
We have deployed AWS SecurityHub across our organization using the following configuration:

```hcl
# Delegate Security Hub administration for the organization to the infosec account.
# Runs under the management (org root) account credentials.
resource "aws_securityhub_organization_admin_account" "infosec-security-hub" {
  admin_account_id = "12345678"
  provider         = aws.org-root
}

# Org-wide Security Hub settings, applied from the delegated admin account.
# auto_enable = true enrolls every new member account automatically.
resource "aws_securityhub_organization_configuration" "security-hub" {
  auto_enable = true
  provider    = aws.infosec
  depends_on  = [aws_securityhub_organization_admin_account.infosec-security-hub]
}
```

The auto_enable property on the organization ensures that new accounts are automatically enrolled into the SecurityHub organization. However, there is a negative side effect which we want to eliminate: when new accounts are registered, two Security Standards are enabled by default (e.g. CIS AWS Foundations Benchmark). Since we leverage AWS Config's organization-level rules (to track the status of the security controls applicable to our environment), this default behavior generates a lot of noise. Therefore, we need to run a script to disable these standards periodically. In other words, we leverage SecurityHub only as a way to consolidate findings from various security services (e.g. Config, IAM Access Analyzer, and Inspector). My question (given that we manage SecurityHub at the org level): how could we overwrite this default of automatically enabling two security standards?

immutableT
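The following is an added configuration example, not the asker's own code, showing the organization-level setting beside the one in the question: the enrollment behavior is kept, but newly enrolled member accounts are no longer subscribed to the default standards, and the delegated admin account itself opts out of them as well. It assumes the same provider aliases (aws.org-root, aws.infosec) as the question and an AWS provider version that supports the auto_enable_standards and enable_default_standards arguments; check the provider documentation for the version in use before applying.

```hcl
# Added example (not the original post's configuration).
# Assumes provider aliases aws.org-root and aws.infosec, and a provider version
# that exposes auto_enable_standards / enable_default_standards.

# Security Hub must be enabled in the delegated admin account itself.
# enable_default_standards = false keeps the CIS and AWS Foundational Security
# Best Practices standards from being subscribed in that account.
resource "aws_securityhub_account" "infosec" {
  provider                 = aws.infosec
  enable_default_standards = false
}

resource "aws_securityhub_organization_admin_account" "infosec-security-hub" {
  provider         = aws.org-root
  admin_account_id = "123456789012" # placeholder 12-digit account id
}

resource "aws_securityhub_organization_configuration" "security-hub" {
  provider = aws.infosec

  # Still enroll every new member account automatically ...
  auto_enable = true

  # ... but do not subscribe new members to the default standards.
  # "DEFAULT" (the implicit value) reproduces the behavior described in the question.
  auto_enable_standards = "NONE"

  depends_on = [
    aws_securityhub_account.infosec,
    aws_securityhub_organization_admin_account.infosec-security-hub,
  ]
}
```

Two caveats. The setting only affects accounts enrolled after it is applied: members that were already subscribed to the default standards keep those subscriptions, so the existing cleanup script still needs a final pass over them. To confirm the change took effect, run `aws securityhub describe-organization-configuration` with the delegated admin account's credentials and check that the response reports `AutoEnableStandards` as `NONE`.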

0 Answers