SECURITYHUB controls (3)
CTL.SECURITYHUB.ENABLED.001
AWS Security Hub Must Be Enabled
- Severity: high
- Type: unsafe_state
- Domain: exposure
- Compliance: fedramp_moderate: SI-4; ffiec: CAT-D3; gdpr: Art.32; iso_27001_2022: A.8.16; nist_800_53_r5: SI-4; nist_csf_2.0: DE.CM; pci_dss_v4.0: 11.3.1; soc2: CC7.1
Security Hub must be enabled to aggregate security findings from GuardDuty, Inspector, Macie, and Config into a unified view.
Remediation: Enable Security Hub by running: aws securityhub enable-security-hub --enable-default-standards
CTL.SECURITYHUB.INCOMPLETE.001
Complete Data Required for Security Hub Assessment
- Severity: info
- Type: unsafe_state
- Domain: exposure
The observation snapshot is missing required Security Hub properties.
Remediation: Ensure the extractor calls aws securityhub describe-hub.
CTL.SECURITYHUB.STANDARDS.001
Security Hub Must Have Relevant Standards Enabled
- Severity: high
- Type: unsafe_state
- Domain: governance
- Compliance: fedramp_moderate: SI-4; nist_800_53_r5: SI-4; pci_dss_v4.0: 11.3.1; soc2: CC7.1
Safety mechanism integrity control. Checks that security guardrails are actively enforcing, not just present.
Remediation: Review the specific guardrail identified in this finding and restore it to an enforcing state.