Ensure that AWS Security Hub security standards, enabled within your AWS account(s), are reviewed in order to decide whether or not these standards should be considered unwanted and disabled.
A Security Hub standard, such as the CIS AWS Foundations standard, is a predefined collection of rules based on AWS cloud and industry best practices. Once the Security Hub service is enabled, it immediately begins running continuous, automated checks of the resources in your AWS environment against the rules included in the active standards, and generates findings from the results of those checks. Although these standards help you adhere to industry (including AWS) best practices, there are scenarios where a specific standard is not needed or is considered unwanted, for example because the regulatory requirements it promotes do not apply to you, or where it should be disabled to lower the monthly AWS bill: standard rules evaluate the configuration items recorded by AWS Config, so AWS Config service charges apply for every enabled standard.
Audit
To check for unwanted Security Hub standards enabled within your AWS account, perform the following actions:
Remediation / Resolution
To disable any unwanted AWS Security Hub standards enabled within your AWS account, perform the following actions:
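The review-then-disable workflow above, as an added example that is not part of the original page or any vendor tool: it lists every enabled standard via the Security Hub `get_enabled_standards` API (following `NextToken` pagination), selects the ones whose identifier matches a regex you consider unwanted, and only calls `batch_disable_standards` when `dry_run` is off. The sample response and the `--apply` flag are constructed for illustration; boto3 credentials with `securityhub:GetEnabledStandards` and `securityhub:BatchDisableStandards` permissions are assumed.

```python
import re
import sys

# Constructed sample shaped like a get-enabled-standards response (not real account data).
SAMPLE_RESPONSE = {
    "StandardsSubscriptions": [
        {"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:111122223333:"
                                     "subscription/cis-aws-foundations-benchmark/v/1.2.0",
         "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
         "StandardsStatus": "READY"},
        {"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:111122223333:"
                                     "subscription/pci-dss/v/3.2.1",
         "StandardsArn": "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1",
         "StandardsStatus": "READY"},
    ]
}


def standard_name(standards_arn):
    """Short identifier after 'ruleset/' or 'standards/', e.g. 'pci-dss/v/3.2.1'."""
    return standards_arn.split("/", 1)[1]


def select_unwanted(response, unwanted_patterns):
    """Return subscription ARNs whose standard matches any regex in unwanted_patterns."""
    compiled = [re.compile(p) for p in unwanted_patterns]
    return [
        sub["StandardsSubscriptionArn"]
        for sub in response.get("StandardsSubscriptions", [])
        if any(c.search(standard_name(sub["StandardsArn"])) for c in compiled)
    ]


def review_and_disable(client, unwanted_patterns, dry_run=True):
    """Print every enabled standard, then disable the unwanted ones unless dry_run."""
    subs, token = [], None
    while True:  # get-enabled-standards is paginated via NextToken
        page = client.get_enabled_standards(**({"NextToken": token} if token else {}))
        subs.extend(page["StandardsSubscriptions"])
        token = page.get("NextToken")
        if not token:
            break
    for sub in subs:
        print(f"{sub['StandardsStatus']:<12} {standard_name(sub['StandardsArn'])}")
    targets = select_unwanted({"StandardsSubscriptions": subs}, unwanted_patterns)
    if targets and not dry_run:
        client.batch_disable_standards(StandardsSubscriptionArns=targets)
    return targets


if __name__ == "__main__":  # hypothetical usage: python review_standards.py '^pci-dss/' --apply
    import boto3
    patterns = [a for a in sys.argv[1:] if a != "--apply"]
    review_and_disable(boto3.client("securityhub"), patterns, dry_run="--apply" not in sys.argv)
```

Run it without `--apply` first to review what would be disabled; findings already generated by a disabled standard are not deleted by this call.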
References
- AWS Documentation
  - AWS Security Hub FAQs
  - AWS Security Hub Terminology and Concepts
  - Standards Supported in AWS Security Hub - CIS AWS Foundations
- AWS Command Line Interface (CLI) Documentation
  - securityhub
  - get-enabled-standards
  - batch-disable-standards