AWS Yarns

A blog about AWS things.

A Script To Disable Security Hub In All Regions

Posted by Chris McKinnel - 12 April 2021

TL;DR: I wrote a script to disable Security Hub in all accounts, in all regions, and open-sourced it.

Wait, before you read this - are you sure you want to disable Security Hub? It's a pretty good service that can give you key insights into what is happening in your AWS accounts, and there aren't many use cases where it should be disabled.

My situation is a little special. A while back I ran an AWS Immersion day where I had 30 people at CCL deploy our IP for Landing Zones, which included a Service Catalog product that enabled Security Hub in all regions, for all accounts in the Landing Zone.

I've since realised that while AWS recommends we enable Security Hub in all accounts in all regions, they probably only mean in the regions we're currently using. Even though this language isn't clear in the documentation, it's pretty damn obvious when you think about it. Especially if you have SCPs defined that lock your users down to only the regions they're allowed to use.

Anyway, I had Security Hub enabled in one of my test Landing Zone accounts, which had the 3 core accounts and 4 other member accounts. I had enabled Security Hub in all of these accounts in every region where it was supported.

It turns out this is a lot of regions, and there are a lot of checks per region!

Bill shock

I noticed a $150 charge on my credit card bill from AWS and thought I'd accidentally enabled Business Support on one of my test accounts, until I tracked the amount down to Security Hub in my Landing Zone master.

AWS bill meme.

Wowza! How could Security Hub rack up $150 in charges in just a month?

It turns out that if you enable it using the freely available scripts on the AWS Samples GitHub with a compliance frequency of 1 day and set the region filter to "SecurityHub" (all regions that Security Hub supports), it will generate around 5.5 million paid compliance checks a month, for each region.

Because each 100k paid compliance checks costs $0.001, this means each region costs around $5.50 USD a month. And there are a heap of regions!

Argh, let's disable it all and start again

Unfortunately, the free script doesn't appear to offer an obvious way to disable Security Hub. Partly that's because it's deployed as a Lambda, but going through the code it also looks to be enable-only.

I decided to write a script that would disable it for me, because going through every account and every region by hand, in both the Security Hub master account and each of its members, would be a nightmare.

You can find the source of the script on GitHub.

Disable Security Hub script screen-shot.

It will:

  1. Disassociate all member accounts from the master in all enabled regions
  2. Delete all member accounts from the master in all enabled regions
  3. Disable Security Hub in all member accounts, in all enabled regions
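The three steps above, in the same order, as an added Python/boto3 example. This is not the script linked from the post; it is written here to show the sequence and the edge case a teardown script has to handle (a member region where Security Hub was never enabled, which the API rejects). It assumes the caller holds credentials for the master account and that a role named by `MEMBER_ROLE_NAME` (an assumed name, change it to whatever your Landing Zone uses) can be assumed in every member account. The `FakeSecurityHub` class is a constructed in-memory stand-in for the boto3 client so the logic can be exercised offline; `main` wires up real clients.

```python
"""Disable Security Hub in a master account and all of its members, region by
region: disassociate members, delete members, then disable the service."""
import logging
from typing import Callable, Dict, List

log = logging.getLogger("disable-securityhub")
MEMBER_ROLE_NAME = "OrganizationAccountAccessRole"  # assumption, adjust to your org


def list_member_ids(hub) -> List[str]:
    """Page through ListMembers and return every member account id."""
    ids, token = [], None
    while True:
        kwargs = {"NextToken": token} if token else {}
        resp = hub.list_members(OnlyAssociated=False, **kwargs)
        ids.extend(m["AccountId"] for m in resp.get("Members", []))
        token = resp.get("NextToken")
        if not token:
            return ids


def disable_in_account(hub, label: str, dry_run: bool) -> bool:
    """Disable Security Hub via one client; False if it was not enabled there."""
    if dry_run:
        log.info("[dry-run] would disable Security Hub in %s", label)
        return True
    try:
        hub.disable_security_hub()
        return True
    except hub.exceptions.InvalidAccessException:
        # boto3 exposes modelled errors on client.exceptions; this one is what
        # Security Hub returns when the service is not enabled for the caller.
        log.info("Security Hub not enabled in %s, nothing to do", label)
        return False


def disable_region(master_hub, region: str,
                   member_hub_for: Callable[[str, str], object],
                   dry_run: bool = True) -> Dict[str, object]:
    """Run steps 1-3 for one region. Members are removed from the master
    before anything is disabled, matching the order in the post."""
    members = list_member_ids(master_hub)
    if members and not dry_run:
        master_hub.disassociate_members(AccountIds=members)  # step 1
        master_hub.delete_members(AccountIds=members)        # step 2
    disabled = []
    for account_id in members:                               # step 3
        hub = member_hub_for(account_id, region)
        if disable_in_account(hub, f"{account_id}/{region}", dry_run):
            disabled.append(account_id)
    disable_in_account(master_hub, f"master/{region}", dry_run)
    return {"region": region, "members": members, "disabled_members": disabled}


class FakeSecurityHub:
    """Constructed in-memory stand-in for a boto3 securityhub client."""
    class exceptions:
        class InvalidAccessException(Exception):
            pass

    def __init__(self, enabled=True, members=None, page_size=2):
        self.enabled, self.page_size = enabled, page_size
        self.members, self.calls = list(members or []), []

    def list_members(self, OnlyAssociated=True, NextToken=None):
        start = int(NextToken or 0)
        page = self.members[start:start + self.page_size]
        resp = {"Members": [{"AccountId": a} for a in page]}
        if start + self.page_size < len(self.members):
            resp["NextToken"] = str(start + self.page_size)
        return resp

    def disassociate_members(self, AccountIds):
        self.calls.append(("disassociate", tuple(AccountIds)))

    def delete_members(self, AccountIds):
        self.calls.append(("delete", tuple(AccountIds)))
        self.members = [m for m in self.members if m not in AccountIds]

    def disable_security_hub(self):
        if not self.enabled:
            raise self.exceptions.InvalidAccessException("not enabled")
        self.enabled = False


def demo():
    """Constructed scenario: a master with three members, one of which never
    had Security Hub enabled in this region."""
    master = FakeSecurityHub(members=["111111111111", "222222222222", "333333333333"])
    fakes = {"222222222222": FakeSecurityHub(enabled=False)}
    member_hub_for = lambda acct, region: fakes.setdefault(acct, FakeSecurityHub())
    result = disable_region(master, "ap-southeast-2", member_hub_for, dry_run=False)
    return master, fakes, result


def main(dry_run: bool = True):
    """Real run against AWS: one securityhub client per supported region."""
    import boto3  # only needed for a live run
    session = boto3.session.Session()
    sts = session.client("sts")

    def member_hub_for(account_id, region):
        creds = sts.assume_role(
            RoleArn=f"arn:aws:iam::{account_id}:role/{MEMBER_ROLE_NAME}",
            RoleSessionName="disable-securityhub")["Credentials"]
        return session.client("securityhub", region_name=region,
                              aws_access_key_id=creds["AccessKeyId"],
                              aws_secret_access_key=creds["SecretAccessKey"],
                              aws_session_token=creds["SessionToken"])

    for region in session.get_available_regions("securityhub"):
        print(disable_region(session.client("securityhub", region_name=region),
                             region, member_hub_for, dry_run))


if __name__ == "__main__":
    main(dry_run=True)
```

`dry_run` defaults to on so a first pass only lists what would be touched; flip it once the member list looks right. Disabling the master last matters: it is the account that holds the member relationships, so the disassociate and delete calls have to succeed before it goes away.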

Hopefully it helps save you some time and money, and feel free to do a pull request to fix any of the bugs I'm sure exist in it!