feat: support disabling individual securityhub controls

schubergphilis · May 23, 2024 · 65b72a0 · 65b72a0
1 parent 8dee354
commit 65b72a0
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -32,14 +32,24 @@ provider "datadog" {
 }
 
 provider "mcaf" {
- aws {}
+ aws {
+ region = "eu-west-1"
+ }
 }
 
 module "landing_zone" {
  providers = { aws = aws, aws.audit = aws.audit, aws.logging = aws.logging }
 
  source = "../../"
-
+ aws_security_hub = {
+ disabled_standards_arns = [{
+ standards_control_arn = "bla"
+ disabled_reason = "Daarom"
+ }, {
+ standards_control_arn = "bla"
+ disabled_reason = "Daarom"
+ }]
+ }
  control_tower_account_ids = local.control_tower_account_ids
  tags = { Terraform = true }
 }
diff --git a/security_hub.tf b/security_hub.tf
@@ -65,6 +65,17 @@ resource "aws_securityhub_standards_subscription" "default" {
  depends_on = [aws_securityhub_account.default]
 }
 
+resource "aws_securityhub_standards_control" "default" {
+ for_each = toset(var.aws_security_hub.disabled_standards_arns)
+ provider = aws.audit
+
+ standards_control_arn = each.key
+ control_status = "DISABLED"
+ disabled_reason = each.value
+
+ depends_on = [aws_securityhub_account.default]
+}
+
 resource "aws_cloudwatch_event_rule" "security_hub_findings" {
  provider = aws.audit
 

diff --git a/variables.tf b/variables.tf
@@ -162,6 +162,10 @@ variable "aws_security_hub" {
  create_cis_metric_filters = optional(bool, true)
  product_arns = optional(list(string), [])
  standards_arns = optional(list(string), null)
+ disabled_standards_arns = optional(list(object({
+ standards_control_arn = string
+ disabled_reason = string
+ })), null)
  })
  default = {
  enabled = true
@@ -171,6 +175,7 @@ variable "aws_security_hub" {
  create_cis_metric_filters = true
  product_arns = []
  standards_arns = null
+ disabled_standards_arns = null
  }
  description = "AWS Security Hub settings"