# Disabling controls in Security Hub CSPM
<a name="disable-controls-overview"></a>

To reduce finding noise, it can be helpful to disable controls that aren't relevant to your environment. In AWS Security Hub CSPM, you can disable a control across all security standards or for only specific standards. 

If you disable a control across all standards, the following occurs:
+ Security checks for the control are no longer performed.
+ No additional findings are generated for the control.
+ Existing findings are no longer updated for the control.
+ Existing findings for the control are archived automatically, typically within 3–5 days on a best-effort basis.
+ Security Hub CSPM removes any related AWS Config rules that it created for the control.

If you disable a control for only specific standards, Security Hub CSPM stops running security checks for the control for only those standards. This also removes the control from [calculations of the security score](standards-security-score.md) for each of those standards. If the control is enabled in other standards, Security Hub CSPM retains the associated AWS Config rule, if applicable, and continues running security checks for the control for the other standards. Security Hub CSPM also includes the control when it calculates the security score for each of the other standards, which affects your summary security score.

If you disable a standard, all of the controls that apply to the standard are disabled automatically for that standard. However, the controls might continue to be enabled in other standards. When you disable a standard, Security Hub CSPM doesn't track which controls were disabled for the standard. Consequently, if you later re-enable the same standard, all the controls that apply to it are automatically enabled. For information about disabling a standard, see [Disabling a standard](disable-standards.md).

Disabling a control isn't a permanent action. Suppose you disable a control, and then enable a standard that includes the control. The control is then enabled for that standard. When you enable a standard in Security Hub CSPM, all the controls that apply to the standard are automatically enabled. For information about enabling a standard, see [Enabling a standard](enable-standards.md).

**Topics**
+ [Disabling a control across standards](disable-controls-across-standards.md)
+ [Disabling a control in a specific standard](disable-controls-standard.md)
+ [Suggested controls to disable](controls-to-disable.md)

# Disabling a control across standards
<a name="disable-controls-across-standards"></a>

We recommend disabling an AWS Security Hub CSPM control across standards to maintain alignment throughout your organization. If you disable a control in only specific standards, you continue to receive findings for the control if it is enabled in other standards.

## Cross-standard disablement in multiple accounts and Regions
<a name="disable-controls-all-standards-central-configuration"></a>

To disable a security control across multiple AWS accounts and AWS Regions, you must use [central configuration](central-configuration-intro.md).

When you use central configuration, the delegated administrator can create Security Hub CSPM configuration policies that disable specified controls across enabled standards. You can then associate the configuration policy with specific accounts, OUs, or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.

Configuration policies offer customization. For example, you can choose to disable all AWS CloudTrail controls in one OU, and you can choose to disable all IAM controls in another OU. The level of granularity depends on your intended goals for security coverage in your organization. For instructions on creating a configuration policy that disables specified controls across standards, see [Creating and associating configuration policies](create-associate-policy.md).

**Note**  
The delegated administrator can create configuration policies to manage controls in all standards except the [Service-Managed Standard: AWS Control Tower](https://docs.aws.amazon.com/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html). Controls for this standard should be configured in the AWS Control Tower service.

If you want some accounts to configure their own controls rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure controls separately in each Region.

## Cross-standard disablement in a single account and Region
<a name="disable-controls-all-standards"></a>

If you don't use central configuration or are a self-managed account, you can't use configuration policies to centrally disable controls in multiple accounts and Regions. However, you can disable a control in a single account and Region.

------
#### [ Security Hub CSPM console ]

**To disable a control across standards in one account and Region**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. Choose **Controls** from the navigation pane.

1. Choose the option next to a control.

1. Choose **Disable Control**. This option doesn't appear for a control that's already disabled.

1. Select a reason for disabling the control, and confirm by choosing **Disable**.

1. Repeat in each Region in which you want to disable the control.

------
#### [ Security Hub CSPM API ]

**To disable a control across standards in one account and Region**

1. Invoke the [ListStandardsControlAssociations](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html) API. Provide a security control ID.

   **Example request:**

   ```
   {
       "SecurityControlId": "IAM.1"
   }
   ```

1. Invoke the [BatchUpdateStandardsControlAssociations](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html) API. Provide the ARN of each standard that the control is enabled in. To obtain standard ARNs, invoke [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html).

1. Set the `AssociationStatus` parameter equal to `DISABLED`. If you follow these steps for a control that's already disabled, the API returns an HTTP status code 200 response.

   **Example request:**

   ```
   {
       "StandardsControlAssociationUpdates": [
           {
               "SecurityControlId": "IAM.1",
               "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
               "AssociationStatus": "DISABLED",
               "UpdatedReason": "Not applicable to environment"
           },
           {
               "SecurityControlId": "IAM.1",
               "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
               "AssociationStatus": "DISABLED",
               "UpdatedReason": "Not applicable to environment"
           }
       ]
   }
   ```

1. Repeat in each Region in which you want to disable the control.

------
#### [ AWS CLI ]

**To disable a control across standards in one account and Region**

1. Run the [list-standards-control-associations](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-standards-control-associations.html) command. Provide a security control ID.

   ```
   aws securityhub --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
   ```

1. Run the [batch-update-standards-control-associations](https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-update-standards-control-associations.html) command. Provide the ARN of each standard that the control is enabled in. To obtain standard ARNs, run the `describe-standards` command.

1. Set the `AssociationStatus` parameter equal to `DISABLED`. If you follow these steps for a control that's already disabled, the command returns an HTTP status code 200 response.

   ```
   aws securityhub --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'
   ```

1. Repeat in each Region in which you want to disable the control.

------

# Disabling a control in a specific standard
<a name="disable-controls-standard"></a>

You can disable a control in only specific security standards, instead of across all standards. If the control applies to other enabled standards, AWS Security Hub CSPM continues to run security checks for the control and you continue to receive findings for the control.

We recommend aligning the enablement status of a control across all of the enabled standards that the control applies to. For information about disabling a control across all of the standards that it applies to, see [Disabling a control across standards](disable-controls-across-standards.md).

On the standards details page, you can also disable controls in specific standards. You must disable controls in specific standards separately in each AWS account and AWS Region. When you disable a control in specific standards, it affects only the current account and Region.

Choose your preferred method, and follow these steps to disable a control in one or more specific standards.

------
#### [ Security Hub CSPM console ]

**To disable a control in a specific standard**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. Choose **Security standards** from the navigation pane. Choose **View results** for the relevant standard.

1. Select a control.

1. Choose **Disable Control**. This option doesn't appear for a control that's already disabled.

1. Provide a reason for disabling the control, and confirm by choosing **Disable**.

------
#### [ Security Hub CSPM API ]

**To disable a control in a specific standard**

1. Invoke the [ListSecurityControlDefinitions](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html) API, and provide a standard ARN to get a list of available controls for that standard. To obtain a standard ARN, invoke [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html). This API returns standard-agnostic security control IDs, not standard-specific control IDs.

   **Example request:**

   ```
   {
       "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
   }
   ```

1. Invoke the [ListStandardsControlAssociations](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html) API, and provide a specific control ID to return the current enablement status of the control in each standard.

   **Example request:**

   ```
   {
       "SecurityControlId": "IAM.1"
   }
   ```

1. Invoke the [BatchUpdateStandardsControlAssociations](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html) API. Provide the ARN of the standard in which you want to disable the control.

1. Set the `AssociationStatus` parameter equal to `DISABLED`. If you follow these steps for a control that's already disabled, the API returns an HTTP status code 200 response.

   **Example request:**

   ```
   {
       "StandardsControlAssociationUpdates": [{"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED",  "UpdatedReason": "Not applicable to environment"}]
   }
   ```

------
#### [ AWS CLI ]

**To disable a control in a specific standard**

1. Run the [list-security-control-definitions](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-security-control-definitions.html) command, and provide a standard ARN to get a list of available controls for that standard. To obtain a standard ARN, run `describe-standards`. This command returns standard-agnostic security control IDs, not standard-specific control IDs.

   ```
   aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
   ```

1. Run the [list-standards-control-associations](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-standards-control-associations.html) command, and provide a specific control ID to return the current enablement status of the control in each standard.

   ```
   aws securityhub --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
   ```

1. Run the [batch-update-standards-control-associations](https://docs.aws.amazon.com/cli/latest/reference/securityhub/batch-update-standards-control-associations.html) command. Provide the ARN of the standard in which you want to disable the control.

1. Set the `AssociationStatus` parameter equal to `DISABLED`. If you follow these steps for a control that's already disabled, the command returns an HTTP status code 200 response.

   ```
   aws securityhub --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'
   ```

------
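Both the "across standards" and the "in a specific standard" procedures above reduce to the same two calls: `ListStandardsControlAssociations` to learn where a control is currently enabled, then `BatchUpdateStandardsControlAssociations` with `AssociationStatus` set to `DISABLED`. The following Python script is an added example, not code from the AWS documentation or the boto3 project. It assumes boto3 is installed for a live run (imported only under `__main__`), runs offline against a constructed stand-in client (`FakeClient`) with constructed sample associations, and treats 100 updates per call as an assumed batch ceiling. Function names such as `disable_control` and `list_enabled_standards` are this example's own.

```python
"""Disable a Security Hub CSPM control in one account and Region, either in every
standard where it is currently enabled or only in the standards you name.

Added example; assumes boto3 for a live run (imported only under __main__).
FakeClient and SAMPLE_ASSOCIATIONS are constructed stand-ins for offline use."""
from __future__ import annotations

from typing import Iterable, Optional

BATCH_LIMIT = 100  # assumed maximum StandardsControlAssociationUpdates per API call

# Standard ARNs as they appear in the documentation's own request examples
CIS_1_2 = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
CIS_1_4 = "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0"
FSBP = "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"


def list_enabled_standards(client, control_id: str) -> list[str]:
    """ARNs of every standard in which control_id is currently ENABLED.

    Pages through ListStandardsControlAssociations via NextToken; associations
    that are already DISABLED are skipped so the update touches only what changes.
    """
    enabled: list[str] = []
    token: Optional[str] = None
    while True:
        kwargs = {"SecurityControlId": control_id}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_standards_control_associations(**kwargs)
        for assoc in resp.get("StandardsControlAssociationSummaries", []):
            if assoc.get("AssociationStatus") == "ENABLED":
                enabled.append(assoc["StandardsArn"])
        token = resp.get("NextToken")
        if not token:
            return enabled


def build_updates(control_id: str, standards_arns: Iterable[str], reason: str) -> list[dict]:
    """One StandardsControlAssociationUpdate per standard, each set to DISABLED."""
    return [
        {"SecurityControlId": control_id, "StandardsArn": arn,
         "AssociationStatus": "DISABLED", "UpdatedReason": reason}
        for arn in standards_arns
    ]


def disable_control(client, control_id: str, reason: str,
                    only_standards: Optional[Iterable[str]] = None) -> dict:
    """only_standards=None disables the control in every standard where it is
    enabled; a list restricts the change to those standards. Returns the ARNs
    targeted plus any UnprocessedAssociationUpdates the service reported."""
    enabled = list_enabled_standards(client, control_id)
    if only_standards is None:
        targets = enabled
    else:
        wanted = set(only_standards)
        targets = [arn for arn in enabled if arn in wanted]
    updates = build_updates(control_id, targets, reason)
    failed: list[dict] = []
    # The API requires at least one update per call, so an empty target list sends nothing.
    for start in range(0, len(updates), BATCH_LIMIT):
        resp = client.batch_update_standards_control_associations(
            StandardsControlAssociationUpdates=updates[start:start + BATCH_LIMIT])
        failed.extend(resp.get("UnprocessedAssociationUpdates", []))
    return {"targeted": targets, "failed": failed}


class FakeClient:
    """Offline stand-in for boto3's securityhub client (constructed for this example).
    Pages one association per response so the NextToken loop is exercised."""

    def __init__(self, summaries: list[dict], page_size: int = 1):
        self.summaries, self.page_size, self.sent = list(summaries), page_size, []

    def list_standards_control_associations(self, SecurityControlId, NextToken=None, **_):
        rows = [s for s in self.summaries if s["SecurityControlId"] == SecurityControlId]
        start = int(NextToken) if NextToken else 0
        end = start + self.page_size
        resp = {"StandardsControlAssociationSummaries": rows[start:end]}
        if end < len(rows):
            resp["NextToken"] = str(end)
        return resp

    def batch_update_standards_control_associations(self, StandardsControlAssociationUpdates):
        self.sent.extend(StandardsControlAssociationUpdates)
        return {"UnprocessedAssociationUpdates": []}


# Constructed sample: IAM.1 enabled in CIS 1.2.0 and FSBP, already disabled in CIS 1.4.0
SAMPLE_ASSOCIATIONS = [
    {"SecurityControlId": "IAM.1", "StandardsArn": CIS_1_2, "AssociationStatus": "ENABLED"},
    {"SecurityControlId": "IAM.1", "StandardsArn": FSBP, "AssociationStatus": "ENABLED"},
    {"SecurityControlId": "IAM.1", "StandardsArn": CIS_1_4, "AssociationStatus": "DISABLED"},
]

if __name__ == "__main__":
    import boto3  # live run: one client per Region, repeated for each Region you cover
    client = boto3.client("securityhub", region_name="us-east-1")
    print(disable_control(client, "IAM.1", "Not applicable to environment"))
```

Passing `only_standards=[FSBP]` gives the "specific standard" behaviour; omitting it gives the cross-standard behaviour. Because the service only reports per-update failures through `UnprocessedAssociationUpdates`, the script returns that list rather than relying on the HTTP 200 that the steps above note is returned even for an already-disabled control.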

# Suggested controls to disable in Security Hub CSPM
<a name="controls-to-disable"></a>

We recommend disabling some AWS Security Hub CSPM controls to reduce finding noise and usage costs.

## Controls that use global resources
<a name="controls-to-disable-global-resources"></a>

Some AWS services support global resources, which means that you can access the resource from any AWS Region. To save on the cost of AWS Config, you can disable recording of global resources in all but one Region. After you do this, however, Security Hub CSPM still runs security checks in all Regions where a control is enabled and charges you based on the number of checks per account per Region. Accordingly, to reduce finding noise and save on the cost of Security Hub CSPM, you should also disable controls that involve global resources in all Regions except the Region that records global resources.

If a control involves global resources but is available in only one Region, disabling it in that Region prevents you from getting any findings for the underlying resource. In this case, we recommend keeping the control enabled. When using cross-Region aggregation, the Region in which the control is available should be the aggregation Region or one of the linked Regions. The following controls involve global resources but are available in only a single Region:
+ **All CloudFront controls** – Available only in the US East (N. Virginia) Region
+ **GlobalAccelerator.1** – Available only in the US West (Oregon) Region
+ **Route53.2** – Available only in the US East (N. Virginia) Region
+ **WAF.1, WAF.6, WAF.7, WAF.8** – Available only in the US East (N. Virginia) Region

**Note**  
If you use central configuration, Security Hub CSPM automatically disables controls that involve global resources in all Regions except the home Region. Other controls that you choose to enable through a configuration policy are enabled in all Regions where they are available. To limit findings for these controls to just one Region, you can update your AWS Config recorder settings and turn off global resource recording in all Regions except the home Region.  
If an enabled control that involves global resources isn't supported in the home Region, Security Hub CSPM tries to enable the control in one linked Region where the control is supported. With central configuration, you lack coverage for a control that isn't available in the home Region or any of the linked Regions.  
For more information about central configuration, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

For controls that have a *periodic* schedule type, disabling them in Security Hub CSPM is required to prevent billing. Setting the AWS Config parameter `includeGlobalResourceTypes` to `false` doesn't affect periodic Security Hub CSPM controls.

The following Security Hub CSPM controls use global resources:
+ [[Account.1] Security contact information should be provided for an AWS account](account-controls.md#account-1)
+ [[Account.2] AWS accounts should be part of an AWS Organizations organization](account-controls.md#account-2)
+ [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1)
+ [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3)
+ [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4)
+ [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5)
+ [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6)
+ [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7)
+ [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8)
+ [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9)
+ [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10)
+ [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12)
+ [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13)
+ [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15)
+ [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16)
+ [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1)
+ [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1)
+ [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)
+ [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)
+ [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)
+ [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)
+ [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)
+ [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7)
+ [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)
+ [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)
+ [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10)
+ [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)
+ [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)
+ [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13)
+ [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)
+ [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)
+ [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)
+ [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17)
+ [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18)
+ [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19)
+ [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21)
+ [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)
+ [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24)
+ [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25)
+ [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26)
+ [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27)
+ [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1)
+ [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2)
+ [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2)
+ [[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1)
+ [[WAF.6] AWS WAF Classic global rules should have at least one condition](waf-controls.md#waf-6)
+ [[WAF.7] AWS WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7)
+ [[WAF.8] AWS WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8)
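For a self-managed account, or one that doesn't use central configuration, the guidance in this section (disable global-resource controls in every Region except the one that records global resources, keep the single-Region controls enabled, and notice when a single-Region control's Region isn't one you cover) is easier to apply if the per-Region plan is built before anything is changed. The following Python planner is an added example, not AWS code. It uses a constructed subset of the control list above, assumes `us-east-1` and `us-west-2` are the Region codes for US East (N. Virginia) and US West (Oregon), and leaves the disablement itself to the API or CLI steps earlier on this page. `SINGLE_REGION_CONTROLS`, `home_region_of` and `plan_global_control_disablement` are this example's own names.

```python
"""Plan which global-resource Security Hub CSPM controls to disable in which
Regions, keeping single-Region controls enabled and flagging coverage gaps.

Added example; not AWS code. Region codes below are assumed for the Region
names given in the documentation."""
from __future__ import annotations

US_EAST_1 = "us-east-1"  # assumed code for US East (N. Virginia)
US_WEST_2 = "us-west-2"  # assumed code for US West (Oregon)

# Global-resource controls the page says exist in only one Region. A key ending
# in "." is a service prefix and matches every control of that service.
SINGLE_REGION_CONTROLS = {
    "CloudFront.": US_EAST_1,
    "GlobalAccelerator.1": US_WEST_2,
    "Route53.2": US_EAST_1,
    "WAF.1": US_EAST_1, "WAF.6": US_EAST_1, "WAF.7": US_EAST_1, "WAF.8": US_EAST_1,
}

# Constructed subset of the global-resource control list above
SAMPLE_GLOBAL_CONTROLS = ["Account.1", "IAM.1", "IAM.4", "KMS.1",
                          "CloudFront.1", "GlobalAccelerator.1", "Route53.2", "WAF.1"]


def home_region_of(control_id: str) -> str | None:
    """The one Region a single-Region control lives in, or None if the control
    is available in every Region (and so should be disabled outside the
    global-recording Region)."""
    for key, region in SINGLE_REGION_CONTROLS.items():
        if key.endswith(".") and control_id.startswith(key):
            return region
        if key == control_id:
            return region
    return None


def plan_global_control_disablement(global_controls: list[str], enabled_regions: list[str],
                                    recording_region: str) -> dict:
    """Build the plan.

    disable: Region -> controls to disable there (every Region except recording_region)
    keep:    (control, Region) pairs that stay enabled because the control exists only there
    gaps:    (control, Region) pairs with no coverage because that Region isn't enabled
    """
    if recording_region not in enabled_regions:
        raise ValueError(f"{recording_region} must be one of the enabled Regions")
    disable = {r: [] for r in enabled_regions if r != recording_region}
    keep, gaps = [], []
    for control in global_controls:
        only_in = home_region_of(control)
        if only_in is None:
            for region in disable:
                disable[region].append(control)
        elif only_in in enabled_regions:
            keep.append((control, only_in))
        else:
            gaps.append((control, only_in))
    return {"disable": disable, "keep": keep, "gaps": gaps}


def render_runbook(plan: dict) -> list[str]:
    """Human-readable lines, one per Region plus one per kept control and gap."""
    lines = [f"{region}: disable {', '.join(ctls) or '(nothing)'}"
             for region, ctls in plan["disable"].items()]
    lines += [f"keep {c} enabled in {r} (only available there)" for c, r in plan["keep"]]
    lines += [f"GAP: {c} is only available in {r}, which is not enabled" for c, r in plan["gaps"]]
    return lines


if __name__ == "__main__":
    sample = plan_global_control_disablement(
        SAMPLE_GLOBAL_CONTROLS, ["us-east-1", "eu-west-1", "ap-southeast-2"], "eu-west-1")
    print("\n".join(render_runbook(sample)))
```

Each `(Region, control)` pair in `disable` is then handled with the cross-standard procedure earlier on this page, one Region at a time. The plan covers periodic-schedule controls as well, which matters because, as noted above, turning off `includeGlobalResourceTypes` in AWS Config doesn't stop those checks; only disabling the control in Security Hub CSPM does.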

## CloudTrail logging controls
<a name="controls-to-disable-cloudtrail-logging"></a>

The [CloudTrail.2](cloudtrail-controls.md#cloudtrail-2) control evaluates the use of AWS Key Management Service (AWS KMS) to encrypt AWS CloudTrail trail logs. If you log these trails in a centralized logging account, you need to enable this control only in the account and AWS Region where centralized logging takes place.

If you use [central configuration](central-configuration-intro.md), the enablement status of a control is aligned across the home Region and linked Regions. You can't disable a control in some Regions and enable it in others. In this case, you can suppress findings from the CloudTrail.2 control to reduce finding noise.

## CloudWatch alarm controls
<a name="controls-to-disable-cloudwatch-alarms"></a>

If you prefer to use Amazon GuardDuty for anomaly detection instead of Amazon CloudWatch alarms, you can disable the following controls, which focus on CloudWatch alarms:
+ [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)
+ [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2)
+ [[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA](cloudwatch-controls.md#cloudwatch-3)
+ [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)
+ [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)
+ [[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)
+ [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)
+ [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)
+ [[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes](cloudwatch-controls.md#cloudwatch-9)
+ [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)
+ [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)
+ [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)
+ [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)
+ [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)