Enabling and disabling security standards - AWS Security Hub

Enabling and disabling security standards

You can enable or disable each security standard that's available in Security Hub.

Before you enable any security standards, make sure that you have enabled AWS Config and configured resource recording. Otherwise, Security Hub may not be able to generate findings for the controls that apply to a standard. For more information, see Configuring AWS Config.

Note

The instructions for enabling and disabling standards vary based on whether or not you use central configuration. This section describes the differences. Central configuration is available to users who integrate Security Hub and AWS Organizations. We recommend using central configuration to simplify the process of enabling and disabling standards in multi-account, multi-Region environments.

Enabling a security standard

When you enable a security standard, all of the controls that apply to the standard are automatically enabled in it. Security Hub also starts generating findings for controls that apply to the standard.

You can choose which controls to enable and disable in each standard. Disabling a control stops findings for the control from being generated, and the control is ignored when calculating security scores.

When you enable Security Hub, Security Hub calculates the initial security score for a standard within 30 minutes after your first visit to the Summary page or Security standards page on the Security Hub console. It can take up to 24 hours for first-time security scores to be generated in the China Regions and AWS GovCloud (US) Region. Scores are only generated for standards that are enabled when you visit those pages. In addition, AWS Config resource recording must be configured for scores to appear. After first-time score generation, Security Hub updates the security score every 24 hours. Security Hub displays a timestamp to indicate when a security score was last updated. To view a list of standards that are currently enabled in your account, invoke the GetEnabledStandards API.

Enabling a standard across multiple accounts and Regions

To enable a security standard across multiple accounts and AWS Regions, you must use central configuration.

When you use central configuration, the delegated administrator can create Security Hub configuration policies that enable one or more standards. You can then associate the configuration policy with specific accounts and organizational units (OUs) or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.

Configuration policies offer customization. For example, you can choose to enable only AWS Foundational Security Best Practices (FSBP) in one OU, and you can choose to enable FSBP and Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0 in another OU. For instructions on creating a configuration policy that enables specified standards, see Creating and associating Security Hub configuration policies.

If you use central configuration, Security Hub doesn't automatically enable any standards in new or existing accounts. Instead, when creating a configuration policy, the delegated administrator defines which standards to enable in different accounts. Security Hub offers a recommended configuration policy in which only FSBP is enabled. For more information, see Types of configuration policies.

Note

The delegated administrator can create configuration policies to enable any standard except Service-Managed Standard: AWS Control Tower. You can enable this standard only in the AWS Control Tower service. If you use central configuration, you can enable and disable controls in this standard for a centrally managed account only in AWS Control Tower.

If you want some accounts to configure their own standards rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure standards separately in each Region.

Enabling a standard in a single account and Region

If you don't use central configuration or if you are a self-managed account, you can't use configuration policies to centrally enable standards in multiple accounts and Regions. However, you can use the following steps to enable a standard in a single account and Region.

Security Hub console
To enable a standard in one account and Region
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Confirm that you are using Security Hub in the Region in which you want to enable the standard.

  3. In the Security Hub navigation pane, choose Security standards.

  4. For the standard you want to enable, choose Enable. This also enables all controls within that standard.

  5. Repeat in each Region in which you want to enable the standard.

Security Hub API
To enable a standard in one account and Region
  1. Invoke the BatchEnableStandards API.

  2. Provide the Amazon Resource Name (ARN) of the standard that you want to enable. To obtain the standard ARN, invoke the DescribeStandards API.

  3. Repeat in each Region in which you want to enable the standard.

AWS CLI
To enable a standard in one account and Region
  1. Run the batch-enable-standards command.

  2. Provide the Amazon Resource Name (ARN) of the standard that you want to enable. To obtain the standard ARN, run the describe-standards command.

    aws securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn": "standard ARN"}'

    Example

    aws securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}'
  3. Repeat in each Region in which you want to enable the standard.

Automatically enabling default security standards

If you don't use central configuration, Security Hub automatically enables default security standards in new accounts when they join your organization. All controls that are part of the default standards are also automatically enabled. Currently, the default security standards that are automatically enabled are AWS Foundational Security Best Practices (FSBP) and Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0. You can turn off automatically enabled standards if you prefer to manually enable standards in new accounts.

If you use central configuration, you can create a configuration policy that enables the default standards and associate this policy with the root. All of your organization accounts and OUs will inherit this configuration policy unless they are associated with a different policy or are self-managed.

Turn off automatically enabled standards

The following steps apply only if you integrate with AWS Organizations but don't use central configuration. If you don't use the Organizations integration, you can turn off a default standard when you first enable Security Hub, or you can follow the steps for disabling a standard.

Security Hub console
To turn off automatically enabled standards
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

    Sign in using the credentials of the administrator account.

  2. In the Security Hub navigation pane, under Settings, choose Configuration.

  3. In the Accounts section, turn off Auto-enable default standards.

Security Hub API
To turn off automatically enabled standards
  1. Invoke the UpdateOrganizationConfiguration API from the Security Hub administrator account.

  2. To turn off automatically enabled standards in new member accounts, set AutoEnableStandards equal to NONE.

AWS CLI
To turn off automatically enabled standards
  1. Run the update-organization-configuration command.

  2. Include the auto-enable-standards parameter and set it to NONE to turn off automatically enabled standards in new member accounts. The command also requires --auto-enable or --no-auto-enable, which controls whether Security Hub itself is automatically enabled in new member accounts; pass the value that matches your current setting.

    aws securityhub update-organization-configuration --auto-enable --auto-enable-standards NONE

Disabling a security standard

When you disable a security standard in Security Hub, the following occurs:

  • All of the controls that apply to the standard are also disabled unless they are associated with another standard.

  • Checks for the disabled controls are no longer performed, and no additional findings are generated for the disabled controls.

  • Existing findings for disabled controls are archived automatically after approximately 3–5 days.

  • The AWS Config rules that Security Hub created for the disabled controls are removed.

    This normally occurs within a few minutes after you disable the standard, but might take longer. If the first request to delete the AWS Config rules fails, then Security Hub retries every 12 hours. However, if you disabled Security Hub or you don't have any other standards enabled, then Security Hub can't retry the request, meaning that it can't delete the AWS Config rules. If this occurs, and you need to delete AWS Config rules, contact AWS Support.

Disabling a standard across multiple accounts and Regions

To disable a security standard across multiple accounts and Regions, you must use central configuration.

When you use central configuration, the delegated administrator can create configuration policies that disable one or more standards. You can associate a configuration policy with specific accounts and OUs or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.

Configuration policies offer customization. For example, you can choose to disable Payment Card Industry Data Security Standard (PCI DSS) in one OU, and you can choose to disable both PCI DSS and National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 in another OU. For instructions on creating a configuration policy that disables specified standards, see Creating and associating Security Hub configuration policies.

Note

The delegated administrator can create configuration policies to disable any standard except the Service-Managed Standard: AWS Control Tower. You can disable this standard only in the AWS Control Tower service. If you use central configuration, you can enable and disable controls in this standard for a centrally managed account only in AWS Control Tower.

If you want some accounts to configure their own standards rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure standards separately in each Region.

Disabling a standard in a single account and Region

If you don't use central configuration or are a self-managed account, you can't use configuration policies to centrally disable standards in multiple accounts and Regions. However, you can use the following steps to disable a standard in a single account and Region.

Security Hub console
To disable a standard in one account and Region
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Confirm that you are using Security Hub in the Region in which you want to disable the standard.

  3. In the Security Hub navigation pane, choose Security standards.

  4. For the standard you want to disable, choose Disable.

  5. Repeat in each Region in which you want to disable the standard.

Security Hub API
To disable a standard in one account and Region
  1. Invoke the BatchDisableStandards API.

  2. For each standard you want to disable, provide the standard subscription ARN. To get the subscription ARNs for your enabled standards, invoke the GetEnabledStandards API.

  3. Repeat in each Region in which you want to disable the standard.

AWS CLI
To disable a standard in one account and Region
  1. Run the batch-disable-standards command.

  2. For each standard you want to disable, provide the standard subscription ARN. To get the subscription ARNs for your enabled standards, run the get-enabled-standards command.

    aws securityhub batch-disable-standards --standards-subscription-arns "standard subscription ARN"

    Example

    aws securityhub batch-disable-standards --standards-subscription-arns "arn:aws:securityhub:us-west-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0"
  3. Repeat in each Region in which you want to disable the standard.
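The following script shows how the API steps from this section and from the earlier "Enabling a standard in a single account and Region" section can be scripted together across several Regions with boto3. It is an added example, not code from the AWS documentation. The four securityhub client operations it calls (describe_standards, get_enabled_standards, batch_enable_standards, batch_disable_standards) are the real boto3 names of the APIs this page describes; the helper function names, the FakeSecurityHub stand-in and the sample account ID 123456789012 in its ARNs are constructed so the example runs offline.

```python
"""Enable or disable one Security Hub standard in one account across Regions.
Added example, not AWS documentation code: the boto3 securityhub operations
used are real; the helper names, FakeSecurityHub and its ARNs are constructed.
"""
from typing import Callable, Dict, Iterable, List, Optional

# Standard identifier = ARN path after 'standards/' (FSBP ARN from this page)
FSBP = "aws-foundational-security-best-practices/v/1.0.0"

def slug_of(arn: str) -> str:
    """Part after 'standards/' or 'subscription/' (Region- and account-free)."""
    return arn.split("/", 1)[1]

def _paginate(method: Callable, key: str) -> List[dict]:
    """Collect every page of a NextToken-paginated list operation."""
    items, params = [], {}
    while True:
        resp = method(**params)
        items.extend(resp.get(key, []))
        if not resp.get("NextToken"):
            return items
        params = {"NextToken": resp["NextToken"]}

def find_standard_arn(client, slug: str) -> Optional[str]:
    """DescribeStandards: the Region-specific StandardsArn for slug, or None."""
    for std in _paginate(client.describe_standards, "Standards"):
        if slug_of(std["StandardsArn"]) == slug:
            return std["StandardsArn"]
    return None

def enabled_subscription_arn(client, slug: str) -> Optional[str]:
    """GetEnabledStandards: the subscription ARN if the standard is enabled."""
    for sub in _paginate(client.get_enabled_standards, "StandardsSubscriptions"):
        if slug_of(sub["StandardsSubscriptionArn"]) == slug:
            return sub["StandardsSubscriptionArn"]
    return None

def enable_standard(client, slug: str) -> str:
    """Idempotent: skip if already enabled, otherwise BatchEnableStandards."""
    if enabled_subscription_arn(client, slug):
        return "already-enabled"
    arn = find_standard_arn(client, slug)
    if arn is None:
        raise ValueError(f"{slug} is not offered in this Region")
    client.batch_enable_standards(
        StandardsSubscriptionRequests=[{"StandardsArn": arn}])
    return "enabled"

def disable_standard(client, slug: str) -> str:
    """BatchDisableStandards needs the subscription ARN, not the standard ARN."""
    sub_arn = enabled_subscription_arn(client, slug)
    if sub_arn is None:
        return "not-enabled"
    client.batch_disable_standards(StandardsSubscriptionArns=[sub_arn])
    return "disabled"

def apply_in_regions(action: Callable, slug: str, regions: Iterable[str],
                     client_factory: Callable[[str], object]) -> Dict[str, str]:
    """Standards are per-Region: run the action with one client per Region.
    For real use pass lambda r: boto3.client("securityhub", region_name=r)."""
    return {r: action(client_factory(r), slug) for r in regions}

class FakeSecurityHub:
    """Offline stand-in for a boto3 securityhub client (constructed data)."""
    def __init__(self, region: str, enabled: Iterable[str] = ()):
        self.region = region
        self.enabled = {s: self._sub(s) for s in enabled}

    def _sub(self, slug: str) -> str:  # 123456789012 is a sample account id
        return f"arn:aws:securityhub:{self.region}:123456789012:subscription/{slug}"

    def describe_standards(self, **_):
        arn = f"arn:aws:securityhub:{self.region}::standards/{FSBP}"
        return {"Standards": [{"StandardsArn": arn}]}

    def get_enabled_standards(self, **_):
        subs = [{"StandardsSubscriptionArn": a} for a in self.enabled.values()]
        return {"StandardsSubscriptions": subs}

    def batch_enable_standards(self, StandardsSubscriptionRequests):
        for req in StandardsSubscriptionRequests:
            slug = slug_of(req["StandardsArn"])
            self.enabled[slug] = self._sub(slug)
        return {"StandardsSubscriptions": []}

    def batch_disable_standards(self, StandardsSubscriptionArns):
        for arn in StandardsSubscriptionArns:
            self.enabled.pop(slug_of(arn), None)
        return {"StandardsSubscriptions": []}

def demo() -> Dict[str, Dict[str, str]]:
    """Enable, then disable, FSBP in two fake Regions (one already enabled)."""
    fakes = {"us-east-1": FakeSecurityHub("us-east-1", enabled=[FSBP]),
             "us-west-2": FakeSecurityHub("us-west-2")}
    return {"enable": apply_in_regions(enable_standard, FSBP, fakes, fakes.__getitem__),
            "disable": apply_in_regions(disable_standard, FSBP, fakes, fakes.__getitem__)}
```

Calling demo() runs the whole flow offline against the fake clients; against real accounts, pass a factory such as lambda r: boto3.client("securityhub", region_name=r) to apply_in_regions with the list of Regions you need. The script keeps the distinction this page makes between the two ARN types (enabling takes the standard ARN from DescribeStandards, disabling takes the subscription ARN from GetEnabledStandards), and the GetEnabledStandards check before each call makes a rerun safe, which matters when the same automation is applied Region by Region.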