- Newest
- Most votes
- Most comments
AWS Security Hub consolidates findings from other sources, such as AWS Config. It doesn't evaluate the compliance policies directly. Rather, every 12 hours AWS Config reports failed compliance rules to AWS Security Hub, and Security Hub asserts findings for each of the Security Standards.
I've found 2 ways to re-trigger the Config rules:
- Disable/enable the CIS standard. I would not recommend doing this often, and it's not practical for routine use. I use it when testing automated remediations.
- Determine the related AWS Config rule and use the AWS Config console to re-evaluate the rule.
Otherwise, the Config rules are evaluated every 12 hours.
To find the config rule, open the finding json and look for RelatedAWSResources:0:
"RelatedAWSResources:0/name": "securityhub-restricted-ssh-33f8347e",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
In AWS Config, search for the rule name, ex. "securityhub-restricted-ssh". Open the rule, click Actions and select Re-evaluate.
To show the status of findings that you have remediated, use the Workflow Status and Notes fields. Set WorkFlow Status to Resolved and use Notes to record steps taken. This reduces the need to re-evaluate the rule, though it still shows a FAILED status until the next config rule eval.
In SecurityHub it checks and updates the compliance of enabled Security Standards every 24 hours - see https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-view-controls.html for some additiona; detail on that. So while there is no way to manually trigger the checks, it will be updated within 24 hours.
Relevant content
- asked 2 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Thank you! Determine the related AWS Config rule and reevaluating worked.