Open menu

Review Enabled Security Hub Standards

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security
Cost
optimisation

Risk level: Medium (should be achieved)

Ensure that AWS Security Hub security standards, enabled within your AWS account(s), are reviewed in order to decide whether or not these standards should be considered unwanted and disabled.

This rule resolution is part of the Cloud Conformity Tool

A Security Hub standard, such as CIS AWS Foundations standard, is a predefined collection of rules based on the AWS cloud and industry best practices. Once the Security Hub service is enabled, it immediately begins running continuous and automated checks on your AWS environment's resources against the rules included in the active standards. Then AWS Security Hub generates findings based on the results of the checks defined within the enabled standards. Even if these standards help you adhere to industry (including AWS) best practices, there can be scenarios where specific security standards are not needed or are considered unwanted due to regulatory requirements that these promote, or where these need to be disabled to lower the cost of the monthly AWS bill as standards rules use the configuration items recorded by AWS Config, therefore Config service charges apply.

Audit

To check for unwanted Security Hub standards enabled within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Security Hub dashboard at https://console.aws.amazon.com/securityhub/.

03 In the left navigation panel, choose Standards to view the Security Hub standards enabled within the current AWS region.

04 Choose the active Security Hub standard that you want to examine and click on its name (link) to access the rules promoted by the selected security standard. Based on the compatibility between the standard’s rules (checks) and your AWS cloud environment configuration, decide whether the selected security standard is required or not. If the standard is not needed, follow the steps outlined in the Remediation/Resolution section to disable it.

05 Repeat step no. 4 to review other enabled Amazon Security Hub standards, available in the current region.

06 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run get-enabled-standards command (OSX/Linux/UNIX) to list and describe the AWS Security Hub standards enabled within the selected AWS region:

aws securityhub get-enabled-standards 
	--region us-east-1

02 The command output should return the metadata available for the enabled security standards:

{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.x.x",
            "StandardsInput": {},
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.x.x",
        },
 
        ...
 
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.x.x",
            "StandardsInput": {},
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.x.x",
        }
    ]
}

03 Identify the name and the version (highlighted in the get-enabled-standards command output) of each security standard enabled within the selected region and determine the compliance rules available for each standard, listed at this URL (AWS official documentation).

04 Based on the compatibility between the standard’s rules and your AWS environment configuration, decide whether the selected security standard is required or not. If the standard is not needed for your cloud environment, follow the steps presented in the Remediation/Resolution section to disable it.

05 Repeat steps no. 1 – 4 to review other enabled Amazon Security Hub standards, available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To disable any unwanted AWS Security Hub standards enabled within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Security Hub dashboard at https://console.aws.amazon.com/securityhub/.

03 In the left navigation panel, choose Insights.

04 Choose the active Security Hub standard that you want to disable (see Audit section part I to identify the right security standard), then click Disable to shut down the specified standard.

05 Repeat step no. 4 to disable other unwanted Amazon Security Hub standards, available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat the process for other regions.

Using AWS CLI

01 Run batch-disable-standards command (OSX/Linux/UNIX) using the subscription ARN of the unwanted security standard (see Audit section part I to identify the right resource) to disable the specified Amazon Security Hub standard within the selected AWS region:

aws securityhub batch-disable-standards
	--region us-east-1
	--standards-subscription-arns arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.x.x

02 The command output should return the metadata available for the selected security standard:

{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.x.x",
            "StandardsInput": {},
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:575392585563:subscription/cis-aws-foundations-benchmark/v/1.x.x",
            "StandardsStatus": "DELETING"
        }
    ]
}

03 Repeat step no. 1 and 2 to disable other unneeded Amazon Security Hub standards, available within the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Dec 14, 2018