Open mongrol opened 4 months ago
Hi @mongrol! Thank you for utilizing the Landing Zone Accelerator on AWS solution. I have filed a feature request to help track exceptions around the global services (IAM, Route53, etc.) so that these resources aren't duplicated across multi-region configurations. If you have any questions or concerns in the meantime, please do not hesitate to ask.
Describe the bug
Security Hub docco recommends disabling SH controls that are assessing global services to reduce noise and cost. https://docs.aws.amazon.com/securityhub/latest/userguide/controls-to-disable.html
LZA, which doesn't support SH Central Configuration, does not appear to provide a way to disable specific controls and deploy that configuration to a region.
To Reproduce
I've attempted this in a couple of ways, but it appears I'm assuming I would need to "deploy" the standard to specific regions, one with controlsToDisable populated.
Expected behavior
With the config above I expect IAM.4 and IAM.5 to be disabled in us-east-1 only. The result of the above config is that the controls are disabled in both regions.
Additional context
Both SH lambda logs showed the correct entries for disabling the controls, albeit in both regions.
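A defender reading this report will want a way to confirm, independently of the LZA lambda logs, which controls actually ended up DISABLED in which region. The script below is an added example and is not code from the issue author or from the Landing Zone Accelerator project. It assumes the per-region input dicts have the shape of the Security Hub DescribeStandardsControls API response (a `Controls` list with `ControlId` and `ControlStatus`); the sample responses, the expected-state table and the `fetch_region_controls` helper (which calls boto3 and is not exercised offline) are constructed for the example.

```python
"""Cross-region audit of Security Hub control state.

Given one DescribeStandardsControls-style response per region and a table
of where each control is *supposed* to be DISABLED, report every control
that is disabled somewhere it should not be (the symptom in this issue)
or still enabled somewhere it should be disabled.
"""
from typing import Dict, List, Set

# Constructed sample data: what two regions might report after a
# controlsToDisable entry for IAM.4 / IAM.5 was intended for us-east-1 only
# but took effect in both regions. Only the fields used below are included.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "us-east-1": {"Controls": [
        {"ControlId": "IAM.4", "ControlStatus": "DISABLED", "DisabledReason": "global service"},
        {"ControlId": "IAM.5", "ControlStatus": "DISABLED", "DisabledReason": "global service"},
        {"ControlId": "S3.1", "ControlStatus": "ENABLED"},
    ]},
    "eu-west-1": {"Controls": [
        {"ControlId": "IAM.4", "ControlStatus": "DISABLED", "DisabledReason": "global service"},
        {"ControlId": "IAM.5", "ControlStatus": "DISABLED", "DisabledReason": "global service"},
        {"ControlId": "S3.1", "ControlStatus": "ENABLED"},
    ]},
}

# Intended state: control id -> regions in which it should be DISABLED.
# Controls absent from this table are expected to be ENABLED everywhere.
EXPECTED_DISABLED: Dict[str, Set[str]] = {
    "IAM.4": {"us-east-1"},
    "IAM.5": {"us-east-1"},
}


def disabled_controls(response: dict) -> Set[str]:
    """Return the set of control ids reported as DISABLED in one region's response."""
    return {
        c["ControlId"]
        for c in response.get("Controls", [])
        if c.get("ControlStatus") == "DISABLED"
    }


def audit_regions(responses: Dict[str, dict],
                  expected: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Compare actual per-region control state with the expected table.

    Returns {control_id: {"unexpected_disabled": [regions],
                          "missing_disabled": [regions]}} for every control
    whose state deviates; an empty dict means the regions match intent.
    """
    per_region = {region: disabled_controls(resp) for region, resp in responses.items()}
    seen: Set[str] = set(expected)
    for ids in per_region.values():
        seen |= ids
    findings: Dict[str, Dict[str, List[str]]] = {}
    for control in sorted(seen):
        want = expected.get(control, set())
        have = {region for region, ids in per_region.items() if control in ids}
        extra = sorted(have - want)      # disabled where it should be enabled
        missing = sorted(want - have)    # enabled where it should be disabled
        if extra or missing:
            findings[control] = {"unexpected_disabled": extra, "missing_disabled": missing}
    return findings


def fetch_region_controls(region: str, subscription_arn: str) -> dict:
    """Fetch a live response with boto3 (assumed helper; needs AWS credentials).

    subscription_arn is the StandardsSubscriptionArn for the standard in that
    region, e.g. a placeholder of the form
    arn:aws:securityhub:<region>:<account-id>:subscription/<standard>/v/<version>.
    """
    import boto3  # imported lazily so the offline audit above has no AWS dependency
    client = boto3.client("securityhub", region_name=region)
    controls: List[dict] = []
    kwargs = {"StandardsSubscriptionArn": subscription_arn}
    while True:
        page = client.describe_standards_controls(**kwargs)
        controls.extend(page.get("Controls", []))
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    return {"Controls": controls}


if __name__ == "__main__":
    for control, delta in audit_regions(SAMPLE_RESPONSES, EXPECTED_DISABLED).items():
        print(f"{control}: disabled unexpectedly in {delta['unexpected_disabled']}, "
              f"still enabled in {delta['missing_disabled']}")
```

Run against the constructed sample, the audit flags IAM.4 and IAM.5 as unexpectedly disabled in eu-west-1, which is exactly the discrepancy the report describes; swapping `SAMPLE_RESPONSES` for the output of `fetch_region_controls` in each deployed region turns it into a post-deployment check.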