AWS securityhub documentation change
Summary
Updated documentation structure and content for reviewing security standards controls. Added detailed steps for console/API usage, filtering options, control status explanations, and aggregation behavior across accounts/regions.
Security assessment
The changes enhance documentation about security controls and compliance monitoring features in AWS Security Hub, but there is no evidence of addressing a specific security vulnerability or incident. The updates focus on improving clarity and operational guidance for existing security features.
Diff
diff --git a/securityhub/latest/userguide/securityhub-standards-view-controls.md b/securityhub/latest/userguide/securityhub-standards-view-controls.md index 4e3f3aa88..249a87327 100644 --- a//securityhub/latest/userguide/securityhub-standards-view-controls.md +++ b//securityhub/latest/userguide/securityhub-standards-view-controls.md @@ -5 +5 @@ -Understanding the standard security score +Understanding the standard security scoreReviewing the controls for a standard @@ -7 +7 @@ Understanding the standard security score -# Reviewing details of an enabled standard +# Reviewing the details of a security standard @@ -9 +9 @@ Understanding the standard security score -On the AWS Security Hub console, the details page for a standard includes the following information: +After you enable a security standard in AWS Security Hub, you can use the console to review the details of the standard. On the console, the details page for a standard includes the following information: @@ -11 +11 @@ On the AWS Security Hub console, the details page for a standard includes the fo - * The security score for the standard. + * The current security score for the standard. @@ -13 +13 @@ On the AWS Security Hub console, the details page for a standard includes the fo - * A visual summary of the control statuses for the controls that apply to the standard. + * A table of controls that apply to the standard. @@ -15 +15 @@ On the AWS Security Hub console, the details page for a standard includes the fo - * A visual summary of security checks for the controls that are enabled in the standard. If you integrate with AWS Organizations, controls that are enabled in at least one organization account are considered enabled. + * Aggregated statistics for controls that apply to the standard. @@ -17 +17 @@ On the AWS Security Hub console, the details page for a standard includes the fo - * A list of controls that apply to the standard. You can filter and sort the controls as needed. + * A visual summary of the status of the controls that apply to the standard. @@ -18,0 +19 @@ On the AWS Security Hub console, the details page for a standard includes the fo + * A visual summary of security checks for controls that are enabled and apply to the standard. If you integrate with AWS Organizations, controls that are enabled in at least one organization account are considered enabled. @@ -22 +22,0 @@ On the AWS Security Hub console, the details page for a standard includes the fo -This section explains how to retrieve the details of a standard. @@ -24 +24 @@ This section explains how to retrieve the details of a standard. -###### To view details of a standard (console) +To review these details, choose **Security standards** in the navigation pane on the console. Then, in the section for the standard, choose **View results**. For deeper analysis, you can filter and sort the data, and drill down to review the details of individual controls that apply to the standard. @@ -26 +26 @@ This section explains how to retrieve the details of a standard. - 1. Open the AWS Security Hub console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/). +###### Topics @@ -28 +28 @@ This section explains how to retrieve the details of a standard. - 2. In the navigation pane, choose **Security standards**. + * Understanding the standard security score @@ -30 +30 @@ This section explains how to retrieve the details of a standard. - 3. For the standard that you want to display the details for, choose **View results**. + * Reviewing the controls for a standard @@ -37 +37 @@ This section explains how to retrieve the details of a standard. -At the top of the standard details page is the security score for the standard. The score is the percentage of controls that passed evaluation, relative to the total number of controls that apply to the standard, are enabled, and have evaluation data. Next to the score is a chart that summarizes security checks for controls that are enabled in the standard. The chart shows the number of passed and failed security checks. For administrator accounts, the standard score and chart are aggregated across the administrator account and all member accounts. You can choose a specific severity level to review failed security checks for controls of the chosen severity level. +On the AWS Security Hub console, the details page for a standard displays the security score for the standard. The score is the percentage of controls that passed evaluation, relative to the total number of controls that apply to the standard, are enabled, and have evaluation data. Under the score is a chart that summarizes security checks for controls that are enabled for the standard. This includes the number of passed and failed security checks. For administrator accounts, the standard score and chart are aggregated across the administrator account and all member accounts. To review failed security checks for controls that have a specific severity, choose the severity. @@ -41 +41,63 @@ When you enable a standard, Security Hub generates a preliminary security score -All the data on **Security standards** details pages is specific to the current Region unless you have set an aggregation Region. If you have set an aggregation Region, the security scores apply across Regions and include findings in all linked Regions. The compliance status of controls on standard details pages also reflect findings from linked Regions, and the number of security checks includes findings from linked Regions. +All the data on **Security standards** detail pages is specific to the current AWS Region unless you set an aggregation Region. If you set an aggregation Region, security scores apply across Regions and include findings for all linked Regions. In addition, the compliance status of controls reflects findings from linked Regions, and the number of security checks includes findings from linked Regions. + +## Reviewing the controls for a standard + +When you use the AWS Security Hub console to review the details of a standard that you enabled, you can review a table of security controls that apply to the standard. For each control, the table includes the following information: + + * The control ID and title. + + * The status of the control. For more information, see [Evaluating compliance status and control status in Security Hub](./controls-overall-status.html). + + * The severity assigned to the control. + + * The number of failed checks and the total number of checks. If applicable, the **Failed checks** field also specifies the number of findings with a status of **Unknown**. + + * Whether the control supports custom parameters. For more information, see [Understanding control parameters in Security Hub](./custom-control-parameters.html). + + + + +Security Hub updates control statuses and the count of security checks every 24 hours. A timestamp at the top of the page indicates when Security Hub most recently updated this data. + +For administrator accounts, control statuses and the number of security checks are aggregated across the administrator account and all member accounts. The count of enabled controls includes controls that are enabled for the standard in the administrator account or at least one member account. The count of disabled controls includes controls that are disabled for the standard in the administrator account and all member accounts. + +You can filter the table of controls that apply to the standard. Using the **Filter by** options next to the table, you can choose to view only enabled or only disabled controls for the standard. If you display only enabled controls, you can further filter the table by control status. You can then focus on controls that have a specific control status. In addition to the **Filter by** options, you can enter filter criteria in the **Filter controls** box. For example, you can filter by control ID or title. + +Choose your preferred access method. Then follow the steps to review the controls that apply to a standard that you enabled. + +Security Hub console + + +###### To review the controls for an enabled standard + + 1. Open the AWS Security Hub console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/). + + 2. Choose **Security standards** in the navigation pane. + + 3. In the section for the standard, choose **View results**. + + + + +The table at the bottom of the page lists all the controls that apply to the standard. You can filter and sort the table. You can also download the current page of the table as a CSV file. To do this, choose **Download** above the table. If you filter the table, the downloaded file includes only the controls that match your current filter settings. + +Security Hub API + + +###### To review the controls for an enabled standard + + 1. Use the [ListSecurityControlDefinitions](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html) operation of the Security Hub API. If you're using the AWS CLI, run the [list-security-control-definitions](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-security-control-definitions.html) command. + +Specify the Amazon Resource Name (ARN) of the standard that you want to review controls for. To obtain ARNs for standards, use the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) operation or run the [describe-standards](https://docs.aws.amazon.com/cli/latest/reference/securityhub/describe-standards.html) command. If you don't specify the ARN for a standard, Security Hub returns all security control IDs. + + 2. Use the [ListStandardsControlAssociations](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html) operation of the Security Hub API, or run the [list-standards-control-associations](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-standards-control-associations.html) command. This operation tells you which standards a control is enabled in. + +Identify the control by providing the security control ID or ARN. Pagination parameters are optional. + + + + +The following example tells you which standards the Config.1 control is enabled in. + + + $ aws securityhub list-standards-control-associations --region us-east-1 --security-control-id Config.1 @@ -49 +111 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Turning off auto-enabled standards +Enabling a standard @@ -51 +113 @@ Turning off auto-enabled standards -Viewing the controls for an enabled standard +Turning off auto-enabled standards