Configuring a standard or control in context
When you use central configuration in AWS Security Hub, the delegated Security Hub administrator can create configuration policies that specify how Security Hub, security standards, and security controls are configured for an organization. The delegated administrator can associate policies with specific accounts and organizational units (OU). The policies take effect in your home Region and all linked Regions. The delegated administrator can update configuration policies as necessary.
On the Security Hub console, the delegated administrator can update configuration policies in two ways—from the Configuration page, or in context with existing workflows. The latter can be beneficial because, as you view security findings, you can discover which standards and controls are most relevant to your environment and configure them at the same time.
In-context configuration is available only on the Security Hub console. Programmatically, the delegated administrator must invoke the UpdateConfigurationPolicy operation of the Security Hub API to change how specific standards or controls are configured in the organization.
Follow these steps to configure a Security Hub standard or control in context.
To configure a standard or control in context (console)
- Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. Sign in using the credentials of the delegated Security Hub administrator account in the home Region.
- In the navigation pane, choose one of the following options:
  - To configure a standard, choose Security standards, and choose a specific standard.
  - To configure a control, choose Controls, and choose a specific control.
- The console lists your existing Security Hub configuration policies and the status of the selected standard or control in each one. Choose the options to enable or disable the standard or control in each existing configuration policy. For controls, you can also choose to customize control parameters. You can't create a new policy during in-context configuration. To create a new policy, you must go to the Configuration page, choose the Policies tab, and then choose Create policy.
- After making your changes, choose Next.
- Review your changes, and choose Apply. The updates affect all accounts and OUs that are associated with a changed configuration policy. The updates also take effect in the home Region and all linked Regions.
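The programmatic path mentioned earlier (UpdateConfigurationPolicy) can be sketched as follows. This is an added example, not code from the AWS documentation: the helper names `set_control` and `update_control_in_policy` are hypothetical, `client` is assumed to be `boto3.client("securityhub")` created with the delegated administrator's credentials in the home Region, and the policy document is assumed to carry only one of the two control lists.

```python
import copy

ENABLED = "EnabledSecurityControlIdentifiers"
DISABLED = "DisabledSecurityControlIdentifiers"


def set_control(policy, control_id, enabled):
    """Return a copy of a ConfigurationPolicy document with one control toggled.

    A policy names controls either as an allowlist (ENABLED: every other
    control is off) or as a denylist (DISABLED: every other control is on).
    Assumption: only one of the two lists is present, so edit that one.
    """
    hub = copy.deepcopy(policy)["SecurityHub"]
    if not hub.get("ServiceEnabled"):
        raise ValueError("policy disables Security Hub; no controls to configure")
    controls = hub.setdefault("SecurityControlsConfiguration", {})
    if ENABLED in controls:
        key, listed = ENABLED, enabled       # allowlist: enabled means listed
    else:
        key, listed = DISABLED, not enabled  # denylist: enabled means absent
    ids = list(controls.get(key, []))
    if listed and control_id not in ids:
        ids.append(control_id)
    elif not listed and control_id in ids:
        ids.remove(control_id)
    controls[key] = ids
    return {"SecurityHub": hub}


def update_control_in_policy(client, policy_id, control_id, enabled, reason):
    """Read the policy, toggle one control, and write it back only if it changed.

    Returns True when UpdateConfigurationPolicy was called, False on a no-op.
    """
    current = client.get_configuration_policy(Identifier=policy_id)
    document = current["ConfigurationPolicy"]
    updated = set_control(document, control_id, enabled)
    if updated == document:
        return False  # already in the requested state; skip the write
    client.update_configuration_policy(
        Identifier=policy_id,
        UpdatedReason=reason,  # recorded with the policy for later review
        ConfigurationPolicy=updated,
    )
    return True
```

As with the console procedure, the write affects every account and OU associated with the policy, so reviewing the returned document from `set_control` before calling the update mirrors the console's review step.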