Managing Security Hub Standards in AWS

Kubernetes Advocate
AVM Consulting Blog
Aug 6, 2022

A Security Hub standard, such as the CIS AWS Foundations standard, is a predefined collection of rules based on the AWS cloud and industry best practices. Once the Security Hub service is enabled, it immediately begins running continuous and automated checks on your AWS environment’s resources against the rules included in the active standards.

Using AWS CLI

1. Run the get-enabled-standards command (OSX/Linux/UNIX) to list and describe the AWS Security Hub standards enabled within the selected AWS region:

aws securityhub get-enabled-standards \
    --region us-east-1

2. The command output should return the metadata available for the enabled security standards:

{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.x.x",
            "StandardsInput": {},
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.x.x"
        },
        ...
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.x.x",
            "StandardsInput": {},
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.x.x"
        }
    ]
}

3. Identify the name and the version of each security standard enabled within the selected region (both appear in the StandardsArn value of the get-enabled-standards output, as <name>/v/<version>) and determine the compliance rules available for each standard, as listed in the AWS official documentation.

4. Based on the compatibility between the standard's rules and your AWS environment configuration, decide whether the selected security standard is required. If the standard is not needed for your cloud environment, follow the steps in the Resolution section below to disable it.

5. Repeat steps 1–4 to review the other Amazon Security Hub standards enabled in the selected region.

6. Change the AWS region by updating the --region command parameter value and repeat the audit process for the other regions.

Resolution

To disable any unwanted AWS Security Hub standards enabled within your AWS account, perform the following actions:

Using AWS CLI

1. Run the batch-disable-standards command (OSX/Linux/UNIX) with the subscription ARN of the unwanted security standard (see the audit steps above to identify the right resource) to disable the specified Amazon Security Hub standard within the selected AWS region:

aws securityhub batch-disable-standards \
    --region us-east-1 \
    --standards-subscription-arns arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.x.x

2. The command output should return the metadata for the selected security standard; a StandardsStatus of DELETING confirms the standard is being disabled:

{
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.x.x",
            "StandardsInput": {},
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:575392585563:subscription/cis-aws-foundations-benchmark/v/1.x.x",
            "StandardsStatus": "DELETING"
        }
    ]
}

3. Repeat steps 1 and 2 to disable the other unneeded Amazon Security Hub standards enabled within the selected region.

4. Change the AWS region by updating the --region command parameter value and repeat the entire process for the other regions.
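The audit steps above (read the standard name and version off each StandardsArn, decide which standards to keep) and the resolution steps (feed the unwanted subscription ARNs to batch-disable-standards) are easy to get wrong by hand when repeated across many regions. The script below is an added example, not code from the original post or from AWS: it parses the JSON that get-enabled-standards prints, keeps an approved list of standard names, and builds the exact batch-disable-standards command for everything else, so the command can be reviewed before it is run. The sample output is constructed, 123456789012 is a placeholder account id, and the approved set is an assumption you would replace with your own.

```python
"""Plan Security Hub standard clean-up from `aws securityhub get-enabled-standards` output.

Added example, not code from the original post. It only parses the CLI's JSON
and builds the matching `batch-disable-standards` command; the sample output
below is constructed and 123456789012 is a placeholder account id.
"""
import json
import re
import shlex
import subprocess
import sys

# Both the "ruleset/" ARNs shown in the post and the newer "standards/" ARNs
# end in .../<standard-name>/v/<version>, which is what step 3 asks you to read off.
STANDARD_ARN = re.compile(
    r"^arn:aws:securityhub:[^:]*:[^:]*:(?:ruleset|standards)/([^/]+)/v/([^/]+)$"
)

# Constructed sample of what get-enabled-standards prints for one region.
SAMPLE_OUTPUT = json.dumps({
    "StandardsSubscriptions": [
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "StandardsInput": {},
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0",
            "StandardsStatus": "READY",
        },
        {
            "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsInput": {},
            "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0",
            "StandardsStatus": "READY",
        },
    ]
})


def parse_standard_arn(arn):
    """Return (name, version) for a StandardsArn, or None if it is not one."""
    m = STANDARD_ARN.match(arn)
    return (m.group(1), m.group(2)) if m else None


def plan_disable(output, approved):
    """Return (subscription ARNs to disable, ARNs that could not be parsed).

    A standard is disabled only when its name is not in `approved`; anything
    the regex does not recognise is reported for manual review instead of
    being disabled by accident.
    """
    data = json.loads(output) if isinstance(output, str) else output
    to_disable, unknown = [], []
    for sub in data.get("StandardsSubscriptions", []):
        parsed = parse_standard_arn(sub["StandardsArn"])
        if parsed is None:
            unknown.append(sub["StandardsArn"])
        elif parsed[0] not in approved:
            to_disable.append(sub["StandardsSubscriptionArn"])
    return to_disable, unknown


def disable_command(region, subscription_arns):
    """Build the batch-disable-standards invocation for one region (None if nothing to do)."""
    if not subscription_arns:
        return None
    parts = ["aws", "securityhub", "batch-disable-standards", "--region", region,
             "--standards-subscription-arns", *subscription_arns]
    return " ".join(shlex.quote(p) for p in parts)


def live_output(region):
    """Fetch the real get-enabled-standards output for one region (needs AWS credentials)."""
    cmd = ["aws", "securityhub", "get-enabled-standards", "--region", region, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python plan_standards.py [region ...]; with no regions the constructed sample is used.
    approved = {"aws-foundational-security-best-practices"}  # assumption: the standards you keep
    live = len(sys.argv) > 1
    for region in (sys.argv[1:] if live else ["us-east-1"]):
        output = live_output(region) if live else SAMPLE_OUTPUT
        for sub in json.loads(output)["StandardsSubscriptions"]:
            name, version = parse_standard_arn(sub["StandardsArn"]) or ("?", "?")
            print(f"{region}: {name} v{version} ({sub.get('StandardsStatus', 'unknown')})")
        to_disable, unknown = plan_disable(output, approved)
        for arn in unknown:
            print(f"{region}: could not parse {arn}; review manually")
        print(disable_command(region, to_disable) or f"{region}: nothing to disable")
```

Run without arguments to see the plan for the constructed sample; pass one or more region names to read the real output of get-enabled-standards for each and print the corresponding batch-disable-standards command, which you then run yourself once you have checked it.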


Vineet Sharma, Founder and CEO of Kubernetes Advocate. Tech author, cloud-native architect, and startup advisor. https://in.linkedin.com/in/vineet-sharma-0164