AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-04-11 · Documentation low

File: securityhub/latest/userguide/enable-standards.md

Summary

Updated documentation for enabling security standards with improved clarity on AWS Config prerequisites, control management, security score generation, central configuration workflows, and new section for checking standard statuses.

Security assessment

Changes focus on operational guidance and documentation clarity rather than addressing specific vulnerabilities. While they emphasize proper AWS Config setup (a security best practice), there's no evidence of patching a security flaw or incident response.

Diff

diff --git a/securityhub/latest/userguide/enable-standards.md b/securityhub/latest/userguide/enable-standards.md
index 00a679cc4..b53ff3807 100644
--- a//securityhub/latest/userguide/enable-standards.md
+++ b//securityhub/latest/userguide/enable-standards.md
@@ -5 +5 @@
-Enabling a standard in multiple accounts and RegionsEnabling a standard in a single account and Region
+Enabling a standard in multiple accounts and AWS RegionsEnabling a standard in a single account and AWS RegionChecking the status of a standard
@@ -9 +9 @@ Enabling a standard in multiple accounts and RegionsEnabling a standard in a sin
-When you enable a security standard in AWS Security Hub, all of the controls that apply to the standard are automatically enabled in it. Security Hub also starts running security checks and generating findings for controls that apply to the standard.
+When you enable a security standard in AWS Security Hub, Security Hub automatically creates and enables all the controls that apply to the standard. Security Hub also starts running security checks and generating findings for the controls.
@@ -11 +11 @@ When you enable a security standard in AWS Security Hub, all of the controls tha
-Before you enable any security standards, you should turn on resource recording in AWS Config for all resources that are used by controls that apply to the standard. Otherwise, Security Hub may not be able to generate findings for the controls that apply to a standard. For more information, see [Considerations before enabling and configuring AWS Config](./securityhub-setup-prereqs.html#securityhub-prereq-config).
+To optimize coverage and the accuracy of findings, enable and configure resource recording in AWS Config before you enable a standard. When you configure resource recording, also be sure to enable it for all the types of resources that are checked by controls that apply to the standard. Otherwise, Security Hub might not be able to evaluate the appropriate resources, and generate accurate findings for controls that apply to the standard. For more information, see [Enabling and configuring AWS Config for Security Hub](./securityhub-setup-prereqs.html).
@@ -13 +13 @@ Before you enable any security standards, you should turn on resource recording
-You can choose which controls to enable and disable in each standard. Disabling a control stops findings for the control from being generated, and the control is ignored when calculating security scores.
+After you enable a standard, you can disable or later re-enable individual controls that apply to the standard. If you disable a control for a standard, Security Hub stops generating findings for the control. In addition, Security Hub ignores the control when it calculates the security score for the standard. The security score is the percentage of controls that passed evaluation, relative to the total number of controls that apply to the standard, are enabled, and have evaluation data.
@@ -15 +15 @@ You can choose which controls to enable and disable in each standard. Disabling
-When you enable Security Hub, Security Hub calculates the initial security score for a standard within 30 minutes after your first visit to the **Summary** page or **Security standards** page on the Security Hub console. It can take up to 24 hours for first-time security scores to be generated in the China Regions and AWS GovCloud (US) Region. Scores are only generated for standards that are enabled when you visit those pages. In addition, AWS Config resource recording must be configured for scores to appear. After first-time score generation, Security Hub updates the security score every 24 hours. Security Hub displays a timestamp to indicate when a security score was last updated. To view a list of standards that are currently enabled in your account, invoke the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) API.
+When you enable a standard, Security Hub generates a preliminary security score for the standard, typically within 30 minutes of your first visit to the **Summary** or **Security standards** page on the Security Hub console. Security scores are generated only for standards that are enabled when you visit those pages on the console. In addition, resource recording must be configured in AWS Config for the scores to appear. In the China Regions and AWS GovCloud (US) Regions, it can take up to 24 hours for Security Hub to generate a preliminary security score for a standard. After Security Hub generates a preliminary score, it updates the score every 24 hours. To determine when a security score was last updated, you can refer to a timestamp that Security Hub provides for the score. For more information, see [Calculating security scores](./standards-security-score.html).
@@ -17 +17 @@ When you enable Security Hub, Security Hub calculates the initial security score
-The instructions for enabling a standard vary based on whether or not you use [central configuration](./central-configuration-intro.html). You can use central configuration if you integrate Security Hub and AWS Organizations. We recommend using central configuration if you want to enable standards in multi-account, multi-Region environments. If you don't use central configuration, you must individually enable each standard in each account and each Region.
+How you enable a standard depends on whether you use [central configuration](./central-configuration-intro.html) to manage Security Hub for multiple accounts and AWS Regions. We recommend using central configuration if you want to enable standards in multi-account, multi-Region environments. You can use central configuration if you integrate Security Hub with AWS Organizations. If you don't use central configuration, you must enable each standard separately in each account and each Region.
@@ -19 +19 @@ The instructions for enabling a standard vary based on whether or not you use [c
-## Enabling a standard in multiple accounts and Regions
+## Enabling a standard in multiple accounts and AWS Regions
@@ -21 +21 @@ The instructions for enabling a standard vary based on whether or not you use [c
-To enable a security standard across multiple accounts and AWS Regions, you must use [central configuration](./central-configuration-intro.html).
+To enable and configure a security standard across multiple accounts and AWS Regions, use [central configuration](./central-configuration-intro.html). With central configuration, the delegated Security Hub administrator can create Security Hub configuration policies that enable one or more standards. The administrator can then associate a configuration policy with individual accounts, organizational units (OUs), or the root. A configuration policy affects the home Region, also referred to as an _aggregation Region_ , and all linked Regions.
@@ -23 +23 @@ To enable a security standard across multiple accounts and AWS Regions, you must
-When you use central configuration, the delegated administrator can create Security Hub configuration policies that enable one or more standards. You can then associate the configuration policy with specific accounts and organizational units (OUs) or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.
+Configuration policies offer customization options. For example, you might choose to enable only the AWS Foundational Security Best Practices (FSBP) standard for one OU. For another OU, you might choose to enable both the FSBP standard and the Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0 standard. For information about creating a configuration policy that enables particular standards that you specify, see [Creating and associating configuration policies](./create-associate-policy.html).
@@ -25,3 +25 @@ When you use central configuration, the delegated administrator can create Secur
-Configuration policies offer customization. For example, you can choose to enable only AWS Foundational Security Best Practices (FSBP) in one OU, and you can choose to enable FSBP and Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0 in another OU. For instructions on creating a configuration policy that enables specified standards, see [Creating and associating configuration policies](./create-associate-policy.html)
-
-If you use central configuration, Security Hub doesn't automatically enable any standards in new or existing accounts. Instead, when creating a configuration policy, the delegated administrator defines which standards to enable in different accounts. Security Hub offers a recommended configuration policy in which only FSBP is enabled. For more information, see [Types of configuration policies](./configuration-policies-overview.html#policy-types).
+If you use central configuration, Security Hub doesn't automatically enable any standards in new or existing accounts. Instead, the Security Hub administrator specifies which standards to enable in different accounts when they create Security Hub configuration policies for their organization. Security Hub offers a recommended configuration policy in which only the FSBP standard is enabled. For more information, see [Types of configuration policies](./configuration-policies-overview.html#policy-types).
@@ -31 +29 @@ If you use central configuration, Security Hub doesn't automatically enable any
-The delegated administrator can create configuration policies to enable any standard except [Service-Managed Standard: AWS Control Tower](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html). You can enable this standard only in the AWS Control Tower service. If you use central configuration, you can enable and disable controls in this standard for a centrally managed account only in AWS Control Tower.
+The Security Hub administrator can use configuration policies to enable any standard except the [AWS Control Tower service-managed standard](./service-managed-standard-aws-control-tower.html). To enable this standard, the administrator must use AWS Control Tower directly. They must also use AWS Control Tower to enable or disable individual controls in this standard for a centrally managed account.
@@ -33 +31 @@ The delegated administrator can create configuration policies to enable any stan
-If you want some accounts to configure their own standards rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure standards separately in each Region.
+If you want some accounts to enable and configure standards for their own accounts, the Security Hub administrator can designate those accounts as _self-managed accounts_. Self-managed accounts must enable and configure standards separately in each Region.
@@ -35 +33 @@ If you want some accounts to configure their own standards rather than the deleg
-## Enabling a standard in a single account and Region
+## Enabling a standard in a single account and AWS Region
@@ -37 +35 @@ If you want some accounts to configure their own standards rather than the deleg
-If you don't use central configuration or if you are a self-managed account, you can't use configuration policies to centrally enable standards in multiple accounts and Regions. However, you can use the following steps to enable a standard in a single account and Region.
+If you don't use central configuration or you have a self-managed account, you can't use configuration policies to centrally enable security standards in multiple accounts or AWS Regions. However, you can enable a standard in a single account and Region. You can do this by using the Security Hub console or the Security Hub API.
@@ -41,0 +40,2 @@ Security Hub console
+Follow these steps to enable a standard in one account and Region by using the Security Hub console.
+
@@ -46 +46 @@ Security Hub console
-  2. Confirm that you are using Security Hub in the Region in which you want to enable the standard.
+  2. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to enable the standard.
@@ -48 +48 @@ Security Hub console
-  3. In the Security Hub navigation pane, choose **Security standards**.
+  3. In the navigation pane, choose **Security standards**. The **Security standards** page lists all the standards that Security Hub currently supports. If you already enabled a standard, the section for the standard includes the current security score and additional details for the standard.
@@ -50 +50 @@ Security Hub console
-  4. For the standard you want to enable, choose **Enable**. This also enables all controls within that standard.
+  4. In the section for the standard that you want to enable, choose **Enable standard**.
@@ -52 +51,0 @@ Security Hub console
-  5. Repeat in each Region in which you want to enable the standard.
@@ -55,0 +55 @@ Security Hub console
+To enable the standard in additional Regions, repeat the preceding steps in each additional Region.
@@ -60 +60 @@ Security Hub API
-###### To enable a standard in one account and Region
+To enable a standard programmatically in a single account and Region, use the [BatchEnableStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchEnableStandards.html) operation. Or, if you're using the AWS Command Line Interface (AWS CLI), run the [batch-enable-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-enable-standards.html) command.
@@ -62 +62 @@ Security Hub API
-  1. Invoke the [BatchEnableStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchEnableStandards.html) API.
+In your request, use the `StandardsArn` parameter to specify the Amazon Resource Name (ARN) of the standard that you want to enable. Also specify the Region that your request applies to. For example, the following command enables the AWS Foundational Security Best Practices v1.0.0 (FSBP) standard:
@@ -64 +63,0 @@ Security Hub API
-  2. Provide the Amazon Resource Name (ARN) of the standard that you want to enable. To obtain the standard ARN, invoke the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API.
@@ -66 +65,3 @@ Security Hub API
-  3. Repeat in each Region in which you want to enable the standard.
+    $ aws securityhub batch-enable-standards \
+    --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}' \
+    --region us-east-1
@@ -67,0 +69 @@ Security Hub API
+Where `arn:aws:securityhub:`us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0`` is the ARN of the FSBP standard in the US East (N. Virginia) Region, and `us-east-1` is the Region in which to enable it.
@@ -68,0 +71 @@ Security Hub API
+To obtain the ARN for a standard, use the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) operation or, if you're using the AWS CLI, run the [describe-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/describe-standards.html) command.
@@ -69,0 +73 @@ Security Hub API
+To first review a list of standards that are currently enabled in your account, you can use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation. If you're using the AWS CLI, you can run the [get-enabled-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-enabled-standards.html) command to retrieve this list.
@@ -71 +75 @@ Security Hub API
-AWS CLI
+After you enable a standard, Security Hub begins performing tasks to enable the standard in the account and the specified Region. This includes creating all the controls that apply to the standard. To monitor the status of these tasks, you can check the status of the standard for the account and Region.
@@ -72,0 +77 @@ AWS CLI
+## Checking the status of a standard
@@ -74 +79,38 @@ AWS CLI
-###### To enable a standard in one account and Region
+When you enable a security standard for an account, Security Hub begins creating all the controls that apply to the standard in the account. Security Hub also performs additional tasks to enable the standard for the account, such as generating a preliminary security score for the standard. While Security Hub performs these tasks, the status of the standard is _Pending_ for the account. The status of the standard then passes through additional states, which you can monitor and check.
+
+###### Note
+
+Changes to individual controls for a standard don't affect the overall status of the standard. For example, if you enable a control that you previously disabled, your change doesn't affect the status of the standard. Similarly, if you change a parameter value for an enabled control, your change doesn't affect the status of the standard.
+
+To check the status of a standard by using the Security Hub console, choose **Security standards** in the navigation pane. The **Security standards** page lists all the standards that Security Hub currently supports. If Security Hub is currently performing tasks to enable the standard, the section for the standard indicates that Security Hub is still generating a security score for the standard. If a standard is enabled, the section for the standard includes the current score. Choose **View results** to review additional details, including the status of individual controls that apply to the standard. For more information, see [Schedule for running security checks](./securityhub-standards-schedule.html).
+
+To check the status of a standard programmatically with the Security Hub API, use the [GetEnabledStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation. In your request, optionally use the `StandardsSubscriptionArns` parameter to specify the Amazon Resource Name (ARN) of the standard whose status you want to check. If you're using the AWS Command Line Interface (AWS CLI), you can run the [get-enabled-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-enabled-standards.html) command to check the status of a standard. To specify the ARN of the standard to check, use the `standards-subscription-arns` parameter. To determine which ARN to specify, you can use the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) operation or, for the AWS CLI, run the [describe-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/describe-standards.html) command.
+
+If your request succeeds, Security Hub responds with an array of `StandardsSubscription` objects. A _standard subscription_ is an AWS resource that Security Hub creates in an account when a standard is enabled for the account. Each `StandardsSubscription` object provides details about a standard that is currently enabled or is being enabled or disabled for the account. Within each object, the `StandardsStatus` field specifies the current status of the standard for the account.
+
+The status of a standard (`StandardsStatus`) can be one of the following.
+
+**PENDING**
+    
+
+Security Hub is currently performing tasks to enable the standard for the account. This includes creating the controls that apply to the standard, and generating a preliminary security score for the standard. It can take several minutes for Security Hub to complete all the tasks. A standard can also have this status if it's already enabled for the account and Security Hub is currently adding new controls to the standard.
+
+If a standard has this status, you might not be able to retrieve the details of individual controls that apply to the standard. In addition, you might not be able to configure or disable individual controls for the standard. For example, if you try to disable a control by using the [UpdateStandardsControl](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_UpdateStandardsControl.html) operation, an error occurs.
+
+To determine whether you can configure or otherwise manage individual controls for the standard, refer to the value for the `StandardsControlsUpdatable` field. If the value for this field is `READY_FOR_UPDATES`, you can start managing individual controls for the standard. Otherwise, wait until Security Hub completes additional processing tasks to enable the standard.
+
+**READY**
+    
+
+The standard is currently enabled for the account. Security Hub can run security checks and generate findings for all the controls that apply to the standard and are currently enabled. Security Hub can also calculate a security score for the standard.
+
+If a standard has this status, you can retrieve the details of individual controls that apply to the standard. In addition, you can configure, disable, or re-enable the controls. You can also disable the standard.
+
+**INCOMPLETE**
+    
+
+Security Hub wasn't able to enable the standard completely for the account. Security Hub can't run security checks and generate findings for all the controls that apply to the standard and are currently enabled. In addition, Security Hub can't calculate a security score for the standard.
+
+To determine why the standard wasn't enabled completely, refer to the information in the `StandardsStatusReason` array. This array specifies issues that prevented Security Hub from enabling the standard. If an internal error occurred, try enabling the standard for the account again. For other types of issues, [check your AWS Config settings](./securityhub-setup-prereqs.html). You can also [disable individual controls](./disable-controls-overview.html) that you don't want to check, or disable the standard completely.
+
+**DELETING**
@@ -76 +117,0 @@ AWS CLI
-  1. Run the [batch-enable-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-enable-standards.html) command.
@@ -78 +119 @@ AWS CLI
-  2. Provide the Amazon Resource Name (ARN) of the standard that you want to enable. To obtain the standard ARN, run the [describe-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/describe-standards.html) command.
+Security Hub is currently processing a request to disable the standard for the account. This includes disabling the controls that apply to the standard, and removing the associated security score. It can take several minutes for Security Hub to finish processing the request.
@@ -80 +121 @@ AWS CLI
-        aws securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn": "standard ARN"}'
+If a standard has this status, you can't re-enable the standard or try to disable it again for the account. Security Hub must finish processing the current request first. In addition, you can't retrieve the details of individual controls that apply to the standard or manage the controls.
@@ -82 +123 @@ AWS CLI
-**Example**
+**FAILED**
@@ -84 +124,0 @@ AWS CLI
-        aws securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}'
@@ -86 +126 @@ AWS CLI
-  3. Repeat in each Region in which you want to enable the standard.
+Security Hub wasn't able to disable the standard for the account. One or more errors occurred when Security Hub attempted to disable the standard. In addition, Security Hub can't calculate a security score for the standard.
@@ -87,0 +128 @@ AWS CLI
+To determine why the standard wasn't disabled completely, refer to the information in the `StandardsStatusReason` array. This array specifies issues that prevented Security Hub from disabling the standard.
@@ -88,0 +130 @@ AWS CLI
+If a standard has this status, you can't retrieve the details of individual controls that apply to the standard or manage the controls. You can, however, re-enable the standard for the account. If you address the issues that prevented Security Hub from disabling the standard, you can also try to disable the standard again.
@@ -89,0 +132 @@ AWS CLI
+If the status of a standard is `READY`, Security Hub runs security checks and generates findings for all the controls that apply to the standard and are currently enabled. For other statuses, Security Hub might run checks and generate findings for some, but not all, enabled controls. It can take up to 24 hours to generate or update control findings. For more information, see [Schedule for running security checks](./securityhub-standards-schedule.html).