Bug Description
A high volume of messages being published to the SNS topic "aws-controltower-AggregateSecurityNotifications" resulted in AWS disabling the subscription on the above topic to avoid any further ISP blacklisting.
To Reproduce
Steps to reproduce the behavior:
1) Enable Control Tower through the AFT module
2) Delegate administrator access to the Audit account
3) Enable AWS Security Hub services
Expected behavior
1) Ability to override the default SNS topic policy maxReceivesPerSecond with a custom value
2) Ability to modify the EventBridge rule "aws-controltower-ConfigComplianceChangeEventRule" configured by the CT AFT module to add a filter so it triggers on 'NON_COMPLIANT' only instead of on all compliance changes.
Related Logs
An automated email from the AWS SNS team about disabling the topic:
_"This is an automatic notification from the Amazon SNS team.
We have detected a high rate of messages being published to an Amazon SNS topic to which you have email endpoints subscribed. This has resulted in a high volume of messages being sent to the same email addresses, via your Amazon SNS topic. High email send rates to the same destination email addresses can cause external Internet Service Providers (ISPs) to identify sender email addresses, and their associated Internet Protocol (IP) addresses, as sources of email spam. ISPs will often blacklist these email and IP addresses and prevent subsequent emails from being successfully delivered. To avoid blacklisting, we have disabled email subscriptions on this Amazon SNS topic."_
Additional context
The root cause of this issue seems to be the config rule "securityhub-backup-recovery-point-encrypted-b4e9b0d1", which seems to trigger on every AWS Backup job that produces DynamoDB recovery points. This rule is evaluated on each and every recovery point created as part of an AWS Backup job, which results in too many COMPLIANT notifications being sent to the SNS topic (one per recovery point), causing unnecessary email traffic.
Terraform Version & Provider Versions: Terraform v1.5.7
AFT Version: 1.10.4 (can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version)
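The second requested change above (filter the compliance-change rule on NON_COMPLIANT only) can be checked offline before touching the account. The following is an added example, not code from the issue author or from the AFT project: it embeds the EventBridge event pattern such a filtered rule would carry (an assumption about the desired rule; the page does not show the Control Tower rule's actual pattern), implements the subset of EventBridge pattern-matching semantics needed to evaluate it, and runs it over constructed Config compliance-change events that mimic a backup job producing many encrypted (COMPLIANT) recovery points and one unencrypted one. The event shape follows the documented "Config Rules Compliance Change" event; the rule name, resource IDs and counts are constructed sample values.

```python
"""Offline check of a NON_COMPLIANT-only EventBridge filter for AWS Config
compliance-change events. Added example; not part of AFT or the issue."""
import json

# Event pattern the requested filtered rule would carry (assumed; the
# unfiltered Control Tower rule named in the issue has no complianceType
# constraint, so it forwards COMPLIANT evaluations too).
NON_COMPLIANT_ONLY_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Pattern with no complianceType constraint: "trigger on all" behaviour.
ALL_CHANGES_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
}


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every key in the pattern must
    exist in the event; a list of literals matches when the event's scalar
    value equals one of them; a nested dict recurses. Prefix, anything-but and
    numeric matchers (and array-valued event fields) are not handled here."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def compliance_event(resource_id, compliance_type,
                     rule_name="securityhub-backup-recovery-point-encrypted-b4e9b0d1"):
    """Constructed Config compliance-change event for one recovery point."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "messageType": "ComplianceChangeNotification",
            "configRuleName": rule_name,
            "resourceType": "AWS::Backup::RecoveryPoint",
            "resourceId": resource_id,  # constructed placeholder, not a real ARN
            "newEvaluationResult": {"complianceType": compliance_type},
        },
    }


def count_forwarded(events, pattern):
    """Number of events the rule with `pattern` would forward to its target."""
    return sum(1 for e in events if matches(pattern, e))


def summarize(events):
    """Compare notification volume with and without the NON_COMPLIANT filter."""
    return {
        "all_changes": count_forwarded(events, ALL_CHANGES_PATTERN),
        "non_compliant_only": count_forwarded(events, NON_COMPLIANT_ONLY_PATTERN),
    }


# Constructed sample: one backup run creating 50 encrypted recovery points
# (each evaluated COMPLIANT) plus a single unencrypted one.
SAMPLE_EVENTS = [compliance_event(f"rp-constructed-{i:03d}", "COMPLIANT")
                 for i in range(50)]
SAMPLE_EVENTS.append(compliance_event("rp-constructed-unencrypted", "NON_COMPLIANT"))

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENTS), indent=2))
```

With the sample above the unfiltered pattern forwards all 51 evaluations to the SNS topic, while the NON_COMPLIANT-only pattern forwards just the one that actually needs attention; the same matcher can be pointed at events exported from CloudTrail or an EventBridge archive to estimate the reduction before changing the rule.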