aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[BUG] certain Security Hub standard controls should be disabled when deploying to regions other than home #168

Open oshaughnessy opened 1 year ago

oshaughnessy commented 1 year ago

Community Note

Describe the bug

Per Amazon's Security Hub docs, we should disable Config.1 and some IAM controls in non-default regions:

https://docs.aws.amazon.com/securityhub/latest/userguide/config-controls.html#config-1

To allow security checks against global resources in each Region, you also must record global resources. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

When the sra-securityhub-org Lambda runs, it enables all controls, regardless of region.

To Reproduce

Steps to reproduce the behavior:

Deploy the sra-securityhub-org solution through Control Tower.

Expected behavior

Controls for Security Hub standards that are not pertinent will be disabled in non-default regions, so that controls for global resources are only tested once.

Deployment Environment (please complete the following information)

Additional context

A proposed solution is available in this PR against my fork of aws-security-reference-architecture-examples.
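The region-aware behaviour the issue asks for, as an added Python example that is not code from the repository or from the proposed PR: global-resource controls are disabled in every region except the home region and the corresponding UpdateStandardsControl requests are built and sent. The ARN layout, the region names and account id, and the fact that GLOBAL_RESOURCE_CONTROLS lists only Config.1 (the IAM controls the docs mention are left for the operator to add) are assumptions.

```python
"""Added example: plan and apply per-region Security Hub control status.
Not the sra-securityhub-org Lambda; ARN layout and sample values are assumed."""
from dataclasses import dataclass

# Controls that evaluate global resources. Config.1 is the one the issue names;
# the IAM controls are a placeholder for the operator to fill in from the docs.
GLOBAL_RESOURCE_CONTROLS = frozenset({"Config.1"})


@dataclass(frozen=True)
class ControlUpdate:
    control_arn: str
    status: str  # "ENABLED" or "DISABLED"
    reason: str  # only used when disabling


def standards_control_arn(region, account_id, standard, version, control_id):
    """Assumed layout of a StandardsControlArn for one control of one standard."""
    return (f"arn:aws:securityhub:{region}:{account_id}:control/"
            f"{standard}/v/{version}/{control_id}")


def plan_control_updates(region, home_region, account_id, standard, version,
                         control_ids, global_controls=GLOBAL_RESOURCE_CONTROLS):
    """One ControlUpdate per control: global-resource controls are DISABLED
    outside the home region (they are evaluated once, where global resources
    are recorded); everything else is ENABLED."""
    updates = []
    for cid in control_ids:
        arn = standards_control_arn(region, account_id, standard, version, cid)
        if cid in global_controls and region != home_region:
            reason = f"Global resources are recorded only in {home_region}"
            updates.append(ControlUpdate(arn, "DISABLED", reason))
        else:
            updates.append(ControlUpdate(arn, "ENABLED", ""))
    return updates


def apply_control_updates(client, updates):
    """Send each update via update_standards_control. `client` may be
    boto3.client("securityhub") or any object exposing that method."""
    for u in updates:
        kwargs = {"StandardsControlArn": u.control_arn, "ControlStatus": u.status}
        if u.status == "DISABLED":
            kwargs["DisabledReason"] = u.reason  # required by the API when disabling
        client.update_standards_control(**kwargs)
    return len(updates)
```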

oshaughnessy commented 11 months ago

Hello, AWS team. I've submitted this per the contributing guidelines. Is there something else I can do to get the conversation going? Thank you.