aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[FEATURE] support Security Hub consolidated control findings #166

Open oshaughnessy opened 1 year ago

oshaughnessy commented 1 year ago

Community Note

Is your feature request related to a problem? Please describe

I would like to deploy consolidated control findings in Security Hub, but the role definition and Lambda in the SRA solution don't yet support it.

Describe the solution you'd like

I'd like the sra-securityhub-configuration role to include permissions for the batch security control APIs and the deployment Lambda to explicitly specify consolidation when enabling Security Hub, to make the behavior of Security Hub deployments use this feature. This is the new default behavior, but my account was using Security Hub before that was changed.

Please see https://github.com/oshaughnessy/aws-security-reference-architecture-examples/pull/1/files for example code.

Describe alternatives you've considered

The alternative would be to leave consolidated control findings off.

Additional context

See the AWS blog post, Prepare for consolidated controls view and consolidated control findings in AWS Security Hub

See the description of securityhub.client.enable_security_hub():

... ControlFindingGenerator -

This field, used when enabling Security Hub, specifies whether the calling account has consolidated control findings turned on. If the value for this field is set to SECURITY_CONTROL, Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards.

If the value for this field is set to STANDARD_CONTROL, Security Hub generates separate findings for a control check when the check applies to multiple enabled standards.

The value for this field in a member account matches the value in the administrator account. For accounts that aren’t part of an organization, the default value of this field is SECURITY_CONTROL if you enabled Security Hub on or after February 23, 2023.

My fork includes changes to the role definition and Lambda so that consolidated findings are used when deploying the Security Hub Organization solution.
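The two changes the request describes (an IAM statement covering the batch security-control APIs, and a deployment step that pins `ControlFindingGenerator` rather than relying on the date-dependent default) sketched as an added example. This is not code from the SRA repository or from the linked fork; it assumes a boto3-style Security Hub client with `describe_hub`, `enable_security_hub`, `update_security_hub_configuration` and `client.exceptions.InvalidAccessException` (raised by `describe_hub` when Security Hub is not enabled), and the action list is an assumed set to trim to what the Lambda actually calls. The client is injected so the logic runs offline against the constructed fake at the bottom.

```python
"""Ensure an account's Security Hub uses consolidated control findings.

Added example, not code from the SRA repository. Assumes a boto3-style
Security Hub client; a fake is included so the decision logic runs offline.
"""
from types import SimpleNamespace
from typing import Any, Dict, List

SECURITY_CONTROL = "SECURITY_CONTROL"  # consolidated: one finding per control check
STANDARD_CONTROL = "STANDARD_CONTROL"  # legacy: one finding per enabled standard

# IAM actions for this logic plus the batch security-control APIs
# (assumed set; keep only what the deployment Lambda actually calls).
REQUIRED_ACTIONS: List[str] = [
    "securityhub:DescribeHub",
    "securityhub:EnableSecurityHub",
    "securityhub:UpdateSecurityHubConfiguration",
    "securityhub:BatchGetSecurityControls",
    "securityhub:BatchGetStandardsControlAssociations",
    "securityhub:BatchUpdateStandardsControlAssociations",
    "securityhub:ListSecurityControlDefinitions",
]


def policy_statement(resource: str = "*") -> Dict[str, Any]:
    """Build the IAM statement to add to the sra-securityhub-configuration role."""
    return {"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": resource}


def ensure_consolidated_findings(client: Any, enable_default_standards: bool = False) -> str:
    """Idempotently put the account on SECURITY_CONTROL.

    Returns 'enabled' (Security Hub was off and was enabled with consolidation),
    'updated' (it was on with STANDARD_CONTROL and was switched) or 'unchanged'.
    Run in the delegated administrator: member accounts inherit its value.
    """
    try:
        hub = client.describe_hub()
    except client.exceptions.InvalidAccessException:
        # Security Hub is not enabled yet: enable it and set the generator
        # explicitly instead of relying on the enable-date default.
        client.enable_security_hub(
            EnableDefaultStandards=enable_default_standards,
            ControlFindingGenerator=SECURITY_CONTROL,
        )
        return "enabled"

    # Accounts that enabled Security Hub before 2023-02-23 report STANDARD_CONTROL.
    if hub.get("ControlFindingGenerator") == SECURITY_CONTROL:
        return "unchanged"
    client.update_security_hub_configuration(ControlFindingGenerator=SECURITY_CONTROL)
    return "updated"


class FakeSecurityHub:
    """Constructed stand-in for boto3's Security Hub client (offline use only)."""

    class InvalidAccessException(Exception):
        pass

    def __init__(self, enabled: bool, generator: str = STANDARD_CONTROL) -> None:
        self.enabled = enabled
        self.generator = generator
        self.calls: List[str] = []  # records which API calls the logic made
        self.exceptions = SimpleNamespace(InvalidAccessException=self.InvalidAccessException)

    def describe_hub(self) -> Dict[str, Any]:
        self.calls.append("describe_hub")
        if not self.enabled:
            raise self.InvalidAccessException("Security Hub is not enabled")
        # Constructed sample response; the ARN uses a documentation account id.
        return {"HubArn": "arn:aws:securityhub:us-east-1:111122223333:hub/default",
                "ControlFindingGenerator": self.generator}

    def enable_security_hub(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append("enable_security_hub")
        self.enabled = True
        self.generator = kwargs["ControlFindingGenerator"]
        return {}

    def update_security_hub_configuration(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append("update_security_hub_configuration")
        self.generator = kwargs["ControlFindingGenerator"]
        return {}


if __name__ == "__main__":
    for fake in (FakeSecurityHub(enabled=False),
                 FakeSecurityHub(enabled=True),
                 FakeSecurityHub(enabled=True, generator=SECURITY_CONTROL)):
        print(ensure_consolidated_findings(fake), fake.generator, fake.calls)
```

With a real client, replace the fake with `boto3.client("securityhub")` in the delegated administrator account; the `describe_hub` check first is what makes the step safe to re-run on accounts that were already on Security Hub before the default changed.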

oshaughnessy commented 11 months ago

Hello, AWS team. I've submitted this per the contributing guidelines. Is there something else I can do to get the conversation going? Thank you.