Viewing the list of controls for a standard - AWS Security Hub

Viewing the list of controls for a standard

The Security standards page provides access to the supported security standards in AWS Security Hub.

For each enabled standard, you can view and filter the list of controls.

From the controls list, you can perform the following actions:

Displaying the controls for an enabled standard (console)

From the Security standards page, you can display the list of controls that are associated with that standard.

To display the list of controls for an enabled standard

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the Security Hub navigation pane, choose Security standards.

  3. For the standard to display the controls for, choose View results.

For each control, the controls page provides the following information:

Filtering the list of controls

By default, the list of controls includes all of the controls for the selected standard. You can filter the list based on the control identifier, description, related requirements, status, or severity.

To filter the list of controls

  1. To filter based on text in the identifier, description, or a related requirement, begin typing the text in the search box.

    The list is updated automatically to only include controls that contain the matching text.

  2. To filter based on the control status, from the menu next to the search box, choose the status to include.

    For enabled controls, you can show all enabled controls or only show enabled controls that have a specific overall status (Passed, Failed, or Unknown).

    You can also choose to only display disabled standards.

  3. To filter based on the control severity, from the severity menu, choose the severity to include.

Viewing the controls for an enabled standard (Security Hub API, AWS CLI)

To display information about the controls for an enabled standard, you can use an API call or the AWS Command Line Interface.

To display the controls for an enabled standard (Security Hub API, AWS CLI)

  • Security Hub API – Use the DescribeStandardsControls operation. To identify the standard to display the controls for, you provide the ARN of your subscription to the control. To get the subscription ARNs for your enabled standards, use the GetEnabledStandards operation.

  • AWS CLI – At the command line, run the describe-standards-controls command.

    aws securityhub describe-standards-controls --standards-subscription-arn <subscription ARN>

    Example

    aws securityhub describe-standards-controls --standards-subscription-arn "arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0"