Closed megaproaktiv closed 1 year ago
Same in SEC 3.
Hey @megaproaktiv, thanks for opening this issue!
For the current benchmarks we have, we actually pull these from the Well-Architected Framework in AWS Audit Manager.
I just checked again now to see if they still have this Config rule listed as a data source for REL-6, and it looks like they do:
AWS Audit Manager uses some Security Hub rules, but in this case, the Lambda function DLQ check is based off of a linked AWS Config rule, lambda-dlq-check. For the Config rule, I don't see any notice of deprecation there yet, so it may be out of sync with Security Hub's definition.
In general, we try to keep up to date with what AWS Audit Manager has in their frameworks, so based off of their current framework data sources, we plan to keep the lambda_function_dead_letter_queue_configured control in the various benchmarks until it's removed from the framework in AWS Well-Architected.
If you have any other questions, please let us know!
Describe the bug
"Lambda functions should be configured with a dead-letter queue" is retired by AWS. See history of aws docu:
"Retiring the Lambda.4 control
Security Hub is retiring the control [Lambda.4] Lambda functions should have a dead-letter queue configured. When a control is retired, it no longer displays on the console, and Security Hub does not perform checks against it.
August 31, 2021"
Steampipe version (steampipe -v)
Example: v0.19.3
Plugin version (steampipe plugin list)
Example: aws@latest | 0.99.0
To reproduce
Run Rel.6
Expected behavior
Control should not appear