Understanding security standards in Security Hub - AWS Security Hub

In AWS Security Hub, a security standard is a set of requirements based on regulatory frameworks, industry best practices, or company policies.

For a list of available standards in Security Hub and the controls that apply to them, see Security Hub standards reference. The Security standards page on the Security Hub console also shows all of the supported security standards in Security Hub and the following information:

  • A description of each supported standard

  • The enablement status of the standard

  • A list of controls that are currently enabled in the standard and the overall status of those controls based on the compliance status of their findings

  • A list of controls that apply to the standard, but are currently disabled

  • A security score for the standard

When you enable a standard, Security Hub automatically enables all of the controls that apply to the standard. You can disable and re-enable controls as necessary. Security Hub runs security checks on the enabled controls. The security checks result in Security Hub findings. When you disable a standard, Security Hub stops running security checks on controls that are part of that standard. Findings are no longer generated.
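The following added example (not AWS's own code) rebuilds the per-standard view described above through the Security Hub API: enablement status plus the enabled and disabled controls of each standard. It uses the `describe_standards`, `get_enabled_standards`, and `describe_standards_controls` operations as exposed by boto3. The `StubClient` class, its ARNs and control IDs, and the `NOT_ENABLED` label are constructed for illustration.

```python
def _paginate(call, key, **kwargs):
    """Yield items from a paged Security Hub call, following NextToken."""
    while True:
        page = call(**kwargs)
        yield from page.get(key, [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def summarize_standards(client):
    """One row per supported standard: status plus enabled/disabled control IDs."""
    subs = {s["StandardsArn"]: s for s in
            _paginate(client.get_enabled_standards, "StandardsSubscriptions")}
    rows = []
    for std in _paginate(client.describe_standards, "Standards"):
        # "NOT_ENABLED" is this example's own label, not an API value.
        row = {"name": std["Name"], "status": "NOT_ENABLED", "enabled": [], "disabled": []}
        sub = subs.get(std["StandardsArn"])
        if sub:
            row["status"] = sub["StandardsStatus"]
            for ctl in _paginate(client.describe_standards_controls, "Controls",
                                 StandardsSubscriptionArn=sub["StandardsSubscriptionArn"]):
                key = "enabled" if ctl["ControlStatus"] == "ENABLED" else "disabled"
                row[key].append(ctl["ControlId"])
        rows.append(row)
    return rows

class StubClient:
    """Constructed responses standing in for boto3.client("securityhub")."""
    def describe_standards(self, **kw):
        return {"Standards": [
            {"StandardsArn": "arn:example:standards/a", "Name": "Example Standard A"},
            {"StandardsArn": "arn:example:standards/b", "Name": "Example Standard B"}]}
    def get_enabled_standards(self, **kw):
        return {"StandardsSubscriptions": [{
            "StandardsArn": "arn:example:standards/a",
            "StandardsSubscriptionArn": "arn:example:subscription/a",
            "StandardsStatus": "READY"}]}
    def describe_standards_controls(self, **kw):
        # Two pages, to exercise NextToken handling.
        if "NextToken" not in kw:
            return {"Controls": [{"ControlId": "Example.1", "ControlStatus": "ENABLED"}],
                    "NextToken": "page2"}
        return {"Controls": [{"ControlId": "Example.2", "ControlStatus": "DISABLED"}]}

if __name__ == "__main__":
    # Against a real account: summarize_standards(boto3.client("securityhub"))
    for row in summarize_standards(StubClient()):
        print(row)
```

Run on a schedule per account and Region, a non-empty `disabled` list or an unexpected `NOT_ENABLED` row is a quick signal of configuration drift.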

You can enable standards individually for a single account and AWS Region. However, to save time and reduce configuration drift in multi-account or multi-Region environments, we recommend using central configuration to enable standards. With central configuration, the delegated Security Hub administrator can create policies that specify how a standard should be configured across multiple accounts and Regions. For more information about enabling a standard, see Enabling a security standard in Security Hub.

Security Hub generates a security score for each standard based on the status of controls that apply to the standard. If you sign in to an administrator account, security scores reflect control statuses across all member accounts. If you have set an aggregation Region, security scores reflect control statuses across all linked Regions. For more information, see Method of calculating security scores.