terraform-aws-control_tower_account_factory
High volume of messages being published to SNS topic "aws-controltower-AggregateSecurityNotifications"
Terraform Version: Terraform v1.5.7
AFT Version: 1.10.4 (can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version)

Terraform Version & Provider Versions
Please provide the outputs of terraform version and terraform providers from within your AFT environment.

terraform version:

```
Terraform v1.5.7
```

terraform providers:

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.27.0"
    }
  }
}
```
Bug Description
A high volume of messages is being published to the SNS topic "aws-controltower-AggregateSecurityNotifications", which resulted in AWS disabling the subscription on the above topic to avoid any further ISP blacklisting.

To Reproduce
Steps to reproduce the behavior:
- Enable Control Tower through the AFT module
- Delegate administrator access to the Audit account
- Enable AWS Security Hub services

Expected behavior
- Ability to override the default SNS topic policy maxReceivesPerSecond to a custom value
- Ability to modify the EventBridge rule "aws-controltower-ConfigComplianceChangeEventRule" configured by the CT AFT module to add a filter that triggers on 'NON_COMPLIANT' instead of all.
Related Logs
An AWS automated email from the SNS team for disabling the topic:

_"This is an automatic notification from the Amazon SNS team. We have detected a high rate of messages being published to an Amazon SNS topic to which you have email endpoints subscribed. This has resulted in a high volume of messages being sent to the same email addresses, via your Amazon SNS topic. High email send rates to the same destination email addresses can cause external Internet Service Providers (ISPs) to identify sender email addresses, and their associated Internet Protocol (IP) addresses, as sources of email spam. ISPs will often blacklist these email and IP addresses and prevent subsequent emails from being successfully delivered. To avoid blacklisting, we have disabled email subscriptions on this Amazon SNS topic."_

Additional context
The root cause of this issue seems to be the config rule "securityhub-backup-recovery-point-encrypted-b4e9b0d1", which seems to be triggering on every AWS Backup job that has created DynamoDB recovery points. This rule is triggered on each and every recovery point created as part of an AWS Backup job, resulting in too many COMPLIANT notifications being sent to the SNS topic per recovery point and causing unnecessary email traffic.
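The filtering the expected-behavior section asks for, shown as an added Terraform example that is not code from AFT, Control Tower, or the issue author. It creates a separate EventBridge rule whose event pattern matches AWS Config compliance-change events only when the new evaluation result is NON_COMPLIANT, targets an SNS topic with it, and grants EventBridge publish rights on that topic. It does not modify the Control Tower-managed rule named in the issue. The variable `notification_topic_arn`, the rule name `config-compliance-change-noncompliant-only`, and all resource labels are assumptions.

```hcl
# Added example (not AFT or Control Tower code). Assumed input: the ARN of the
# SNS topic that should receive only NON_COMPLIANT compliance-change notifications.
variable "notification_topic_arn" {
  description = "SNS topic ARN for NON_COMPLIANT notifications (assumed input)"
  type        = string
}

# Standalone rule (name is illustrative). The pattern keeps the same source and
# detail-type as Config compliance-change events but additionally requires
# detail.newEvaluationResult.complianceType == NON_COMPLIANT, so the per-recovery-point
# COMPLIANT evaluations described in the issue never reach the target.
resource "aws_cloudwatch_event_rule" "config_noncompliant_only" {
  name        = "config-compliance-change-noncompliant-only"
  description = "Config compliance changes, filtered to NON_COMPLIANT evaluations only"

  event_pattern = jsonencode({
    "source"      = ["aws.config"]
    "detail-type" = ["Config Rules Compliance Change"]
    "detail" = {
      "messageType" = ["ComplianceChangeNotification"]
      "newEvaluationResult" = {
        "complianceType" = ["NON_COMPLIANT"]
      }
    }
  })
}

# Deliver matching events to the assumed SNS topic.
resource "aws_cloudwatch_event_target" "config_noncompliant_to_sns" {
  rule      = aws_cloudwatch_event_rule.config_noncompliant_only.name
  target_id = "sns-noncompliant"
  arn       = var.notification_topic_arn
}

# Least-privilege topic policy: only EventBridge, and only on behalf of this
# specific rule, may publish to the topic.
data "aws_iam_policy_document" "allow_eventbridge_publish" {
  statement {
    sid       = "AllowEventBridgePublishFromFilteredRule"
    effect    = "Allow"
    actions   = ["sns:Publish"]
    resources = [var.notification_topic_arn]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.config_noncompliant_only.arn]
    }
  }
}

resource "aws_sns_topic_policy" "allow_eventbridge_publish" {
  arn    = var.notification_topic_arn
  policy = data.aws_iam_policy_document.allow_eventbridge_publish.json
}
```

Because the filter is applied in the event pattern, COMPLIANT evaluations are discarded by EventBridge before any message is published, which is what keeps the email send rate down; a filter applied at the SNS subscription would still count every publish against the topic. Email subscriptions that should only see failures would be attached to the topic referenced by `notification_topic_arn` rather than to the aggregate topic named in the issue.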
Hey @sat007! Thank you for bringing this to our attention! I have created a backlog item to review this issue.
Related issue: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/295