How do I resolve an empty or “0%” security score or a “No data” compliance status in Security Hub?


I want to check a standard’s security score in AWS Security Hub, but I see “0%” or “-”. Or, the compliance status of some or all controls shows “No Data”.

Short description

There are several reasons why a standard's security score or overall score might not appear in Security Hub. In these cases, you see one or both of the following:

  • At least one security score shows a hyphen (-) or 0%.
  • The compliance status is No data for any or all the activated controls that are under this standard. In this case, the security score might fail to generate.

Security Hub might fail to generate a control's data or a standard's score for any of the following reasons:

  • Security Hub is running a control evaluation for the first time.
  • You're checking the standard for the first time.
  • An AWS account is newly transitioned or an aggregation Region is newly configured.
  • The standard is in an INCOMPLETE state.
  • Security Hub doesn’t have any active findings for the control.
  • The AWS Config configuration recorder isn't correctly configured.
  • The AWS Config service role doesn't have the necessary permissions.
  • The control is newly released.
  • There are AWS Regional behavior discrepancies.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent version of the AWS CLI.

Security Hub is running a control evaluation for the first time

After you activate Security Hub or a specific security standard, Security Hub runs all initial checks within 2 hours. Most checks start to run within 25 minutes. Until a control completes its first run of checks, its compliance status is No data.

You're checking the standard for the first time

When you first view the Summary or Security standards page in the Security Hub console, Security Hub calculates the initial security score for a standard. This typically takes 30 minutes to complete. During this time, there's no score for the standards, and their controls' compliance status is No data.

An account is newly transitioned or an aggregation Region is newly configured

If you previously saw security scores and the compliance status but they now show no data, then this is likely because of a new configuration. Security Hub generates scores for your organization's admin accounts across all linked AWS Regions within the aggregation Region.

Therefore, the Security Hub console treats a newly configured aggregation Region or a newly transitioned account similar to a newly created account. This includes accounts that transition between a standalone account and an admin account. In this case, the same waiting period applies, and a new comprehensive score and compliance status are available within 30 minutes.

The standard is in the INCOMPLETE state

If all controls for a particular standard result in No data, then run the get-enabled-standards AWS CLI command and check whether the standard's StandardsStatus is INCOMPLETE:

aws securityhub get-enabled-standards --standards-subscription-arns STANDARDS_SUBSCRIPTION_ARN

Note: Replace STANDARDS_SUBSCRIPTION_ARN with the ARN of your standard subscription. Omit the --standards-subscription-arns option to list every enabled standard in the Region.

This state occurs when Security Hub can't create all the activated controls in the standard. Security Hub retries standards that are in the INCOMPLETE state approximately every 12 hours until the status becomes READY. A standard enters the INCOMPLETE state for either of the following reasons:

  • The configuration recorder isn't activated in your account.
  • Transient issues, such as throttling or API failures, occurred while Security Hub was creating the controls.

To troubleshoot this issue, first check the configuration recorder to make sure that you activated and correctly configured it. Then, deactivate and reactivate the security standards subscriptions.
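The following script is an added example, not AWS code or part of this article. It walks the paginated GetEnabledStandards response, reports every subscription whose StandardsStatus is INCOMPLETE, and maps the StatusReasonCode (NO_AVAILABLE_CONFIGURATION_RECORDER or INTERNAL_ERROR) to the corresponding fix from the list above. The response in SAMPLE_RESPONSE is constructed sample data; boto3 is needed only for main().

```python
"""Find Security Hub standards stuck in the INCOMPLETE state.

Added example. Response shape follows the GetEnabledStandards API;
SAMPLE_RESPONSE is constructed, not output from a real account.
"""

# Constructed sample of a get_enabled_standards response.
SAMPLE_RESPONSE = {
    "StandardsSubscriptions": [
        {
            "StandardsSubscriptionArn": (
                "arn:aws:securityhub:us-east-1:111122223333:subscription/"
                "aws-foundational-security-best-practices/v/1.0.0"
            ),
            "StandardsArn": (
                "arn:aws:securityhub:us-east-1::standards/"
                "aws-foundational-security-best-practices/v/1.0.0"
            ),
            "StandardsStatus": "READY",
        },
        {
            "StandardsSubscriptionArn": (
                "arn:aws:securityhub:us-east-1:111122223333:subscription/"
                "cis-aws-foundations-benchmark/v/1.2.0"
            ),
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "StandardsStatus": "INCOMPLETE",
            # StatusReasonCode is NO_AVAILABLE_CONFIGURATION_RECORDER or
            # INTERNAL_ERROR; the value here is part of the constructed sample.
            "StandardsStatusReason": {"StatusReasonCode": "NO_AVAILABLE_CONFIGURATION_RECORDER"},
        },
    ]
}

# Suggested fix per reason code, taken from the troubleshooting text above.
ACTIONS = {
    "NO_AVAILABLE_CONFIGURATION_RECORDER": (
        "Turn on the AWS Config configuration recorder in this Region, "
        "then turn the standard off and back on."
    ),
    "INTERNAL_ERROR": (
        "Transient control-creation failure; wait for the ~12-hour retry "
        "or turn the standard off and back on."
    ),
}


def find_incomplete_standards(response):
    """Return [(subscription_arn, reason_code, suggested_action)] for every
    subscription in one response page whose StandardsStatus is INCOMPLETE."""
    found = []
    for sub in response.get("StandardsSubscriptions", []):
        if sub.get("StandardsStatus") != "INCOMPLETE":
            continue
        reason = sub.get("StandardsStatusReason", {}).get("StatusReasonCode", "UNKNOWN")
        action = ACTIONS.get(reason, "Check the standard again after the retry window.")
        found.append((sub["StandardsSubscriptionArn"], reason, action))
    return found


def main():
    import boto3  # imported here so find_incomplete_standards() runs without boto3

    client = boto3.client("securityhub")
    kwargs = {}
    while True:  # GetEnabledStandards pages with NextToken
        page = client.get_enabled_standards(**kwargs)
        for arn, reason, action in find_incomplete_standards(page):
            print(f"{arn}\n  reason: {reason}\n  action: {action}")
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]


if __name__ == "__main__":
    main()
```

Run it with credentials for the account and Region you are troubleshooting; a standard that prints nothing is READY and the No data status has a different cause.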

Security Hub doesn't have any findings for the control

If Security Hub has been running for more than 2 hours and the compliance status for a control is still No data, then the control has no findings. The following scenarios are common reasons for no findings:

  • A new control has the No data status until it begins to generate findings.
    Note: Newly activated controls typically take 2 hours to generate findings, but might take up to 18 hours. After the control generates findings, the score might take up to 24 hours to update.
  • All the controls' findings are SUPPRESSED.
  • The control isn't generating any findings.
    Note: This occurs when you have no resources for the control.

The configuration recorder isn't correctly configured

Security Hub uses service-linked AWS Config rules to perform most of its security checks for controls. To support these controls, you must activate AWS Config on all accounts. This includes both the administrator account and member accounts in each Region where Security Hub is activated.

If the activated controls generate no findings, then check if the configuration recorder that's in the same Region is correctly configured. To generate the necessary findings, configure the configuration recorder to get the required resource compliance for Security Hub:

  1. Turn on AWS Config and the configuration recorder. Configure the configuration recorder to record the required resource types with a correctly configured delivery channel for each Region where you activated Security Hub.
    Note: Before you proceed to Step 2, allow time for the configuration recorder to take all inventory. To check the status, go to the Settings page on the AWS Config console. If the configuration recorder is still in the Taking inventory state, then the delivery channel isn't correctly configured. In this case, recreate the delivery channel.
  2. Open the Security Hub console, and then turn off the standard that has no score (represented as 0% or -). Wait 20–30 minutes to prevent any transient issues, and then turn the security standard back on. This prompts Security Hub to create all the required AWS Config rules.
    Note: Security Hub creates AWS Config rules only within 31 days after you activate the standard.
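The two steps above, as an added example that is not AWS code or part of this article: recorder_problems() inspects the responses of DescribeConfigurationRecorders, DescribeConfigurationRecorderStatus and DescribeDeliveryChannels and lists anything that would leave Security Hub controls without data (no recorder, nothing recorded, recorder not recording or failing, no delivery channel); only if that list is empty does recycle_standard() turn the standard off, wait, and turn it back on so Security Hub re-creates its AWS Config rules. The sample responses are constructed, STANDARDS_ARN is a placeholder you must replace, and boto3 is needed only for the live calls in main().

```python
"""Verify the AWS Config recorder, then recycle a Security Hub standard.

Added example. Response shapes follow the AWS Config and Security Hub APIs;
SAMPLE_* values are constructed, not from a real account.
"""
import time

# Placeholder: replace with the ARN of the standard that shows 0% or "-".
STANDARDS_ARN = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"

# Constructed sample responses.
SAMPLE_RECORDERS = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True, "resourceTypes": []},
}]}
SAMPLE_STATUS = {"ConfigurationRecordersStatus": [{"name": "default", "recording": True, "lastStatus": "Success"}]}
SAMPLE_CHANNELS = {"DeliveryChannels": [{"name": "default", "s3BucketName": "config-bucket-111122223333"}]}


def recorder_problems(recorders, statuses, channels):
    """Return a list of problems that would leave Security Hub controls with
    No data; an empty list means the recorder looks usable."""
    problems = []
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return ["no configuration recorder in this Region"]
    rec = recs[0]  # a Region has at most one configuration recorder
    group = rec.get("recordingGroup", {})
    if not group.get("allSupported") and not group.get("resourceTypes"):
        problems.append("recorder records no resource types")
    status = next((s for s in statuses.get("ConfigurationRecordersStatus", [])
                   if s.get("name") == rec.get("name")), {})
    if not status.get("recording"):
        problems.append("recorder is not recording")
    if status.get("lastStatus") == "Failure":
        problems.append(f"last recorder run failed: {status.get('lastErrorCode')} "
                        f"{status.get('lastErrorMessage')}")
    if not channels.get("DeliveryChannels"):
        problems.append("no delivery channel (recorder cannot finish taking inventory)")
    return problems


def recycle_standard(securityhub, standards_arn, wait_seconds=1500):
    """Turn a standard off, wait 20-30 minutes, and turn it on again so that
    Security Hub re-creates its AWS Config rules. Returns the new subscription ARN."""
    page = securityhub.get_enabled_standards()
    sub_arns = [s["StandardsSubscriptionArn"] for s in page["StandardsSubscriptions"]
                if s["StandardsArn"] == standards_arn]
    if not sub_arns:
        raise SystemExit(f"{standards_arn} is not enabled in this Region")
    securityhub.batch_disable_standards(StandardsSubscriptionArns=sub_arns)
    time.sleep(wait_seconds)  # lets transient issues clear before re-enabling
    resp = securityhub.batch_enable_standards(
        StandardsSubscriptionRequests=[{"StandardsArn": standards_arn}])
    return resp["StandardsSubscriptions"][0]["StandardsSubscriptionArn"]


def main():
    import boto3  # only needed for the live calls

    config = boto3.client("config")
    problems = recorder_problems(config.describe_configuration_recorders(),
                                 config.describe_configuration_recorder_status(),
                                 config.describe_delivery_channels())
    if problems:
        raise SystemExit("Fix AWS Config before recycling the standard:\n  " + "\n  ".join(problems))
    print("re-enabled as", recycle_standard(boto3.client("securityhub"), STANDARDS_ARN))


if __name__ == "__main__":
    main()
```

Run the script once per Region where the standard shows no score; it refuses to recycle the standard while the recorder is misconfigured, because re-creating the rules does nothing until AWS Config can evaluate them.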

The AWS Config service role doesn't have necessary permissions

Most Security Hub controls are associated with an AWS Config rule. If a control returns No data, then AWS Config might use a service role (instead of a service-linked role) that doesn’t have the necessary permissions. To check if AWS Config is correctly evaluating the associated rule, run the describe-config-rule-evaluation-status AWS CLI command. If the service role doesn't have the necessary permissions to evaluate the rule, then you see an output with an error message that provides additional information. For example, you see a message such as, additional permissions needed.
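The check described above, as an added example that is not AWS code or part of this article: failing_securityhub_rules() scans the paginated DescribeConfigRuleEvaluationStatus response for Security Hub-managed rules (their names start with securityhub-) whose most recent evaluation failed, and uses_service_linked_role() tells a custom service role apart from the AWSServiceRoleForConfig service-linked role on the recorder. The sample response, including its error code and "additional permissions" message, is constructed; boto3 is needed only for main().

```python
"""Report Security Hub-managed AWS Config rules that fail to evaluate.

Added example. Response shapes follow DescribeConfigRuleEvaluationStatus and
DescribeConfigurationRecorders; sample data is constructed.
"""
from datetime import datetime, timezone

SERVICE_LINKED_ROLE_SUFFIX = "/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"

# Constructed sample. Security Hub names its rules "securityhub-<control>-<suffix>";
# the error code and message below are illustrative, not the service's literal strings.
SAMPLE_EVAL_STATUS = {"ConfigRulesEvaluationStatus": [
    {"ConfigRuleName": "securityhub-s3-bucket-public-read-prohibited-0a1b2c3d",
     "LastSuccessfulEvaluationTime": datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc),
     "FirstEvaluationStarted": True},
    {"ConfigRuleName": "securityhub-iam-password-policy-4e5f6a7b",
     "LastSuccessfulEvaluationTime": datetime(2024, 4, 30, 10, 0, tzinfo=timezone.utc),
     "LastFailedEvaluationTime": datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc),
     "LastErrorCode": "InsufficientPermissions",
     "LastErrorMessage": "Additional permissions needed: iam:GetAccountPasswordPolicy",
     "FirstEvaluationStarted": True},
    {"ConfigRuleName": "my-custom-rule", "LastErrorCode": "Unknown", "FirstEvaluationStarted": False},
]}


def failing_securityhub_rules(response):
    """Return [(rule_name, error_code, error_message)] for securityhub-* rules
    whose last evaluation failed (never succeeded, or failed after the last success)."""
    out = []
    for r in response.get("ConfigRulesEvaluationStatus", []):
        name = r.get("ConfigRuleName", "")
        if not name.startswith("securityhub-"):
            continue  # not a Security Hub control rule
        ok, failed = r.get("LastSuccessfulEvaluationTime"), r.get("LastFailedEvaluationTime")
        if failed and (ok is None or failed > ok):
            out.append((name, r.get("LastErrorCode"), r.get("LastErrorMessage")))
    return out


def uses_service_linked_role(role_arn):
    """True when the recorder runs as the AWSServiceRoleForConfig service-linked role."""
    return role_arn.endswith(SERVICE_LINKED_ROLE_SUFFIX)


def main():
    import boto3  # only needed for the live calls

    config = boto3.client("config")
    for rec in config.describe_configuration_recorders()["ConfigurationRecorders"]:
        if not uses_service_linked_role(rec["roleARN"]):
            print(f"recorder {rec['name']} uses custom role {rec['roleARN']}; verify its permissions")
    kwargs = {}
    while True:  # DescribeConfigRuleEvaluationStatus pages with NextToken
        page = config.describe_config_rule_evaluation_status(**kwargs)
        for name, code, msg in failing_securityhub_rules(page):
            print(f"{name}: {code}: {msg}")
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]


if __name__ == "__main__":
    main()
```

A rule listed by the script together with a custom (non service-linked) recorder role points at missing permissions on that role; a rule listed while the recorder already uses the service-linked role usually indicates a recorder or resource-type problem instead.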

The control is newly released

If AWS recently released a set of controls, then their scores aren't available for a period of time. If a score evaluation starts while a control is being released, then it can take up to 24 hours for the next successful score evaluation to complete.

For the latest updates to Security Hub, see Document history for the AWS Security Hub User Guide.

There are Regional behavior discrepancies

There are some situations when a standard displays No data because of Regional discrepancies:

  • Some standards, such as CIS 2.3 and CIS 2.6, sometimes show No data. This happens when AWS CloudTrail aggregates and stores logs in a single, centralized Amazon Simple Storage Service (Amazon S3) bucket. In this case, Security Hub runs the check only against the account and Region where the centralized Amazon S3 bucket is located. Therefore, the data is available only where the centralized S3 bucket is located, and the control shows No data in other Regions.
  • For nearly all of the CIS 3.1-3.14 controls and CIS 1.1, Security Hub checks result in a No data control status in the following cases:
    The multi-Region trail is based in a different Region. Security Hub can generate findings only in the Region where the trail is based.
    The multi-Region trail belongs to a different account. Security Hub can generate findings only for the account that owns the trail.
  • Security Hub doesn't support the control in a particular Region. Such controls appear in an unsupported Region only if you configured an aggregation Region (cross-Region or cross-account aggregation). To check if a control is supported in a particular Region, see Availability of controls by Region.
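The CloudTrail cases above, as an added example that is not AWS code or part of this article: explain_trail_coverage() reads a DescribeTrails response (with includeShadowTrails so that trails homed in other Regions are visible), and for each multi-Region trail states the account and home Region where Security Hub can evaluate the CloudTrail-based controls, so that a No data status in the current account and Region can be traced to a trail that is homed elsewhere or owned by another account. The trail list is constructed; boto3 is needed only for main().

```python
"""Explain where CloudTrail-based Security Hub controls will report.

Added example. Response shape follows DescribeTrails; SAMPLE_TRAILS is
constructed, not from a real account.
"""

# Constructed sample: an organization trail homed in another account/Region,
# plus a single-Region trail that CloudTrail controls do not count.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-west-2:999999999999:trail/org-trail",
     "HomeRegion": "us-west-2", "IsMultiRegionTrail": True, "IsOrganizationTrail": True,
     "S3BucketName": "central-cloudtrail-logs"},
    {"Name": "local-only", "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/local-only",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False, "S3BucketName": "eu-logs"},
]}


def account_from_arn(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def explain_trail_coverage(trails, my_account, my_region):
    """Return one line per multi-Region trail saying where Security Hub can
    evaluate the CloudTrail-based controls for it, relative to the caller."""
    notes = []
    for t in trails.get("trailList", []):
        if not t.get("IsMultiRegionTrail"):
            continue  # single-Region trails do not satisfy the multi-Region checks
        owner, home = account_from_arn(t["TrailARN"]), t["HomeRegion"]
        where = f"account {owner}, Region {home}, bucket {t.get('S3BucketName')}"
        if owner == my_account and home == my_region:
            notes.append(f"{t['Name']}: evaluated here ({where})")
        elif owner != my_account:
            notes.append(f"{t['Name']}: owned by another account; findings only in {where}, No data here")
        else:
            notes.append(f"{t['Name']}: homed elsewhere; findings only in {where}, No data here")
    if not notes:
        notes.append("no multi-Region trail visible; CloudTrail-based controls have no findings here")
    return notes


def main():
    import boto3  # only needed for the live calls

    cloudtrail = boto3.client("cloudtrail")
    account = boto3.client("sts").get_caller_identity()["Account"]
    trails = cloudtrail.describe_trails(includeShadowTrails=True)
    for line in explain_trail_coverage(trails, account, cloudtrail.meta.region_name):
        print(line)


if __name__ == "__main__":
    main()
```

Run it in the account and Region that shows No data; the output names the account and Region (and log bucket) where the findings for those controls actually exist.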
AWS OFFICIAL
Updated 10 months ago