Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Viewing the controls for an enabled standard

PDF
RSS
Focus mode
Viewing the controls for an enabled standard - AWS Security Hub

When you visit the details page for a standard, you can view a list of security controls that apply to the standard.

For each control, the table displays the following information:

Security Hub updates the control statuses and security check count every 24 hours. A timestamp at the top of the page indicates when the control statuses and security check count were most recently updated. For more information, see Evaluating compliance status and control status in Security Hub.

For administrator accounts, the control statuses and number of security checks are aggregated across the administrator account and all member accounts. The count of enabled controls includes controls that are enabled in the standard in the administrator account or at least one member account. The count of disabled controls includes controls that are disabled in the standard in the administrator account and all member accounts.

By default, the table lists all enabled controls in the standard. Those with a Failed control status are shown at the top, sorted in order of decreasing severity.

You can filter the list of all controls in the standard. Using the Filter by options next to the table, you can choose to view only enabled or only disabled controls in the standard. If you view only enabled controls, you can further filter the list by control status. This lets you focus on controls with a specific control status.

In addition to the Filter by options, you can sort the controls lists by entering filters in the Filter controls search box. For example, you can filter by control ID or title.

Choose your preferred access method, and follow the steps to display the available controls for an enabled standard.

Security Hub console
To view the controls for an enabled standard (console)

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Choose Security standards in the navigation pane.

  3. Choose View results for a standard. The bottom of the page lists all of the controls that apply to the standard. Filter and sort the list as needed.

Security Hub API
To view the controls for an enabled standard (API)

  1. Use the ListSecurityControlDefinitions operation of the Security Hub API. If you use the AWS CLI, run the list-security-control-definitions command.

    Provide the Amazon Resource Name (ARN) of the standard that you want to view controls for. To obtain standard ARNs, use the DescribeStandards operation or the describe-standards command. If you don't provide a standard ARN, Security Hub returns all security control IDs.

  2. Use the ListStandardsControlAssociations operation of the Security Hub API, or the list-standards-control-associations command. This operation tells you which standards a control is enabled in.

    Identify the control by providing the security control ID or ARN. Pagination parameters are optional.

The following example tells you which standards the Config.1 control is enabled in. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securityhub list-standards-control-associations --region us-east-1 --security-control-id Config.1
anchoranchor
To view the controls for an enabled standard (console)

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Choose Security standards in the navigation pane.

  3. Choose View results for a standard. The bottom of the page lists all of the controls that apply to the standard. Filter and sort the list as needed.

You can download the current page of the controls list to a .csv file by choosing Download.

If you filter the controls list, then the downloaded file includes only the controls that match the filter settings.

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.