Viewing details of a standard - AWS Security Hub

Viewing details of a standard

On the AWS Security Hub console, the details page for a standard includes the following information:

  • The standard security score

  • Visual summary of the control statuses for the controls that apply to the standard.

  • Visual summary of security checks for the controls that are enabled in the standard. If you integrate with AWS Organizations, controls that are enabled in at least one organization account are considered enabled.

  • A list of controls that apply to the standard. You can filter and sort the controls as needed.

You can also use the Security Hub API and AWS CLI to retrieve details for a standard. The following sections explain how to get details for a standard.

Displaying the details page for an enabled standard (console)

From the Security standards page, you can display the details page for an enabled standard.

If you are signed in to the administrator account, you can view details for any standard that is enabled in at least one member account.

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the Security Hub navigation pane, choose Security standards.

  3. For the standard that you want to display the details for, choose View results.

Understanding the standard security score

At the top of the standard details page is the security score for the standard. The score is the percentage of passed controls relative to the number of enabled controls (that have data) for the standard.

Security Hub typically calculates the initial security score within 30 minutes after your first visit to the Summary page or Security standards page on the Security Hub console. Scores are only generated for standards that are enabled when you visit those pages. To view a list of standards that are currently enabled, use the GetEnabledStandards API operation. In addition, AWS Config resource recording must be configured for scores to appear. After first-time score generation, Security Hub updates the security score every 24 hours. Security Hub displays a timestamp to indicate when a security score was last updated. For more information about how scores are calculated, see Calculating security scores.

Note

It can take up to 24 hours for first-time security scores to be generated in the China Regions and AWS GovCloud (US) Region.

Next to the score is a chart that summarizes security checks for controls that are enabled in the standard. The chart shows the number of passed and failed security checks. You can also choose a specific severity level to view the failed security checks for controls of the chosen severity level.

For administrator accounts, the standard score and chart are aggregated across the administrator account and all member accounts.

All of the data on the Security standards details pages is specific to the current Region unless you have set an aggregation Region. If you have set an aggregation Region, the security scores apply across Regions and include findings in all linked Regions. The compliance status of controls on the standards details pages also reflects findings from linked Regions, and the number of security checks includes findings from linked Regions.

Viewing the controls in enabled standards

When you visit the details page for a standard, you can view a list of security controls that apply to the standard.

For each control, the table displays the following information:

Security Hub updates the control statuses and security check count every 24 hours. A timestamp at the top of the page indicates when the control statuses and security check count were most recently updated. For more information, see Evaluating compliance status and control status in Security Hub.

For administrator accounts, the control statuses and number of security checks are aggregated across the administrator account and all member accounts. The count of enabled controls includes controls that are enabled in the standard in the administrator account or at least one member account. The count of disabled controls includes controls that are disabled in the standard in the administrator account and all member accounts.

By default, the table lists all enabled controls in the standard. Those with a Failed control status are shown at the top, sorted in order of decreasing severity.
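The rules this page gives for the administrator view (a control counts as enabled if it is enabled in the administrator account or at least one member account, and as disabled only if it is disabled everywhere), for the security score (passed controls over enabled controls that have data), and for the default table order (Failed controls first, then decreasing severity) are small enough to reconstruct end to end. The following Python is an added example, not code from the Security Hub documentation or from the service itself. Its input is a constructed set of per-account control evaluations with made-up account IDs, severities and check results; only the control ID format is real. The control status rollup it uses (Failed if any check failed, Passed if every check passed, Unknown if only WARNING or NOT_AVAILABLE results remain, No data if nothing was evaluated) is taken from the Evaluating compliance status and control status topic and should be treated as an assumption here, as should counting Unknown controls in the score's denominator and rounding the score to a whole percent.

```python
"""Rebuild the standard details view (admin account) from per-account control data.

Added example with constructed input; rollup rules are assumptions noted inline.
"""
from collections import defaultdict
from dataclasses import dataclass

# Decreasing severity order used for the default table sort.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}


@dataclass
class ControlEvaluation:
    """One control as seen in one account: enabled in the standard or not, plus the
    compliance status of each security check (one per evaluated resource)."""
    account_id: str
    control_id: str
    severity: str
    enabled: bool
    checks: list  # e.g. ["PASSED", "FAILED"]; empty when nothing was evaluated


# Constructed sample: administrator 111111111111 and two member accounts.
# Account IDs, severities and results are made up for illustration.
EVALUATIONS = [
    ControlEvaluation("111111111111", "Config.1", "CRITICAL", True, ["PASSED"]),
    ControlEvaluation("222222222222", "Config.1", "CRITICAL", True, ["PASSED"]),
    ControlEvaluation("333333333333", "Config.1", "CRITICAL", False, []),
    ControlEvaluation("111111111111", "IAM.4", "CRITICAL", True, ["PASSED"]),
    ControlEvaluation("222222222222", "IAM.4", "CRITICAL", True, ["FAILED"]),
    ControlEvaluation("333333333333", "IAM.4", "CRITICAL", True, ["PASSED"]),
    ControlEvaluation("111111111111", "S3.1", "MEDIUM", True, ["FAILED", "PASSED"]),
    ControlEvaluation("222222222222", "S3.1", "MEDIUM", False, []),
    ControlEvaluation("333333333333", "S3.1", "MEDIUM", True, ["PASSED"]),
    ControlEvaluation("111111111111", "CloudTrail.1", "HIGH", True, []),  # enabled, no checks yet
    ControlEvaluation("222222222222", "CloudTrail.1", "HIGH", True, []),
    ControlEvaluation("333333333333", "CloudTrail.1", "HIGH", True, []),
    ControlEvaluation("111111111111", "EC2.8", "HIGH", False, []),  # disabled in every account
    ControlEvaluation("222222222222", "EC2.8", "HIGH", False, []),
    ControlEvaluation("333333333333", "EC2.8", "HIGH", False, []),
    ControlEvaluation("111111111111", "KMS.3", "LOW", True, ["NOT_AVAILABLE"]),
]


def control_status(enabled, checks):
    """Roll security checks up to a control status (assumed rules, see lead-in)."""
    if not enabled:
        return "Disabled"
    if not checks:
        return "No data"
    if "FAILED" in checks:
        return "Failed"
    if all(c == "PASSED" for c in checks):
        return "Passed"
    return "Unknown"  # only WARNING / NOT_AVAILABLE results, nothing failed


def aggregate(evaluations):
    """Administrator view: one row per control, aggregated across all accounts."""
    by_control = defaultdict(list)
    for ev in evaluations:
        by_control[ev.control_id].append(ev)
    rows = []
    for control_id, evs in by_control.items():
        # Enabled if enabled in the admin account or at least one member account.
        enabled = any(ev.enabled for ev in evs)
        # Assumption: checks from accounts where the control is disabled do not count.
        checks = [c for ev in evs if ev.enabled for c in ev.checks]
        rows.append({
            "control_id": control_id,
            "severity": evs[0].severity,
            "enabled": enabled,
            "status": control_status(enabled, checks),
            "passed_checks": checks.count("PASSED"),
            "failed_checks": checks.count("FAILED"),
        })
    return rows


def security_score(rows):
    """Percentage of passed controls among enabled controls that have data.
    Unknown controls are kept in the denominator (assumption); None if nothing is scorable."""
    scored = [r for r in rows if r["enabled"] and r["status"] != "No data"]
    if not scored:
        return None
    passed = sum(1 for r in scored if r["status"] == "Passed")
    return round(100 * passed / len(scored))


def default_view(rows):
    """Default table order: enabled controls, Failed first, then decreasing severity."""
    enabled = [r for r in rows if r["enabled"]]
    return sorted(enabled, key=lambda r: (r["status"] != "Failed",
                                          -SEVERITY_RANK[r["severity"]], r["control_id"]))


def filter_by_status(rows, status):
    """The 'enabled controls, then by control status' filter from the console."""
    return [r for r in rows if r["enabled"] and r["status"] == status]


def failed_checks_by_severity(rows, severity):
    """Failed security checks for enabled controls of one severity level."""
    return sum(r["failed_checks"] for r in rows if r["enabled"] and r["severity"] == severity)


def summary(rows):
    """The numbers shown at the top of the standard details page."""
    return {
        "enabled_controls": sum(1 for r in rows if r["enabled"]),
        "disabled_controls": sum(1 for r in rows if not r["enabled"]),
        "passed_checks": sum(r["passed_checks"] for r in rows),
        "failed_checks": sum(r["failed_checks"] for r in rows),
        "score": security_score(rows),
    }
```

With the constructed data, Config.1 and S3.1 both count as enabled although one member account has them disabled, EC2.8 is the only disabled control, CloudTrail.1 is excluded from the score as No data, and the score comes out at 25 percent (one Passed control out of four with data). Whether Security Hub treats Unknown controls the same way is worth checking against Calculating security scores before relying on the number.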

You can filter the list of all controls in the standard. Using the Filter by options next to the table, you can choose to view only enabled or only disabled controls in the standard. If you view only enabled controls, you can further filter the list by control status. This lets you focus on controls with a specific control status.

In addition to the Filter by options, you can narrow the controls list by entering filters in the Filter controls search box. For example, you can filter by control ID or title.

Choose your preferred access method, and follow the steps to display the available controls for an enabled standard.

Security Hub console
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Choose Security standards in the navigation pane.

  3. Choose View results for a standard. The bottom of the page lists all of the controls that apply to the standard. Filter and sort the list as needed.

Security Hub API, AWS CLI
  1. Use the ListSecurityControlDefinitions operation of the Security Hub API. If you use the AWS CLI, run the list-security-control-definitions command.

    Provide the Amazon Resource Name (ARN) of the standard that you want to view controls for. To obtain standard ARNs, use the DescribeStandards operation or the describe-standards command. If you don't provide a standard ARN, Security Hub returns all security control IDs.

  2. Use the ListStandardsControlAssociations operation of the Security Hub API, or the list-standards-control-associations command. This operation tells you which standards a control is enabled in.

    Identify the control by providing the security control ID or ARN. Pagination parameters are optional.

The following example tells you which standards the Config.1 control is enabled in. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securityhub list-standards-control-associations \
--region us-east-1 \
--security-control-id Config.1

Downloading the controls list for a standard

You can download the current page of the controls list to a .csv file.

If you filter the controls list, then the downloaded file includes only the controls that match the filter settings.

To download the current page of the controls list, choose Download.