nozaq / terraform-aws-secure-baseline

Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices.
MIT License
1.14k stars 372 forks

Alarm baseline #307

Closed andy-townsend closed 1 year ago

andy-townsend commented 1 year ago

Looking at the module and the example code, it looks as though it's set so that the alarm-baseline is only ever deployed to the master account where CloudTrail is also configured.

```hcl
module "alarm_baseline" {
  count  = var.alarm_baseline_enabled && local.is_cloudtrail_enabled && var.cloudtrail_cloudwatch_logs_enabled ? 1 : 0
  # ...
}
```

Are people just calling the sub-module directly for other accounts or am I missing something here? Security Hub reports issues which would be fixed by the resources in alarm baseline for all accounts in the organisation.

nozaq commented 1 year ago

@andy-townsend When you use the account type master and member, this module configures an organization trail in your master account. Since all log events from member accounts are recorded in the organization trail in the master account, it would be sufficient to monitor the master account.

Please let me know if you have any question or concerns, thanks!

andy-townsend commented 1 year ago

The problem is that Security Hub still reports issues with all of the member accounts not having those alarms enabled in their accounts. Are you disabling those findings for those accounts within Security Hub and if so, how are you doing that?

nozaq commented 1 year ago

@andy-townsend I personally leave findings which can be safely ignored open though, have you tried suppressing those findings? https://docs.aws.amazon.com/securityhub/latest/userguide/finding-workflow-status.html
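One way to apply the suppression linked above without doing it by hand, as an added example that is not code from terraform-aws-secure-baseline or from either commenter: a Security Hub automation rule, created in the Security Hub administrator (master) account, that marks the metric-filter-and-alarm control findings raised against member accounts as SUPPRESSED, since the alarms are deliberately deployed only where the organization trail lives. The `member_account_ids` variable, the `cloudwatch_alarm_controls` local, the rule name and order, and the assumption that the consolidated security control IDs CloudWatch.1 to CloudWatch.14 are the alarm checks are all my own; verify the control IDs against the controls enabled in your account before applying.

```hcl
# Added example, not part of the module. Creates a Security Hub automation rule
# in the administrator (master) account that auto-suppresses the CloudWatch
# alarm control findings coming from member accounts covered by the org trail.

variable "member_account_ids" {
  description = "Member account IDs whose CloudTrail events land in the organization trail"
  type        = list(string)
}

locals {
  # Assumption: CloudWatch.1 through CloudWatch.14 are the consolidated control
  # IDs for the CIS 3.x metric-filter-and-alarm checks. Check your enabled
  # controls in Security Hub and adjust the list if they differ.
  cloudwatch_alarm_controls = [for n in range(1, 15) : "CloudWatch.${n}"]
}

resource "aws_securityhub_automation_rule" "suppress_member_alarm_findings" {
  rule_name   = "suppress-member-account-cloudwatch-alarm-findings"
  rule_order  = 10
  description = "Alarms are centralised in the org-trail account; member-account alarm findings are not actionable"
  is_terminal = false

  criteria {
    # Only findings raised against the member accounts ...
    dynamic "aws_account_id" {
      for_each = var.member_account_ids
      content {
        comparison = "EQUALS"
        value      = aws_account_id.value
      }
    }

    # ... for the metric-filter/alarm controls ...
    dynamic "compliance_security_control_id" {
      for_each = local.cloudwatch_alarm_controls
      content {
        comparison = "EQUALS"
        value      = compliance_security_control_id.value
      }
    }

    # ... that are currently failing, active and not yet triaged,
    # so findings someone has already resolved or notified are left alone.
    compliance_status {
      comparison = "EQUALS"
      value      = "FAILED"
    }
    record_state {
      comparison = "EQUALS"
      value      = "ACTIVE"
    }
    workflow_status {
      comparison = "EQUALS"
      value      = "NEW"
    }
  }

  actions {
    type = "FINDING_FIELDS_UPDATE"
    finding_fields_update {
      workflow {
        status = "SUPPRESSED"
      }
      # Leave a note so the reason survives in the finding history.
      note {
        text       = "Suppressed: CloudWatch alarms are deployed only in the organization trail (master) account."
        updated_by = "terraform-automation-rule"
      }
    }
  }
}
```

Automation rules only exist in the Security Hub administrator account and each criteria field accepts at most 20 values, so more than 20 member accounts means splitting the rule or dropping the account filter in favour of `product_name`/`compliance_status` alone. If consolidated control findings are not enabled in your account, `compliance_security_control_id` is empty on CIS findings; match `generator_id` with a `PREFIX` comparison on the CIS ruleset ARN instead.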

andy-townsend commented 1 year ago

Closing issue as info provided