Reverting to default control parameter values
A control parameter can have a default value that AWS Security Hub defines. Occasionally, Security Hub updates the default
value for a parameter to reflect evolving security best practices. If you haven't specified a custom value for a control parameter,
the control automatically tracks those updates and uses the new default value.
You can revert to using default parameter values for a control. The instructions for reversion depend on whether you use
central configuration in Security Hub. Central
configuration is a feature that the delegated Security Hub administrator can use to configure Security Hub capabilities across AWS Regions, accounts,
and organizational units (OUs).
Not all control parameters have a default Security Hub value. In such cases, when ValueType is set to DEFAULT, there isn't a specific default value that Security Hub uses. Rather, Security Hub ignores the parameter in the absence of a custom value.
Reverting to default control parameters in multiple accounts and Regions
If you use central configuration, you can revert control parameters for multiple, centrally managed accounts and OUs in the home Region and linked Regions.
Choose your preferred method, and follow the steps to revert to default parameter values across multiple accounts and Regions using central configuration.
- Security Hub console
To revert to default control parameter values in multiple accounts and Regions (console)
1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. Sign in using the credentials of the delegated Security Hub administrator account in the home Region.
2. In the navigation pane, choose Settings and Configuration.
3. Choose the Policies tab.
4. Select a policy, and then choose Edit.
5. Under Custom policy, the Controls section shows a list of controls that you specified custom parameters for.
6. Find the control that has one or more parameter values to revert. Then, choose Remove to revert to the default values.
7. In the Accounts section, verify the accounts or OUs that you want to apply the policy to.
8. Choose Next.
9. Review your changes, and verify that they're correct. When you finish, choose Save policy and apply. In your home Region and all linked Regions, this action overrides the existing configuration settings of accounts and OUs that are associated with this configuration policy. Accounts and OUs can be associated with a configuration policy through direct application or inheritance from a parent.
- Security Hub API
To revert to default control parameter values in multiple accounts and Regions (API)
Invoke the UpdateConfigurationPolicy API from the delegated administrator account in the home Region.
For the Identifier field, provide the Amazon Resource Name (ARN) or ID of the policy that you want to update.
For the SecurityControlCustomParameters object, provide the identifier of each control for which you want to revert one or more parameters.
In the Parameters object, for each parameter that you want to revert, provide DEFAULT for the ValueType field. When ValueType is set to DEFAULT, you don't need to provide a value for the Value field. If a value is included in your request, Security Hub ignores it. If your request omits a parameter that the control supports, that parameter retains its current value.
If you omit a control object from the SecurityControlCustomParameters field, Security Hub reverts all custom parameters for the control to their default values. A completely empty list for SecurityControlCustomParameters reverts custom parameters for all controls to their default values.
For example, the following AWS CLI command reverts the daysToExpiration control parameter for ACM.1 to its default value in the specified configuration policy.
This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws securityhub update-configuration-policy \
--region us-east-1 \
--identifier "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
--name "TestConfigurationPolicy" \
--description "Updated configuration policy" \
--updated-reason "Revert ACM.1 parameter to default value" \
--configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "DEFAULT"}}}]}}}'
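Because UpdateConfigurationPolicy replaces the whole SecurityControlCustomParameters list, a revert that only lists the control you are changing silently drops every other control's custom values. The following Python helper, added here as an example and not part of the AWS documentation or the AWS CLI, starts from the list currently stored in a policy, sets the chosen parameters to DEFAULT, and reports which customizations remain so you can check the payload before applying it. The ACM.1 parameter name comes from the page; the IAM.7 parameter names and all values are constructed sample data, and the shape of the Value objects follows the Security Hub API as the author of this example understands it.

```python
"""Build a SecurityControlCustomParameters payload that reverts selected
control parameters to their Security Hub defaults.

Added example (not AWS code). It models the semantics described for
UpdateConfigurationPolicy: a parameter given ValueType DEFAULT is reverted,
a parameter left out of a control's Parameters map keeps its current value,
a control object dropped from the list loses all of its custom parameters,
and an empty list reverts every control.
"""
from copy import deepcopy

# Constructed sample: the list currently stored in a configuration policy.
# IAM.7 parameter names and all values are assumptions for illustration.
CURRENT_CUSTOM_PARAMETERS = [
    {
        "SecurityControlId": "ACM.1",
        "Parameters": {
            "daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 45}},
        },
    },
    {
        "SecurityControlId": "IAM.7",
        "Parameters": {
            "RequireUppercaseCharacters": {"ValueType": "CUSTOM", "Value": {"Boolean": False}},
            "MinimumPasswordLength": {"ValueType": "CUSTOM", "Value": {"Integer": 16}},
        },
    },
]


def revert_parameters(current, reverts):
    """Return a new SecurityControlCustomParameters list.

    `reverts` maps a control ID to a set of parameter names to revert, or to
    None to revert every parameter of that control. Controls not named in
    `reverts` are carried over unchanged, so their custom values survive
    the update instead of being wiped by a shorter list.
    """
    result = []
    for control in deepcopy(current):
        control_id = control["SecurityControlId"]
        if control_id not in reverts:
            result.append(control)  # untouched control keeps its custom values
            continue
        names = reverts[control_id]
        if names is None:
            # Omitting the control object reverts all of its parameters.
            continue
        for name in names:
            if name not in control["Parameters"]:
                raise KeyError(f"{control_id} has no custom parameter {name!r}")
            # DEFAULT needs no Value; Security Hub ignores one if present.
            control["Parameters"][name] = {"ValueType": "DEFAULT"}
        result.append(control)
    return result


def remaining_customizations(custom_parameters):
    """Set of (control_id, parameter_name) pairs still carrying a CUSTOM value."""
    return {
        (control["SecurityControlId"], name)
        for control in custom_parameters
        for name, spec in control["Parameters"].items()
        if spec.get("ValueType") == "CUSTOM"
    }


if __name__ == "__main__":
    updated = revert_parameters(CURRENT_CUSTOM_PARAMETERS, {"ACM.1": {"daysToExpiration"}})
    print("payload:", updated)
    print("still custom after update:", sorted(remaining_customizations(updated)))
```

In practice you would fetch the stored list with the GetConfigurationPolicy API (boto3: `get_configuration_policy`), pass it through `revert_parameters`, confirm that `remaining_customizations` lists exactly what you expect to keep, and then send the result inside the ConfigurationPolicy document of `update_configuration_policy` together with an UpdatedReason.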
Reverting to default control parameters in a single account and Region
If you don't use central configuration or have a self-managed account, you can revert to using default parameter values
for your account in one Region at a time.
Choose your preferred method, and follow the steps to revert to default parameter values for your account in a
single Region. To revert to default parameter values in additional Regions, repeat these steps in each additional Region.
If you disable Security Hub, your custom control parameters are reset. If you enable Security Hub again in the future, all
controls will use default parameter values to start.
- Security Hub console
To revert to default control parameter values in one account and Region (console)
1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.
2. In the navigation pane, choose Controls. Choose the control that you want to revert to default parameter values.
3. On the Parameters tab, choose Customized next to a control parameter. Then, choose Remove customization. This parameter now uses the default Security Hub value and tracks future updates to the default value.
4. Repeat the preceding step for each parameter value that you want to revert.
- Security Hub API
To revert to default control parameter values in one account and Region (API)
Invoke the UpdateSecurityControl API.
For SecurityControlId, provide the ARN or ID of the control whose parameters you want to revert.
In the Parameters object, for each parameter that you want to revert, provide DEFAULT for the ValueType field. When ValueType is set to DEFAULT, you don't need to provide a value for the Value field. If a value is included in your request, Security Hub ignores it.
Optionally, for LastUpdateReason, provide a reason for reverting to default parameter values.
For example, the following AWS CLI command reverts the daysToExpiration control parameter for ACM.1 to its default value.
This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws securityhub update-security-control \
--region us-east-1 \
--security-control-id ACM.1 \
--parameters '{"daysToExpiration": {"ValueType": "DEFAULT"}}' \
--last-update-reason "New internal requirement"