Open matthewbarreiro opened 9 months ago
Is there any progress in this?
The AWS documentation is actually a bit unclear here.

The user guide documents how to disable a particular control across all standards in one account. But the API example doesn't do this directly; instead it describes that one needs to list all standards a control is in, and then do a batch update to disable the control in each standard. The API documentation confirms that both the `SecurityControlId` and the `StandardsArn` parameters are mandatory.
The `aws_securityhub_standards_control` resource currently uses the UpdateStandardsControl API, and it doesn't support the list+update workflow. Instead, one has to give a combined ARN that encapsulates a standard together with a control ID.
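The list+update workflow described in the comment above, as an added example (not code from the issue, the Terraform provider, or AWS): page through `ListStandardsControlAssociations` for one control, then send `BatchUpdateStandardsControlAssociations` for every standard that is not already in the target state, and report the associations the service refused. The client is injected, so the same functions work against a real boto3 `securityhub` client; here they run against a constructed in-memory stand-in. The batch size of 100 and the use of `UpdatedReason` on every update are assumptions, as are the sample standard ARNs and the simulated `ACCESS_DENIED` failure.

```python
"""Disable (or enable) one Security Hub control across every standard it belongs to.

List-then-batch-update, following the AWS API documentation's workflow. The client
is passed in so the logic runs against a boto3 securityhub client or the in-memory
stand-in built below for this example.
"""
from typing import Dict, Iterator, List, Tuple

BATCH_SIZE = 100  # assumed per-call limit for BatchUpdateStandardsControlAssociations

# Constructed sample ARNs; the third is made to reject updates in the stand-in client.
SAMPLE_STANDARDS = [
    "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
    "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0",
    "arn:aws:securityhub:us-east-1::standards/locked-example/v/1.0.0",
]


def iter_associations(client, control_id: str) -> Iterator[Dict]:
    """Yield every StandardsControlAssociationSummary for a control, following NextToken."""
    kwargs = {"SecurityControlId": control_id}
    while True:
        page = client.list_standards_control_associations(**kwargs)
        yield from page.get("StandardsControlAssociationSummaries", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def set_control_in_all_standards(client, control_id: str, status: str,
                                 reason: str) -> Tuple[List[Dict], List[Dict]]:
    """Apply `status` ('ENABLED'/'DISABLED') to every standard containing the control.

    Returns (updates_sent, unprocessed). Standards already in the target state are
    skipped, so a re-run only touches what previously failed. Both StandardsArn and
    SecurityControlId are required per update, as the API reference states.
    """
    updates = [
        {
            "StandardsArn": a["StandardsArn"],
            "SecurityControlId": control_id,
            "AssociationStatus": status,
            "UpdatedReason": reason,  # assumption: reason supplied on every update
        }
        for a in iter_associations(client, control_id)
        if a["AssociationStatus"] != status
    ]
    unprocessed: List[Dict] = []
    for i in range(0, len(updates), BATCH_SIZE):
        resp = client.batch_update_standards_control_associations(
            StandardsControlAssociationUpdates=updates[i:i + BATCH_SIZE]
        )
        # Unprocessed entries carry the original update plus an error code/reason;
        # surface them instead of silently reporting success.
        unprocessed.extend(resp.get("UnprocessedAssociationUpdates", []))
    return updates, unprocessed


class FakeSecurityHub:
    """Constructed stand-in for a boto3 securityhub client: paginates in pages of
    `page_size` and refuses updates for any standard whose ARN contains 'locked'."""

    def __init__(self, standards: List[str], control_id: str, page_size: int = 2):
        self.state = {arn: "ENABLED" for arn in standards}
        self.control_id = control_id
        self.page_size = page_size

    def list_standards_control_associations(self, SecurityControlId, NextToken=None, **_):
        assert SecurityControlId == self.control_id
        arns = sorted(self.state)
        start = int(NextToken or 0)
        chunk = arns[start:start + self.page_size]
        out = {"StandardsControlAssociationSummaries": [
            {"StandardsArn": arn, "SecurityControlId": SecurityControlId,
             "AssociationStatus": self.state[arn]} for arn in chunk]}
        if start + self.page_size < len(arns):
            out["NextToken"] = str(start + self.page_size)
        return out

    def batch_update_standards_control_associations(self, StandardsControlAssociationUpdates):
        unprocessed = []
        for u in StandardsControlAssociationUpdates:
            if "locked" in u["StandardsArn"]:  # simulated rejection
                unprocessed.append({"StandardsControlAssociationUpdate": u,
                                    "ErrorCode": "ACCESS_DENIED",
                                    "ErrorReason": "simulated for this example"})
            else:
                self.state[u["StandardsArn"]] = u["AssociationStatus"]
        return {"UnprocessedAssociationUpdates": unprocessed}


if __name__ == "__main__":
    hub = FakeSecurityHub(SAMPLE_STANDARDS, "IAM.14")
    sent, failed = set_control_in_all_standards(hub, "IAM.14", "DISABLED",
                                                "Not applicable to this account")
    print(f"sent {len(sent)} updates, {len(failed)} unprocessed")
    for f in failed:
        print(" ", f["StandardsControlAssociationUpdate"]["StandardsArn"], f["ErrorCode"])
```

With a real client, replace `FakeSecurityHub(...)` with `boto3.client("securityhub")`; the rest is unchanged. This is the per-standard fan-out that a single `aws_securityhub_standards_control` resource cannot express, since that resource is keyed by one standard-plus-control ARN.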
Description
When using unified security controls, AWS provides a method to enable or disable a control across all standards.
Doing this in Terraform now requires disabling the control in each individual standard, e.g.:
as opposed to just once (e.g. "IAM.14").

This functionality would likely be implemented by adding a new aws_securityhub_standards_control resource, but would be closely related to the aws_securityhub_standards_control resource.

Affected Resource(s) and/or Data Source(s)
Potential Terraform Configuration
References
BatchUpdateStandardsControlAssociations | AWS Security Hub API Reference
ListStandardsControlAssociations | AWS Security Hub API Reference
BatchGetStandardsControlAssociations | AWS Security Hub API Reference

Would you like to implement a fix?
No
EDIT: Removed superfluous details