Disabling and enabling individual controls - AWS Security Hub

Disabling and enabling individual controls

When you enable a standard, all of the controls for that standard are enabled by default. You can then disable and enable specific controls within an enabled standard.

When you disable a control, the following occurs:

  • The check for the control is no longer performed.

  • No additional findings are generated for that control.

  • The related AWS Config rules that Security Hub created are removed.

It can be useful to turn off security checks for controls that are not relevant to your environment. For example, you might use a single Amazon S3 bucket to log your CloudTrail logs. If so, you can turn off controls related to CloudTrail logging in all accounts and Regions except for the account and Region where the centralized S3 bucket is located. Disabling irrelevant controls reduces the number of irrelevant findings. It also removes the failed check from the readiness score for the associated standard.

Remember that Security Hub is Regional. When you disable or enable a control, the change applies only in the current Region or in the Region that you specify in an API request.

Also, when you disable an entire standard, Security Hub does not track which controls were disabled. If you subsequently enable the standard again, all of the controls are enabled. For more information, see Disabling or enabling a security standard.

Disabling a control (console)

From the Security Hub console, you can disable controls from the control list on the standard details page or from the control details page.

To disable a control (console)

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Confirm that you are using Security Hub in the Region in which you want to disable the control.

  3. In the Security Hub navigation pane, choose Security standards.

  4. For the standard that you want to disable a control for, choose View results.

  5. Do one of the following:

    • In the control list, choose the control to disable. Then choose Disable.

    • Choose the control title. Then on the control details page, choose Disable.

  6. Enter a reason why you are disabling the control. This can help others in your organization understand why the control is disabled.

  7. Choose Disable.

Disabling a control (Security Hub API, AWS CLI)

To disable a control, you can use an API call or the AWS Command Line Interface.

To disable a control (Security Hub API, AWS CLI)

  • Security Hub API – Use the UpdateStandardsControl operation. To identify the control to disable, you provide the control ARN. To retrieve the ARNs for the controls in a standard, use the DescribeStandardsControls operation.

  • AWS CLI – At the command line, run the update-standards-control command.

    aws securityhub update-standards-control --standards-control-arn <control ARN> --control-status "DISABLED" --disabled-reason <description of reason to disable>

    Example

    aws securityhub update-standards-control --standards-control-arn "arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/ACM.1" --control-status "DISABLED" --disabled-reason "Not applicable for my service"

Enabling a control (console)

On the standard details page, the disabled controls are displayed on the Disabled tab.

You can enable a control from the controls list on the Disabled tab, or from the control details page.

To enable a disabled control (console)

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Confirm that you are using Security Hub in the Region in which you want to enable the control.

  3. In the Security Hub navigation pane, choose Security standards.

  4. For the standard that you want to enable the control for, choose View results.

  5. To display the list of disabled controls, choose Disabled.

  6. Do one of the following:

    • In the control list on the Disabled tab, choose the control to enable. Then choose Enable.

    • Choose a control title. Then on the control details page, choose Enable.

Enabling a control (Security Hub API, AWS CLI)

To enable a control, you can use an API call or the AWS Command Line Interface.

To enable a control (Security Hub API, AWS CLI)

  • Security Hub API – Use the UpdateStandardsControl operation. To identify the control to enable, you provide the control ARN. To retrieve the ARNs for the controls in a standard, use the DescribeStandardsControls operation.

  • AWS CLI – At the command line, run the update-standards-control command.

    aws securityhub update-standards-control --standards-control-arn <control ARN> --control-status "ENABLED"

    Example

    aws securityhub update-standards-control --standards-control-arn "arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/ACM.1" --control-status "ENABLED"
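As an added example (not AWS's own code), the following Python script applies the CloudTrail scenario from above with the same two operations the disable and enable sections describe: it reads a standard's controls with DescribeStandardsControls, disables the CloudTrail.* controls in every Region except the one that holds the centralized S3 bucket, and re-enables them in that Region. The central Region, control-ID pattern, disabled reason and sample Controls list are assumptions; the standards subscription ARN passed to apply_updates must come from GetEnabledStandards.

```python
import re

# Assumed scenario (not from the page): CloudTrail logs live in one Region.
CENTRAL_REGION = "us-east-1"
CONTROL_ID_PATTERN = re.compile(r"^CloudTrail\.\d+$")
DISABLED_REASON = "CloudTrail logging is centralised in " + CENTRAL_REGION

# Constructed sample of the Controls list DescribeStandardsControls returns.
_ARN = ("arn:aws:securityhub:eu-west-1:123456789012:control/"
        "aws-foundational-security-best-practices/v/1.0.0/")
SAMPLE_CONTROLS = [
    {"StandardsControlArn": _ARN + cid, "ControlId": cid, "ControlStatus": st}
    for cid, st in [("CloudTrail.1", "ENABLED"), ("CloudTrail.2", "DISABLED"),
                    ("ACM.1", "ENABLED")]
]


def plan_updates(controls, region, central_region=CENTRAL_REGION,
                 pattern=CONTROL_ID_PATTERN, reason=DISABLED_REASON):
    """Return UpdateStandardsControl parameter sets for one Region: outside
    the central Region, matching ENABLED controls are disabled with a reason;
    inside it, matching DISABLED controls are re-enabled. Others untouched."""
    wanted = "ENABLED" if region == central_region else "DISABLED"
    updates = []
    for c in controls:
        if not pattern.match(c["ControlId"]) or c["ControlStatus"] == wanted:
            continue  # not a CloudTrail control, or already as wanted
        params = {"StandardsControlArn": c["StandardsControlArn"],
                  "ControlStatus": wanted}
        if wanted == "DISABLED":
            params["DisabledReason"] = reason  # shown on the Disabled tab
        updates.append(params)
    return updates


def apply_updates(region, subscription_arn, dry_run=True):
    """Fetch a standard's controls in one Region and apply the plan.
    subscription_arn comes from GetEnabledStandards; boto3 is imported lazily
    (it needs credentials) so plan_updates stays testable offline."""
    import boto3
    hub = boto3.client("securityhub", region_name=region)
    controls = []
    for page in hub.get_paginator("describe_standards_controls").paginate(
            StandardsSubscriptionArn=subscription_arn):
        controls.extend(page["Controls"])
    updates = plan_updates(controls, region)
    for params in updates:
        if not dry_run:  # dry_run=True only reports what would change
            hub.update_standards_control(**params)
    return updates
```

Because Security Hub is Regional, run apply_updates once per Region (with that Region's subscription ARN); a dry run first shows exactly which control ARNs would change.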