aws-security-reference-architecture-examples
[BUG] certain Security Hub standard controls should be disabled when deploying to regions other than home
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Describe the bug
Per Amazon's Security Hub docs, we should disable Config.1 and some IAM controls in non-default regions:
https://docs.aws.amazon.com/securityhub/latest/userguide/config-controls.html#config-1
To allow security checks against global resources in each Region, you also must record global resources. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.
When the sra-securityhub-org Lambda runs, it enables all controls, regardless of region.
To Reproduce
Steps to reproduce the behavior:
Deploy the sra-securityhub-org solution through Control Tower.
Expected behavior
Controls for Security Hub standards that are not pertinent will be disabled in non-default regions, so that controls for global resources are only tested once.
Deployment Environment (please complete the following information)
- Customizations for Control Tower and CloudFormation StackSets
- SRA solution version 1.5
Additional context
A proposed solution is available in this PR against my fork of aws-security-reference-architecture-examples.
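As an added illustration of the expected behaviour (example code written for this page, not code from the sra-securityhub-org solution or the linked PR): a small planner keeps Config.1 enabled only in the home region that records global resources and disables it in every other region through the Security Hub BatchUpdateStandardsControlAssociations API. The FSBP standards ARN template, the home region and the region list are assumptions; the IAM control IDs the linked doc page names would be added to the same tuple.

```python
"""Disable global-resource Security Hub controls outside the home region."""

# Config.1 is the control the Security Hub docs say to disable outside the
# Region that records global resources; the IAM control IDs from the linked
# doc page belong in this tuple too (left out here rather than guessed).
GLOBAL_RESOURCE_CONTROLS = ("Config.1",)

# Assumption: the target standard is AWS FSBP; its StandardsArn is regional.
STANDARDS_ARN_TEMPLATE = (
    "arn:aws:securityhub:{region}::standards/"
    "aws-foundational-security-best-practices/v/1.0.0"
)


def plan_control_updates(home_region, regions, controls=GLOBAL_RESOURCE_CONTROLS,
                         arn_template=STANDARDS_ARN_TEMPLATE):
    """Return {region: [StandardsControlAssociationUpdate, ...]}: controls stay
    ENABLED in home_region and are DISABLED elsewhere, so each global resource
    is checked once. UpdatedReason is required when disabling, so set only then."""
    plan = {}
    for region in regions:
        updates = []
        for control_id in controls:
            update = {
                "SecurityControlId": control_id,
                "StandardsArn": arn_template.format(region=region),
                "AssociationStatus": "ENABLED" if region == home_region else "DISABLED",
            }
            if update["AssociationStatus"] == "DISABLED":
                update["UpdatedReason"] = f"Global resources are recorded in {home_region} only"
            updates.append(update)
        plan[region] = updates
    return plan


def apply_plan(plan, client_factory):
    """Send each region's updates; client_factory(region) returns a Security Hub
    client. Returns {region: unprocessed update count} so callers can fail loudly."""
    unprocessed = {}
    for region, updates in plan.items():
        resp = client_factory(region).batch_update_standards_control_associations(
            StandardsControlAssociationUpdates=updates
        )
        unprocessed[region] = len(resp.get("UnprocessedAssociationUpdates", []))
    return unprocessed


if __name__ == "__main__":
    import boto3  # only needed to actually call Security Hub

    # Assumption: us-east-1 is the home region and these are the governed regions.
    plan = plan_control_updates("us-east-1", ["us-east-1", "us-west-2", "eu-west-1"])
    print(apply_plan(plan, lambda r: boto3.client("securityhub", region_name=r)))
```

Run from the management or delegated-administrator account with Security Hub permissions in each region; a non-zero count in the returned dict means that region's update did not fully apply.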
Hello, AWS team. I've submitted this per the contributing guidelines. Is there something else I can do to get the conversation going? Thank you.