awslabs/landing-zone-accelerator-on-aws

controlsToDisable does not disable per region

Opened this issue · 1 comment

Describe the bug
Security Hub docco recommends disabling SH controls that are assessing global services to reduce noise and cost.
https://docs.aws.amazon.com/securityhub/latest/userguide/controls-to-disable.html

LZA, which doesn't support SH Central Configuration, does not appear to provide a way to disable specific controls and deploy that configuration to a region.

To Reproduce
I've attempted this in a couple of ways but it appears I'm assuming I would need to "deploy" the standard to specific regions, one with controlsToDisable populated.

standards: 
    - name: AWS Foundational Security Best Practices v1.0.0
      deploymentTargets:
      regions:
        - ap-southeast-2
      enable: true
      controlsToDisable: []
    - name: AWS Foundational Security Best Practices v1.0.0
      deploymentTargets:
      regions:
        - us-east-1
      enable: true
      controlsToDisable:
        - IAM.4
        - IAM.5

Expected behavior
With the config above I expect IAM.4 and IAM.5 to be disabled in us-east-1 only. The result of the above config is the controls are disabled in both regions.

Please complete the following information about the solution:

  • Version: 1.6.1

To get the version of the solution, you can look at the description of the created AWS CloudFormation stack used to install the LZA (AWSAccelerator-InstallerStack). For example, "(SO0199) Landing Zone Accelerator on AWS. Version 1.5.1.". If the description does not contain the version information, you can look at the Parameters of the stack for the RepositoryBranchName as that should contain the version number.

  • Region: ap-southeast-2, us-east-1
  • Was the solution modified from the version published on this repository? No
  • If the answer to the previous question was yes, are the changes available on GitHub?
  • Have you checked your service quotas for the services this solution uses? Yes
  • Were there any errors in the CloudWatch Logs?

Additional context
Both SH lambda logs showed the correct entries for disabling the controls. Albeit in both regions.
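A way to catch this kind of drift from the outside, rather than trusting the Lambda logs, is to compute what each region should have disabled from the standards list and compare it with what Security Hub actually reports per region. The script below is an added example, not code from the LZA project or the issue author. It mirrors the issue's YAML as a Python dict (constructed here; a real config would be loaded with a YAML parser) and treats the `regions` key as written in the issue; the `FakeSecurityHub` class is a constructed offline stand-in for a boto3 `securityhub` client, exposing the real `get_enabled_standards` and `describe_standards_controls` operations, and the subscription ARN it returns is a placeholder.

```python
"""Detect per-region Security Hub control-disable drift.

Compares the controls an LZA-style `standards` list says should be disabled
in each region with the DISABLED controls Security Hub reports there, so a
`controlsToDisable` that landed in every region (as reported in this issue)
shows up as drift instead of going unnoticed.
"""
from collections import defaultdict

# Constructed mirror of the issue's YAML (normally loaded from security-config.yaml).
STANDARDS_CONFIG = [
    {"name": "AWS Foundational Security Best Practices v1.0.0",
     "regions": ["ap-southeast-2"], "enable": True, "controlsToDisable": []},
    {"name": "AWS Foundational Security Best Practices v1.0.0",
     "regions": ["us-east-1"], "enable": True,
     "controlsToDisable": ["IAM.4", "IAM.5"]},
]


def expected_disabled_by_region(standards):
    """Return {region: set(control ids the config disables in that region)}."""
    expected = defaultdict(set)
    for std in standards:
        if not std.get("enable", False):
            continue
        for region in std.get("regions", []):
            expected[region].update(std.get("controlsToDisable", []))
    return dict(expected)


def observed_disabled(client):
    """Collect DISABLED control ids from one regional Security Hub client.

    `client` must provide get_enabled_standards() and
    describe_standards_controls(), the boto3 securityhub operations; any
    object with those methods (including the fake below) works.
    """
    disabled = set()
    for sub in client.get_enabled_standards()["StandardsSubscriptions"]:
        token = None
        while True:  # walk NextToken pages until exhausted
            kwargs = {"StandardsSubscriptionArn": sub["StandardsSubscriptionArn"]}
            if token:
                kwargs["NextToken"] = token
            page = client.describe_standards_controls(**kwargs)
            for ctl in page["Controls"]:
                if ctl["ControlStatus"] == "DISABLED":
                    disabled.add(ctl["ControlId"])
            token = page.get("NextToken")
            if not token:
                break
    return disabled


def find_drift(expected, observed):
    """Return {region: {"unexpected": set, "missing": set}} for regions that differ."""
    drift = {}
    for region in set(expected) | set(observed):
        want = expected.get(region, set())
        have = observed.get(region, set())
        if want != have:
            drift[region] = {"unexpected": have - want, "missing": want - have}
    return drift


def check_regions(clients_by_region, standards=STANDARDS_CONFIG):
    """Run the comparison for every region; empty dict means no drift."""
    expected = expected_disabled_by_region(standards)
    observed = {r: observed_disabled(c) for r, c in clients_by_region.items()}
    return find_drift(expected, observed)


class FakeSecurityHub:
    """Constructed offline stand-in for boto3.client('securityhub')."""

    def __init__(self, disabled_ids):
        self._disabled = set(disabled_ids)

    def get_enabled_standards(self):
        # Placeholder ARN; a real account returns the actual subscription ARN.
        return {"StandardsSubscriptions": [
            {"StandardsSubscriptionArn": "arn:aws:securityhub:REGION:ACCOUNT:subscription/PLACEHOLDER"}]}

    def describe_standards_controls(self, StandardsSubscriptionArn, NextToken=None):
        # Single page of a few constructed controls; real responses may paginate.
        controls = [{"ControlId": cid,
                     "ControlStatus": "DISABLED" if cid in self._disabled else "ENABLED"}
                    for cid in ("IAM.1", "IAM.4", "IAM.5", "S3.1")]
        return {"Controls": controls}


if __name__ == "__main__":
    # Reproduces the reported outcome: both regions ended up with IAM.4/IAM.5 disabled.
    clients = {"ap-southeast-2": FakeSecurityHub(["IAM.4", "IAM.5"]),
               "us-east-1": FakeSecurityHub(["IAM.4", "IAM.5"])}
    for region, d in sorted(check_regions(clients).items()):
        print(region, "unexpectedly disabled:", sorted(d["unexpected"]),
              "missing:", sorted(d["missing"]))
```

Against a real account, replace the fakes with `{r: boto3.client("securityhub", region_name=r) for r in regions}`; with the issue's config and the behaviour it describes, `check_regions` reports ap-southeast-2 as having IAM.4 and IAM.5 unexpectedly disabled and us-east-1 as matching.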

Hi @mongrol! Thank you for utilizing the Landing Zone Accelerator on AWS solution. I have filed a feature request to help track exceptions around the global services (IAM, Route53, etc.) so that these resources aren't duplicated across multi-region configurations. If you have any questions or concerns in the meantime, please do not hesitate to ask.