By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Exception and suppression handling in AWS Security Hub and AWS Config

0

As we are exploring AWS Security Hub and AWS Config to improve our security and compliance posture, we want to ensure we do not run into alert fatigue so we need information on the below:

  1. How can exemptions/exceptions be managed and reported in AWS Security Hub and AWS Config? To provide further context, I will elaborate below: a. If we have deliberately exposed one S3 bucket publicly, and it is known to the whole organization conceptually. How can we make sure the security findings and metrics reporting take account into approved exemptions and allow operations team focus on the real issues? b. Does suppressing the workflow suppress the entire control or can we suppress it for a specific resource?
Topics
Security, Identity, & ComplianceManagement & Governance
Tags
Security, Identity, & ComplianceAWS Security HubAWS Config
Language
English
AWS
AWS-User-0951530
asked a month ago156 views
1 Answer
1
Accepted Answer

Hello,

Yes, Security Hub supports resource-level suppression. There are a few ways to suppress findings at the resource level:

  • You can manually suppress findings for specific resources from the Security Hub console or API. This prevents those findings from being included in your results.
  • Security Hub supports automation rules that can suppress findings based on custom criteria, such as specific resource IDs or types. Automation rules run automatically to keep your findings optimized.

For controls that involve global resources like IAM or S3 buckets, you can suppress findings by disabling the control in all regions except one. Or by configuring AWS Config to not record global resources outside your chosen region.

Some key points about resource-level suppression in Security Hub:

  1. It helps reduce noise and cost by not processing irrelevant findings.
  2. Suppressed findings are still visible in the Security Hub console but marked as suppressed.
  3. You have control over what exactly is suppressed based on your environment and policies.

Sources [1] Security Hub controls that you might want to disable - AWS Security Hub [2] How AWS Security Hub works with IAM - AWS Security Hub [3] Disabling Security Hub - AWS Security Hub [4] AWS Security Blog - How to create auto-suppression rules in AWS Security Hub - https://aws.amazon.com/blogs/security/how-to-create-auto-suppression-rules-in-aws-security-hub/

AWS
Manish Joshi
answered a month ago
profile picture
EXPERT
Oleksii Bebych
reviewed a month ago
profile picture
EXPERT
Adeleke Adebowale J
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content