Understanding the standard security score

Viewing details of a standard

On the AWS Security Hub console, the details page for a standard includes the following information:

The standard security score
Visual summary of the control statuses for the controls that apply to the standard.
Visual summary of security checks for the controls that are enabled in the standard. If you integrate with AWS Organizations, controls that are enabled in at least one organization account are considered enabled.
A list of controls that apply to the standard. You can filter and sort the controls as needed.

This section explains how to retrieve the details of a standard.

If you are signed in to a Security Hub administrator account, you can view details for any standard that is enabled in at least one member account.

To view details of a standard (console)

Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.
In the Security Hub navigation pane, choose Security standards.
For the standard that you want to display the details for, choose View results.

Understanding the standard security score

At the top of the standard details page is the security score for the standard. The score is the percentage of passed controls relative to the number of enabled controls (that have data) for the standard.

Security Hub typically calculates the initial security score within 30 minutes after your first visit to the Summary page or Security standards page on the Security Hub console. Scores are only generated for standards that are enabled when you visit those pages. To view a list of standards that are currently enabled, use the GetEnabledStandards API operation. In addition, AWS Config resource recording must be configured for scores to appear. After first-time score generation, Security Hub updates the security score every 24 hours. Security Hub displays a timestamp to indicate when a security score was last updated. For more information about how scores are calculated, see Calculating security scores.

Note

It can take up to 24 hours for first-time security scores to be generated in the China Regions and AWS GovCloud (US) Region.

Next to the score is a chart that summarizes security checks for controls that are enabled in the standard. The chart shows the number of passed and failed security checks. You can also choose a specific severity level to view the failed security checks for controls of the chosen severity level

For administrator accounts, the standard score and chart are aggregated across the administrator account and all member accounts.

All of the data on the Security standards details pages is specific to the current Region unless you have set an aggregation Region. If you have set an aggregation Region, the security scores apply across Regions and include findings in all linked Regions. The compliance status of controls on the standards details pages also reflect findings from linked Regions, and the number of security checks includes findings from linked Regions.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Turning off auto-enabled standards

Viewing the controls for an enabled standard