feat: support disabling individual securityhub controls

README.md

@@ -510,6 +510,7 @@ module "landing_zone" {
 | [aws_securityhub_organization_admin_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_admin_account) | resource |
 | [aws_securityhub_organization_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_configuration) | resource |
 | [aws_securityhub_product_subscription.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_product_subscription) | resource |
+| [aws_securityhub_standards_control.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_control) | resource |
 | [aws_securityhub_standards_subscription.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource |
 | [aws_securityhub_standards_subscription.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource |
 | [aws_securityhub_standards_subscription.management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource |
@@ -550,7 +551,7 @@ module "landing_zone" {
 | <a name="input_aws_guardduty"></a> [aws\_guardduty](#input\_aws\_guardduty) | AWS GuardDuty settings | <pre>object({<br> enabled = optional(bool, true)<br> finding_publishing_frequency = optional(string, "FIFTEEN_MINUTES")<br> ebs_malware_protection_status = optional(bool, true)<br> eks_addon_management_status = optional(bool, true)<br> eks_audit_logs_status = optional(bool, true)<br> eks_runtime_monitoring_status = optional(bool, true)<br> lambda_network_logs_status = optional(bool, true)<br> rds_login_events_status = optional(bool, true)<br> s3_data_events_status = optional(bool, true)<br> })</pre> | <pre>{<br> "ebs_malware_protection_status": true,<br> "eks_addon_management_status": true,<br> "eks_audit_logs_status": true,<br> "eks_runtime_monitoring_status": true,<br> "enabled": true,<br> "finding_publishing_frequency": "FIFTEEN_MINUTES",<br> "lambda_network_logs_status": true,<br> "rds_login_events_status": true,<br> "s3_data_events_status": true<br>}</pre> | no |
 | <a name="input_aws_inspector"></a> [aws\_inspector](#input\_aws\_inspector) | AWS Inspector settings, at least one of the scan options must be enabled | <pre>object({<br> enabled = optional(bool, false)<br> enable_scan_ec2 = optional(bool, true)<br> enable_scan_ecr = optional(bool, true)<br> enable_scan_lambda = optional(bool, true)<br> enable_scan_lambda_code = optional(bool, true)<br> })</pre> | <pre>{<br> "enable_scan_ec2": true,<br> "enable_scan_ecr": true,<br> "enable_scan_lambda": true,<br> "enable_scan_lambda_code": true,<br> "enabled": false<br>}</pre> | no |
 | <a name="input_aws_required_tags"></a> [aws\_required\_tags](#input\_aws\_required\_tags) | AWS Required tags settings | <pre>map(list(object({<br> name = string<br> values = optional(list(string))<br> enforced_for = optional(list(string))<br> })))</pre> | `null` | no |
-| <a name="input_aws_security_hub"></a> [aws\_security\_hub](#input\_aws\_security\_hub) | AWS Security Hub settings | <pre>object({<br> enabled = optional(bool, true)<br> auto_enable_controls = optional(bool, true)<br> auto_enable_default_standards = optional(bool, false)<br> control_finding_generator = optional(string, "SECURITY_CONTROL")<br> create_cis_metric_filters = optional(bool, true)<br> product_arns = optional(list(string), [])<br> standards_arns = optional(list(string), null)<br> })</pre> | <pre>{<br> "auto_enable_controls": true,<br> "auto_enable_default_standards": false,<br> "control_finding_generator": "SECURITY_CONTROL",<br> "create_cis_metric_filters": true,<br> "enabled": true,<br> "product_arns": [],<br> "standards_arns": null<br>}</pre> | no |
+| <a name="input_aws_security_hub"></a> [aws\_security\_hub](#input\_aws\_security\_hub) | AWS Security Hub settings | <pre>object({<br> enabled = optional(bool, true)<br> auto_enable_controls = optional(bool, true)<br> auto_enable_default_standards = optional(bool, false)<br> control_finding_generator = optional(string, "SECURITY_CONTROL")<br> create_cis_metric_filters = optional(bool, true)<br> product_arns = optional(list(string), [])<br> standards_arns = optional(list(string), null)<br> disabled_standards_arns = optional(list(object({<br> standards_control_arn = string<br> disabled_reason = string<br> })), null)<br> })</pre> | <pre>{<br> "auto_enable_controls": true,<br> "auto_enable_default_standards": false,<br> "control_finding_generator": "SECURITY_CONTROL",<br> "create_cis_metric_filters": true,<br> "disabled_standards_arns": null,<br> "enabled": true,<br> "product_arns": [],<br> "standards_arns": null<br>}</pre> | no |
 | <a name="input_aws_security_hub_sns_subscription"></a> [aws\_security\_hub\_sns\_subscription](#input\_aws\_security\_hub\_sns\_subscription) | Subscription options for the LandingZone-SecurityHubFindings SNS topic | <pre>map(object({<br> endpoint = string<br> protocol = string<br> }))</pre> | `{}` | no |
 | <a name="input_aws_service_control_policies"></a> [aws\_service\_control\_policies](#input\_aws\_service\_control\_policies) | AWS SCP's parameters to disable required/denied policies, set a list of allowed AWS regions, and set principals that are exempt from the restriction | <pre>object({<br> allowed_regions = optional(list(string), [])<br> aws_deny_disabling_security_hub = optional(bool, true)<br> aws_deny_leaving_org = optional(bool, true)<br> aws_deny_root_user_ous = optional(list(string), [])<br> aws_require_imdsv2 = optional(bool, true)<br> principal_exceptions = optional(list(string), [])<br> })</pre> | `{}` | no |
 | <a name="input_aws_sso_permission_sets"></a> [aws\_sso\_permission\_sets](#input\_aws\_sso\_permission\_sets) | Map of AWS IAM Identity Center permission sets with AWS accounts and group names that should be granted access to each account | <pre>map(object({<br> assignments = list(map(list(string)))<br> inline_policy = optional(string, null)<br> managed_policy_arns = optional(list(string), [])<br> session_duration = optional(string, "PT4H")<br> }))</pre> | `{}` | no |

examples/basic/main.tf

@@ -32,14 +32,24 @@ provider "datadog" {
 }
 
 provider "mcaf" {
- aws {}
+ aws {
+ region = "eu-west-1"
+ }
 }
 
 module "landing_zone" {
  providers = { aws = aws, aws.audit = aws.audit, aws.logging = aws.logging }
 
  source = "../../"
-
+ aws_security_hub = {
+ disabled_standards_arns = [{
+ standards_control_arn = "bla"
+ disabled_reason = "Daarom"
+ }, {
+ standards_control_arn = "bla"
+ disabled_reason = "Daarom"
+ }]
+ }
  control_tower_account_ids = local.control_tower_account_ids
  tags = { Terraform = true }
 }

security_hub.tf

@@ -65,6 +65,17 @@ resource "aws_securityhub_standards_subscription" "default" {
  depends_on = [aws_securityhub_account.default]
 }
 
+resource "aws_securityhub_standards_control" "default" {
+ for_each = { for standard in var.aws_security_hub.disabled_standards_arns : standard.standards_control_arn => standard }
+ provider = aws.audit
+
+ standards_control_arn = each.key
+ control_status = "DISABLED"
+ disabled_reason = each.value
+
+ depends_on = [aws_securityhub_account.default, aws_securityhub_standards_subscription.default]
+}
+
 resource "aws_cloudwatch_event_rule" "security_hub_findings" {
  provider = aws.audit
 

variables.tf

@@ -162,6 +162,10 @@ variable "aws_security_hub" {
  create_cis_metric_filters = optional(bool, true)
  product_arns = optional(list(string), [])
  standards_arns = optional(list(string), null)
+ disabled_standards_arns = optional(list(object({
+ standards_control_arn = string
+ disabled_reason = string
+ })), null)
  })
  default = {
  enabled = true
@@ -171,6 +175,7 @@ variable "aws_security_hub" {
  create_cis_metric_filters = true
  product_arns = []
  standards_arns = null
+ disabled_standards_arns = null
  }
  description = "AWS Security Hub settings"