
Exclude LZA Resources from Config Rules #687

Open
Godtrilla opened this issue Dec 20, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@Godtrilla

Is your feature request related to a problem? Please describe.
This feature is related to a problem.

We are currently utilizing the AWS Landing Zone Accelerator (LZA) alongside AWS Security Hub. However, the resources created and managed by the LZA pipeline are adversely affecting our Security Score. To mitigate this issue, our team has implemented several Custom Config Rules to explicitly exclude all LZA-created resources from evaluation. We are seeking a solution that addresses this challenge without the need to establish multiple custom configuration rules to maintain or improve our security score.

Describe the feature you'd like

I would like an option for rules to ignore resources based on regex or LZA resources.

Additional context
Here are some examples of the Custom Config Rules we had to create:

Rule Name: ECRLifecyclePolicyEnforcement
Description: Ensures that all ECR repositories have lifecycle policies attached, excluding LZA-created repositories matching the pattern cdk-accel-container-assets-*.
Rule Replaced: ECR.3

Rule Name: S3BucketLoggingEnabledExclusion
Description: Ensures that all S3 buckets have logging enabled, excluding LZA-created buckets matching the pattern aws-accelerator-s3-access-logs-*.
Rule Replaced: S3.9

@Godtrilla Godtrilla added the enhancement New feature or request label Dec 20, 2024
@matthew-sinn

matthew-sinn commented Dec 22, 2024

Another example finding is Lambda.3, which expects functions to run in a VPC. Conveniently excluding LZA resources from findings which they are intentionally in violation of when using a default configuration would indeed eliminate a large amount of security noise. It would also provide a convenient explanation to cyber security folks who need to provide approval for such exceptions.

Please count me as a second for this enhancement.
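The custom rules described in the issue (ECR.3 and S3.9 with LZA name-pattern exclusions) and the Lambda.3 case raised in the comment above share one mechanism: apply an exclusion list before running the control check, and report excluded resources as NOT_APPLICABLE rather than NON_COMPLIANT. The following is an added example written for this thread; it is not code from the issue author, the commenter, or the Landing Zone Accelerator project. It runs offline on constructed sample resources. The two ECR/S3 name patterns are the ones quoted in the issue; the `AWSAccelerator-` Lambda prefix, the `re:` marker for regex patterns, and the control checks themselves are assumptions made for illustration, not the project's configuration.

```python
"""Custom AWS Config-style evaluation with a per-control exclusion list.

Added example for the feature request above; not part of the issue or the
LZA project. Works on constructed in-memory data so it runs without AWS.
"""
import fnmatch
import re
from dataclasses import dataclass, field

# Exclusion patterns per Security Hub control. Plain entries are shell-style
# globs (as written in the issue); entries prefixed "re:" are regexes, which
# is the other option the issue asks for. The ECR and S3 patterns are quoted
# from the issue; the Lambda prefix is an ASSUMED placeholder.
EXCLUSIONS = {
    "ECR.3": ["cdk-accel-container-assets-*"],
    "S3.9": ["aws-accelerator-s3-access-logs-*"],
    "Lambda.3": [r"re:^AWSAccelerator-.*$"],  # assumed, for illustration only
}


def is_excluded(name, patterns):
    """True if the resource name matches any glob or "re:" regex pattern."""
    for pattern in patterns:
        if pattern.startswith("re:"):
            if re.search(pattern[3:], name):
                return True
        elif fnmatch.fnmatchcase(name, pattern):
            return True
    return False


@dataclass
class Resource:
    control: str              # Security Hub control id, e.g. "ECR.3"
    name: str                 # resource name the exclusion patterns match against
    attrs: dict = field(default_factory=dict)  # constructed configuration facts


# Control checks; each returns True when the resource satisfies the control.
# These mirror the intent of the controls named in the thread (assumed here).
CHECKS = {
    "ECR.3": lambda r: r.attrs.get("lifecycle_policy") is not None,
    "S3.9": lambda r: bool(r.attrs.get("logging_enabled")),
    "Lambda.3": lambda r: bool(r.attrs.get("vpc_config", {}).get("SubnetIds")),
}


def evaluate(resource, exclusions=EXCLUSIONS):
    """Return the AWS Config ComplianceType string for one resource.

    Exclusion is checked first, so an LZA-managed resource that would fail the
    control is reported NOT_APPLICABLE and never counted against the score.
    """
    if is_excluded(resource.name, exclusions.get(resource.control, [])):
        return "NOT_APPLICABLE"
    return "COMPLIANT" if CHECKS[resource.control](resource) else "NON_COMPLIANT"


def evaluate_all(resources, exclusions=EXCLUSIONS):
    """Map (control, name) -> ComplianceType for a batch of resources."""
    return {(r.control, r.name): evaluate(r, exclusions) for r in resources}


def summarize(results):
    """Count verdicts so the effect of the exclusion list is visible at a glance."""
    counts = {"COMPLIANT": 0, "NON_COMPLIANT": 0, "NOT_APPLICABLE": 0}
    for verdict in results.values():
        counts[verdict] += 1
    return counts


# Constructed sample data: account ids and names are made up.
SAMPLE = [
    Resource("ECR.3", "cdk-accel-container-assets-123456789012-us-east-1"),
    Resource("ECR.3", "payments-api"),
    Resource("ECR.3", "billing-api", {"lifecycle_policy": "{...}"}),
    Resource("S3.9", "aws-accelerator-s3-access-logs-123456789012-us-east-1",
             {"logging_enabled": False}),
    Resource("S3.9", "team-data-bucket", {"logging_enabled": False}),
    Resource("Lambda.3", "AWSAccelerator-CustomResourceHandler"),
    Resource("Lambda.3", "order-processor",
             {"vpc_config": {"SubnetIds": ["subnet-0abc"]}}),
]

if __name__ == "__main__":
    results = evaluate_all(SAMPLE)
    for (control, name), verdict in results.items():
        print(f"{control:9} {name:55} {verdict}")
    print(summarize(results))
```

Two points worth noting when using this shape in a real custom rule: the exclusion list is itself a security-relevant setting, so keep it in version control and review changes to it like any other policy, and excluded resources drop out of the evaluation entirely, so a periodic report of what was skipped (the NOT_APPLICABLE set above) is the check that the patterns have not grown wider than the LZA-managed resources they were written for.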

@bo1984

bo1984 commented Dec 31, 2024

Hello @Godtrilla!

Thank you for reaching out. We have an open item in our backlog for this feature request, because as you indicated, this impacts the security score in your environment if you're using Security Hub as your SIEM. I have added this issue to the aforementioned issue to get more traction. I will keep this issue open and keep you up to date once this is supported in a future release. Please let me know if you have any other questions or concerns in the meantime.


3 participants