awslabs / aws-securityhub-multiaccount-scripts

This script automates the process of running the Security Hub multi-account workflow across a group of accounts that are in your control
MIT No Attribution

AWS Foundational Security Best Practices v1.0.0 getting enabled by default #61

Open venkat197872 opened 3 years ago

venkat197872 commented 3 years ago

When I run a command like the one below for only CIS benchmark enablement, AWS Foundational Security Best Practices v1.0.0 is also getting enabled by default. Is it possible not to enable AWS Foundational Security Best Practices v1.0.0 by default?

enablesecurityhub.py --master_account *** --assume_role ManageSecurityHub1 --enabled_regions us-west-2 --enable_standards arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 accounts.csv

ryanholland commented 3 years ago

When enabling Security Hub via the API both CIS and Foundational Security Best Practices are now enabled by default. If you want to disable the Foundational Security Best Practices standard you can use the disablesecurityhub.py script in this repo with the '--disable_standards_only' option to disable that standard.

Also if you use AWS Organizations you might want to leverage the delegated administrator feature to enable Security Hub on all accounts, and any new accounts with the auto-enable feature. https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
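The workaround described in the reply above, as an added example that is not part of the original thread or of the repository's scripts: it lists the standards enabled in one account and region and disables every standard that was not requested. The function names and the `FakeSecurityHub` stand-in are hypothetical, and the account ID and subscription ARNs are constructed sample values; only the boto3 Security Hub calls `get_enabled_standards`, `batch_enable_standards` and `batch_disable_standards` are real.

```python
# Added example: not part of awslabs/aws-securityhub-multiaccount-scripts.
CIS = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"  # from the issue
# Constructed sample values (region us-west-2, placeholder account 111111111111):
FSBP = "arn:aws:securityhub:us-west-2::standards/aws-foundational-security-best-practices/v/1.0.0"
FSBP_SUB = "arn:aws:securityhub:us-west-2:111111111111:subscription/aws-foundational-security-best-practices/v/1.0.0"
CIS_SUB = "arn:aws:securityhub:us-west-2:111111111111:subscription/cis-aws-foundations-benchmark/v/1.2.0"


def enabled_standards(client):
    """Map StandardsArn -> StandardsSubscriptionArn for the client's account and region."""
    subs, token = {}, None
    while True:  # follow NextToken so no enabled standard is missed
        page = client.get_enabled_standards(**({"NextToken": token} if token else {}))
        for sub in page.get("StandardsSubscriptions", []):
            subs[sub["StandardsArn"]] = sub["StandardsSubscriptionArn"]
        token = page.get("NextToken")
        if not token:
            return subs


def reconcile_standards(client, wanted_arns, dry_run=False):
    """Enable missing wanted standards, disable all others; return (to_enable, to_disable)."""
    current, wanted = enabled_standards(client), set(wanted_arns)
    to_enable = sorted(wanted - current.keys())
    to_disable = sorted(sub for std, sub in current.items() if std not in wanted)
    if not dry_run:
        if to_enable:
            client.batch_enable_standards(
                StandardsSubscriptionRequests=[{"StandardsArn": arn} for arn in to_enable])
        if to_disable:
            client.batch_disable_standards(StandardsSubscriptionArns=to_disable)
    return to_enable, to_disable


class FakeSecurityHub:
    """Constructed offline stand-in for boto3.client('securityhub')."""
    def __init__(self, subs):
        self.subs = dict(subs)  # StandardsArn -> StandardsSubscriptionArn
    def get_enabled_standards(self, **kwargs):
        return {"StandardsSubscriptions": [
            {"StandardsArn": k, "StandardsSubscriptionArn": v} for k, v in self.subs.items()]}
    def batch_enable_standards(self, StandardsSubscriptionRequests):
        for req in StandardsSubscriptionRequests:
            self.subs[req["StandardsArn"]] = "constructed-subscription/" + req["StandardsArn"]
    def batch_disable_standards(self, StandardsSubscriptionArns):
        self.subs = {k: v for k, v in self.subs.items() if v not in StandardsSubscriptionArns}


if __name__ == "__main__":
    # Real use (assumption: credentials for the member account are configured):
    #   import boto3; client = boto3.client("securityhub", region_name="us-west-2")
    client = FakeSecurityHub({CIS: CIS_SUB, FSBP: FSBP_SUB})
    print(reconcile_standards(client, [CIS]))
```

Running it with `dry_run=True` first shows which subscriptions would be disabled before any change is made. For accounts where Security Hub is not yet enabled, boto3's `enable_security_hub` also accepts `EnableDefaultStandards=False`, which skips the default standards at enablement time.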

venkat197872 commented 3 years ago

OK, thank you Ryan. I really found this asset very useful.

It would have been great if we could just enable CIS best practices without the "Foundational Security Best Practices" using the enablesecurityhub.py. As a workaround we will run the disablesecurityhub.py as you suggested.

I will explore the delegated administrator feature to enable Security Hub.

Thank you

ykcab commented 3 years ago

I upvote this. There is no point in enabling the Foundational Security Best Practices when using the enablesecurity.py script.