So those findings are coming from the CIS AWS Foundations Benchmark controls. The goal of these controls is to detect and alert you when potentially risky activity/configuration changes occur. When Security Hub performs the check for some of these controls, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.
The check results in FAILED findings in the following cases:

- No trail is configured.
- The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of NO_DATA in the following cases:

- A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based.
- A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail.
AWS recommends organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of NO_DATA for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation.
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling ListSubscriptionsByTopic. Otherwise, Security Hub generates WARNING findings for the control.
If I had to guess, that management account finding is generating because the current account doesn't own or have access to the SNS topic needed. Most of this info is available by looking through the controls here: https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html
Archiving a finding indicates that the finding provider believes that the finding is no longer relevant. I wouldn't be concerned, as Security Hub does this from time to time. Look into the CloudWatch configurations and ensure they satisfy the CIS Controls for peace of mind.
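As an added example (not code from the answer's author or from AWS), here is a small Python model of the evaluation rules described above, so you can reason about what status a given account and Region should get for a trail-based control and for the alarm's SNS topic. Trail records are shaped like CloudTrail DescribeTrails output; the account IDs and ARNs are constructed, and the precedence between a failing local trail and a foreign multi-Region trail is an assumption, as is the `meets_requirements` callback standing in for the per-control checks.

```python
from typing import Callable, Iterable

def account_of(arn: str) -> str:
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]

def evaluate_trail_control(trails: Iterable[dict], current_account: str,
                           current_region: str,
                           meets_requirements: Callable[[dict], bool]) -> str:
    """Status of a CloudTrail-based control for this account/Region.

    FAILED: no trail, or only local trails that miss the control requirements.
    NO_DATA: the only usable trail is a multi-Region trail based in another
    Region or owned by another account (assumed to rank below a local trail).
    """
    trails = list(trails)
    if not trails:
        return "FAILED"
    local = [t for t in trails
             if account_of(t["TrailARN"]) == current_account
             and t.get("HomeRegion") == current_region]
    if local:
        return "PASSED" if any(meets_requirements(t) for t in local) else "FAILED"
    if any(t.get("IsMultiRegionTrail") for t in trails):
        return "NO_DATA"
    return "FAILED"

def evaluate_alarm_topic(topic_arn: str, current_account: str,
                         can_list_subscriptions: Callable[[str], bool]) -> str:
    """WARNING unless the account owns the topic or ListSubscriptionsByTopic succeeds."""
    if account_of(topic_arn) == current_account or can_list_subscriptions(topic_arn):
        return "OK"
    return "WARNING"

# Constructed sample: the management account (111111111111) owns the organization trail.
ORG_TRAIL = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
    "HomeRegion": "us-east-1",
    "IsMultiRegionTrail": True,
    "IsOrganizationTrail": True,
}

def demo() -> dict:
    """Same trail seen from a member account, from the owner, plus a topic the owner cannot read."""
    return {
        "member": evaluate_trail_control([ORG_TRAIL], "222222222222", "us-east-1", lambda t: True),
        "owner": evaluate_trail_control([ORG_TRAIL], "111111111111", "us-east-1", lambda t: True),
        "topic": evaluate_alarm_topic("arn:aws:sns:us-east-1:222222222222:alarms",
                                      "111111111111", lambda arn: False),
    }

if __name__ == "__main__":
    print(demo())
```

In practice you would feed the function the output of `aws cloudtrail describe-trails` for the account being evaluated, and replace the `lambda arn: False` with a real `ListSubscriptionsByTopic` call wrapped in a try/except.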
So I played around with some settings but I'm still stuck. My management account is still getting a FAILED check in Security Hub for all of the CloudWatch controls, all of which require CloudTrail, CloudWatch log metrics and alarms, and an SNS topic to handle an alarm. My security account is the delegated administrator for multiple services, including CloudTrail. This CloudTrail is a multi-region trail and covers all accounts in the organization. As an organizational trail, the management account still maintains ownership of the trail. However, all the logging is aggregated in the security account. When I completed the setup of the trail, created the required metrics and alarms in CloudWatch, and set the alarms to trigger the necessary SNS topic, the CloudWatch controls in Security Hub appeared to be satisfied for the security account (in which all the services were configured) and both the production and development accounts (which were covered as part of the organization). The Security Hub controls for the management account, however, remain unsatisfied. I have tested my setup - taking various actions on the management account that should theoretically trigger a CloudWatch alarm in the security account - and, indeed, the entire cross-account process works as expected. So I remain stuck as to why this one particular account isn't satisfied. Thanks!