Security Hub - AWS Foundational Security Best Practices
I am working on resolving various AWS CIS Benchmarks in Security Hub and I am wondering if there is any way to re-run or manually trigger to re-check the rule if compliance is met. I've updated multiple configurations to comply with rules that are currently at failed status, but I don't see an option to force security hub to re-evaluate whether various benchmarks are currently in compliance or not.
AWS Security Hub consolidates findings from other sources, such as AWS Config. It doesn't evaluate the compliance policies directly. Rather, every 12 hours AWS Config reports failed compliance rules to AWS Security Hub, and Security Hub asserts findings for each of the Security Standards.
I've found 2 ways to re-trigger the Config rules:
- Disable/enable the CIS standard. I would not recommend doing this often, and it's not practical for routine use. I use it when testing automated remediations.
- Determine the related AWS Config rule and use the AWS Config console to re-evaluate the rule.
Otherwise, the Config rules are evaluated every 12 hours.
To find the Config rule, open the finding JSON and look for RelatedAWSResources:0:
"RelatedAWSResources:0/name": "securityhub-restricted-ssh-33f8347e", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
In AWS Config, search for the rule name, e.g. "securityhub-restricted-ssh". Open the rule, click Actions and select Re-evaluate.
To show the status of findings that you have remediated, use the Workflow Status and Notes fields. Set Workflow Status to Resolved and use Notes to record the steps taken. This reduces the need to re-evaluate the rule, though the finding still shows a FAILED status until the next Config rule evaluation.
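The procedure in the answer above (pull the FAILED findings for a control, read the related Config rule name out of the finding's ProductFields, ask Config to re-evaluate that rule, and mark the findings RESOLVED with a note) can be scripted. The block below is an added example, not code from the original answer or from AWS. It uses boto3 calls that exist as written (securityhub.get_findings via its paginator, configservice.start_config_rules_evaluation, securityhub.batch_update_findings); the sample findings are constructed for illustration, and the ControlId filter is an assumption that holds for AWS Foundational Security Best Practices findings (CIS findings carry RuleId in ProductFields instead).

```python
"""Re-trigger the AWS Config rule behind Security Hub findings and mark them resolved.

Added example; the finding records below are constructed, not real findings.
"""

RELATED_PREFIX = "RelatedAWSResources:"
CONFIG_RULE_TYPE = "AWS::Config::ConfigRule"


def config_rule_names(findings):
    """Return the distinct Config rule names referenced by a list of findings.

    Security Hub stores the related Config rule in ProductFields as
    RelatedAWSResources:<n>/name with a matching RelatedAWSResources:<n>/type.
    Only entries whose type is AWS::Config::ConfigRule are kept; order is preserved.
    """
    names = []
    for finding in findings:
        fields = finding.get("ProductFields", {})
        for key, value in fields.items():
            if key.startswith(RELATED_PREFIX) and key.endswith("/type") and value == CONFIG_RULE_TYPE:
                name = fields.get(key[: -len("/type")] + "/name")
                if name and name not in names:
                    names.append(name)
    return names


def batches(items, size):
    """Split a list into chunks of at most `size` items (API batch limits)."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def failed_findings_for_control(securityhub, control_id):
    """Page through ACTIVE findings with ComplianceStatus FAILED for one control ID."""
    filters = {
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        # Assumption: AFSBP findings expose the control as ProductFields.ControlId.
        "ProductFields": [{"Key": "ControlId", "Value": control_id, "Comparison": "EQUALS"}],
    }
    findings = []
    for page in securityhub.get_paginator("get_findings").paginate(Filters=filters):
        findings.extend(page["Findings"])
    return findings


def reevaluate(config, rule_names):
    """Ask AWS Config to re-run the named rules; returns the number of API calls made.

    StartConfigRulesEvaluation accepts at most 25 rule names per request.
    """
    calls = 0
    for batch in batches(rule_names, 25):
        config.start_config_rules_evaluation(ConfigRuleNames=batch)
        calls += 1
    return calls


def mark_resolved(securityhub, findings, note_text, updated_by):
    """Set Workflow Status to RESOLVED and attach a note; returns identifiers updated.

    BatchUpdateFindings accepts at most 100 finding identifiers per request.
    """
    identifiers = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    for batch in batches(identifiers, 100):
        securityhub.batch_update_findings(
            FindingIdentifiers=batch,
            Workflow={"Status": "RESOLVED"},
            Note={"Text": note_text, "UpdatedBy": updated_by},
        )
    return identifiers


# Constructed sample findings (shape follows the ASFF fields used above; IDs are fake).
SAMPLE_FINDINGS = [
    {
        "Id": "finding-1", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "ProductFields": {
            "ControlId": "EC2.19",
            "RelatedAWSResources:0/name": "securityhub-restricted-ssh-33f8347e",
            "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
        },
    },
    {   # second resource failing the same rule: the rule name must not be duplicated
        "Id": "finding-2", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "ProductFields": {
            "ControlId": "EC2.19",
            "RelatedAWSResources:0/name": "securityhub-restricted-ssh-33f8347e",
            "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
        },
    },
    {   # a different control backed by a different Config rule
        "Id": "finding-3", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "ProductFields": {
            "ControlId": "EC2.18",
            "RelatedAWSResources:0/name": "securityhub-restricted-common-ports-1a2b3c4d",
            "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
        },
    },
]


if __name__ == "__main__":
    import boto3  # imported here so the helpers above also run without boto3 installed

    securityhub = boto3.client("securityhub")
    config = boto3.client("config")
    findings = failed_findings_for_control(securityhub, "EC2.19")
    rules = config_rule_names(findings)
    print("re-evaluating", rules)
    reevaluate(config, rules)
    mark_resolved(securityhub, findings, "Security group 22/tcp ingress restricted", "remediation-script")
```

Re-evaluation is asynchronous: the Config rule re-runs and reports to Security Hub afterwards, so the finding's Compliance.Status will still read FAILED for a while after the script returns, which is why the note and RESOLVED workflow status are set at the same time.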
Thank you! Determining the related AWS Config rule and re-evaluating it worked.
Security Hub checks and updates the compliance of enabled Security Standards every 24 hours - see https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-view-controls.html for some additional detail on that. So while there is no way to manually trigger the checks, it will be updated within 24 hours.