
[New Data Source]: Lists all security controls that apply to a specified security hub standard #33082

Open
stefano-franco opened this issue Aug 18, 2023 · 4 comments
Labels
good first issue Call to action for new contributors looking for a place to start. Smaller or straightforward issues. new-data-source Introduces a new data source. service/securityhub Issues and PRs that pertain to the securityhub service.

Comments

@stefano-franco

stefano-franco commented Aug 18, 2023

Description

Corresponding data source for boto3 method list_security_control_definitions and API call ListSecurityControlDefinitions.

This would allow listing all available controls for a specific Security Hub standard, including the CurrentRegionAvailability.
Security Hub has regional limitations that make it really difficult to disable controls in different regions without adding manual exceptions.

A data source that could provide contextual information about all available controls could be used to conditionally disable only the available controls in each region.

Requested Resource(s) and/or Data Source(s)

  • aws_securityhub_standards_control_definitions

Potential Terraform Configuration

# Get all security hub cis standard controls
data "aws_securityhub_standards_control_definitions" "cis_controls" {
  standards_control_arn = "arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/1.10"
}

# Get all security hub cis standard controls which are available in current region
# (each data block needs its own name, otherwise Terraform reports a duplicate)
data "aws_securityhub_standards_control_definitions" "cis_controls_available" {
  standards_control_arn = "arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/1.10"
  current_region_availability = "AVAILABLE"
}

# Get all security hub cis standard controls with severity critical
data "aws_securityhub_standards_control_definitions" "cis_controls_critical" {
  standards_control_arn = "arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/1.10"
  severity_rating = "CRITICAL"
}

References

Would you like to implement a fix?

None

@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/securityhub Issues and PRs that pertain to the securityhub service. label Aug 18, 2023
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 18, 2023
@justinretzolk justinretzolk added new-data-source Introduces a new data source. good first issue Call to action for new contributors looking for a place to start. Smaller or straightforward issues. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 18, 2023
@Carlovo
Contributor

Carlovo commented Oct 5, 2023

Great! This would allow for a very elegant Security Hub 'control panel'.

At the moment it's only possible to easily define which controls are suppressed. It would be great to also keep track of all controls you want to keep active, so Terraform can keep track if someone secretly disabled a control to do bad stuff unnoticed.

You would then be able to do this like so:

locals {
  our_standard = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"

  our_exceptions = {
    "id1.1" : "We manage this some other way.",
    "id3.2" : "We manage this some other way too.",
  }

  extended_exceptions = { for id, reason in local.our_exceptions : "${local.our_standard}/${id}" => reason }
}

resource "aws_securityhub_standards_control" "our_exceptions" {
  for_each = local.extended_exceptions

  standards_control_arn = each.key
  control_status        = "DISABLED"
  disabled_reason       = each.value

  depends_on = [aws_securityhub_standards_subscription.not_present_in_this_example]
}

data "aws_securityhub_standards_control_definitions" "our_standard" {
  standards_control_arn = local.our_standard
}

resource "aws_securityhub_standards_control" "our_controls" {
  # Data sources are referenced with the "data." prefix; the "controls" list attribute
  # is assumed here, since the proposed data source's schema is not defined yet.
  for_each = setsubtract(
    [for control in data.aws_securityhub_standards_control_definitions.our_standard.controls : control.arn],
    keys(local.extended_exceptions)
  )

  standards_control_arn = each.key
  control_status        = "ENABLED"

  depends_on = [aws_securityhub_standards_subscription.not_present_in_this_example]
}
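Added example, not code from the issue or the provider: the same per-region selection done directly against the boto3 method named in the issue (list_security_control_definitions), plus the "everything available is ENABLED unless it has a documented exception" split that the HCL above expresses with setsubtract. The control entries are a constructed sample in the shape of the API's SecurityControlDefinitions list; fetch_definitions expects a boto3 SecurityHub client for the region being configured.

```python
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample, shaped like the SecurityControlDefinitions entries that
# boto3's list_security_control_definitions(StandardsArn=...) returns.
SAMPLE_DEFINITIONS = [
    {"SecurityControlId": "CloudTrail.1", "SeverityRating": "HIGH", "CurrentRegionAvailability": "AVAILABLE"},
    {"SecurityControlId": "IAM.4", "SeverityRating": "CRITICAL", "CurrentRegionAvailability": "AVAILABLE"},
    {"SecurityControlId": "Config.1", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "UNAVAILABLE"},
    {"SecurityControlId": "IAM.1", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE"},
]


def fetch_definitions(client, standards_arn: str) -> Iterator[dict]:
    """Page through ListSecurityControlDefinitions for one standard.

    `client` is a boto3 SecurityHub client created in the region being configured;
    CurrentRegionAvailability in the result is meaningful for that region only."""
    kwargs = {"StandardsArn": standards_arn}
    while True:
        page = client.list_security_control_definitions(**kwargs)
        yield from page.get("SecurityControlDefinitions", [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]


def filter_definitions(definitions: Iterable[dict], availability: str = None,
                       severity: str = None) -> List[str]:
    """Control IDs matching the optional filters (the three data-source variants in the issue)."""
    return sorted(
        d["SecurityControlId"] for d in definitions
        if (availability is None or d["CurrentRegionAvailability"] == availability)
        and (severity is None or d["SeverityRating"] == severity)
    )


def plan_control_states(definitions: Iterable[dict], exceptions: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """Split the controls available in this region into ENABLED and DISABLED sets.

    Every available control is enabled unless it has a documented exception; exceptions
    for controls that are not available in this region are dropped, so one exception
    map serves all regions without hand-maintained per-region lists."""
    available = set(filter_definitions(definitions, availability="AVAILABLE"))
    disable = {cid: reason for cid, reason in exceptions.items() if cid in available}
    enable = sorted(available - set(disable))
    return enable, disable
```

Feeding the output of plan_control_states into per-region control updates gives the drift check Carlovo describes: any control that is available, not excepted, and not ENABLED is a deviation to investigate.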

@KingLeak95

I'd like to try this one!

@sakojun

sakojun commented Nov 28, 2023

New centralized management features are now available and appear to be easier to apply to multiple regions.
https://aws.amazon.com/jp/blogs/security/introducing-new-central-configuration-capabilities-in-aws-security-hub/
