[Enhancement]: Security Hub - Support enabling and disabling controls in all standards

[matthewbarreiro]

Description

When using unified security controls, AWS provides a method to enable or disable a control across all standards.

Doing this in Terraform now requires disabling the control in each individual standard, e.g.:

"arn:aws:securityhub:us-east-1:111111111111:control/aws-foundational-security-best-practices/v/1.0.0/IAM.14"
"arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.4.0/1.9",
# etc

as opposed to just once (e.g. "IAM.14").

This functionality would likely be implemented by adding a new aws_securityhub_standards_control resource, but would be closely related to the aws_securityhub_standards_control resource

Affected Resource(s) and/or Data Source(s)

• aws_securityhub_standards_control
• aws_securityhub_account
• aws_securityhub_standards_subscription

Potential Terraform Configuration

resource "aws_securityhub_account" "example" {
  control_finding_generator = "SECURITY_CONTROL"
}

resource "aws_securityhub_standards_subscription" "cis_aws_foundations_benchmark" {
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
  depends_on    = [aws_securityhub_account.example]
}

resource "aws_securityhub_security_control" "ensure_iam_password_policy_prevents_password_reuse" {
  security_control_id   = "IAM.16" 
  control_status        = "DISABLED"
  disabled_reason       = "We handle password policies within Okta"

  depends_on = [aws_securityhub_standards_subscription.cis_aws_foundations_benchmark]
}

References

• Enabling and disabling controls in all standards | AWS Security Hub User Guide
• BatchUpdateStandardsControlAssociations | AWS Security Hub API Reference
  • Go SDK
• ListStandardsControlAssociations | AWS Security Hub API Reference
  • Go SDK
• BatchGetStandardsControlAssociations | AWS Security Hub API Reference
  • Go SDK
• Disabling Security Hub controls in a multi-account environment | AWS Security Blog

Would you like to implement a fix?

No

EDIT: Removed superfluous details

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[fatbasstard]

Is there any progress in this?

[srgoni]

The AWS documentation is actually a bit unclear here.

The user guide documents how to disable a particular control across all standards in one account. But the API example doesn't do this directly, instead it describes that one needs to list all standards a control is in, and then does a batch update to disable the control in each standard. The API documentation confirms that both the SecurityControlId and the StandardsArn parameters are mandatory.

The aws_securityhub_standards_control currently uses the UpdateStandardsControl API, and it doesn't support the list+update workflow. Instead, one has to give a combined ARN that encapsulates a standard together with a control ID.

[nitrocode]

Yes that makes sense. I had to give the following to disable the control.

aws securityhub batch-update-standards-control-associations \
  --standards-control-association-updates '[{
      "SecurityControlId": "IAM.16",
      "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
      "AssociationStatus": "DISABLED",
      "UpdatedReason": "We handle password policies within Okta"
  }]'

so a more accurate resource would be

resource "aws_securityhub_security_control" "default" {
  security_control_id = "IAM.16" 
  standards_arn       = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
  association_status  = "DISABLED"
  updated_reason      = "We handle password policies within Okta"
}

[srgoni]

Maybe it could also be useful to have a data source for finding a specific standard.
There's a DescribeStandards API to get the current list.

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[nitrocode]

Sweet, thank you very much

[github-actions]

This functionality has been released in v5.70.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!