How to suppress findings whose type is AwsAccount #38

Open
kei500 opened this issue Jul 9, 2023 · 4 comments

kei500 commented Jul 9, 2023

Thank you for a useful tool.

I want to suppress findings (ex: IAM.6) whose type is AwsAccount.
I tried the following setting but it didn't work with error Error: arn: invalid prefix.

standards:
  aws-foundational-security-best-practices/v/1.0.0:
    enable: true
    controls:
      enable: [APIGateway.5, APIGateway.8, APIGateway.9, Account.1, AutoScaling.1, AutoScaling.2, AutoScaling.3, AutoScaling.4, AutoScaling.6, AutoScaling.9, CloudTrail.1, CloudTrail.2, CloudTrail.4, CloudTrail.5, Config.1, DynamoDB.1, EC2.19, EC2.2, EC2.21, EC2.25, EC2.6, ECR.3, ECS.5, EFS.3, EFS.4, ELB.10, ELB.12, ELB.13, ELB.14, ELB.5, ELB.7, ES.4, ES.5, ES.6, ES.7, ES.8, IAM.1, IAM.2, IAM.3, IAM.5, IAM.7, IAM.8, NetworkFirewall.3, NetworkFirewall.4, NetworkFirewall.5, NetworkFirewall.6, RDS.11, RDS.17, RDS.18, RDS.19, RDS.2, RDS.20, RDS.21, RDS.22, RDS.23, RDS.25, RDS.3, RDS.5, Redshift.4, Redshift.6, Redshift.8, Redshift.9, S3.1, S3.10, S3.11, S3.12, S3.13, S3.2, S3.3, S3.4, S3.5, S3.6, S3.9, SNS.2, SQS.1, SSM.1, SSM.4, SageMaker.2, SageMaker.3, WAF.2, WAF.4]
      disable:
        IAM.6: '(snip)'
    findings:
      IAM.6:
        AWS::::Account:${account_id}:
          status: SUPPRESSED
          note: '(snip)'

Does control-controls support this?

Contributor

k1LoW commented Jul 10, 2023

Hi @kei500

In IAM.6, the arn specified in findings: is the IAM User's arn.

    findings:
      IAM.6:
-        AWS::::Account:${account_id}:
+        arn:aws:iam::${account_id}:user/xxxxx
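
Review bot: the `+` line swaps the account-level resource id for an IAM user ARN, so the key now identifies a single user rather than the account. The `xxxxx` placeholder has to be replaced with a real user name, and a finding whose resource is `AWS::::Account:${account_id}` is not addressed by this key, so it is worth confirming which resource id IAM.6 findings actually carry before applying it.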

If you just want to disable IAM.6, you don't need to set findings:.

Author

kei500 commented Jul 10, 2023

@k1LoW

Thank you for your quick response.

IAM.6 is "Hardware MFA should be enabled for the root user", so, this control isn't related to specific IAM user.

I want to disable IAM.6 and also make workflow status SUPPRESSED not to notify by EventBridge rule like:

{
  "detail": {
    "findings": {
      "Compliance": {
        "Status": [{
          "anything-but": "PASSED"
        }]
      },
      "RecordState": ["ACTIVE"],
      "Severity": {
        "Label": ["CRITICAL"]
      },
      "Workflow": {
        "Status": ["NEW"]
      }
    }
  },
  "detail-type": ["Security Hub Findings - Imported"],
  "source": ["aws.securityhub"]
}
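
Why a SUPPRESSED workflow status keeps the rule above from firing, as an added example that is not part of the original comment or the project's code: a small Python matcher for the subset of EventBridge pattern syntax this rule uses, run over constructed events. The `sample_event` helper, the account id and the finding fields are constructed for illustration.

```python
# Added example: evaluates the rule pattern from the comment above against
# constructed Security Hub events. Covers only the syntax this rule uses
# (exact-value lists and "anything-but"), not the full EventBridge language.
PATTERN = {
    "detail": {"findings": {
        "Compliance": {"Status": [{"anything-but": "PASSED"}]},
        "RecordState": ["ACTIVE"],
        "Severity": {"Label": ["CRITICAL"]},
        "Workflow": {"Status": ["NEW"]},
    }},
    "detail-type": ["Security Hub Findings - Imported"],
    "source": ["aws.securityhub"],
}

def leaf_matches(value, alternatives):
    """True if a scalar event value satisfies any alternative of a pattern leaf."""
    if isinstance(value, dict):
        return False
    for alt in alternatives:
        if isinstance(alt, dict) and "anything-but" in alt:
            excluded = alt["anything-but"]
            excluded = excluded if isinstance(excluded, list) else [excluded]
            if value not in excluded:
                return True
        elif value == alt:
            return True
    return False

def matches(pattern, event):
    """Match an event (or sub-tree) against a pattern (or sub-pattern)."""
    if isinstance(event, list):        # arrays match when any element matches
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):      # leaf: list of accepted values
        return leaf_matches(event, pattern)
    if not isinstance(event, dict):
        return False
    # Every key named in the pattern must exist in the event and match.
    return all(k in event and matches(sub, event[k]) for k, sub in pattern.items())

def sample_event(workflow_status, compliance="FAILED"):
    """Constructed event for a CRITICAL account-level finding (placeholder id)."""
    finding = {"Compliance": {"Status": compliance}, "RecordState": "ACTIVE",
               "Severity": {"Label": "CRITICAL"},
               "Workflow": {"Status": workflow_status},
               "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]}
    return {"source": "aws.securityhub", "detail": {"findings": [finding]},
            "detail-type": "Security Hub Findings - Imported"}

if __name__ == "__main__":
    for status in ("NEW", "SUPPRESSED"):
        print(status, "->", "notify" if matches(PATTERN, sample_event(status)) else "silent")
```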

Contributor

k1LoW commented Jul 10, 2023

> IAM.6 is "Hardware MFA should be enabled for the root user", so, this control isn't related to specific IAM user.

You are right. I had the wrong reference.

We are not able to achieve the specification other than arn in the findings:, so we will consider improving it.

Author

kei500 commented Jul 10, 2023

I see, thank you for your confirmation.
(I'll also try to fix if I can...)
