awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Support "excludeOus" parameter for Security Services #529

Open para0056 opened 1 month ago

para0056 commented 1 month ago

Is your feature request related to a problem? Please describe.
For customers leveraging a single LZA environment for both sensitive/protected and innovation/exploratory workloads, it would be great to be able to exclude certain OUs from AWS Security Hub, Detective, GuardDuty, and Inspector in order to reduce cost and operational overhead.

Describe the feature you'd like
Support excludeOus parameter in LZA security-service.yaml for AWS Security Hub, Detective, GuardDuty, and Inspector.

bfg-cloudsupport commented 1 month ago

Sandbox accounts are still valid targets for attackers, and having no security services enabled seems folly to me. Instead I'd prefer support for selectively enabling/disabling controls/services/standards on an account/OU basis. The standards are good practice, but it's clear many of the controls are overhanded for earlier dev accounts and it just causes noise. The current option is to disable and replace these controls with our own.