Status: Closed (closed by dannysteenman 1 year ago)
Thank you for using the solution @dannysteenman. I was able to replicate this issue on my end, and I see the CloudTrail events are signaling a successful UpdateStandardsControl API call to the Security Hub service.

```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAVBOQUPAH4L4SPYJ2W:AWSAccelerator-SecuritySt-CustomSecurityHubBatchEn-cMPjHrmcU1dJ",
    "arn": "arn:aws:sts::REDACTED:assumed-role/AWSAccelerator-SecuritySt-CustomSecurityHubBatchEn-FGL3GXY1P5JU/AWSAccelerator-SecuritySt-CustomSecurityHubBatchEn-cMPjHrmcU1dJ",
    "accountId": "REDACTED",
    "accessKeyId": "REDACTED",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAVBOQUPAH4L4SPYJ2W",
        "arn": "arn:aws:iam::REDACTED:role/AWSAccelerator-SecuritySt-CustomSecurityHubBatchEn-FGL3GXY1P5JU",
        "accountId": "REDACTED",
        "userName": "AWSAccelerator-SecuritySt-CustomSecurityHubBatchEn-FGL3GXY1P5JU"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-08-16T15:12:18Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2023-08-16T15:12:24Z",
  "eventSource": "securityhub.amazonaws.com",
  "eventName": "UpdateStandardsControl",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "3.238.245.225",
  "userAgent": "aws-sdk-nodejs/2.1374.0 linux/v16.20.1 exec-env/AWS_Lambda_nodejs16.x AwsSolution/SO0199/1.4.3 promise",
  "requestParameters": {
    "ControlStatus": "DISABLED",
    "DisabledReason": "Control disabled by Accelerator",
    "StandardsControlArn": "arn%3Aaws%3Asecurityhub%3Aus-east-1%REDACTED%3Acontrol/pci-dss/v/3.2.1/PCI.IAM.6"
  },
  "responseElements": null,
  "requestID": "491389db-e4af-4a69-a7a7-325e3d92a9ed",
  "eventID": "77ece5a6-964a-4039-b860-f29d9205c090",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "REDACTED",
  "eventCategory": "Management"
}
```
However, on my end, I too am not seeing any disabled controls for the PCI DSS standards. I will look into this further and provide more updates.
@dannysteenman After some further investigation, I see an issue with the AWS Security Hub service, particularly around the mapping of some of the security controls. For example, in the best practice config, we have PCI.Lambda.2 as a control to disable where we note the control is disabled by the accelerator. In console though, I see that Lambda.3 is the control that is disabled. Here's a screenshot of what I'm seeing:
Do you have a current Support case for this? If so, I can use that for a bug with the service.
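To check what the accelerator actually asked Security Hub to disable, the CloudTrail record above can be reconciled against the `controlsToDisable` list from the config. The following is an added example for this thread, not code from the Landing Zone Accelerator project; the sample event is constructed from the one quoted above with account-specific values replaced, and the `intended` mapping is an assumed stand-in for the parsed config. As the thread notes, the console may end up disabling a different control than the one requested (Lambda.3 instead of PCI.Lambda.2), so this only confirms the request side; the effective state still has to be read back from Security Hub.

```python
"""Reconcile Security Hub UpdateStandardsControl CloudTrail events against the
controls a config intended to disable (added example, not project code)."""
import json
from urllib.parse import unquote

# Constructed sample: one CloudTrail record shaped like the event in the thread,
# with the account number replaced by a placeholder.
SAMPLE_EVENTS = [json.dumps({
    "eventSource": "securityhub.amazonaws.com",
    "eventName": "UpdateStandardsControl",
    "awsRegion": "us-east-1",
    "requestParameters": {
        "ControlStatus": "DISABLED",
        "DisabledReason": "Control disabled by Accelerator",
        # The ARN arrives URL-encoded, exactly as in the quoted event.
        "StandardsControlArn": "arn%3Aaws%3Asecurityhub%3Aus-east-1%3A111111111111"
                               "%3Acontrol/pci-dss/v/3.2.1/PCI.IAM.6",
    },
    "responseElements": None,
})]


def parse_control_update(record):
    """Return (standard, control_id, status) for an UpdateStandardsControl
    record, or None for any other event."""
    if record.get("eventSource") != "securityhub.amazonaws.com":
        return None
    if record.get("eventName") != "UpdateStandardsControl":
        return None
    params = record.get("requestParameters") or {}
    arn = unquote(params.get("StandardsControlArn", ""))
    # arn:aws:securityhub:<region>:<account>:control/<standard>/v/<ver>/<control-id>
    parts = arn.split(":", 5)[-1].split("/")
    if len(parts) < 5 or parts[0] != "control":
        return None
    return parts[1], parts[-1], params.get("ControlStatus")


def reconcile(event_lines, intended):
    """intended: {standard name, e.g. 'pci-dss': set of control IDs to disable}.
    Returns (requested, missing): controls the API was asked to disable, and
    intended controls for which no DISABLED call appears in the trail."""
    requested = {}
    for line in event_lines:
        parsed = parse_control_update(json.loads(line))
        if parsed and parsed[2] == "DISABLED":
            requested.setdefault(parsed[0], set()).add(parsed[1])
    missing = {std: ids - requested.get(std, set()) for std, ids in intended.items()}
    return requested, {std: ids for std, ids in missing.items() if ids}
```

Feed it the UpdateStandardsControl records from a CloudTrail lookup or an S3 trail export; anything listed in `missing` was never requested, while anything in `requested` that still shows as enabled points at the service-side mapping problem described above.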
**Describe the bug**
Using the `controlsToDisable` property for securityhub to disable PCI controls doesn't work.

**To Reproduce**
I've used both the best practice examples and I've tried to do it how you've originally intended it to work via your unit test.
Both these methods don't work and won't disable the checks for the corresponding securityhub standard (PCI DSS).
To be more clear, this is the config that I've deployed to my org:
and this one:
**Expected behavior**
If I disable these controls, I expect it to reflect the change on the securityhub dashboard on the disabled tab of the corresponding security standard.

**Please complete the following information about the solution:**
- Version: v1.4.3
- Region: eu-central-1
- Was the solution modified from the version published on this repository? No
- Were there any errors in the CloudWatch Logs? No
This is the output of the cloudwatch log of the securityhub lambda function: