awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0
547 stars 436 forks

bug: pci controls won't get disabled in securityhub #229

Closed dannysteenman closed 1 year ago

dannysteenman commented 1 year ago

Describe the bug

Using the controlsToDisable property for securityhub to disable PCI controls doesn't work.

To Reproduce

I've used both the best practice examples, and I've also tried to do it the way you originally intended it to work via your unit test.

Neither of these methods works; neither disables the checks for the corresponding securityhub standard (PCI DSS).

To be more clear, this is the config that I've deployed to my org:

  securityHub:
    enable: true
    regionAggregation: true
    excludeRegions: []
    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html
        deploymentTargets:
          organizationalUnits:
            -  Root
        enable: true
        controlsToDisable:
          - IAM.1
          - EC2.10
          - Lambda.4
      - name: PCI DSS v3.2.1
        # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html
        deploymentTargets:
          organizationalUnits:
            -  Root
        enable: true
        controlsToDisable:
          - IAM.3
          - IAM.6
          - CloudWatch.1
          - S3.3
          - EC2.3
          - Lambda.2

and this one:

  securityHub:
    enable: true
    regionAggregation: true
    excludeRegions: []
    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html
        enable: true
        controlsToDisable:
          - IAM.1
          - EC2.10
          - Lambda.4
      - name: PCI DSS v3.2.1
        # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html
        enable: true
        controlsToDisable:
          - PCI.IAM.3
          - PCI.IAM.6
          - PCI.CloudWatch.1
          - PCI.S3.3
          - PCI.EC2.3
          - PCI.Lambda.2

Expected behavior

If I disable these controls, I expect the change to be reflected on the securityhub dashboard, on the disabled tab of the corresponding security standard.

Please complete the following information about the solution:

This is the output of the CloudWatch log of the securityhub Lambda function:

2023-08-07T09:37:13.237Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    inputStandard: {
    "enable": "true",
    "name": "PCI DSS v3.2.1",
    "controlsToDisable": [
        "IAM.3",
        "IAM.6",
        "CloudWatch.1",
        "S3.3",
        "EC2.3",
        "Lambda.2"
    ]
}
2023-08-07T09:37:13.237Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    Standard Name: arn:aws:securityhub:eu-central-1::standards/pci-dss/v/3.2.1
2023-08-07T09:37:13.237Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    Getting controls for arn:aws:securityhub:eu-central-1::subscription/pci-dss/v/3.2.1 subscription
2023-08-07T09:37:13.414Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    [AWS securityhub 200 0.176s 0 retries] describeStandardsControls({
  StandardsSubscriptionArn: 'arn:aws:securityhub:eu-central-1::subscription/pci-dss/v/3.2.1',
  NextToken: undefined
})
2023-08-07T09:37:13.437Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    [
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.AutoScaling.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.625Z,
    ControlId: 'PCI.AutoScaling.1',
    Title: 'Auto scaling groups associated with a Classic Load Balancer should use load balancer health checks',
    Description: 'This control checks whether your Auto Scaling groups that are associated with a Classic Load Balancer are using Elastic Load Balancing health checks.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/AutoScaling.1/remediation',
    SeverityRating: 'LOW',
    RelatedRequirements: [ 'PCI DSS 2.2' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.CW.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.682Z,
    ControlId: 'PCI.CW.1',
    Title: 'A log metric filter and alarm should exist for usage of the "root" user',
    Description: 'This control checks for the CloudWatch metric filters using the following pattern { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" } It checks that the log group name is configured for use with active multi-region CloudTrail, that there is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All, and that there is at least one active subscriber to an SNS topic associated with the alarm.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/CloudWatch.1/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 7.2.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.CloudTrail.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.642Z,
    ControlId: 'PCI.CloudTrail.1',
    Title: 'CloudTrail logs should be encrypted at rest using AWS KMS CMKs',
    Description: 'This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption by checking if the KmsKeyId is defined.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 3.4' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.CloudTrail.2',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.702Z,
    ControlId: 'PCI.CloudTrail.2',
    Title: 'CloudTrail should be enabled',
    Description: 'This AWS control checks whether AWS CloudTrail is enabled in your AWS account.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/CloudTrail.3/remediation',
    SeverityRating: 'HIGH',
    RelatedRequirements: [
      'PCI DSS 10.1',   'PCI DSS 10.2.1',
      'PCI DSS 10.2.2', 'PCI DSS 10.2.3',
      'PCI DSS 10.2.4', 'PCI DSS 10.2.5',
      'PCI DSS 10.2.6', 'PCI DSS 10.2.7',
      'PCI DSS 10.3.1', 'PCI DSS 10.3.2',
      'PCI DSS 10.3.3', 'PCI DSS 10.3.4',
      'PCI DSS 10.3.5', 'PCI DSS 10.3.6'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.CloudTrail.3',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.704Z,
    ControlId: 'PCI.CloudTrail.3',
    Title: 'CloudTrail log file validation should be enabled',
    Description: 'This AWS control checks whether CloudTrail log file validation is enabled.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/CloudTrail.4/remediation',
    SeverityRating: 'LOW',
    RelatedRequirements: [ 'PCI DSS 10.5.2', 'PCI DSS 10.5.5' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.CloudTrail.4',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.707Z,
    ControlId: 'PCI.CloudTrail.4',
    Title: 'CloudTrail trails should be integrated with Amazon CloudWatch Logs',
    Description: 'This AWS control checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/CloudTrail.5/remediation',
    SeverityRating: 'LOW',
    RelatedRequirements: [ 'PCI DSS 10.5.3' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.CodeBuild.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.684Z,
    ControlId: 'PCI.CodeBuild.1',
    Title: 'CodeBuild GitHub or Bitbucket source repository URLs should use OAuth',
    Description: 'This AWS control checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and password.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/CodeBuild.1/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [ 'PCI DSS 8.2.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.CodeBuild.2',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.686Z,
    ControlId: 'PCI.CodeBuild.2',
    Title: 'CodeBuild project environment variables should not contain clear text credentials',
    Description: 'This AWS control checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/CodeBuild.2/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [ 'PCI DSS 8.2.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.Config.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.706Z,
    ControlId: 'PCI.Config.1',
    Title: 'AWS Config should be enabled',
    Description: 'This AWS control checks whether AWS Config is enabled in current account and region.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/Config.1/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 10.5.2', 'PCI DSS 11.5' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.DMS.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.709Z,
    ControlId: 'PCI.DMS.1',
    Title: 'Database Migration Service replication instances should not be public',
    Description: 'This AWS control checks whether AWS Database Migration Service replication instances are public by examining the PubliclyAccessible field value.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/DMS.1/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.4',
      'PCI DSS 1.3.6'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.EC2.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.605Z,
    ControlId: 'PCI.EC2.1',
    Title: 'EBS snapshots should not be publicly restorable',
    Description: 'This AWS control checks whether Amazon Elastic Block Store snapshots are not publicly restorable.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/EC2.1/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.4',
      'PCI DSS 7.2.1'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.EC2.2',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.607Z,
    ControlId: 'PCI.EC2.2',
    Title: 'VPC default security group should prohibit inbound and outbound traffic',
    Description: 'This AWS control checks that the default security group of a VPC does not allow inbound or outbound traffic.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation',
    SeverityRating: 'HIGH',
    RelatedRequirements: [ 'PCI DSS 1.2.1', 'PCI DSS 1.3.4', 'PCI DSS 2.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.EC2.4',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.628Z,
    ControlId: 'PCI.EC2.4',
    Title: 'Unused EC2 EIPs should be removed',
    Description: 'This AWS control will assist you maintain an accurate asset inventory of EIPs by checking wheather Elastic IP addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/EC2.12/remediation',
    SeverityRating: 'LOW',
    RelatedRequirements: [ 'PCI DSS 2.4' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.EC2.5',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.608Z,
    ControlId: 'PCI.EC2.5',
    Title: 'Security groups should not allow ingress from 0.0.0.0/0 to port 22',
    Description: 'This AWS control checks that security groups in use disallow unrestricted incoming SSH traffic.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/EC2.13/remediation',
    SeverityRating: 'HIGH',
    RelatedRequirements: [ 'PCI DSS 1.2.1', 'PCI DSS 1.3.1', 'PCI DSS 2.2.2' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.EC2.6',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.610Z,
    ControlId: 'PCI.EC2.6',
    Title: 'VPC flow logging should be enabled in all VPCs',
    Description: "This control checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPCs. The traffic type is set to 'Reject'.",
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/EC2.6/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [
      'PCI DSS 10.3.3',
      'PCI DSS 10.3.4',
      'PCI DSS 10.3.5',
      'PCI DSS 10.3.6'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.ELBv2.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.727Z,
    ControlId: 'PCI.ELBv2.1',
    Title: 'Application Load Balancer should be configured to redirect all HTTP requests to HTTPS',
    Description: 'This AWS control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control will fail if one or more HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/ELB.1/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 2.3', 'PCI DSS 4.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.ES.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.603Z,
    ControlId: 'PCI.ES.1',
    Title: 'Elasticsearch domains should be in a VPC',
    Description: 'This control checks whether Elasticsearch domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. This AWS control also does not check whether the Amazon OpenSearch Service resource-based policy permits public access by other accounts or external entities. You should ensure that Elasticsearch domains are not attached to public subnets. See Resource-based policies (https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html#es-ac-types-resource) in the Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) Developer Guide. You should also ensure that your VPC is configured according to the recommended best practices. See Security best practices for your VPC (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html) in the Amazon VPC User Guide.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/ES.2/remediation',
    SeverityRating: 'HIGH',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.4',
      'PCI DSS 1.3.6'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.ES.2',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.640Z,
    ControlId: 'PCI.ES.2',
    Title: 'Elasticsearch domains should have encryption at-rest enabled',
    Description: 'This AWS control checks whether Elasticsearch domains have encryption at rest configuration enabled. This check fails if the EncryptionAtRestOptions field is not enabled.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/ES.1/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 3.4' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.GuardDuty.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.729Z,
    ControlId: 'PCI.GuardDuty.1',
    Title: 'GuardDuty should be enabled',
    Description: 'This AWS control checks whether Amazon GuardDuty is enabled in your AWS account and region.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/GuardDuty.1/remediation',
    SeverityRating: 'HIGH',
    RelatedRequirements: [ 'PCI DSS 11.4' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.IAM.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.621Z,
    ControlId: 'PCI.IAM.1',
    Title: 'IAM root user access key should not exist',
    Description: 'This AWS control checks whether the root user access key is available.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/IAM.4/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [ 'PCI DSS 2.1', 'PCI DSS 2.2', 'PCI DSS 7.2.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.IAM.2',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.665Z,
    ControlId: 'PCI.IAM.2',
    Title: 'IAM users should not have IAM policies attached',
    Description: 'This AWS control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation',
    SeverityRating: 'LOW',
    RelatedRequirements: [ 'PCI DSS 7.2.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.IAM.3',
    ControlStatus: 'DISABLED',
    DisabledReason: 'Control disabled by Accelerator',
    ControlStatusUpdatedAt: 2023-08-02T11:30:54.163Z,
    ControlId: 'PCI.IAM.3',
    Title: 'IAM policies should not allow full "*" administrative privileges',
    Description: 'This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has "Effect": "Allow" with "Action": "*" over "Resource": "*". It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation',
    SeverityRating: 'HIGH',
    RelatedRequirements: [ 'PCI DSS 7.2.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.IAM.4',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.688Z,
    ControlId: 'PCI.IAM.4',
    Title: 'Hardware MFA should be enabled for the root user',
    Description: 'This AWS control checks whether your AWS account is enabled to use a multi-factor authentication (MFA) hardware device to sign in with root user credentials.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/IAM.6/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [ 'PCI DSS 8.3.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.IAM.5',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.690Z,
    ControlId: 'PCI.IAM.5',
    Title: 'Virtual MFA should be enabled for the root user',
    Description: 'This AWS control checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root user credentials.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/IAM.9/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [ 'PCI DSS 8.3.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.IAM.6',
    ControlStatus: 'DISABLED',
    DisabledReason: 'Control disabled by Accelerator',
    ControlStatusUpdatedAt: 2023-08-02T11:30:54.299Z,
    ControlId: 'PCI.IAM.6',
    Title: 'MFA should be enabled for all IAM users',
    Description: 'This AWS control checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/IAM.19/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 8.3.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.IAM.7',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.731Z,
    ControlId: 'PCI.IAM.7',
    Title: 'IAM user credentials should be disabled if not used within a pre-defined number days',
    Description: 'This AWS control checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within a specified number of days. The default is 90 days.\n' +
      '\n' +
      'We highly recommend that you do not generate and remove all access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles, or to use federation (https://aws.amazon.com/identity/federation/)to allow your users to use their existing corporate credentials to log into the AWS console and CLI. If you already have an access key, we recommend that you remove or deactivate unused user credentials that are inactive for 90 days or longer.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/IAM.8/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 8.1.4' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.IAM.8',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.741Z,
    ControlId: 'PCI.IAM.8',
    Title: 'Password policies for IAM users should have strong configurations',
    Description: 'This AWS control checks whether the account password policy for IAM users uses the following minimum PCI DSS configurations:\n' +
      '\n' +
      'RequireUppercaseCharacters: Require at least one uppercase character in password. (Default = true)\n' +
      'RequireLowercaseCharacters: Require at least one lowercase character in password. (Default = true)\n' +
      'RequireNumbers: Require at least one number in password. (Default = true)\n' +
      'MinimumPasswordLength: Password minimum length. (Default = 7 or longer)\n' +
      'PasswordReusePrevention: Number of passwords before allowing reuse. (Default = 4)\n' +
      'MaxPasswordAge: Number of days before password expiration. (Default = 90)',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/IAM.10/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [
      'PCI DSS 8.1.4',
      'PCI DSS 8.2.3',
      'PCI DSS 8.2.4',
      'PCI DSS 8.2.5'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.KMS.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.644Z,
    ControlId: 'PCI.KMS.1',
    Title: 'AWS KMS key rotation should be enabled',
    Description: 'This AWS control checks that key rotation is enabled for each AWS KMS key. It does not check KMS keys that have imported key material.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/KMS.4/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 3.6.4' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.Lambda.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.589Z,
    ControlId: 'PCI.Lambda.1',
    Title: 'Lambda functions should prohibit public access',
    Description: 'This AWS control checks whether the Lambda function policy attached to the Lambda resource prohibits public access.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/Lambda.1/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.4',
      'PCI DSS 7.2.1'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.Lambda.2',
    ControlStatus: 'DISABLED',
    DisabledReason: 'Control disabled by Accelerator',
    ControlStatusUpdatedAt: 2023-08-02T11:30:54.396Z,
    ControlId: 'PCI.Lambda.2',
    Title: 'Lambda functions should be in a VPC',
    Description: 'This AWS control checks whether a Lambda function is in a VPC.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/Lambda.3/remediation',
    SeverityRating: 'LOW',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.4'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.Opensearch.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.743Z,
    ControlId: 'PCI.Opensearch.1',
    Title: 'OpenSearch domains should be in a VPC',
    Description: 'This control checks Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC).',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/Opensearch.2/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.4',
      'PCI DSS 1.3.6'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.Opensearch.2',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.745Z,
    ControlId: 'PCI.Opensearch.2',
    Title: 'EBS snapshots should not be publicly restorable',
    Description: 'This control checks whether Amazon OpenSearch domains have encryption-at-rest configuration enabled. The check fails if encryption at rest is not enabled.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/Opensearch.1/remediation',
    SeverityRating: 'HIGH',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.4',
      'PCI DSS 7.2.1'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.RDS.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.585Z,
    ControlId: 'PCI.RDS.1',
    Title: 'RDS snapshot should be private',
    Description: 'This AWS control checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/RDS.1/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.4',
      'PCI DSS 1.3.6',
      'PCI DSS 7.2.1'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.RDS.2',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.587Z,
    ControlId: 'PCI.RDS.2',
    Title: 'RDS DB Instances should prohibit public access',
    Description: 'This AWS control checks whether RDS instances are publicly accessible by evaluating the publiclyAccessible field in the instance configuration item.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/RDS.2/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.4',
      'PCI DSS 1.3.6',
      'PCI DSS 7.2.1'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.Redshift.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.601Z,
    ControlId: 'PCI.Redshift.1',
    Title: 'Amazon Redshift clusters should prohibit public access',
    Description: 'This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the publiclyAccessible field in the cluster configuration item.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/Redshift.1/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.4',
      'PCI DSS 1.3.6'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.S3.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.581Z,
    ControlId: 'PCI.S3.1',
    Title: 'S3 buckets should prohibit public write access',
    Description: 'This AWS control checks whether your S3 buckets allow public write access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/S3.3/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.4',
      'PCI DSS 1.3.6',
      'PCI DSS 7.2.1'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.S3.2',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.583Z,
    ControlId: 'PCI.S3.2',
    Title: 'S3 buckets should prohibit public read access',
    Description: 'This AWS control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/S3.2/remediation',
    SeverityRating: 'CRITICAL',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.6',
      'PCI DSS 7.2.1'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.S3.3',
    ControlStatus: 'DISABLED',
    DisabledReason: 'Control disabled by Accelerator',
    ControlStatusUpdatedAt: 2023-08-02T11:30:54.539Z,
    ControlId: 'PCI.S3.3',
    Title: 'S3 buckets should have cross-region replication enabled',
    Description: 'This AWS control checks whether S3 buckets have cross-region replication enabled.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/S3.7/remediation',
    SeverityRating: 'LOW',
    RelatedRequirements: [ 'PCI DSS 2.2' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.S3.4',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.630Z,
    ControlId: 'PCI.S3.4',
    Title: 'S3 buckets should have server-side encryption enabled',
    Description: 'This AWS control checks that your Amazon S3 bucket either has Amazon S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server side encryption.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/S3.4/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 3.4' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.S3.5',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.722Z,
    ControlId: 'PCI.S3.5',
    Title: 'S3 buckets should require requests to use Secure Socket Layer',
    Description: 'This AWS control checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/S3.5/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 4.1' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.S3.6',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.724Z,
    ControlId: 'PCI.S3.6',
    Title: 'S3 Block Public Access setting should be enabled',
    Description: 'This AWS control checks whether the following public access block settings are configured from account level: ignorePublicAcls: True, blockPublicPolicy: True, blockPublicAcls: True, restrictPublicBuckets: True.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/S3.1/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.4',
      'PCI DSS 1.3.6'
    ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.SSM.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.660Z,
    ControlId: 'PCI.SSM.1',
    Title: 'EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation',
    Description: 'This AWS control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. It only checks instances that are managed by AWS Systems Manager Patch Manager.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/SSM.2/remediation',
    SeverityRating: 'HIGH',
    RelatedRequirements: [ 'PCI DSS 6.2' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.SSM.2',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.662Z,
    ControlId: 'PCI.SSM.2',
    Title: 'EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT',
    Description: 'This AWS control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association is executed on an instance.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/SSM.3/remediation',
    SeverityRating: 'LOW',
    RelatedRequirements: [ 'PCI DSS 2.4' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.SSM.3',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.664Z,
    ControlId: 'PCI.SSM.3',
    Title: 'EC2 instances should be managed by AWS Systems Manager',
    Description: 'This AWS control checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/SSM.1/remediation',
    SeverityRating: 'MEDIUM',
    RelatedRequirements: [ 'PCI DSS 2.4' ]
  },
  {
    StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.SageMaker.1',
    ControlStatus: 'ENABLED',
    DisabledReason: null,
    ControlStatusUpdatedAt: 2023-08-01T08:56:25.725Z,
    ControlId: 'PCI.SageMaker.1',
    Title: 'Amazon SageMaker notebook instances should not have direct internet access',
    Description: 'This AWS control checks whether direct internet access is disabled for an Amazon SageMaker notebook instance by examining the DirectInternetAccess field is disabled for an Amazon SageMaker notebook instance.',
    RemediationUrl: 'https://docs.aws.amazon.com/console/securityhub/SageMaker.1/remediation',
    SeverityRating: 'HIGH',
    RelatedRequirements: [
      'PCI DSS 1.2.1',
      'PCI DSS 1.3.1',
      'PCI DSS 1.3.2',
      'PCI DSS 1.3.4',
      'PCI DSS 1.3.6'
    ]
  }
]
2023-08-07T09:37:13.437Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    following is disabled need to be enable now
2023-08-07T09:37:13.438Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    PCI.IAM.3
2023-08-07T09:37:13.438Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    following is disabled need to be enable now
2023-08-07T09:37:13.438Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    PCI.IAM.6
2023-08-07T09:37:13.438Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    following is disabled need to be enable now
2023-08-07T09:37:13.438Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    PCI.Lambda.2
2023-08-07T09:37:13.696Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    [AWS securityhub 200 0.125s 0 retries] updateStandardsControl({
  StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/aws-foundational-security-best-practices/v/1.0.0/IAM.1',
  ControlStatus: 'DISABLED',
  DisabledReason: 'Control disabled by Accelerator'
})
2023-08-07T09:37:13.813Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    [AWS securityhub 200 0.117s 0 retries] updateStandardsControl({
  StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.IAM.3',
  ControlStatus: 'ENABLED'
})
2023-08-07T09:37:13.911Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    [AWS securityhub 200 0.096s 0 retries] updateStandardsControl({
  StandardsControlArn: 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/PCI.IAM.6',
  ControlStatus: 'ENABLED'
})
2023-08-07T09:37:14.148Z    fa820aca-63a1-41cf-94da-ebf538c0645d    INFO    submit response to cloudformation {
  Status: 'SUCCESS',
  Reason: 'SUCCESS',
  StackId: 'arn:aws:cloudformation:eu-central-1::stack/AWSAccelerator-SecurityStack--eu-central-1/6678c010-303a-11ee-9036-067aa8fc66e4',
  RequestId: '0fe69c7b-9a6d-4cb9-9afb-7f159a51364a',
  PhysicalResourceId: '5da71ca7-7ad7-46ab-ac58-ecceef30ad96',
  LogicalResourceId: 'SecurityHubStandards294083BB',
  NoEcho: undefined,
  Data: undefined
}
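The log above is the custom resource's own view of which PCI DSS controls ended up DISABLED or ENABLED. As an added example, not code from landing-zone-accelerator-on-aws, here is a read-only drift check that compares a `controlsToDisable` list against the control status Security Hub reports (the `Controls` array of a `DescribeStandardsControls` response, which has the same fields as the entries printed above). It assumes PCI DSS control IDs carry a `PCI.` prefix while the config lists the bare ID, as the log shows, and compares on the bare form. The sample controls are constructed from a subset of the values in the log; the statuses for `PCI.Lambda.2` and the omitted controls are constructed, not taken from the page.

```typescript
// Added example (not project code): detect drift between a config's
// controlsToDisable list and the control status Security Hub reports.
interface StandardsControl {
  StandardsControlArn: string;
  ControlId: string;
  ControlStatus: 'ENABLED' | 'DISABLED';
  DisabledReason?: string | null;
}

interface DriftReport {
  disabledAsConfigured: string[];     // configured IDs that resolved to a DISABLED control
  stillEnabled: string[];             // configured IDs whose control is still ENABLED
  unresolved: string[];               // configured IDs matching no ControlId in the standard
  disabledButNotConfigured: string[]; // DISABLED controls the config does not mention
}

// Assumption: PCI DSS ControlIds are prefixed "PCI." (as in the log) while the
// config uses the bare ID, so compare on the bare, lower-cased form.
function bareId(id: string): string {
  return id.replace(/^PCI\./i, '').toLowerCase();
}

function checkControlDrift(controls: StandardsControl[], controlsToDisable: string[]): DriftReport {
  const byBareId = new Map<string, StandardsControl>();
  for (const c of controls) byBareId.set(bareId(c.ControlId), c);

  const report: DriftReport = {
    disabledAsConfigured: [], stillEnabled: [], unresolved: [], disabledButNotConfigured: [],
  };
  const wanted = new Set<string>();
  for (const id of controlsToDisable) {
    const key = bareId(id);
    wanted.add(key);
    const control = byBareId.get(key);
    if (!control) report.unresolved.push(id);
    else if (control.ControlStatus === 'DISABLED') report.disabledAsConfigured.push(control.ControlId);
    else report.stillEnabled.push(control.ControlId);
  }
  // Anything disabled that the config never asked for is also drift: it may have
  // been disabled manually or by a mapping mismatch, and should be reviewed.
  for (const c of controls) {
    if (c.ControlStatus === 'DISABLED' && !wanted.has(bareId(c.ControlId))) {
      report.disabledButNotConfigured.push(c.ControlId);
    }
  }
  return report;
}

// True only when actual state equals the configured intent; usable as a pipeline gate.
function inSync(report: DriftReport): boolean {
  return report.stillEnabled.length === 0
    && report.unresolved.length === 0
    && report.disabledButNotConfigured.length === 0;
}

// Constructed sample: a subset of the PCI DSS v3.2.1 controls from the log above.
const PCI_ARN = 'arn:aws:securityhub:eu-central-1::control/pci-dss/v/3.2.1/';
const SAMPLE_CONTROLS: StandardsControl[] = [
  { StandardsControlArn: PCI_ARN + 'PCI.S3.1', ControlId: 'PCI.S3.1', ControlStatus: 'ENABLED', DisabledReason: null },
  { StandardsControlArn: PCI_ARN + 'PCI.S3.3', ControlId: 'PCI.S3.3', ControlStatus: 'DISABLED', DisabledReason: 'Control disabled by Accelerator' },
  { StandardsControlArn: PCI_ARN + 'PCI.IAM.3', ControlId: 'PCI.IAM.3', ControlStatus: 'ENABLED', DisabledReason: null },
  { StandardsControlArn: PCI_ARN + 'PCI.IAM.6', ControlId: 'PCI.IAM.6', ControlStatus: 'ENABLED', DisabledReason: null },
  { StandardsControlArn: PCI_ARN + 'PCI.Lambda.2', ControlId: 'PCI.Lambda.2', ControlStatus: 'ENABLED', DisabledReason: null },
  { StandardsControlArn: PCI_ARN + 'PCI.SSM.1', ControlId: 'PCI.SSM.1', ControlStatus: 'ENABLED', DisabledReason: null },
];

// The PCI DSS controlsToDisable list from the issue's config.
const CONFIGURED_TO_DISABLE = ['IAM.3', 'IAM.6', 'CloudWatch.1', 'S3.3', 'EC2.3', 'Lambda.2'];

const report = checkControlDrift(SAMPLE_CONTROLS, CONFIGURED_TO_DISABLE);
console.log(JSON.stringify(report, null, 2));
console.log(inSync(report) ? 'in sync' : 'drift detected');
```

Run against real data by paging through `DescribeStandardsControls` for the standard's subscription ARN and passing the concatenated `Controls` array; any entry in `stillEnabled` or `unresolved` is exactly the symptom reported in this issue, and `disabledButNotConfigured` surfaces controls disabled under a different ID than the one configured.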
bo1984 commented 1 year ago

Thank you for using the solution @dannysteenman, I was able to replicate this issue on my end and I see the CloudTrail events are signaling a successful UpdateStandardsControl API call to the Security Hub service.

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAVBOQUPAH4L4SPYJ2W:AWSAccelerator-SecuritySt-CustomSecurityHubBatchEn-cMPjHrmcU1dJ",
    "arn": "arn:aws:sts::REDACTED:assumed-role/AWSAccelerator-SecuritySt-CustomSecurityHubBatchEn-FGL3GXY1P5JU/AWSAccelerator-SecuritySt-CustomSecurityHubBatchEn-cMPjHrmcU1dJ",
    "accountId": "REDACTED",
    "accessKeyId": "REDACTED",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAVBOQUPAH4L4SPYJ2W",
        "arn": "arn:aws:iam::REDACTED:role/AWSAccelerator-SecuritySt-CustomSecurityHubBatchEn-FGL3GXY1P5JU",
        "accountId": "REDACTED",
        "userName": "AWSAccelerator-SecuritySt-CustomSecurityHubBatchEn-FGL3GXY1P5JU"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-08-16T15:12:18Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2023-08-16T15:12:24Z",
  "eventSource": "securityhub.amazonaws.com",
  "eventName": "UpdateStandardsControl",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "3.238.245.225",
  "userAgent": "aws-sdk-nodejs/2.1374.0 linux/v16.20.1 exec-env/AWS_Lambda_nodejs16.x AwsSolution/SO0199/1.4.3 promise",
  "requestParameters": {
    "ControlStatus": "DISABLED",
    "DisabledReason": "Control disabled by Accelerator",
    "StandardsControlArn": "arn%3Aaws%3Asecurityhub%3Aus-east-1%REDACTED%3Acontrol/pci-dss/v/3.2.1/PCI.IAM.6"
  },
  "responseElements": null,
  "requestID": "491389db-e4af-4a69-a7a7-325e3d92a9ed",
  "eventID": "77ece5a6-964a-4039-b860-f29d9205c090",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "REDACTED",
  "eventCategory": "Management"
}

However, on my end, I too am not seeing any disabled controls for the PCI DSS standards. I will look into this further and provide more updates.

bo1984 commented 1 year ago

@dannysteenman After some further investigation, I see an issue with the AWS Security Hub service, particularly around the mapping of some of the security controls. For example, in the best practice config, we have PCI.Lambda.2 as a control to disable where we note the control is disabled by the accelerator. In console though, I see that Lambda.3 is the control that is disabled. Here's a screenshot of what I'm seeing:

[Screenshot 2023-08-17 at 11:33:02 AM: image not included in this extract]

Do you have a current Support case for this? If so, I can use that for a bug with the service.

bo1984 commented 1 year ago

@dannysteenman I've found a link detailing the updated mappings with the PCI DSS controls for AWS Security Hub.

Here's the link.

I will go ahead and close this issue out.