Anomaly in AWS Security Hub Findings


I have enabled AWS Security Hub CIS AWS foundations benchmark 1.4.0 for my account.

The findings have passed the check "IAM users' access keys should be rotated every 90 days or less".

But my account has many IAM users with access keys older than 90 days. So why is Security Hub not able to catch those accounts in the scan? It has been more than a week since Security Hub was enabled.

Can you please explain why status is passed even after compliance failure?


asked a year ago
2 Answers
Accepted Answer

Hi,

When you enable CIS AWS Foundations Benchmark v1.4.0, AWS Security Hub will perform security checks against specific controls. Some of these controls can be custom rules that AWS Security Hub itself develops, but others use AWS Config managed rules. The latter is the case for the control [IAM.3] 'IAM user's access keys should be rotated every 90 days or less'.

To enable checks against this AWS Config rule, you will need to (1) enable AWS Config in your account, and (2) enable resource recording for required resources (see the section "Required AWS Config resources for CIS v1.4.0").

Additionally, please note that [IAM.3] control is not supported in the following AWS regions: Cape Town, Hyderabad, Melbourne, Milan, Zurich, Spain, UAE.

Hope this fixes the issue,

Best!

awsfer (EXPERT)
answered a year ago, reviewed a month ago
  • Please check the update to the question with the screenshot so it is clear what anomaly I am facing.


In response to your edited message,

AWS Security Hub uses the Compliance Status of all the controls you have enabled to determine the overall Control Status. If one or more controls present a Compliance Status of FAILED, then the overall Control Status should be marked as FAILED, too.

The only reason I can think of for this misalignment is that the statuses have been updated at different times (4 hours ago vs. 6 hours ago). Thus, they should sync in the next run, and the overall Control Status will be marked as FAILED.

Kind regards

AWS
awsfer
answered a year ago
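To make the two answers above concrete, here is an added example (not code from the question, the answers, or AWS) that models both mechanisms: the per-resource evaluation the [IAM.3] check performs on each IAM access key, and the roll-up of per-resource results into a single control status. It runs entirely on constructed sample data, so it makes no AWS API calls. Assumptions, beyond what the answers state: the check is modelled on the AWS Config managed rule `access-keys-rotated` with a 90-day `maxAccessKeyAge`, which to my understanding only evaluates active keys (inactive keys are marked NOT_APPLICABLE); and a control for which AWS Config records no resources is modelled as producing no findings at all (NO_DATA), which is the situation the accepted answer describes when Config recording is missing. The user names and key IDs are placeholders.

```python
"""Model of the IAM.3 access-key-rotation check and the control-level
roll-up described in the answers. Constructed sample data only; no AWS calls."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Threshold of the control discussed above; the Config managed rule behind it
# (access-keys-rotated, an assumption about the mapping) takes it as maxAccessKeyAge.
MAX_ACCESS_KEY_AGE_DAYS = 90


@dataclass(frozen=True)
class AccessKey:
    user_name: str
    access_key_id: str
    status: str            # "Active" or "Inactive", as IAM reports it
    create_date: datetime  # timezone-aware creation time


def evaluate_access_key(key: AccessKey, now: datetime) -> tuple[str, str]:
    """Per-resource evaluation, the way a Config rule reports each key.

    Returns (resource, compliance) where compliance is PASSED, FAILED or
    NOT_APPLICABLE (inactive keys are not subject to the rotation check).
    """
    resource = f"{key.user_name}/{key.access_key_id}"
    if key.status != "Active":
        return resource, "NOT_APPLICABLE"
    age = now - key.create_date
    if age > timedelta(days=MAX_ACCESS_KEY_AGE_DAYS):
        return resource, "FAILED"
    return resource, "PASSED"


def evaluate_control(keys: list[AccessKey], now: datetime,
                     config_recording_enabled: bool) -> tuple[str, list[tuple[str, str]]]:
    """Evaluate every recorded key and roll the results up to one control status.

    Mirrors the second answer: any FAILED resource makes the control FAILED.
    """
    if not config_recording_enabled:
        # With no recorded IAM resources the rule never runs, so there are no
        # findings to roll up (assumption: represented here as NO_DATA).
        return "NO_DATA", []
    results = [evaluate_access_key(k, now) for k in keys]
    evaluated = [compliance for _, compliance in results if compliance != "NOT_APPLICABLE"]
    if not evaluated:
        return "NO_DATA", results
    return ("FAILED" if "FAILED" in evaluated else "PASSED"), results


# Constructed sample data: three users, one of them with a 200-day-old active key.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    AccessKey("alice", "AKIAEXAMPLE000000001", "Active", NOW - timedelta(days=30)),
    AccessKey("bob", "AKIAEXAMPLE000000002", "Active", NOW - timedelta(days=200)),
    AccessKey("carol", "AKIAEXAMPLE000000003", "Inactive", NOW - timedelta(days=400)),
]


if __name__ == "__main__":
    for recording in (False, True):
        status, results = evaluate_control(SAMPLE_KEYS, NOW, recording)
        print(f"Config recording enabled={recording}: control status {status}")
        for resource, compliance in results:
            print(f"  {resource}: {compliance}")
```

Running it shows the two situations side by side: with recording disabled the control has nothing to evaluate and stays at NO_DATA regardless of how old the keys are; with recording enabled, bob's 200-day-old key is FAILED and that single failure makes the whole control FAILED, while alice's fresh key is PASSED and carol's inactive key is NOT_APPLICABLE. Once AWS Config recording is enabled and the next evaluation runs, this is the result the accepted answer expects Security Hub to show.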
