Problem statement
While working on certain SecurityHub finding remediation tasks, we identified Config.1 as one for which our environment configuration deviates from the recommended standard. It was recently updated by AWS to be a CRITICAL finding and to involve additional checks. Included in these checks is whether or not the Config service is configured to use the AWS managed service role. Ours is not, but instead uses the LZA's.
AWS provided a Control Parameter allowing the disablement of that particular part of the checks.
Describe the feature you'd like
Looking over the documentation here, it doesn't appear that the LZA provides configuration options for managing the parameters of particular SecurityHub controls; only entirely disabling them. So the requested feature is individual management of SecurityHub control parameters.
The management of at least the particular control identified as our example is done on a per-account and per-region basis; this is why having such configuration included in the LZA would be valuable. Our organization is large.
Additional context
This screenshot illustrates what an individual control configuration looks like in the AWS console, for a particular account and particular region (obfuscated by the blue lines).
Presumably such configuration in the LZA would allow for the configuration of these parameters:
deploymentTargets block appropriately scoped for accounts and/or OUs
AWS control documentation:
https://docs.aws.amazon.com/securityhub/latest/userguide/config-controls.html#config-1
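What the requested feature would automate is the per-account, per-region UpdateSecurityControl call that today has to be made by hand in each console, as the issue describes. The following is an added example, not LZA project code: it expands a deploymentTargets-style scope (accounts and/or OUs, minus exclusions) into one planned call per account and region. The OU membership is constructed sample data, and the parameter name is the one I understand Config.1 exposes for the service-linked-role check; confirm it against the control documentation linked above before using it.

```python
"""Plan per-account, per-region SecurityHub control parameter overrides."""
from typing import Dict, List, Tuple

# Constructed sample OU membership; in practice this comes from AWS Organizations.
OU_MEMBERS: Dict[str, List[str]] = {
    "Infrastructure": ["111111111111", "222222222222"],
    "Workloads": ["333333333333"],
}


def expand_targets(deployment_targets: dict, regions: List[str]) -> List[Tuple[str, str]]:
    """Resolve accounts and/or OUs (minus excludedAccounts) into (account, region) pairs."""
    accounts = set(deployment_targets.get("accounts", []))
    for ou in deployment_targets.get("organizationalUnits", []):
        accounts.update(OU_MEMBERS.get(ou, []))
    accounts -= set(deployment_targets.get("excludedAccounts", []))
    return sorted((acct, region) for acct in accounts for region in regions)


def build_update(control_id: str, parameters: Dict[str, bool], reason: str) -> dict:
    """Shape boolean parameter overrides the way UpdateSecurityControl expects them.
    Parameter names are the caller's responsibility; e.g. the Config.1 service-linked-role
    check is assumed to be 'includeConfigServiceLinkedRoleCheck' (verify against AWS docs)."""
    return {
        "SecurityControlId": control_id,
        "Parameters": {
            name: {"ValueType": "CUSTOM", "Value": {"Boolean": value}}
            for name, value in parameters.items()
        },
        "LastUpdateReason": reason,
    }


def plan(control_id: str, parameters: Dict[str, bool], deployment_targets: dict,
         regions: List[str], reason: str) -> List[dict]:
    """One planned API call per account/region, so the change can be reviewed before apply()."""
    return [
        {"account": acct, "region": region,
         "request": build_update(control_id, parameters, reason)}
        for acct, region in expand_targets(deployment_targets, regions)
    ]


def apply(planned: dict, session) -> dict:
    """Execute one planned update using a boto3 session already assumed into that account."""
    client = session.client("securityhub", region_name=planned["region"])
    return client.update_security_control(**planned["request"])
```

Reviewing the output of plan() before calling apply() keeps a record of which accounts and regions had the check turned off and why, which is the audit trail the console workflow does not give you.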