AWS Security Hub releases the ability to disable specific compliance controls

Posted on: Jan 15, 2020

AWS Security Hub now allows you to disable specific compliance controls that are not relevant to your environment. For example, if control 2.3 from the CIS AWS Foundations Benchmark (“Ensure that the S3 bucket used to store CloudTrail logs is not publicly accessible”) is not relevant in a particular account or region because you have a centralized logging bucket set up in another account or region, you can disable that control either via the Security Hub console or via the API. Disabled controls are not counted against your compliance readiness score for that standard, and they have a mandatory field to explain why the control has been disabled. Disablement actions are logged to AWS CloudTrail. Security Hub’s documentation provides specific examples of controls that you may want to disable depending on your account setup.
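Because every disablement is written to CloudTrail, a reviewer can audit who turned off which control, where, and with what justification. The following is an added example (not AWS code): it scans constructed CloudTrail records for `UpdateStandardsControl` calls that set a control to `DISABLED` and reports the control, principal, region, and stated reason. The sample events and the casing of the logged request-parameter keys are assumptions, so the lookup is case-insensitive.

```python
import json

# Constructed sample CloudTrail records (not real events). The casing of the
# requestParameters keys is an assumption, so lookups below ignore case.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": "securityhub.amazonaws.com", "eventName": "UpdateStandardsControl",
     "awsRegion": "us-east-1", "eventTime": "2020-01-15T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {
         "standardsControlArn": "arn:aws:securityhub:us-east-1:111122223333:"
                                "control/cis-aws-foundations-benchmark/v/1.2.0/2.3",
         "controlStatus": "DISABLED",
         "disabledReason": "CloudTrail logs go to the central logging bucket"}},
    {"eventSource": "securityhub.amazonaws.com", "eventName": "UpdateStandardsControl",
     "awsRegion": "us-east-1", "eventTime": "2020-01-16T09:30:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {
         "standardsControlArn": "arn:aws:securityhub:us-east-1:111122223333:"
                                "control/cis-aws-foundations-benchmark/v/1.2.0/1.1",
         "controlStatus": "ENABLED"}},
]})


def _get(params, name):
    """Case-insensitive key lookup (camelCase vs PascalCase in logged parameters)."""
    return next((v for k, v in params.items() if k.lower() == name.lower()), None)


def parse_control_arn(arn):
    """Split ...:control/<standard>/v/<version>/<control-id> into its three parts."""
    standard, _v, version, control_id = arn.split(":control/", 1)[1].split("/", 3)
    return standard, version, control_id


def find_control_disablements(cloudtrail_json):
    """Return one dict per control that was disabled: who, where, which, and why."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "securityhub.amazonaws.com", "UpdateStandardsControl"):
            continue
        params = rec.get("requestParameters") or {}
        if (_get(params, "ControlStatus") or "").upper() != "DISABLED":
            continue
        standard, version, control_id = parse_control_arn(_get(params, "StandardsControlArn"))
        hits.append({"time": rec.get("eventTime"), "region": rec.get("awsRegion"),
                     "principal": rec.get("userIdentity", {}).get("arn"),
                     "standard": standard, "version": version, "control": control_id,
                     "reason": _get(params, "DisabledReason") or ""})
    return hits
```

Feeding real CloudTrail log files through `find_control_disablements` gives a reviewable list of disabled controls and their justifications, which can be compared against the reasons your team considers acceptable.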

Available globally, AWS Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status across your AWS accounts. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. You can also continuously monitor your environment using automated compliance checks based on AWS best practices and industry standards, such as the CIS AWS Foundations Benchmark. You can also take action on these security and compliance findings by using Amazon CloudWatch Events rules to send the findings to ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and incident management tools, or to custom remediation playbooks.

You can enable your 30-day free trial of AWS Security Hub with a single click in the AWS Management Console. Please see the AWS Regions page for all the regions where AWS Security Hub is available. To learn more about AWS Security Hub capabilities, see the AWS Security Hub documentation, and to start your 30-day free trial, see the AWS Security Hub free trial page.