even if you've enabled a control in multiple standards. For more information, see Consolidated control findings.

Enabling a control in all standards across multiple accounts and Regions

To enable a security control across multiple accounts and AWS Regions, you must use central configuration.

When you use central configuration, the delegated administrator can create Security Hub configuration policies that enable specified controls across enabled standards. You can then associate the configuration policy with specific accounts and organizational units (OUs) or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.

Configuration policies offer customization. For example, you can choose to enable all controls in one OU, and you can choose to enable only Amazon Elastic Compute Cloud (EC2) controls in another OU. The level of granularity depends on your intended goals for security coverage in your organization. For instructions on creating a configuration policy that enables specified controls across standards, see Creating and associating Security Hub configuration policies.

Note

The delegated administrator can create configuration policies to manage controls in all standards except the Service-Managed Standard: AWS Control Tower. Controls for this standard should be configured in the AWS Control Tower service.

If you want some accounts to configure their own controls rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure controls separately in each Region.

Enabling a control in all standards in a single account and Region

If you don't use central configuration or are a self-managed account, you can't use configuration policies to centrally enable controls in multiple accounts and Regions. However, you can use the following steps to enable a control in a single account and Region.

Security Hub console
To enable a control across standards in one account and Region
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Choose Controls from the navigation pane.

  3. Choose the Disabled tab.

  4. Choose the option next to a control.

  5. Choose Enable Control (this option doesn't appear for a control that's already enabled).

  6. Repeat in each Region in which you want to enable the control.

Security Hub API
To enable a control across standards in one account and Region
  1. Invoke the ListStandardsControlAssociations API. Provide a security control ID.

    Example request:

    { "SecurityControlId": "IAM.1" }
  2. Invoke the BatchUpdateStandardsControlAssociations API. Provide the Amazon Resource Name (ARN) of any standards that the control isn't enabled in. To obtain standard ARNs, run DescribeStandards.

  3. Set the AssociationStatus parameter equal to ENABLED. If you follow these steps for a control that's already enabled, the API still returns an HTTP status code 200 response and makes no change. A 200 response covers the batch as a whole; any per-standard update that failed is listed in UnprocessedAssociationUpdates in the response body, so check that list rather than relying on the status code alone.

    Example request:

    { "StandardsControlAssociationUpdates": [{"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "ENABLED"}, {"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "ENABLED"}] }
  4. Repeat in each Region in which you want to enable the control.

AWS CLI
To enable a control across standards in one account and Region
  1. Run the list-standards-control-associations command. Provide a security control ID.

    aws securityhub --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
  2. Run the batch-update-standards-control-associations command. Provide the Amazon Resource Name (ARN) of any standards that the control isn't enabled in. To obtain standard ARNs, run the describe-standards command.

  3. Set the AssociationStatus parameter equal to ENABLED. If you follow these steps for a control that's already enabled, the command still returns an HTTP status code 200 response and makes no change. Check the UnprocessedAssociationUpdates list in the command output for any per-standard update that failed.

    aws securityhub --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "ENABLED"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "ENABLED"}]'
  4. Repeat in each Region in which you want to enable the control.

Automatically enabling new controls in enabled standards

Security Hub regularly releases new security controls and adds them to one or more standards. You can choose whether to automatically enable new controls in your enabled standards.

Note

We recommend using central configuration to automatically enable new controls. If your configuration policy includes a list of controls to disable (programmatically, this reflects the DisabledSecurityControlIdentifiers parameter), Security Hub automatically enables all other controls across standards, including newly released controls. If your policy includes a list of controls to enable (this reflects the EnabledSecurityControlIdentifiers parameter), Security Hub automatically disables all other controls across standards, including newly released ones. For more information, see How Security Hub configuration policies work.

Choose your preferred access method, and follow the steps to automatically enable new controls in enabled standards. The following instructions apply only if you don't use central configuration.

Security Hub console
To automatically enable new controls
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Settings, and then choose the General tab.

  3. Under Controls, choose Edit.

  4. Turn on Auto-enable new controls in enabled standards.

  5. Choose Save.

Security Hub API
To automatically enable new controls
  1. Invoke the UpdateSecurityHubConfiguration API.

  2. To automatically enable new controls for enabled standards, set AutoEnableControls to true. If you don't want to automatically enable new controls, set AutoEnableControls to false.

AWS CLI
To automatically enable new controls
  1. Run the update-security-hub-configuration command.

  2. To automatically enable new controls for enabled standards, specify --auto-enable-controls. If you don't want to automatically enable new controls, specify --no-auto-enable-controls.

    aws securityhub update-security-hub-configuration --auto-enable-controls | --no-auto-enable-controls

    Example command

    aws securityhub update-security-hub-configuration --auto-enable-controls

Disabling controls

When you disable a control in all standards, the following occurs:

  • Security checks for the control are no longer performed.

  • No additional findings are generated for that control.

  • Existing findings are archived automatically after 3-5 days (note that this is best effort).

  • Any related AWS Config rules that Security Hub created are removed.

Instead of disabling a control in all standards, you can just disable it in one or more specific standards. If you do this, Security Hub doesn't run security checks for the control for the standards you disabled it in, so it doesn't affect the security score for those standards. However, Security Hub retains the AWS Config rule and continues running security checks for the control if it is enabled in other standards. This can affect your summary security score. For instructions on configuring controls in specific standards, see Enabling and disabling controls in specific standards.

To reduce finding noise, it can be useful to disable controls that aren't relevant to your environment. For recommendations of which controls to disable, see Security Hub controls that you might want to disable.

When you disable a standard, all of the controls that apply to the standard are disabled (however, those controls might remain enabled in other standards). For information about disabling a standard, see Enabling and disabling security standards.

When you disable a standard, Security Hub doesn't record which of its controls you had disabled. If you later enable the standard again, every control that applies to it is enabled, including controls you had disabled before. Disabling a control is therefore not persisted across a standard's re-enablement: if you disable a control and afterwards enable a standard that includes it, the control becomes enabled in that standard. Re-check control status after enabling a standard and re-apply any exclusions you still need.

Disabling a control in all standards across multiple accounts and Regions

To disable a security control across multiple accounts and AWS Regions, you must use central configuration.

When you use central configuration, the delegated administrator can create Security Hub configuration policies that disable specified controls across enabled standards. You can then associate the configuration policy with specific accounts, OUs, or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.

Configuration policies offer customization. For example, you can choose to disable all AWS CloudTrail controls in one OU, and you can choose to disable all IAM controls in another OU. The level of granularity depends on your intended goals for security coverage in your organization. For instructions on creating a configuration policy that disables specified controls across standards, see Creating and associating Security Hub configuration policies.

Note

The delegated administrator can create configuration policies to manage controls in all standards except the Service-Managed Standard: AWS Control Tower. Controls for this standard should be configured in the AWS Control Tower service.

If you want some accounts to configure their own controls rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure controls separately in each Region.
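The following is an added example, not AWS's own code or documentation. It shows the ConfigurationPolicy document that the delegated administrator passes to CreateConfigurationPolicy for the two policy shapes described in the enabling and disabling sections above and in the note under Automatically enabling new controls in enabled standards (a list of controls to disable, or a list of controls to enable), and a small predictor of how each shape treats a control the policy never names, such as a newly released one. The standard ARNs are those used elsewhere on this page; the policy name, home Region and OU ID under `__main__` are placeholders.

```python
"""Configuration policy documents for central configuration. Added example,
not AWS code; only the __main__ block talks to AWS (boto3, home Region and
OU ID are assumptions/placeholders)."""
from __future__ import annotations

# Standard ARNs as used elsewhere on this page
FSBP_ARN = "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
CIS14_ARN = "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0"


def configuration_policy(standard_arns, *, disabled=None, enabled=None) -> dict:
    """Return the ConfigurationPolicy value for CreateConfigurationPolicy /
    UpdateConfigurationPolicy.

    A policy names either controls to disable (every other control in the
    enabled standards, including ones released later, is enabled) or controls
    to enable (every other control, including later releases, is disabled).
    The two lists are alternatives, so exactly one must be supplied.
    """
    if (disabled is None) == (enabled is None):
        raise ValueError("supply exactly one of disabled= or enabled=")
    if disabled is not None:
        controls = {"DisabledSecurityControlIdentifiers": sorted(set(disabled))}
    else:
        controls = {"EnabledSecurityControlIdentifiers": sorted(set(enabled))}
    return {
        "SecurityHub": {
            "ServiceEnabled": True,
            "EnabledStandardIdentifiers": list(standard_arns),
            "SecurityControlsConfiguration": controls,
        }
    }


def control_enabled_under(policy: dict, control_id: str) -> bool:
    """Predict the enablement status a control gets across all standards in
    the policy, including a control the policy never names."""
    cfg = policy["SecurityHub"]["SecurityControlsConfiguration"]
    if "DisabledSecurityControlIdentifiers" in cfg:
        return control_id not in cfg["DisabledSecurityControlIdentifiers"]
    return control_id in cfg["EnabledSecurityControlIdentifiers"]


if __name__ == "__main__":
    import boto3
    hub = boto3.client("securityhub", region_name="us-east-1")  # home Region: assumption
    policy = configuration_policy([FSBP_ARN, CIS14_ARN],
                                  disabled=["CloudTrail.1", "CloudTrail.2"])
    created = hub.create_configuration_policy(
        Name="fsbp-cis14-no-cloudtrail", ConfigurationPolicy=policy)
    hub.start_configuration_policy_association(
        ConfigurationPolicyIdentifier=created["Arn"],
        Target={"OrganizationalUnitId": "ou-xxxx-xxxxxxxx"},  # placeholder OU ID
    )
```

Use the disabled-list shape when you want new controls to be picked up automatically, and the enabled-list shape when you want an explicit allow-list; `control_enabled_under` makes the difference visible before you associate the policy with an OU.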

Disabling a control in all standards in a single account and Region

If you don't use central configuration or are a self-managed account, you can't use configuration policies to centrally disable controls in multiple accounts and Regions. However, you can use the following steps to disable a control in a single account and Region.

Security Hub console
To disable a control across standards in one account and Region
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Choose Controls from the navigation pane.

  3. Choose the option next to a control.

  4. Choose Disable Control (this option doesn't appear for a control that's already disabled).

  5. Select a reason for disabling the control, and confirm by choosing Disable.

  6. Repeat in each Region in which you want to disable the control.

Security Hub API
To disable a control across standards in one account and Region
  1. Invoke the ListStandardsControlAssociations API. Provide a security control ID.

    Example request:

    { "SecurityControlId": "IAM.1" }
  2. Invoke the BatchUpdateStandardsControlAssociations API. Provide the ARN of any standards that the control is enabled in. To obtain standard ARNs, run DescribeStandards.

  3. Set the AssociationStatus parameter equal to DISABLED. If you follow these steps for a control that's already disabled, the API still returns an HTTP status code 200 response and makes no change. A 200 response covers the batch as a whole; any per-standard update that failed is listed in UnprocessedAssociationUpdates in the response body, so check that list rather than relying on the status code alone.

    Example request:

    { "StandardsControlAssociationUpdates": [{"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}] }
  4. Repeat in each Region in which you want to disable the control.

AWS CLI
To disable a control across standards in one account and Region
  1. Run the list-standards-control-associations command. Provide a security control ID.

    aws securityhub --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
  2. Run the batch-update-standards-control-associations command. Provide the ARN of any standards that the control is enabled in. To obtain standard ARNs, run the describe-standards command.

  3. Set the AssociationStatus parameter equal to DISABLED. If you follow these steps for a control that's already disabled, the command still returns an HTTP status code 200 response and makes no change. Check the UnprocessedAssociationUpdates list in the command output for any per-standard update that failed.

    aws securityhub --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'
  4. Repeat in each Region in which you want to disable the control.
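The following is a scripted form of the API and CLI procedures above for enabling a control in all standards and for disabling it, repeated in each Region. It is an added example, not AWS's own code: it diffs the ListStandardsControlAssociations result against the desired status so that reruns send nothing, adds UpdatedReason on disable requests as the examples on this page do, and checks UnprocessedAssociationUpdates in the response instead of trusting the HTTP 200. The FakeSecurityHub class and its NOT_FOUND error case are constructed stand-ins for offline use; the Region list under `__main__` is an assumption.

```python
"""Enable or disable one control in all standards, Region by Region, through
the ListStandardsControlAssociations / BatchUpdateStandardsControlAssociations
pair. Added example, not AWS code. Real AWS calls happen only under __main__.
"""
from __future__ import annotations


def list_associations(client, control_id: str) -> list[dict]:
    """Page through ListStandardsControlAssociations for one control ID."""
    summaries: list[dict] = []
    kwargs: dict = {"SecurityControlId": control_id}
    while True:
        resp = client.list_standards_control_associations(**kwargs)
        summaries.extend(resp.get("StandardsControlAssociationSummaries", []))
        if not resp.get("NextToken"):
            return summaries
        kwargs["NextToken"] = resp["NextToken"]


def plan_updates(summaries: list[dict], control_id: str, status: str,
                 reason: str) -> list[dict]:
    """Build StandardsControlAssociationUpdates for the standards whose current
    status differs from `status`. Re-sending an already-matching association
    succeeds (HTTP 200) but changes nothing, so skipping it keeps reruns cheap."""
    if status not in ("ENABLED", "DISABLED"):
        raise ValueError(f"unsupported AssociationStatus {status!r}")
    updates = []
    for s in summaries:
        if s["SecurityControlId"] != control_id or s["AssociationStatus"] == status:
            continue
        update = {"SecurityControlId": control_id,
                  "StandardsArn": s["StandardsArn"],
                  "AssociationStatus": status}
        if status == "DISABLED":
            update["UpdatedReason"] = reason  # disable requests on this page carry a reason
        updates.append(update)
    return updates


def apply_updates(client, updates: list[dict]) -> list[dict]:
    """Send the batch; return UnprocessedAssociationUpdates, the per-item
    failures that the overall 200 response does not surface."""
    if not updates:
        return []
    resp = client.batch_update_standards_control_associations(
        StandardsControlAssociationUpdates=updates)
    return resp.get("UnprocessedAssociationUpdates", [])


def set_control_in_all_standards(client_for_region, regions, control_id, status,
                                 reason="Not applicable to environment") -> dict:
    """Run the procedure in each Region; return {region: {"updated": n, "failed": [...]}}."""
    report = {}
    for region in regions:
        client = client_for_region(region)
        updates = plan_updates(list_associations(client, control_id), control_id, status, reason)
        failed = apply_updates(client, updates)
        report[region] = {"updated": len(updates) - len(failed), "failed": failed}
    return report


class FakeSecurityHub:
    """Constructed in-memory stand-in for boto3's securityhub client (not real AWS).
    Holds {StandardsArn: AssociationStatus} for one control and pages one summary
    at a time so the NextToken loop is exercised."""

    def __init__(self, associations: dict):
        self.state = dict(associations)
        self.calls: list[list[dict]] = []

    def list_standards_control_associations(self, SecurityControlId, NextToken=None):
        items = sorted(self.state.items())
        start = int(NextToken or 0)
        if start >= len(items):
            return {"StandardsControlAssociationSummaries": []}
        arn, status = items[start]
        resp = {"StandardsControlAssociationSummaries": [
            {"StandardsArn": arn, "SecurityControlId": SecurityControlId,
             "AssociationStatus": status}]}
        if start + 1 < len(items):
            resp["NextToken"] = str(start + 1)
        return resp

    def batch_update_standards_control_associations(self, StandardsControlAssociationUpdates):
        self.calls.append(list(StandardsControlAssociationUpdates))
        unprocessed = []
        for u in StandardsControlAssociationUpdates:
            if u["StandardsArn"] not in self.state:  # constructed failure case
                unprocessed.append({"StandardsControlAssociationUpdate": u,
                                    "ErrorCode": "NOT_FOUND",
                                    "ErrorReason": "unknown standard"})
                continue
            self.state[u["StandardsArn"]] = u["AssociationStatus"]
        return {"UnprocessedAssociationUpdates": unprocessed}


if __name__ == "__main__":
    import boto3
    regions = ["us-east-1", "us-west-2"]  # assumption: Regions where Security Hub is enabled
    print(set_control_in_all_standards(
        lambda r: boto3.client("securityhub", region_name=r),
        regions, "CloudTrail.1", "DISABLED"))
```

Pass `lambda r: boto3.client("securityhub", region_name=r)` as the client factory to run it for real; the report's `failed` entries carry the ErrorCode and ErrorReason for any standard the service could not update.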