Control Tower - Disable Compliance Change Notifications


Hello, we are using Control Tower and we have subscribed email (Slack) notifications to aws-controltower-AggregateSecurityNotifications SNS Topics.

We are receiving Control Tower drift notifications and AWS Config compliance change notifications as described in We are interested especially in Control Tower drift notifications.

Unfortunately, AWS Config compliance change notifications are too noisy: they notify on all compliance, noncompliance, and not_applicable events. The noise is caused by the rule AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES, which triggers a COMPLIANT notification each time a new EC2 node with EBS is provisioned and NOT_APPLICABLE when the node is shut down. We are interested only in non-compliant notifications; is it possible to change the behaviour?

Or alternatively, is it possible to disable sending AWS Config compliance change notifications to the aws-controltower-AggregateSecurityNotifications topic altogether, so that only Control Tower drift notifications would be sent to this topic?

I've noticed that the Event Rules which forward compliance change notifications are deployed by the stackset AWSControlTowerBP-BASELINE-CLOUDWATCH from the management account to all accounts, and it is possible to disable these notifications with the parameter EnableConfigRuleChangeNotification. Since the stackset is managed by Control Tower, I am not sure if we can change these settings. Could you please guide us on what the recommended approach is?

Thanks, Martin

1 Answer

Hi, you can control some of the events you get emails for. This link discusses some measures you can use to reduce the chatter you get from Control Tower: It will require some work, but you can set up filters in EventBridge, or you can use Lambda to assist with the types and frequencies of events you get emailed on.

answered 5 months ago
  • Hi Byron, thanks, I've read the mentioned documentation already. I am still not sure how to approach it if I am interested only in Control Tower drift notifications. AFAIK these drift notifications are sent only to aws-controltower-AggregateSecurityNotifications, where they are mixed with compliance change notifications, so the only solution is to subscribe a Lambda function to this topic and filter it there?
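
The Lambda filtering approach raised in this thread could look like the sketch below; it is an added example, not code posted by either participant or provided by AWS. It assumes the compliance messages on the topic are EventBridge event JSON with detail-type "Config Rules Compliance Change", and that kept messages are republished to a second topic named by a hypothetical FORWARD_TOPIC_ARN environment variable.

```python
import json
import os

# Constructed samples of SNS message bodies (not captured from a real account).
SAMPLE_COMPLIANT = json.dumps({
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {"configRuleName": "AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES",
               "newEvaluationResult": {"complianceType": "COMPLIANT"}},
})
SAMPLE_NON_COMPLIANT = SAMPLE_COMPLIANT.replace('"COMPLIANT"', '"NON_COMPLIANT"')
SAMPLE_DRIFT = json.dumps({"DriftType": "ACCOUNT_MOVED_BETWEEN_OUS",
                           "Message": "constructed drift text"})


def should_forward(body: str) -> bool:
    """Drop only Config compliance changes that are not NON_COMPLIANT.

    Anything else (drift notifications, unparseable text, unknown events)
    is forwarded, so the filter never hides a message it does not understand.
    """
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return True
    if not isinstance(msg, dict):
        return True
    if msg.get("detail-type") != "Config Rules Compliance Change":
        return True
    detail = msg.get("detail")
    result = detail.get("newEvaluationResult") if isinstance(detail, dict) else None
    if not isinstance(result, dict):
        return True  # malformed compliance event: surface it rather than drop it
    return result.get("complianceType") == "NON_COMPLIANT"


def handler(event, context=None):
    """Lambda entry point for an SNS subscription; returns the kept records."""
    kept = [r["Sns"] for r in event.get("Records", [])
            if should_forward(r["Sns"].get("Message", ""))]
    topic = os.environ.get("FORWARD_TOPIC_ARN")  # hypothetical variable name
    if topic and kept:
        import boto3  # bundled in the Lambda Python runtime
        sns = boto3.client("sns")
        for rec in kept:
            sns.publish(TopicArn=topic, Message=rec["Message"],
                        Subject=(rec.get("Subject") or "Control Tower notification")[:100])
    return kept
```

Email or Slack subscribers would then be attached to the second topic instead of aws-controltower-AggregateSecurityNotifications, leaving the Control Tower managed stackset untouched.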
