IT-4081: suppress cis-aws-foundations-benchmark/v/1.4.0/3.9 since we use GuardDuty to monitor flow logs #1319
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…use GuardDuty to monitor flow logs
ConsoleCatzirl
requested changes
Jan 10, 2025
| @@ -377,6 +377,8 @@ Resources: | |||
| - 'arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.1' | |||
| - 'arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.2' | |||
| - 'cis-aws-foundations-benchmark/v/1.4.0/3.5' # (IT-3619) "3.5 Ensure AWS Config is enabled in all regions" | |||
| # suppress cis-aws-foundations-benchmark/v/1.4.0/3.9 since we use GuardDuty to monitor flow logs: | |||
| - 'cis-aws-foundations-benchmark/v/1.4.0/3.9' | |||
There was a problem hiding this comment.
My understanding is that guard duty is good for detection but not for investigation so I think we should enforce this finding at least for production accounts, but I'm ok with suppressing it in non-prod accounts
There was a problem hiding this comment.
it would probably be beneficial if you could add a reference to issue IT-4081 and provide justification for this suppression in the issue.
zaro0508
approved these changes
Jan 10, 2025
| @@ -377,6 +377,8 @@ Resources: | |||
| - 'arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.1' | |||
| - 'arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.2' | |||
| - 'cis-aws-foundations-benchmark/v/1.4.0/3.5' # (IT-3619) "3.5 Ensure AWS Config is enabled in all regions" | |||
| # suppress cis-aws-foundations-benchmark/v/1.4.0/3.9 since we use GuardDuty to monitor flow logs: | |||
| - 'cis-aws-foundations-benchmark/v/1.4.0/3.9' | |||
There was a problem hiding this comment.
it would probably be beneficial if you could add a reference to issue IT-4081 and provide justification for this suppression in the issue.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
suppress cis-aws-foundations-benchmark/v/1.4.0/3.9 since we use GuardDuty to monitor flow logs