Enabling a control in all standards Disabling a control in all standards

Enabling and disabling controls in all standards

When you enable a standard in AWS Security Hub, all of the controls that apply to it are automatically enabled for that standard (the exception to this is service-managed standards). You can then disable and re-enable specific controls.

You must enable and disable controls separately in each AWS account and AWS Region. When you enable or disable a control, it only impacts the current account and Region.

Note

You can enable and disable controls in each Region by using the Security Hub console, Security Hub API, or AWS CLI. If you have set an aggregation Region, you see controls from all linked Regions. If a control is available in a linked Region but not in the aggregation Region, you cannot enable or disable that control from the aggregation Region. For multi-account and multi-Region control disablement scripts, refer to Disabling Security Hub controls in a multi-account environment.

Enabling a control in all standards

When you enable a control in a standard, Security Hub starts to run security checks for the control and generate findings for the control. Security Hub also includes the control status in the calculation of the overall security score and standard security scores. If you turn on consolidated control findings, you'll receive a single finding for a security check even if you've enabled the related control in multiple standards. For more information, see see Consolidated control findings.

Follow these steps to enable a Security Hub control in all of your enabled standards. For instructions on enabling a control in a specific standard, see Enabling a control in a specific standard.

Security Hub console

Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.
Choose Controls from the navigation pane.
Choose the Disabled tab.
Choose the option next to a control.
Choose Enable Control (this option doesn't appear for a control that's already enabled).

Security Hub API

Run ListStandardsControlAssociations, providing a specific control ID to return the current enablement status of the control in each standard. Provide standard-agnostic security control IDs, not standard-specific control IDs.

Example request:
```
{
    "SecurityControlId": "IAM.1"
}
```
Run BatchUpdateStandardsControlAssociations. Provide the Amazon Resource Name (ARN) of any standards that the control isn't enabled in. To obtain standard ARNs, run DescribeStandards.

Set the AssociationStatus parameter equal to ENABLED. If you follow these steps for a control that's already enabled, the API returns an HTTP status code 200 response.

Example request:


{
    "StandardsControlAssociationUpdates": [{"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "ENABLED"}, {"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "ENABLED"}]
}

AWS CLI

Run the list-standards-control-associations command, providing a specific control ID to return the current enablement status of the control in each standard. Provide standard-agnostic security control IDs, not standard-specific control IDs.
```
aws securityhub  --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
```
Run the batch-update-standards-control-associations command. Provide the Amazon Resource Name (ARN) of any standards that the control isn't enabled in. To obtain standard ARNs, run the describe-standards command.

Set the AssociationStatus parameter equal to ENABLED. If you follow these steps for a control that's already enabled, the command returns an HTTP status code 200 response.


aws securityhub  --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "ENABLED"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "ENABLED"}]'

Disabling a control in all standards

One way to disable a control is by disabling all standards that the control applies to. When you disable a standard, all of the controls that apply to the standard are disabled (however, those controls may still remain enabled in other standards). For information about disabling a standard, see Enabling and disabling security standards.

When you disable a control by disabling all standards it applies to, the following occurs:

Security checks for the control are no longer performed.
No additional findings are generated for that control.
Existing findings are archived automatically after 3-5 days (note that this is best effort and not guaranteed).
The related AWS Config rules that Security Hub created are removed.

When you disable a standard, Security Hub does not track which controls were disabled. If you subsequently enable the standard again, all of the controls that apply to it are automatically enabled. In addition, disabling a control is a one-time action. Suppose you disable a control, and then you enable a standard which was previously disabled. If the standard includes that control, it will be enabled in that standard. When you enable a standard in Security Hub, all of the controls that apply to that standard are automatically enabled.

Instead of disabling a control by disabling all standards it applies to, you can just disable the control in one or more specific standards. If you do this, Security Hub won't run security checks for the control for the standards you disabled it in, so it won't affect the security score for those standards. However, Security Hub will continue running security checks for the control if it is enabled in other standards.

To reduce finding noise, it can be useful to disable controls that aren't relevant to your environment. For recommendations of which controls to disable, see Security Hub controls that you might want to disable.

Follow these steps to disable a Security Hub control in all standards. To disable a control in a specific standard, see Disabling a control in a specific standard.

Security Hub console

Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.
Choose Controls from the navigation pane.
Choose the option next to a control.
Choose Disable Control (this option doesn't appear for a control that's already disabled).
Select a reason for disabling the control, and confirm by choosing Disable.

Security Hub API

Run ListStandardsControlAssociations, providing a specific control ID to return the current enablement status of the control in each standard. Provide standard-agnostic security control IDs, not standard-specific control IDs.

Example request:
```
{
    "SecurityControlId": "IAM.1"
}
```
Run BatchUpdateStandardsControlAssociations. Provide the ARN of any standards that the control is enabled in. To obtain standard ARNs, run DescribeStandards.

Set the AssociationStatus parameter equal to DISABLED. If you follow these steps for a control that's already disabled, the API returns an HTTP status code 200 response.

Example request:


{
    "StandardsControlAssociationUpdates": [{"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}}]
}

AWS CLI

Run the list-standards-control-associations command , providing a specific control ID to return the current enablement status of the control in each standard. Provide standard-agnostic security control IDs, not standard-specific control IDs.
```
aws securityhub  --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
```
Run batch-update-standards-control-associations. Provide the ARN of any standards that the control is enabled in. To obtain standard ARNs, run the describe-standards command.

Set the AssociationStatus parameter equal to DISABLED. If you follow these steps for a control that's already disabled, the command returns an HTTP status code 200 response.


aws securityhub  --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Control categories

Enabling new controls in enabled standards automatically