hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Exclusion lists for GuardDuty and SecurityHub Organization Configuration #33401

Closed nb1016 closed 1 year ago

nb1016 commented 1 year ago

Description

Both of these resources provide a way to enable the security tooling across the board:

In our current use case we want to be able to disable the tooling in a certain subset of accounts while still assuming that all accounts will have the tooling enabled as a default.

An exclusions list which allows us to input account IDs would provide the functionality we need.

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

resource "aws_guardduty_organization_configuration" "example" {
  auto_enable_organization_members = "ALL"
  detector_id                      = aws_guardduty_detector.example.id
  excluded_accounts                = ["accountId1", "accountId2"]
}

resource "aws_securityhub_organization_configuration" "example" {
  auto_enable       = true
  excluded_accounts = ["accountId1", "accountId2"]
}

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_configuration
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_configuration

Would you like to implement a fix?

No

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 1 year ago

Hey @nb1016 👋 Thank you for taking the time to raise this! I took a look at the input objects for each of these in the AWS Go SDK (guardduty and securityhub respectively), and it looks like neither of them currently supports filtering in the way that you've described. In order for us to support this, it will first need to be implemented on the AWS side and introduced to the AWS Go SDK. With that in mind, we'll close this issue for now, but if the necessary changes are made on the AWS side, we'd be happy to take another look at this!
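Since the organization configuration API has no exclusion parameter, the effect the request asks for can be approximated with resources the provider already ships: turn auto-enable off and enroll every organization account except the excluded ones as an explicit GuardDuty member. This is an added example, not code from the issue or from the provider's documentation; it assumes it runs in the delegated GuardDuty administrator account, that the `aws_organizations_organization` data source can list the organization's accounts from there, and the account IDs are constructed sample values.

```hcl
# Added example: emulate an exclusion list for GuardDuty with existing resources.
# Assumes this configuration is applied in the delegated GuardDuty admin account.

variable "excluded_account_ids" {
  description = "Accounts that must NOT have GuardDuty enabled (constructed sample IDs)"
  type        = set(string)
  default     = ["111111111111", "222222222222"]
}

data "aws_caller_identity" "current" {}

# Lists all accounts in the organization (requires Organizations read access
# from the management or a delegated administrator account).
data "aws_organizations_organization" "current" {}

locals {
  # Every organization account, keyed by account ID so the email can be looked up.
  all_accounts = { for a in data.aws_organizations_organization.current.accounts : a.id => a }

  # Members = all accounts minus the exclusions and minus the admin account itself
  # (the admin account cannot be added as its own member).
  member_account_ids = setsubtract(
    keys(local.all_accounts),
    setunion(var.excluded_account_ids, [data.aws_caller_identity.current.account_id]),
  )
}

resource "aws_guardduty_detector" "admin" {
  enable = true
}

# Disable auto-enrollment so membership is decided only by the explicit list
# below; the exclusion variable then becomes the single, reviewable record of
# where detection is intentionally off.
resource "aws_guardduty_organization_configuration" "example" {
  auto_enable_organization_members = "NONE"
  detector_id                      = aws_guardduty_detector.admin.id
}

resource "aws_guardduty_member" "members" {
  for_each    = local.member_account_ids
  detector_id = aws_guardduty_detector.admin.id
  account_id  = each.value
  email       = local.all_accounts[each.value].email
}
```

The trade-off against `auto_enable_organization_members = "ALL"` is that accounts created after the last apply stay uncovered until the next plan/apply picks them up, so this pattern needs a scheduled run or drift alert to keep coverage current.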

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.