AWS securityhub documentation change
Summary
Enhanced documentation about control disabling behavior in Security Hub CSPM, including details about findings archiving timelines, AWS Config rule removal, multi-standard behavior, and added navigation topics.
Security assessment
The changes clarify operational aspects of security controls management but do not address any specific vulnerability. They improve documentation about existing security posture management features without indicating remediation of a security flaw.
Diff
diff --git a/securityhub/latest/userguide/disable-controls-overview.md b/securityhub/latest/userguide/disable-controls-overview.md index d6ed03a9e..5ddd0acfb 100644 --- a//securityhub/latest/userguide/disable-controls-overview.md +++ b//securityhub/latest/userguide/disable-controls-overview.md @@ -7 +7,3 @@ -There are multiple ways to disable a control in AWS Security Hub Cloud Security Posture Management (CSPM). You can disable a control across all security standards or in a specific standard. When you disable a control across all standards, the following occurs: +To reduce finding noise, it can be helpful to disable controls that aren't relevant to your environment. In AWS Security Hub Cloud Security Posture Management (CSPM), you can disable a control across all security standards or for only specific standards. + +If you disable a control across all standards, the following occurs: @@ -11 +13,10 @@ There are multiple ways to disable a control in AWS Security Hub Cloud Security - * No additional findings are generated for that control. + * No additional findings are generated for the control. + + * Existing findings for the control are archived automatically, typically within 3–5 days on a best-effort basis. + + * Security Hub CSPM removes any related AWS Config rules that it created for the control. + + + + +If you disable a control for only specific standards, Security Hub CSPM stops running security checks for the control for only those standards. This also removes the control from [calculations of the security score](./standards-security-score.html) for each of those standards. If the control is enabled in other standards, Security Hub CSPM retains the associated AWS Config rule, if applicable, and continues running security checks for the control for the other standards. Security Hub CSPM also includes the control when it calculates the security score for each of the other standards, which affects your summary security score. @@ -13 +24 @@ There are multiple ways to disable a control in AWS Security Hub Cloud Security - * Existing findings are archived automatically after 3-5 days (note that this is best effort). +If you disable a standard, all of the controls that apply to the standard are disabled automatically for that standard. However, the controls might continue to be enabled in other standards. When you disable a standard, Security Hub CSPM doesn't track which controls were disabled for the standard. Consequently, if you later re-enable the same standard, all the controls that apply to it are automatically enabled. For information about disabling a standard, see [Disabling a standard](./disable-standards.html). @@ -15 +26 @@ There are multiple ways to disable a control in AWS Security Hub Cloud Security - * Any related AWS Config rules that Security Hub CSPM created are removed. +Disabling a control isn't a permanent action. Suppose you disable a control, and then enable a standard that includes the control. The control is then enabled for that standard. When you enable a standard in Security Hub CSPM, all of the controls that apply to that standard are automatically enabled. For information about enabling a standard, see [Enabling a standard](./enable-standards.html). @@ -16,0 +28 @@ There are multiple ways to disable a control in AWS Security Hub Cloud Security +###### Topics @@ -17,0 +30 @@ There are multiple ways to disable a control in AWS Security Hub Cloud Security + * [Disabling a control across standards](./disable-controls-across-standards.html) @@ -18,0 +32 @@ There are multiple ways to disable a control in AWS Security Hub Cloud Security + * [Disabling a control in a specific standard](./disable-controls-standard.html) @@ -20 +34 @@ There are multiple ways to disable a control in AWS Security Hub Cloud Security -If you disable a control in one or more specific standards, Security Hub CSPM doesn't run security checks for the control for the standards you disabled it in, so it doesn't affect the security score for those standards. However, Security Hub CSPM retains the AWS Config rule and continues running security checks for the control if it is enabled in other standards. This can affect your summary security score. + * [Suggested controls to disable](./controls-to-disable.html) @@ -22 +35,0 @@ If you disable a control in one or more specific standards, Security Hub CSPM do -To reduce finding noise, it can be useful to disable controls that aren't relevant to your environment. For recommendations of which controls to disable, see [Security Hub CSPM controls that you might want to disable](https://docs.aws.amazon.com/securityhub/latest/userguide/controls-to-disable.html). @@ -24 +36,0 @@ To reduce finding noise, it can be useful to disable controls that aren't releva -When you disable a standard, all of the controls that apply to the standard are disabled (however, those controls might remain enabled in other standards). For information about disabling a standard, see [Disabling a security standard](./disable-standards.html). @@ -26 +37,0 @@ When you disable a standard, all of the controls that apply to the standard are -When you disable a standard, Security Hub CSPM doesn't track which of its applicable controls were disabled. If you subsequently re-enable the same standard, all of the controls that apply to it are automatically enabled. In addition, disabling a control isn't a permanent action. Suppose you disable a control, and then you enable a standard that was previously disabled. If the standard includes that control, it will be enabled in that standard. When you enable a standard in Security Hub CSPM, all of the controls that apply to that standard are automatically enabled. You can choose to disable specific controls.