Disabling a security standard in Security Hub - AWS Security Hub

Disabling a security standard in Security Hub

When you disable a security standard in Security Hub, the following occurs:

  • All of the controls that apply to the standard are also disabled, unless a control is also associated with another standard that remains enabled; such shared controls stay enabled.

  • Checks for the disabled controls are no longer performed, and no additional findings are generated for the disabled controls.

  • Existing findings for disabled controls are archived automatically after approximately 3–5 days.

  • The AWS Config rules that Security Hub created for the disabled controls are removed.

    This normally occurs within a few minutes after you disable the standard, but might take longer. If the first request to delete the AWS Config rules fails, then Security Hub retries every 12 hours. However, if you disabled Security Hub or you don't have any other standards enabled, then Security Hub can't retry the request, meaning that it can't delete the AWS Config rules. If this occurs, and you need to delete AWS Config rules, contact AWS Support.

Disabling a standard in multiple accounts and Regions

To disable a security standard across multiple accounts and Regions, you must use central configuration.

When you use central configuration, the delegated administrator can create configuration policies that disable one or more standards. You can associate a configuration policy with specific accounts and OUs or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.

Configuration policies offer customization. For example, you can choose to disable Payment Card Industry Data Security Standard (PCI DSS) in one OU, and you can choose to disable both PCI DSS and National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 in another OU. For instructions on creating a configuration policy that disables specified standards, see Creating and associating configuration policies.

Note

The delegated administrator can create configuration policies to disable any standard except the Service-Managed Standard: AWS Control Tower. You can disable this standard only in the AWS Control Tower service. If you use central configuration, you can enable and disable controls in this standard for a centrally managed account only in AWS Control Tower.

If you want some accounts to configure their own standards rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure standards separately in each Region.

Disabling a standard in a single account and Region

If you don't use central configuration, or if your account is self-managed, you can't use configuration policies to centrally disable standards in multiple accounts and Regions. However, you can use the following steps to disable a standard in a single account and Region, repeating them in each Region where the standard is enabled.

Security Hub console
To disable a standard in one account and Region
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Confirm that you are using Security Hub in the Region in which you want to disable the standard.

  3. In the Security Hub navigation pane, choose Security standards.

  4. For the standard you want to disable, choose Disable.

  5. Repeat in each Region in which you want to disable the standard.

Security Hub API
To disable a standard in one account and Region
  1. Invoke the BatchDisableStandards API.

  2. For each standard you want to disable, provide the standard subscription ARN. To get the subscription ARNs for your enabled standards, invoke the GetEnabledStandards API.

  3. Repeat in each Region in which you want to disable the standard.

AWS CLI
To disable a standard in one account and Region
  1. Run the batch-disable-standards command.

  2. For each standard you want to disable, provide the standard subscription ARN. To get the subscription ARNs for your enabled standards, run the get-enabled-standards command.

    aws securityhub batch-disable-standards --standards-subscription-arns "standard subscription ARN"

    Example

    aws securityhub batch-disable-standards --standards-subscription-arns "arn:aws:securityhub:us-west-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0"
  3. Repeat in each Region in which you want to disable the standard.
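
The following bash script is an added example, not code from the AWS documentation: it carries out the API/CLI steps above for the current account across a list of Regions, which generalizes the single-Region command shown in the example. For each Region it runs get-enabled-standards, extracts the subscription ARNs whose path contains a fixed string (for example aws-foundational-security-best-practices), and passes the matches to batch-disable-standards. The JSON sample, account ID and Region are constructed placeholders that mirror the documented output shape; the aws calls assume credentials that permit securityhub:GetEnabledStandards and securityhub:BatchDisableStandards in the target account.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS documentation): disable one Security Hub
# standard in the current account across several Regions, following the
# get-enabled-standards -> batch-disable-standards -> repeat-per-Region steps.
set -eu

# Pull the StandardsSubscriptionArn values out of get-enabled-standards JSON
# output and keep only those containing a fixed string such as
# "aws-foundational-security-best-practices" (append "/v/1.0.0" to pin a version).
#   $1 = JSON text, $2 = fixed string to match
subscription_arns_matching() {
  printf '%s\n' "$1" \
    | grep -o '"StandardsSubscriptionArn": *"[^"]*"' \
    | sed 's/.*: *"\(.*\)"/\1/' \
    | grep -F -- "$2" || true
}

# Disable every enabled standard whose subscription ARN matches $2 in Region $1.
disable_standard_in_region() {
  local region="$1" pattern="$2" json arns
  json=$(aws securityhub get-enabled-standards --region "$region" --output json)
  arns=$(subscription_arns_matching "$json" "$pattern")
  if [ -z "$arns" ]; then
    echo "$region: no enabled standard matches '$pattern'; nothing to do" >&2
    return 0
  fi
  echo "$region: disabling $(printf '%s\n' "$arns" | wc -l | tr -d ' ') standard(s)" >&2
  # The ARNs are newline-separated; word splitting turns them into separate
  # CLI arguments, which is what --standards-subscription-arns expects.
  # shellcheck disable=SC2086
  aws securityhub batch-disable-standards --region "$region" \
    --standards-subscription-arns $arns
}

# Constructed sample mirroring the documented get-enabled-standards output
# shape (account ID and Region are placeholders), used for the offline demo.
SAMPLE_JSON='{
  "StandardsSubscriptions": [
    {
      "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0",
      "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
      "StandardsInput": {},
      "StandardsStatus": "READY"
    },
    {
      "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0",
      "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
      "StandardsInput": {},
      "StandardsStatus": "READY"
    }
  ]
}'

# Usage: ./disable-standard.sh PATTERN REGION [REGION...]
# With no arguments, run the offline demo against SAMPLE_JSON instead.
if [ "$#" -ge 2 ]; then
  pattern="$1"; shift
  for region in "$@"; do
    disable_standard_in_region "$region" "$pattern"
  done
else
  echo "demo: subscription ARNs in SAMPLE_JSON matching 'aws-foundational-security-best-practices':"
  subscription_arns_matching "$SAMPLE_JSON" "aws-foundational-security-best-practices"
fi
```

Run it as `./disable-standard.sh aws-foundational-security-best-practices us-west-1 us-east-1` to disable the standard in both Regions; with no arguments it only filters the constructed sample. Keep the caveat from the first section in mind: if the script removes the last enabled standard in a Region, Security Hub cannot retry a failed deletion of that standard's AWS Config rules, so confirm the result afterwards with get-enabled-standards and, if you depend on that cleanup, leave another standard enabled while the rules are removed.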