By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Can you add custom Security Stadards or edit existing Standards?

0

I don't see this mentioned in the documentation and I do not see any options in the console, so I thought I would double check here to ensure I am not missing anything:

  1. Can you create your own Security Standard that has a set of rules that you'd like your accounts to comply with?

  2. Can you customize existing Security Standards? For example, before enabling the CIS Benchmark, can I disable all Level 2 controls? Or is the only way to do this to enable the standard and then disable individual controls afterwards?

Perhaps using another tool that can integrate with Security Hub, such as Prowler, is the way to go for a custom Security Standard?

Thank you

Topics
Security, Identity, & Compliance
Tags
AWS Security Hub
Language
English
Jhoov
asked 4 years ago394 views
2 Answers
0

Fully customizable standards are coming in the future. Today, you can disable individual controls in a standard. This can only be done after you have enabled the standard.

Relevant docs:

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable-controls.html

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-to-disable.html

Ely_K
answered 4 years ago
  • rePost-User-9257957
    2 years ago

    Hi Ely, so are we now able to add custom Security Standards in the security hub?

  • Jhoov
    2 years ago

    Hi Ely,

    I don't see that this was ever released and we'd still like to be able to define a custom standard. Selecting rules from the existing standards would be perfectly acceptable for us. We know we can enable the standards via the API and then turn off individual rules, but we then have to monitor for new rules and add them to the script or we will have new AWS accounts with rules that we do not wish to be enabled. It would be so much easier to just select the rules we wish to have enabled and add them to a custom standard. We wouldn't have to constantly maintain the script that way and it would simplify the entire process. Please let us know if this is still planned.

    Thank you, Jeff

0

Thank you, Ely. That is great to hear about fully customizable standards coming in the future. Also, thank you for confirming that we can only enable standards and then disable individual rules. That is what I thought.

Jhoov
answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content