By using AWS re:Post, you agree to the Terms of Use
/Security Hub - AWS Foundational Security Best Practices/

Security Hub - AWS Foundational Security Best Practices



I am working on resolving various AWS CIS Benchmarks in Security Hub and I am wondering if there is any way to re-run or manually trigger to re-check the rule if compliance is met. I've updated multiple configurations to comply with rules that are currently at failed status, but I don't see an option to force security hub to re-evaluate whether various benchmarks are currently in compliance or not.


2 Answers
Accepted Answer

AWS Security Hub consolidates findings from other sources, such as AWS Config. It doesn't evaluate the compliance policies directly. Rather, every 12 hours AWS Config reports failed compliance rules to AWS Security Hub, and Security Hub asserts findings for each of the Security Standards.

I've found 2 ways to re-trigger the Config rules:

  1. Disable/enable the CIS standard. I would not recommend doing this often, and it's not practical for routine use. I use it when testing automated remediations.
  2. Determine the related AWS Config rule and use the AWS Config console to re-evaluate the rule.

Otherwise, the Config rules are evaluated every 12 hours.

To find the config rule, open the finding json and look for RelatedAWSResources:0:

"RelatedAWSResources:0/name": "securityhub-restricted-ssh-33f8347e",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",

In AWS Config, search for the rule name, ex. "securityhub-restricted-ssh". Open the rule, click Actions and select Re-evaluate.

To show the status of findings that you have remediated, use the Workflow Status and Notes fields. Set WorkFlow Status to Resolved and use Notes to record steps taken. This reduces the need to re-evaluate the rule, though it still shows a FAILED status until the next config rule eval.

answered 4 months ago
  • Thank you! Determine the related AWS Config rule and reevaluating worked.


In SecurityHub it checks and updates the compliance of enabled Security Standards every 24 hours - see for some additiona; detail on that. So while there is no way to manually trigger the checks, it will be updated within 24 hours.

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions