Disabling or enabling a security standard - AWS Security Hub

Disabling or enabling a security standard

You can disable or enable each security standard.

Remember that Security Hub is Regional. When you enable or disable a security standard, it is enabled or disabled only in the current Region or in the Region that you specify in an API request.

When you disable a security standard, the following occurs:

  • The checks for its controls are no longer performed.

  • No additional findings are generated for its controls.

  • The related AWS Config rules that Security Hub created are removed.

When you enable a security standard, all of the controls for that standard are enabled by default. You can then disable individual controls. See Disabling and enabling individual controls.

Disabling a security standard (console)

On the Security standards page, each enabled standard includes an option to disable the standard.

To disable a standard

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Confirm that you are using Security Hub in the Region in which you want to disable the standard.

  3. In the Security Hub navigation pane, choose Security standards.

  4. For the standard you want to disable, choose Disable.

Disabling a security standard (Security Hub API, AWS CLI)

To disable a security standard, you can use an API call or the AWS Command Line Interface.

To disable a security standard (Security Hub API, AWS CLI)

  • Security Hub API – Use the BatchDisableStandards operation. For each standard to disable, you provide the ARN of your subscription to the standard. To get the subscription ARNs for your enabled standards, use the GetEnabledStandards operation.

  • AWS CLI – At the command line, run the batch-disable-standards command.

    aws securityhub batch-disable-standards --standards-subscription-arns <subscription ARN>

    Example

    aws securityhub batch-disable-standards --standards-subscription-arns "arn:aws:securityhub:us-west-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0"

Enabling a security standard (console)

On the Security standards page, each disabled standard includes an option to enable the standard.

To enable a security standard

  1. Make sure that you have enabled AWS Config in the master account and all of the member accounts. See AWS Config requirements for running security checks.

  2. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  3. Confirm that you are using Security Hub in the Region in which you want to enable the standard.

  4. In the Security Hub navigation pane, choose Security standards.

  5. For the standard you want to enable, choose Enable.

Enabling a security standard (Security Hub API, AWS CLI)

To enable a security standard, you can use an API call or the AWS Command Line Interface.

To enable a security standard (Security Hub API, AWS CLI)

  • Security Hub API – Use the BatchEnableStandards operation. To identify a standard to enable, you must provide the standard ARN. To obtain the standard ARN, use the DescribeStandards operation.

  • AWS CLI – At the command line, run the batch-enable-standards command.

    aws securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn": "<standard ARN>"}'

    Example

    aws securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}'
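
Because a standard is enabled or disabled per Region, disabling it in one Region stops checks and findings there while other Regions still look healthy. The following added example (not part of the AWS documentation) calls the GetEnabledStandards operation through boto3 and reports the Regions where a required standard is not in READY status. The function names, the Region list, and the choice of required standard are assumptions.

```python
# Added example, not AWS's own code. Function names and the Region list are assumptions.

# Suffix of the standard ARN shown in the page's batch-enable-standards example.
REQUIRED = "standards/aws-foundational-security-best-practices/v/1.0.0"


def audit_standard(client_for_region, regions, required=REQUIRED):
    """Map each Region to the StandardsStatus of the required standard.

    client_for_region: callable returning a Security Hub client for a Region
    (for example lambda r: boto3.client("securityhub", region_name=r)).
    Regions with no subscription to the standard are reported as NOT_ENABLED.
    """
    report = {}
    for region in regions:
        client = client_for_region(region)
        status, token = "NOT_ENABLED", None
        while True:  # GetEnabledStandards is paginated through NextToken
            kwargs = {"NextToken": token} if token else {}
            page = client.get_enabled_standards(**kwargs)
            for sub in page.get("StandardsSubscriptions", []):
                # This standard's ARN embeds the Region, so match on the suffix.
                if sub["StandardsArn"].endswith(required):
                    status = sub["StandardsStatus"]
            token = page.get("NextToken")
            if not token:
                break
        report[region] = status
    return report


def regions_with_gaps(report):
    """Regions where the standard is absent or not READY (e.g. DELETING, FAILED)."""
    return sorted(r for r, s in report.items() if s != "READY")


if __name__ == "__main__":
    import boto3  # needs credentials allowed to call securityhub:GetEnabledStandards

    regions = ["us-east-1", "us-west-1"]  # assumed Region list; adjust to your estate
    report = audit_standard(
        lambda r: boto3.client("securityhub", region_name=r), regions)
    for region in regions_with_gaps(report):
        print(f"{region}: {report[region]}")
```

A Region reported here can be brought back into line with the batch-enable-standards command shown above, run against that Region.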