AWS securityhub documentation change
Summary
Updated documentation on disabling automatic enablement of security standards, clarified configuration types, added detailed console steps, and updated API examples.
Security assessment
The changes clarify how to manage security standards configuration in Security Hub, particularly disabling auto-enablement. While this relates to security configuration management, there is no evidence of addressing a specific vulnerability or incident. The updates enhance documentation about existing security features.
Diff
diff --git a/securityhub/latest/userguide/securityhub-auto-enabled-standards.md b/securityhub/latest/userguide/securityhub-auto-enabled-standards.md index 46f117ea8..674aace83 100644 --- a//securityhub/latest/userguide/securityhub-auto-enabled-standards.md +++ b//securityhub/latest/userguide/securityhub-auto-enabled-standards.md @@ -5 +5 @@ -# Turning off automatically enabled standards +# Turning off automatically enabled security standards @@ -7 +7 @@ -If you don't use central configuration, your organization uses a configuration type called local configuration. Under local configuration, Security Hub can automatically enable default security standards in new member accounts when they join your organization. All controls that are part of the default standards are also automatically enabled. +If your organization doesn't use central configuration, it uses a configuration type called _local configuration_. With local configuration, AWS Security Hub can automatically enable default security standards for new member accounts when the accounts join your organization. All the controls that apply to these default standards are also enabled automatically. @@ -9 +9 @@ If you don't use central configuration, your organization uses a configuration t -Currently, the default security standards that are automatically enabled are **AWS Foundational Security Best Practices v1.0.0** and **Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0**. You can turn off automatically enabled standards if you prefer to manually enable standards in new accounts. +Currently, the default security standards are the AWS Foundational Security Best Practices v1.0.0 standard and the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 standard. For information about these standards, see the [Security Hub standards reference](./standards-reference.html). @@ -11 +11 @@ Currently, the default security standards that are automatically enabled are **A -If you use central configuration, you can create a configuration policy that enables the default standards and associate this policy with the root. All of your organization accounts and OUs will inherit this configuration policy unless they are associated with a different policy or are self-managed. +If you prefer to manually enable security standards for new member accounts, you can turn off automatic enablement of the default standards. You can do this only if you integrate with AWS Organizations and use local configuration. If you use central configuration, you can instead create a configuration policy that enables the default standards and associate the policy with the root. All of your organization accounts and OUs then inherit this configuration policy unless they are associated with a different policy or are self-managed. If you don't integrate with AWS Organizations, you can disable a default standard when you initially enable Security Hub or later. To learn how, see [Disabling a standard](./disable-standards.html). @@ -13 +13 @@ If you use central configuration, you can create a configuration policy that ena -The following steps apply only if you integrate with AWS Organizations and use local configuration. If you don't use the Organizations integration, you can turn off a default standard when you first enable Security Hub, or you can follow the steps for [Disabling a standard in a single account and AWS Region](./disable-standards.html#securityhub-standard-disable-console). +To turn off automatic enablement of the default standards for new member accounts, you can use the Security Hub console or the Security Hub API. @@ -18 +18,3 @@ Security Hub console -###### To turn off automatically enabled standards (console) +Follow these steps to turn off automatic enablement of the default standards by using the Security Hub console. + +###### To turn off automatic enablement of default standards @@ -24 +26 @@ Sign in using the credentials of the administrator account. - 2. In the Security Hub navigation pane, under **Settings** , choose **Configuration**. + 2. In the navigation pane, under **Settings** , choose **Configuration**. @@ -26 +28 @@ Sign in using the credentials of the administrator account. - 3. In the **Accounts** section, turn off **Auto-enable default standards**. + 3. In the **Overview** section, choose **Edit**. @@ -27,0 +30 @@ Sign in using the credentials of the administrator account. + 4. Under **New account settings** , clear the **Enable the default security standards** checkbox. @@ -28,0 +32 @@ Sign in using the credentials of the administrator account. + 5. Choose **Confirm**. @@ -31 +34,0 @@ Sign in using the credentials of the administrator account. -Security Hub API @@ -34 +37 @@ Security Hub API -**To turn off automatically enabled standards (API)** +Security Hub API @@ -36 +38,0 @@ Security Hub API -Use the [UpdateOrganizationConfiguration](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html) operation of the Security Hub API from the Security Hub administrator account. If you use the AWS CLI, run the [update-organization-configuration](https://docs.aws.amazon.com/cli/latest/reference/securityhub/update-organization-configuration.html) command. @@ -38 +40 @@ Use the [UpdateOrganizationConfiguration](https://docs.aws.amazon.com/securityhu -To turn off automatically enabled standards in new member accounts, set `AutoEnableStandards` equal to `NONE`. +To turn off automatic enablement of the default standards programmatically, from the Security Hub administrator account, use the [UpdateOrganizationConfiguration](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html) operation of the Security Hub API. In your request, specify `NONE` for the `AutoEnableStandards` parameter. @@ -40 +42 @@ To turn off automatically enabled standards in new member accounts, set `AutoEna -For example, the following AWS CLI command turns off automatically enabled standards. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability. +If you're using the AWS CLI, run the [update-organization-configuration](https://docs.aws.amazon.com/cli/latest/reference/securityhub/update-organization-configuration.html) command to turn off automatic enablement of the default standards. For the `auto-enable-standards` parameter, specify `NONE`. For example, the following command automatically enables Security Hub for new member accounts, and turns off automatic enablement of the default standards for the accounts. @@ -43 +45 @@ For example, the following AWS CLI command turns off automatically enabled stand - $ aws securityhub update-organization-configuration --auto-enable-standards NONE + $ aws securityhub update-organization-configuration --auto-enable --auto-enable-standards NONE @@ -51 +53 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Disabling a standard +Reviewing the details of a standard @@ -53 +55 @@ Disabling a standard -Reviewing details of an enabled standard +Disabling a standard