awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Security Hub Standards are not applied at the OU level #432

Open jaristizabalc opened 4 months ago

jaristizabalc commented 4 months ago

Describe the bug
Using the following configuration in security-config.yaml:

```yaml
securityHub:
  enable: true
  regionAggregation: true
  excludeRegions: []
  standards:
```

The intent is to apply Security Standards to a specific OU for onboarding brownfield accounts.

To Reproduce
Release change to apply settings.

Expected behavior
Standards are not enabled, only the AWS Foundational Security Best Practices v1.0.0, and it is applied at the root level. It looks like the deploymentTargets option does not have any effect.

After the LZA enabled Security Hub I noticed that it is still using the Local configuration setting:


If you enable Central configuration you can apply the Standards at the OU level. Can I configure the LZA to use this feature? Would deploymentTargets then apply the Standards accordingly?

Thank you.

Juan.

richardkeit commented 4 months ago

Hi @jaristizabalc ,

Consolidated findings are a duplicate of this issue - please go give it a 👍 https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/359

mongrol commented 3 months ago

I don't believe Consolidated findings are a duplicate of this. This issue is about whether LZA allows the enabling (and subsequent usage) of Central Configuration of Security Hub. Consolidated Findings are a General Setting. In my testing, click-opsing Central Configuration is reverted back to Local on the next run of LZA.
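An added check script, not part of this issue or of LZA, that reads the Security Hub organization configuration and the enabled standards from the delegated-administrator account and flags drift from an intended state (here assumed to be Central configuration with only FSBP v1.0.0, as the issue asks for); the sample API responses are constructed and the standard ARNs are illustrative.

```python
"""Detect whether Security Hub has fallen back to Local configuration and which
standards are actually enabled, compared with the intended state."""

# Constructed sample responses in the shape returned by boto3's
# securityhub.describe_organization_configuration() and get_enabled_standards().
SAMPLE_ORG_CONFIG = {
    "AutoEnable": True,
    "AutoEnableStandards": "DEFAULT",
    "OrganizationConfiguration": {"ConfigurationType": "LOCAL", "Status": "ENABLED"},
}
FSBP_ARN = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
CIS_ARN = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
SAMPLE_ENABLED = {
    "StandardsSubscriptions": [
        {"StandardsArn": FSBP_ARN, "StandardsStatus": "READY"},
        {"StandardsArn": CIS_ARN, "StandardsStatus": "READY"},
    ]
}


def summarize(org_config, enabled):
    """Flatten the two API responses into the three fields that matter here."""
    org = org_config.get("OrganizationConfiguration", {})
    return {
        "configuration_type": org.get("ConfigurationType", "LOCAL"),
        "auto_enable_standards": org_config.get("AutoEnableStandards", "NONE"),
        "standards": sorted(s["StandardsArn"] for s in enabled.get("StandardsSubscriptions", [])),
    }


def drift(summary, expected_standards, expected_type="CENTRAL"):
    """Return human-readable mismatches between observed and intended state."""
    problems = []
    if summary["configuration_type"] != expected_type:
        problems.append(f"configuration is {summary['configuration_type']}, expected {expected_type}")
    if summary["auto_enable_standards"] != "NONE":
        problems.append("AutoEnableStandards is DEFAULT: AWS auto-enables default standards in new member accounts")
    observed, wanted = set(summary["standards"]), set(expected_standards)
    problems += [f"unexpected standard enabled: {a}" for a in sorted(observed - wanted)]
    problems += [f"expected standard missing: {a}" for a in sorted(wanted - observed)]
    return problems


if __name__ == "__main__":
    import boto3  # real API calls only when run directly, from the delegated admin account
    sh = boto3.client("securityhub")
    report = drift(summarize(sh.describe_organization_configuration(), sh.get_enabled_standards()), [FSBP_ARN])
    print("\n".join(report) or "Security Hub matches the intended configuration")
    raise SystemExit(1 if report else 0)
```

Running it after each LZA pipeline execution makes the reversion to Local configuration described above visible as a non-zero exit rather than a surprise in the console.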