Viewing details of a control - AWS Security Hub

Viewing details of a control

Selecting an AWS Security Hub control on the Controls page or standard details page of the Security Hub console takes you to a page of control details.

The top of the control details page tells you the control status. The control status summarizes the performance of a control based on the compliance status of the control findings. Security Hub typically generates the initial control status within 30 minutes after your first visit to the Summary page or Security standards page on the Security Hub console. Statuses are only available for controls that are enabled when you visit those pages.

The control details page also provides a breakdown of the compliance status of the control findings in the last 24 hours. For more information about control status and compliance status, see Evaluating compliance status and control status in Security Hub.

AWS Config resource recording must be configured for the control status to appear. After control statuses are generated for the first time, Security Hub updates the control status every 24 hours based on the findings from the previous 24 hours.

Administrator accounts see an aggregated control status across the administrator account and member accounts. If you have set an aggregation Region, the control status includes findings across all linked Regions. For more information about control status, see Evaluating compliance status and control status in Security Hub.

You can also enable or disable the control from the control details page.


It can take up to 24 hours after enabling a control for first-time control statuses to be generated in the China Regions and AWS GovCloud (US) Region.

The Standards and Requirements tab lists the standards that a control can be enabled for and the requirements related to the control from different compliance frameworks.

The Checks tab lists the active findings for the control in the last 24 hours. Control findings are generated when Security Hub runs security checks against the control. The control finding list doesn't include archived findings.

For each finding, the list provides access to finding details such as the compliance status and related resource. You can also set the workflow status of each finding and send findings to custom actions. For more information, see Viewing and managing control findings.

Viewing details for a control

Choose your preferred access method, and follow these steps to view details for a control. Details apply to the current account and Region and include the following:

  • Title and description of the control

  • Link to remediation instructions for failed control findings

  • Severity of the control

  • Enablement status of the control

  • (On the console) A list of recent findings for the control. When using the Security Hub API or AWS CLI, use GetFindings to retrieve control findings.

Security Hub console
  1. Open the AWS Security Hub console at

  2. Choose Controls in the navigation pane.

  3. Select a control.

Security Hub API
  1. Run ListSecurityControlDefinitions, and provide one or more standard ARNs to get a list of control IDs for that standard. To obtain standard ARNs, run DescribeStandards. If you don't provide a standard ARN, this API returns all Security Hub control IDs. This API returns standard-agnostic security control IDs, not the standard-based control IDs that existed prior to these feature releases.

    Example request:

    { "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0" }
  2. Run BatchGetSecurityControls to get details about one or more controls in the current AWS account and AWS Region.

    Example request:

    { "SecurityControlIds": ["Config.1", "IAM.1"] }

AWS CLI
  1. Run the list-security-control-definitions command, and provide one or more standard ARNs to get a list of control IDs. To obtain standard ARNs, run the describe-standards command. If you don't provide a standard ARN, this command returns all Security Hub control IDs. This command returns standard-agnostic security control IDs, not the standard-based control IDs that existed prior to these feature releases.

    aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
  2. Run the batch-get-security-controls command to get details about one or more controls in the current AWS account and AWS Region.

    aws securityhub --region us-east-1 batch-get-security-controls --security-control-ids '["Config.1", "IAM.1"]'
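
The two API steps above, followed by the GetFindings call this page names for retrieving control findings, chained in Python as an added example (not code from AWS or from the original page). It assumes `client` is a boto3 Security Hub client; the function names, the batch size of 100, and the choice of GetFindings filters to mirror "active findings in the last 24 hours" are assumptions of this example.

```python
from collections import Counter

BATCH = 100  # assumed per-call cap on SecurityControlIds; lower it if the API rejects a request
FIELDS = ("Title", "SeverityRating", "SecurityControlStatus", "RemediationUrl")

def list_control_ids(client, standards_arn=None):
    """Page through ListSecurityControlDefinitions; no ARN returns all control IDs."""
    kwargs = {"StandardsArn": standards_arn} if standards_arn else {}
    ids = []
    while True:
        page = client.list_security_control_definitions(**kwargs)
        ids += [d["SecurityControlId"] for d in page.get("SecurityControlDefinitions", [])]
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]

def control_details(client, control_ids):
    """Call BatchGetSecurityControls in chunks; return (details by ID, unprocessed entries)."""
    details, unprocessed = {}, []
    for i in range(0, len(control_ids), BATCH):
        resp = client.batch_get_security_controls(SecurityControlIds=control_ids[i:i + BATCH])
        for c in resp.get("SecurityControls", []):
            details[c["SecurityControlId"]] = {k: c.get(k) for k in FIELDS}
        # IDs the service could not resolve come back here instead of raising an error
        unprocessed += resp.get("UnprocessedIds", [])
    return details, unprocessed

def compliance_breakdown(client, control_id):
    """Tally Compliance.Status over active findings updated in the last 24 hours."""
    filters = {
        "ComplianceSecurityControlId": [{"Value": control_id, "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],  # skip archived findings
        "UpdatedAt": [{"DateRange": {"Value": 1, "Unit": "DAYS"}}],
    }
    counts, kwargs = Counter(), {"Filters": filters}
    while True:
        page = client.get_findings(**kwargs)
        counts.update(f.get("Compliance", {}).get("Status", "UNKNOWN") for f in page.get("Findings", []))
        if not page.get("NextToken"):
            return dict(counts)
        kwargs["NextToken"] = page["NextToken"]

if __name__ == "__main__":
    import boto3  # only needed for a live run; credentials and Region come from the environment
    sh = boto3.client("securityhub")
    info, missed = control_details(sh, ["Config.1", "IAM.1"])
    print(info, missed, compliance_breakdown(sh, "IAM.1"))
```

Like the API and CLI calls above, the results cover only the account and Region the client is configured for.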