[Enhancement]: Security Hub - Support enabling and disabling controls in all standards

[matthewbarreiro]

Description

When using unified security controls, AWS provides a method to enable or disable a control across all standards.

Doing this in Terraform now requires disabling the control in each individual standard, e.g.:

"arn:aws:securityhub:us-east-1:111111111111:control/aws-foundational-security-best-practices/v/1.0.0/IAM.14"
"arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.4.0/1.9",
# etc

as opposed to just once (e.g. "IAM.14").

This functionality would likely be implemented by adding a new aws_securityhub_standards_control resource, but would be closely related to the aws_securityhub_standards_control resource

Affected Resource(s) and/or Data Source(s)

• aws_securityhub_standards_control
• aws_securityhub_account
• aws_securityhub_standards_subscription

Potential Terraform Configuration

resource "aws_securityhub_account" "example" {
  control_finding_generator = "SECURITY_CONTROL"
}

resource "aws_securityhub_standards_subscription" "cis_aws_foundations_benchmark" {
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
  depends_on    = [aws_securityhub_account.example]
}

resource "aws_securityhub_security_control" "ensure_iam_password_policy_prevents_password_reuse" {
  security_control_id   = "IAM.16" 
  control_status        = "DISABLED"
  disabled_reason       = "We handle password policies within Okta"

  depends_on = [aws_securityhub_standards_subscription.cis_aws_foundations_benchmark]
}

References

• Enabling and disabling controls in all standards | AWS Security Hub User Guide
• BatchUpdateStandardsControlAssociations | AWS Security Hub API Reference
  • Go SDK
• ListStandardsControlAssociations | AWS Security Hub API Reference
  • Go SDK
• BatchGetStandardsControlAssociations | AWS Security Hub API Reference
  • Go SDK
• Disabling Security Hub controls in a multi-account environment | AWS Security Blog

Would you like to implement a fix?

No

EDIT: Removed superfluous details

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[fatbasstard]

Is there any progress in this?

[srgoni]

The AWS documentation is actually a bit unclear here.

The user guide documents how to disable a particular control across all standards in one account. But the API example doesn't do this directly, instead it describes that one needs to list all standards a control is in, and then does a batch update to disable the control in each standard. The API documentation confirms that both the SecurityControlId and the StandardsArn parameters are mandatory.

The aws_securityhub_standards_control currently uses the UpdateStandardsControl API, and it doesn't support the list+update workflow. Instead, one has to give a combined ARN that encapsulates a standard together with a control ID.