AWS securityhub documentation change
Summary
Updated documentation for disabling Security Hub with expanded details on consequences (data deletion timeline, re-enabling implications), added guidance for preserving findings via EventBridge, restructured disablement procedures, and clarified administrative constraints.
Security assessment
The changes clarify security-related consequences of disabling Security Hub (e.g., permanent data deletion after 90 days, risks of duplicate findings upon re-enabling) and provide proactive measures to preserve findings (EventBridge export). While these updates improve security awareness, they document existing functionality rather than address a specific vulnerability.
Diff
diff --git a/securityhub/latest/userguide/securityhub-disable.md b/securityhub/latest/userguide/securityhub-disable.md index 6435eb147..2ddcec472 100644 --- a//securityhub/latest/userguide/securityhub-disable.md +++ b//securityhub/latest/userguide/securityhub-disable.md @@ -7 +7 @@ -###### Note +You can disable AWS Security Hub by using the Security Hub console or the Security Hub API. If you disable Security Hub, you can enable it again later. @@ -9 +9 @@ -If you use central configuration, the delegated AWS Security Hub administrator can create configuration policies that disable Security Hub in specific accounts and organizational units (OUs) and keep it enabled in others. Configuration policies take effect in your home Region and all linked Regions. For more information, see [Understanding central configuration in Security Hub](./central-configuration-intro.html). +If your organization uses central configuration, the delegated AWS Security Hub administrator can create configuration policies that disable Security Hub for specific accounts and organizational units (OUs), and keep Security Hub enabled for others. Configuration policies affect the home Region and all linked Regions. For more information, see [Understanding central configuration in Security Hub](./central-configuration-intro.html). @@ -11 +11 @@ If you use central configuration, the delegated AWS Security Hub administrator c -You can use the Security Hub console, Security Hub API, or AWS CLI to disable Security Hub. +If you disable Security Hub for an account, the following occurs: @@ -13 +13 @@ You can use the Security Hub console, Security Hub API, or AWS CLI to disable Se -The following occurs when you disable Security Hub for an account: + * Any enabled standards and controls are disabled for the account. @@ -15 +15 @@ The following occurs when you disable Security Hub for an account: - * No new findings are generated or ingested for the account. + * Security Hub stops generating and ingesting new findings for the account. @@ -17 +17 @@ The following occurs when you disable Security Hub for an account: - * After 90 days, your existing findings and insights and any Security Hub configuration settings are deleted and cannot be recovered. + * After 90 days, Security Hub permanently deletes all existing findings for the account. The findings cannot be recovered by using Security Hub. @@ -19 +19 @@ The following occurs when you disable Security Hub for an account: -If you want to save your existing findings, you must export them before you disable Security Hub. For more information, see [Effect of account actions on Security Hub data](./securityhub-data-retention.html). + * After 90 days, Security Hub permanently deletes existing insights and Security Hub configuration settings for the account. The data and settings cannot be recovered. @@ -21 +20,0 @@ If you want to save your existing findings, you must export them before you disa - * Any enabled standards and controls are disabled. @@ -24,0 +24 @@ If you want to save your existing findings, you must export them before you disa +To retain existing findings for more than 90 days, you can use a custom action with an Amazon EventBridge rule to export the findings to an S3 bucket before you disable Security Hub. For more information, see [Using EventBridge for automated response and remediation](./securityhub-cloudwatch-events.html). @@ -26 +26 @@ If you want to save your existing findings, you must export them before you disa -You can't disable Security Hub in the following cases: +If you re-enable Security Hub within 90 days of disabling it for an account, you regain access to existing findings, insights, and Security Hub configuration settings for the account. However, existing findings might be inaccurate because they will reflect the state of your AWS environment when you disabled Security Hub. In addition, as you re-enable individual standards and controls, Security Hub might initially generate duplicate findings for specific AWS resources, depending on the standards and controls that you enable. For these reasons, we recommend that you do one of the following: @@ -28 +28 @@ You can't disable Security Hub in the following cases: - * Your account is the designated Security Hub administrator account for an organization. If you use central configuration, you can't associate a configuration policy that disables Security Hub with the delegated administrator account. The association can succeed for other accounts, but Security Hub doesn't apply such a policy to the delegated administrator account. + * Change the workflow status of all existing findings to `RESOLVED` before you disable Security Hub. For more information, see [Setting the workflow status of findings](./findings-workflow-status.html). @@ -30 +30 @@ You can't disable Security Hub in the following cases: - * Your account is a Security Hub administrator account by invitation, and you have member accounts. Before you can disable Security Hub, you must disassociate all of your member accounts. See [Disassociating member accounts in Security Hub](./securityhub-disassociate-members.html). + * Disable all standards at least six days before you disable Security Hub. Security Hub then archives all existing findings on a best-effort basis, typically within three to five days. For more information, see [Disabling a standard](./disable-standards.html). @@ -35 +35 @@ You can't disable Security Hub in the following cases: -Before the owner of a member account can disable Security Hub, the account must be disassociated from its administrator account. For an organization account, only the administrator account can disassociate member accounts. For more information, see [Disassociating Security Hub member accounts from your organization](./accounts-orgs-disassociate.html). For manually invited accounts, either the administrator account or the member account can disassociate the member account. For more information, see [Disassociating member accounts in Security Hub](./securityhub-disassociate-members.html) or [Disassociating from a Security Hub administrator account](./securityhub-disassociate-from-admin.html). Disassociation isn't required if you use central configuration because you can create a policy that disables Security Hub in specific member accounts. +You can't disable Security Hub in the following cases: @@ -37 +37 @@ Before the owner of a member account can disable Security Hub, the account must -When you disable Security Hub in an account, it is disabled only in the current Region. However, if you use central configuration to disable Security Hub in specific accounts, it is disabled in the home Region and all linked Regions. + * Your account is the delegated Security Hub administrator account for an organization. If you use central configuration, you can't associate a configuration policy that disables Security Hub for the delegated administrator account. The association can succeed for other accounts, but Security Hub doesn't apply such a policy to the delegated administrator account. @@ -39 +39 @@ When you disable Security Hub in an account, it is disabled only in the current -Choose your preferred method, and follow the steps to disable Security Hub. + * Your account is a Security Hub administrator account by invitation, and you have member accounts. Before you can disable Security Hub, you must disassociate all of your member accounts. To learn how, see [Disassociating member accounts in Security Hub](./securityhub-disassociate-members.html). @@ -41 +40,0 @@ Choose your preferred method, and follow the steps to disable Security Hub. -Security Hub console @@ -44 +42,0 @@ Security Hub console -###### To disable Security Hub @@ -46 +44 @@ Security Hub console - 1. Open the AWS Security Hub console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/). +Before the owner of a member account can disable Security Hub, the account must be disassociated from its administrator account. For an organization account, only the administrator account can disassociate member accounts. For more information, see [Disassociating Security Hub member accounts from your organization](./accounts-orgs-disassociate.html). For manually invited accounts, either the administrator account or the member account can disassociate the member account. For more information, see [Disassociating member accounts in Security Hub](./securityhub-disassociate-members.html) or [Disassociating from a Security Hub administrator account](./securityhub-disassociate-from-admin.html). Disassociation isn't required if you use central configuration because the Security Hub administrator can create a policy that disables Security Hub for specific member accounts. @@ -48 +46 @@ Security Hub console - 2. On the navigation pane, choose **Settings**. +When you disable Security Hub for an account, it is disabled only in the current Region. However, if you use central configuration to disable Security Hub for specific accounts, it is disabled in the home Region and all linked Regions. @@ -50 +48 @@ Security Hub console - 3. On the **Settings** page, choose **General**. +To disable Security Hub, choose your preferred method and follow the steps. @@ -52 +50 @@ Security Hub console - 4. Under **Disable AWS Security Hub** , choose **Disable AWS Security Hub**. Then choose **Disable AWS Security Hub** again. +Security Hub console @@ -54,0 +53 @@ Security Hub console +###### To disable Security Hub @@ -55,0 +55 @@ Security Hub console + 1. Open the AWS Security Hub console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/). @@ -57 +57 @@ Security Hub console -Security Hub API + 2. In the navigation pane, under **Settings** , choose **General**. @@ -58,0 +59 @@ Security Hub API + 3. In the **Disable AWS Security Hub** section, choose **Disable AWS Security Hub**. @@ -60 +61 @@ Security Hub API -**To disable Security Hub** + 4. When prompted for confirmation, choose **Disable AWS Security Hub**. @@ -62 +62,0 @@ Security Hub API -Invoke the [`DisableSecurityHub`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html) API. @@ -64 +63,0 @@ Invoke the [`DisableSecurityHub`](https://docs.aws.amazon.com/securityhub/1.0/AP -AWS CLI @@ -67 +66 @@ AWS CLI -**To disable Security Hub** +Security Hub API @@ -69 +67,0 @@ AWS CLI -Run the [`disable-security-hub`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disable-security-hub.html) command. @@ -71 +69 @@ Run the [`disable-security-hub`](https://docs.aws.amazon.com/cli/latest/referenc -**Example command:** +To disable Security Hub programmatically, use the [DisableSecurityHub](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html) operation of the Security Hub API. Or, if you're using the AWS CLI, run the [disable-security-hub](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disable-security-hub.html) command. For example, the following command disables Security Hub in the current AWS Region: @@ -74 +72 @@ Run the [`disable-security-hub`](https://docs.aws.amazon.com/cli/latest/referenc - aws securityhub disable-security-hub + $ aws securityhub disable-security-hub