AWS securityhub documentation change
Summary
Updated documentation for disabling security standards with improved clarity, added details about AWS Config rule deletion, and expanded instructions for multi-account management using central configuration
Security assessment
Changes clarify security standard management processes and AWS Config rule behavior, but do not address a specific disclosed vulnerability. The updates improve documentation of existing security features rather than patching issues.
Diff
diff --git a/securityhub/latest/userguide/disable-standards.md b/securityhub/latest/userguide/disable-standards.md index b3c0bd150..86993272d 100644 --- a//securityhub/latest/userguide/disable-standards.md +++ b//securityhub/latest/userguide/disable-standards.md @@ -5 +5 @@ -Disabling a standard in multiple accounts and RegionsDisabling a standard in a single account and Region +Disabling a standard in multiple accounts and AWS RegionsDisabling a standard in a single account and AWS Region @@ -9 +9 @@ Disabling a standard in multiple accounts and RegionsDisabling a standard in a s -When you disable a security standard in Security Hub, the following occurs: +When you disable a security standard in AWS Security Hub, the following occurs: @@ -11 +11 @@ When you disable a security standard in Security Hub, the following occurs: - * All of the controls that apply to the standard are also disabled unless they are associated with another standard. + * All the controls that apply to the standard are disabled, unless they're associated with another standard that's currently enabled. @@ -13 +13 @@ When you disable a security standard in Security Hub, the following occurs: - * Checks for the disabled controls are no longer performed, and no additional findings are generated for the disabled controls. + * Security checks for the disabled controls are no longer performed, and no additional findings are generated for the disabled controls. @@ -15 +15 @@ When you disable a security standard in Security Hub, the following occurs: - * Existing findings for disabled controls are archived automatically after approximately 3–5 days. + * Existing findings for the disabled controls are archived automatically after approximately 3‐5 days. @@ -17 +17 @@ When you disable a security standard in Security Hub, the following occurs: - * The AWS Config rules that Security Hub created for the disabled controls are removed. + * AWS Config rules that Security Hub created for the disabled controls are deleted. @@ -19 +18,0 @@ When you disable a security standard in Security Hub, the following occurs: -This normally occurs within a few minutes after you disable the standard, but might take longer. If the first request to delete the AWS Config rules fails, then Security Hub retries every 12 hours. However, if you disabled Security Hub or you don't have any other standards enabled, then Security Hub can't retry the request, meaning that it can't delete the AWS Config rules. If this occurs, and you need to delete AWS Config rules, contact Support. @@ -22,0 +22 @@ This normally occurs within a few minutes after you disable the standard, but mi +Deletion of the appropriate AWS Config rules typically occurs within a few minutes of disabling a standard. However, it might take longer. If the first request fails to delete the rules, Security Hub tries again every 12 hours. However, if you disabled Security Hub or don't have any other standards enabled, Security Hub can't try again, which means that it can't delete the rules. If this occurs and you need to delete the rules, contact AWS Support. @@ -24 +24 @@ This normally occurs within a few minutes after you disable the standard, but mi -## Disabling a standard in multiple accounts and Regions +## Disabling a standard in multiple accounts and AWS Regions @@ -26 +26 @@ This normally occurs within a few minutes after you disable the standard, but mi -To disable a security standard across multiple accounts and Regions, you must use [central configuration](./central-configuration-intro.html). +To disable a security standard across multiple accounts and AWS Regions, use [central configuration](./central-configuration-intro.html). With central configuration, the delegated Security Hub administrator can create Security Hub configuration policies that disable one or more standards. The administrator can then associate a configuration policy with individual accounts, organizational units (OUs), or the root. A configuration policy affects the home Region, also referred to as an _aggregation Region_ , and all linked Regions. @@ -28,3 +28 @@ To disable a security standard across multiple accounts and Regions, you must us -When you use central configuration, the delegated administrator can create configuration policies that disable one or more standards. You can associate a configuration policy with specific accounts and OUs or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions. - -Configuration policies offer customization. For example, you can choose to disable Payment Card Industry Data Security Standard (PCI DSS) in one OU, and you can choose to disable both PCI DSS and National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 in another OU. For instructions on creating a configuration policy that disables specified standards, see [Creating and associating configuration policies](./create-associate-policy.html). +Configuration policies offer customization options. For example, you might choose to disable the Payment Card Industry Data Security Standard (PCI DSS) in one OU. For another OU, you might choose to disable both the PCI DSS and the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 standard. For information about creating a configuration policy that enables or disables individual standards that you specify, see [Creating and associating configuration policies](./create-associate-policy.html). @@ -34 +32 @@ Configuration policies offer customization. For example, you can choose to disab -The delegated administrator can create configuration policies to disable any standard except the [Service-Managed Standard: AWS Control Tower](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html). You can disable this standard only in the AWS Control Tower service. If you use central configuration, you can enable and disable controls in this standard for a centrally managed account only in AWS Control Tower. +The Security Hub administrator can use configuration policies to disable any standard except the [AWS Control Tower service-managed standard](./service-managed-standard-aws-control-tower.html). To disable this standard, the administrator must use AWS Control Tower directly. They must also use AWS Control Tower to disable or enable individual controls in this standard for a centrally managed account. @@ -36 +34 @@ The delegated administrator can create configuration policies to disable any sta -If you want some accounts to configure their own standards rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure standards separately in each Region. +If you want some accounts to configure or disable standards for their own accounts, the Security Hub administrator can designate those accounts as _self-managed accounts_. Self-managed accounts must disable standards separately in each Region. @@ -38 +36 @@ If you want some accounts to configure their own standards rather than the deleg -## Disabling a standard in a single account and Region +## Disabling a standard in a single account and AWS Region @@ -40 +38 @@ If you want some accounts to configure their own standards rather than the deleg -If you don't use central configuration or are a self-managed account, you can't use configuration policies to centrally disable standards in multiple accounts and Regions. However, you can use the following steps to disable a standard in a single account and Region. +If you don't use central configuration or you have a self-managed account, you can't use configuration policies to centrally disable security standards in multiple accounts or AWS Regions. However, you can disable a standard in a single account and Region. You can do this by using the Security Hub console or the Security Hub API. @@ -44,0 +43,2 @@ Security Hub console +Follow these steps to disable a standard in one account and Region by using the Security Hub console. + @@ -49 +49 @@ Security Hub console - 2. Confirm that you are using Security Hub in the Region in which you want to disable the standard. + 2. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to disable the standard. @@ -51 +51 @@ Security Hub console - 3. In the Security Hub navigation pane, choose **Security standards**. + 3. In the navigation pane, choose **Security standards**. @@ -53 +53 @@ Security Hub console - 4. For the standard you want to disable, choose **Disable**. + 4. In the section for the standard that you want to disable, choose **Disable standard**. @@ -55 +54,0 @@ Security Hub console - 5. Repeat in each Region in which you want to disable the standard. @@ -58,0 +58 @@ Security Hub console +To disable the standard in additional Regions, repeat the preceding steps in each additional Region. @@ -63,21 +63 @@ Security Hub API -###### To disable a standard in one account and Region - - 1. Invoke the [BatchDisableStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchDisableStandards.html) API. - - 2. For each standard you want to disable, provide the standard subscription ARN. To get the subscription ARNs for your enabled standards, invoke the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) API. - - 3. Repeat in each Region in which you want to disable the standard. - - - - -AWS CLI - - -###### To disable a standard in one account and Region - - 1. Run the [batch-disable-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-disable-standards.html) command. - - 2. For each standard you want to disable, provide the standard subscription ARN. To get the subscription ARNs for your enabled standards, run the [get-enabled-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-enabled-standards.html) command. - - aws securityhub batch-disable-standards --standards-subscription-arns "standard subscription ARN" +To disable a standard programmatically in a single account and Region, use the [BatchDisableStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchDisableStandards.html) operation. Or, if you're using the AWS Command Line Interface (AWS CLI), run the [batch-disable-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-disable-standards.html) command. @@ -85 +65 @@ AWS CLI -**Example** +In your request, use the `StandardsSubscriptionArns` parameter to specify the Amazon Resource Name (ARN) of the standard that you want to disable. If you're using the AWS CLI, use the `standards-subscription-arns` parameter to specify the ARN. Also specify the Region that your request applies to. For example, the following command disables the AWS Foundational Security Best Practices v1.0.0 (FSBP) standard for an account (`123456789012`): @@ -87 +66,0 @@ AWS CLI - aws securityhub batch-disable-standards --standards-subscription-arns "arn:aws:securityhub:us-west-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0" @@ -89 +68,3 @@ AWS CLI - 3. Repeat in each Region in which you want to disable the standard. + $ aws securityhub batch-disable-standards \ + --standards-subscription-arns "arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0" \ + --region us-east-1 @@ -90,0 +72 @@ AWS CLI +Where `arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0` is the ARN of the FSBP standard for the account in the US East (N. Virginia) Region, and `us-east-1` is the Region in which to disable it. @@ -91,0 +74 @@ AWS CLI +To obtain the ARN for a standard, you can use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation. This operation retrieves information about the standards that are currently enabled in your account. If you're using the AWS CLI, you can run the [get-enabled-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-enabled-standards.html) command to retrieve this information. @@ -92,0 +76 @@ AWS CLI +After you disable a standard, Security Hub begins performing tasks to disable the standard in the account and the specified Region. This includes disabling all the controls that apply to the standard. To monitor the status of these tasks, you can [check the status of the standard](./enable-standards.html#standard-subscription-status) for the account and Region.