aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

High volume of messages being published to SNS topic "aws-controltower-AggregateSecurityNotifications" #410

Open sat007 opened 6 months ago

sat007 commented 6 months ago

Terraform Version & Prov: Terraform v1.5.7

AFT Version: 1.10.4 (Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version)

Terraform Version & Provider Versions Please provide the outputs of terraform version and terraform providers from within your AFT environment

terraform version

Terraform v1.5.7

terraform providers

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.27.0"
    }
  }
}

Bug Description A high volume of messages is being published to the SNS topic "aws-controltower-AggregateSecurityNotifications", which resulted in AWS disabling the email subscriptions on the above topic to avoid further ISP blacklisting.

To Reproduce Steps to reproduce the behavior:

  1. Enable Control Tower through AFT module
  2. Delegate administrator access to Audit account
  3. Enable AWS Security Hub services

Expected behavior

  1. Ability to override the default SNS topic policy maxReceivesPerSecond with a custom value.
  2. Ability to modify the EventBridge rule "aws-controltower-ConfigComplianceChangeEventRule" configured by the CT AFT module to add a filter that triggers on NON_COMPLIANT instead of on all compliance changes.

Related Logs An automated email from the AWS SNS team about disabling the topic:

"This is an automatic notification from the Amazon SNS team.

We have detected a high rate of messages being published to an Amazon SNS topic to which you have email endpoints subscribed. This has resulted in a high volume of messages being sent to the same email addresses, via your Amazon SNS topic. High email send rates to the same destination email addresses can cause external Internet Service Providers (ISPs) to identify sender email addresses, and their associated Internet Protocol (IP) addresses, as sources of email spam. ISPs will often blacklist these email and IP addresses and prevent subsequent emails from being successfully delivered. To avoid blacklisting, we have disabled email subscriptions on this Amazon SNS topic."

Additional context The root cause of this issue seems to be the Config rule "securityhub-backup-recovery-point-encrypted-b4e9b0d1", which seems to trigger on every AWS Backup job that creates DynamoDB recovery points. The rule is evaluated for each and every recovery point created as part of the AWS Backup job, resulting in too many COMPLIANT notifications being sent to the SNS topic, one per recovery point, and causing unnecessary email traffic.
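The second expected-behavior item above asks for a compliance-change filter that only fires on NON_COMPLIANT evaluations. The following is an added example, not code from the AFT project or from the issue author: a minimal EventBridge-style pattern matcher run over constructed AWS Config "Config Rules Compliance Change" events, showing how a pattern narrowed on detail.newEvaluationResult.complianceType drops the per-recovery-point COMPLIANT evaluations while still delivering a real finding. Assumptions: the event envelope (source "aws.config", detail-type "Config Rules Compliance Change", detail.newEvaluationResult.complianceType) is the one EventBridge delivers for Config rule compliance changes; the matcher implements only the exact-match subset of EventBridge pattern semantics; the rule names and resource IDs in the sample events are constructed. How the narrowed pattern gets applied to the Control Tower managed rule is outside this example.

```python
"""Added example: narrowing a Config compliance-change EventBridge pattern to
NON_COMPLIANT and measuring how many notifications it suppresses."""
import json

# Pattern equivalent to an unfiltered compliance-change rule: every Config
# rule evaluation change (COMPLIANT and NON_COMPLIANT alike) reaches the target.
PATTERN_ALL = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
}

# Narrowed pattern: only forward evaluations whose new result is NON_COMPLIANT.
# This JSON is the shape an EventBridge rule's event pattern would carry.
PATTERN_NON_COMPLIANT = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of EventBridge pattern semantics (assumption: no
    prefix/anything-but/numeric operators). Every key in the pattern must be
    present in the event; a list leaf means 'event value is one of these';
    a nested dict recurses. Event keys absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern leaves must be lists of allowed values")
    return True


def config_event(rule_name: str, resource_id: str, compliance: str) -> dict:
    """Build a constructed compliance-change event in the EventBridge envelope."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "configRuleName": rule_name,
            "resourceType": "AWS::Backup::RecoveryPoint",
            "resourceId": resource_id,
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


def deliveries(pattern: dict, events: list) -> list:
    """Events that a rule with `pattern` would forward to its SNS target."""
    return [e for e in events if matches(pattern, e)]


# Constructed sample: one backup job produced 50 recovery points, each evaluated
# COMPLIANT by the recovery-point-encryption rule, plus one genuine finding.
SAMPLE_EVENTS = [
    config_event("securityhub-backup-recovery-point-encrypted-example",
                 f"rp-{i:03d}", "COMPLIANT")
    for i in range(50)
] + [
    config_event("securityhub-s3-bucket-public-read-prohibited-example",
                 "public-bucket-example", "NON_COMPLIANT"),
]


def summarize(events: list) -> dict:
    """Count deliveries under the unfiltered and the narrowed pattern."""
    return {
        "unfiltered": len(deliveries(PATTERN_ALL, events)),
        "non_compliant_only": len(deliveries(PATTERN_NON_COMPLIANT, events)),
    }


if __name__ == "__main__":
    print(json.dumps(PATTERN_NON_COMPLIANT, indent=2))
    print(summarize(SAMPLE_EVENTS))
```

On the constructed sample the unfiltered pattern forwards all 51 events and the narrowed pattern forwards only the single NON_COMPLIANT one; the 50 COMPLIANT recovery-point evaluations never reach the email subscribers. Note that the filter is applied on the rule, before SNS, so it reduces publish volume rather than merely throttling delivery.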

hanafya commented 6 months ago

Hey @sat007! Thank you for bringing this to our attention! I have created a backlog item to review this issue.

gcharest commented 5 months ago

Related issue https://github.com/aws-ia/terraform-aws-control_tower_account_factory/issues/295