Enabling and disabling controls in all standards
AWS Security Hub generates findings for enabled controls, and considers all enabled controls when calculating security scores. You can choose to enable and disable controls across all security standards or configure the enablement status differently in different standards. We recommend the former option, in which the enablement status of a control is aligned across all of your enabled standards. This section explains how to enable and disable controls across standards. To enable or disable a control in one or more specific standards, see Enabling and disabling controls in specific standards.
If you have set an aggregation Region, the Security Hub console displays controls from all linked Regions. If a control is available in a linked Region but not in the aggregation Region, you can't enable or disable that control from the aggregation Region.
Note
The instructions for enabling and disabling controls vary based on whether or not you use central configuration. This section describes the differences. Central configuration is available to users who integrate Security Hub and AWS Organizations. We recommend using central configuration to simplify the process of enabling and disabling controls in multi-account, multi-Region environments.
Enabling controls
When you enable a control in a standard, Security Hub starts to run security checks for the control and generate control findings.
Security Hub includes the control status in the calculation of the overall security score and standard security scores. If you turn on consolidated control findings, you receive a single finding for a security check even if you've enabled a control in multiple standards. For more information, see Consolidated control findings.
Enabling a control in all standards across multiple accounts and Regions
To enable a security control across multiple accounts and AWS Regions, you must use central configuration.
When you use central configuration, the delegated administrator can create Security Hub configuration policies that enable specified controls across enabled standards. You can then associate the configuration policy with specific accounts and organizational units (OUs) or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.
Configuration policies offer customization. For example, you can choose to enable all controls in one OU, and you can choose to enable only Amazon Elastic Compute Cloud (EC2) controls in another OU. The level of granularity depends on your intended goals for security coverage in your organization. For instructions on creating a configuration policy that enables specified controls across standards, see Creating and associating Security Hub configuration policies.
Note
The delegated administrator can create configuration policies to manage controls in all standards except the Service-Managed Standard: AWS Control Tower. Controls for this standard should be configured in the AWS Control Tower service.
If you want some accounts to configure their own controls rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure controls separately in each Region.
Enabling a control in all standards in a single account and Region
If you don't use central configuration or are a self-managed account, you can't use configuration policies to centrally enable controls in multiple accounts and Regions. However, you can use the following steps to enable a control in a single account and Region.
Automatically enabling new controls in enabled standards
Security Hub regularly releases new security controls and adds them to one or more standards. You can choose whether to automatically enable new controls in your enabled standards.
Note
We recommend using central configuration to automatically enable new controls. If your configuration policy includes a list of controls to disable (programmatically, this reflects the DisabledSecurityControlIdentifiers parameter), Security Hub automatically enables all other controls across standards, including newly released controls. If your policy includes a list of controls to enable (this reflects the EnabledSecurityControlIdentifiers parameter), Security Hub automatically disables all other controls across standards, including newly released ones. For more information, see How Security Hub configuration policies work.
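The two policy shapes described in this note, modelled as an added example (not AWS code): a deny list enables every other control, including newly released ones, while an allow list disables every other control. The dict mirrors the SecurityControlsConfiguration fragment of the CreateConfigurationPolicy API; the sample control IDs, the control EC2.99 that stands in for a newly released control, and the rule that a policy carries only one of the two lists are assumptions made for the example.

```python
"""Resolve a Security Hub configuration policy's control lists to an
enabled set, before and after a new control is released.

Added illustration, not AWS code. Control IDs are constructed sample data;
EC2.99 is a made-up ID standing in for a control released after the
policy was written.
"""

# Constructed catalogue of controls available across the enabled standards.
CATALOGUE = ["CloudTrail.1", "EC2.2", "IAM.1", "S3.1"]
NEWLY_RELEASED = ["EC2.99"]  # placeholder for a control Security Hub adds later


def resolve(controls_config, catalogue):
    """Return the set of enabled control IDs under a SecurityControlsConfiguration.

    Assumption: the fragment carries exactly one of the two lists.
    A deny list (DisabledSecurityControlIdentifiers) enables everything it
    does not name, so new controls arrive enabled. An allow list
    (EnabledSecurityControlIdentifiers) disables everything it does not
    name, so new controls stay disabled until the policy is updated.
    """
    enabled = controls_config.get("EnabledSecurityControlIdentifiers")
    disabled = controls_config.get("DisabledSecurityControlIdentifiers")
    if (enabled is None) == (disabled is None):
        raise ValueError("policy must carry exactly one of the two lists")
    if disabled is not None:
        return {c for c in catalogue if c not in set(disabled)}
    return {c for c in catalogue if c in set(enabled)}


def after_release(controls_config):
    """Enablement before and after Security Hub adds the new control."""
    before = resolve(controls_config, CATALOGUE)
    after = resolve(controls_config, CATALOGUE + NEWLY_RELEASED)
    return before, after


if __name__ == "__main__":
    deny = {"DisabledSecurityControlIdentifiers": ["IAM.1"]}
    allow = {"EnabledSecurityControlIdentifiers": ["EC2.2", "S3.1"]}
    for name, cfg in (("deny list", deny), ("allow list", allow)):
        before, after = after_release(cfg)
        print(f"{name}: new control enabled? {'EC2.99' in after}")
```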
Choose your preferred access method, and follow the steps to automatically enable new controls in enabled standards. The following instructions apply only if you don't use central configuration.
Disabling controls
When you disable a control in all standards, the following occurs:
- Security checks for the control are no longer performed.
- No additional findings are generated for that control.
- Existing findings are archived automatically after 3-5 days (note that this is best effort).
- Any related AWS Config rules that Security Hub created are removed.
Instead of disabling a control in all standards, you can just disable it in one or more specific standards. If you do this, Security Hub doesn't run security checks for the control for the standards you disabled it in, so it doesn't affect the security score for those standards. However, Security Hub retains the AWS Config rule and continues running security checks for the control if it is enabled in other standards. This can affect your summary security score. For instructions on configuring controls in specific standards, see Enabling and disabling controls in specific standards.
To reduce finding noise, it can be useful to disable controls that aren't relevant to your environment. For recommendations of which controls to disable, see Security Hub controls that you might want to disable.
When you disable a standard, all of the controls that apply to the standard are disabled (however, those controls might remain enabled in other standards). For information about disabling a standard, see Enabling and disabling security standards.
When you disable a standard, Security Hub doesn't track which of its controls were disabled. If you subsequently enable the standard again, all of the controls that apply to it are automatically enabled. In addition, disabling a control is a one-time action: suppose you disable a control, and then you enable a standard that was previously disabled. If the standard includes that control, the control is enabled in that standard. Whenever you enable a standard in Security Hub, all of the controls that apply to that standard are automatically enabled.
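The interactions described above (disabling a control in one standard versus all standards, and a standard re-enable bringing its controls back) as an added single-account model; this is illustrative code, not Security Hub's implementation, and the standard names and control IDs are constructed sample data.

```python
"""Model of per-standard control enablement in one Security Hub account.

Added illustration, not AWS code. Captures three rules from the text:
 - disabling a control in all standards stops checks and drops its Config rule;
 - disabling it in one standard keeps the rule while another standard uses it;
 - enabling a standard enables all of its controls, forgetting prior disables.
"""


class SecurityHubAccount:
    def __init__(self, standards):
        # standards: {standard_name: [control_ids]} - constructed sample input
        self.standards = {s: list(ids) for s, ids in standards.items()}
        self.enabled_standards = set(standards)
        self.enabled = {s: set(ids) for s, ids in standards.items()}

    def disable_control(self, control, standard=None):
        """Disable in one named standard, or (standard=None) in all of them."""
        targets = [standard] if standard else list(self.standards)
        for std in targets:
            self.enabled[std].discard(control)

    def enable_standard(self, std):
        # Security Hub does not remember which controls were disabled here.
        self.enabled_standards.add(std)
        self.enabled[std] = set(self.standards[std])

    def disable_standard(self, std):
        self.enabled_standards.discard(std)
        self.enabled[std] = set()

    def is_enabled(self, control, std):
        return std in self.enabled_standards and control in self.enabled[std]

    def checks_running(self, control):
        """True while the control is enabled in at least one enabled standard;
        this is also when Security Hub keeps the backing AWS Config rule."""
        return any(self.is_enabled(control, s) for s in self.enabled_standards)

    def config_rules(self):
        """Controls whose Security Hub-created Config rule still exists."""
        all_controls = {c for ids in self.standards.values() for c in ids}
        return {c for c in all_controls if self.checks_running(c)}
```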
Disabling a control in all standards across multiple accounts and Regions
To disable a security control across multiple accounts and AWS Regions, you must use central configuration.
When you use central configuration, the delegated administrator can create Security Hub configuration policies that disable specified controls across enabled standards. You can then associate the configuration policy with specific accounts, OUs, or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.
Configuration policies offer customization. For example, you can choose to disable all AWS CloudTrail controls in one OU, and you can choose to disable all IAM controls in another OU. The level of granularity depends on your intended goals for security coverage in your organization. For instructions on creating a configuration policy that disables specified controls across standards, see Creating and associating Security Hub configuration policies.
Note
The delegated administrator can create configuration policies to manage controls in all standards except the Service-Managed Standard: AWS Control Tower. Controls for this standard should be configured in the AWS Control Tower service.
If you want some accounts to configure their own controls rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure controls separately in each Region.
Disabling a control in all standards in a single account and Region
If you don't use central configuration or are a self-managed account, you can't use configuration policies to centrally disable controls in multiple accounts and Regions. However, you can use the following steps to disable a control in a single account and Region.