Disabling controls in Security Hub
There are multiple ways to disable a control in AWS Security Hub. You can disable a control across all security standards or in a specific standard. When you disable a control across all standards, the following occurs:
- Security checks for the control are no longer performed.
- No additional findings are generated for that control.
- Existing findings are archived automatically after 3-5 days (note that this is best effort).
- Any related AWS Config rules that Security Hub created are removed.
If you disable a control in one or more specific standards, Security Hub stops running security checks for the control in those standards, so the control no longer affects their security scores. However, if the control is still enabled in another standard, Security Hub retains the AWS Config rule and continues running security checks for it there. Those checks can still affect your summary security score, so disabling a control in a single standard does not silence it account-wide.
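The following script shows the two cases above in code. It is an added example, not code from the AWS documentation: it uses the consolidated-controls API calls ListStandardsControlAssociations and BatchUpdateStandardsControlAssociations, which a real `boto3.client("securityhub")` exposes with the method names used here, but the `FakeSecurityHub` class, the sample association records, the region in the standard ARNs and the choice of IAM.1 as the control are constructed so that it runs offline. After disabling the control in one standard, `standards_still_checking` returns the standards in which Security Hub keeps evaluating it; after disabling it everywhere, that list is empty.

```python
"""Disable a Security Hub control in specific standards or across all of them.

Added example, not AWS documentation code. Targets the consolidated-controls API
(ListStandardsControlAssociations / BatchUpdateStandardsControlAssociations) and
works unchanged with boto3.client("securityhub"); FakeSecurityHub and the sample
records are constructed stand-ins so the example runs offline.
"""
from __future__ import annotations

ENABLED, DISABLED = "ENABLED", "DISABLED"
BATCH_LIMIT = 100  # BatchUpdateStandardsControlAssociations accepts at most 100 updates per call

# Sample standard ARNs (region is a placeholder) and one sample control, IAM.1.
FSBP = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
CIS = "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"

# Constructed sample: IAM.1 is currently enabled in two standards.
SAMPLE_ASSOCIATIONS = [
    {"StandardsArn": FSBP, "SecurityControlId": "IAM.1", "AssociationStatus": ENABLED},
    {"StandardsArn": CIS, "SecurityControlId": "IAM.1", "AssociationStatus": ENABLED},
]


class FakeSecurityHub:
    """Constructed stand-in for the two boto3 securityhub methods used below."""

    def __init__(self, associations):
        self.associations = [dict(a) for a in associations]

    def list_standards_control_associations(self, SecurityControlId):
        return {"StandardsControlAssociationSummaries": [
            a for a in self.associations if a["SecurityControlId"] == SecurityControlId]}

    def batch_update_standards_control_associations(self, StandardsControlAssociationUpdates):
        for upd in StandardsControlAssociationUpdates:
            for a in self.associations:
                if (a["StandardsArn"], a["SecurityControlId"]) == (upd["StandardsArn"], upd["SecurityControlId"]):
                    a["AssociationStatus"] = upd["AssociationStatus"]
                    a["UpdatedReason"] = upd.get("UpdatedReason")
        return {"UnprocessedAssociationUpdates": []}


def build_updates(control_id, standards_arns, reason):
    """One update record per standard. UpdatedReason is required when disabling."""
    return [{"StandardsArn": arn, "SecurityControlId": control_id,
             "AssociationStatus": DISABLED, "UpdatedReason": reason} for arn in standards_arns]


def disable_control(client, control_id, reason, standards_arns=None):
    """Disable control_id in the given standards, or, when standards_arns is None,
    in every standard it is currently enabled in (the "across all standards" case).
    Returns the updates Security Hub reported as unprocessed."""
    if standards_arns is None:
        summaries = client.list_standards_control_associations(
            SecurityControlId=control_id)["StandardsControlAssociationSummaries"]
        standards_arns = [s["StandardsArn"] for s in summaries if s["AssociationStatus"] == ENABLED]
    updates = build_updates(control_id, standards_arns, reason)
    unprocessed = []
    for i in range(0, len(updates), BATCH_LIMIT):  # respect the per-call limit
        resp = client.batch_update_standards_control_associations(
            StandardsControlAssociationUpdates=updates[i:i + BATCH_LIMIT])
        unprocessed.extend(resp.get("UnprocessedAssociationUpdates", []))
    return unprocessed


def standards_still_checking(client, control_id):
    """Standards in which the control is still enabled. A non-empty result means
    Security Hub keeps the Config rule and keeps evaluating the control, so it
    still contributes to the summary security score."""
    summaries = client.list_standards_control_associations(
        SecurityControlId=control_id)["StandardsControlAssociationSummaries"]
    return sorted(s["StandardsArn"] for s in summaries if s["AssociationStatus"] == ENABLED)


if __name__ == "__main__":
    hub = FakeSecurityHub(SAMPLE_ASSOCIATIONS)  # swap for boto3.client("securityhub")
    reason = "Not applicable: no IAM users in this account"
    disable_control(hub, "IAM.1", reason, [CIS])           # disable in one standard only
    print("still checked in:", standards_still_checking(hub, "IAM.1"))
    disable_control(hub, "IAM.1", reason)                  # disable across all standards
    print("still checked in:", standards_still_checking(hub, "IAM.1"))
```

With a real client the caller needs `securityhub:ListStandardsControlAssociations` and `securityhub:BatchUpdateStandardsControlAssociations` permissions, and the `UpdatedReason` is recorded on the association, which is the audit trail you want when someone later asks why a control is silent.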
To reduce finding noise, it can be useful to disable controls that aren't relevant to your environment. For recommendations of which controls to disable, see Security Hub controls that you might want to disable.
When you disable a standard, all of the controls that apply to the standard are disabled (however, those controls might remain enabled in other standards). For information about disabling a standard, see Disabling a security standard in Security Hub.
When you disable a standard, Security Hub doesn't track which of its applicable controls were disabled. If you subsequently re-enable the same standard, all of the controls that apply to it are automatically enabled again. Disabling a control is therefore not a permanent action: if you disable a control and later enable a standard that includes it, the control is enabled in that standard along with every other control that applies to it. After enabling a standard, you can disable specific controls again as needed.