Control Tower - Disable Compliance Change Notifications

2

Hello, we are using Control Tower and we have subscribed email (Slack) notifications to the aws-controltower-AggregateSecurityNotifications SNS topic.

We are receiving Control Tower drift notifications and AWS Config compliance change notifications as described in https://docs.aws.amazon.com/controltower/latest/userguide/compliance.html. We are especially interested in Control Tower drift notifications.

Unfortunately, AWS Config compliance change notifications are too noisy: they notify on all compliance, noncompliance, and not_applicable events. The noise is caused by the rule AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES, which triggers a COMPLIANT notification each time a new EC2 node with EBS is provisioned and a NOT_APPLICABLE notification when the node is shut down. We are interested only in non-compliant notifications. Is it possible to change the behaviour?

Or, alternatively, is it possible to disable sending AWS Config compliance change notifications to the aws-controltower-AggregateSecurityNotifications topic at all, so that only Control Tower drift notifications would be sent to this topic?

I've noticed that the Event Rules which forward compliance change notifications are deployed by the stackset AWSControlTowerBP-BASELINE-CLOUDWATCH from the management account to all accounts, and there is a possibility to disable these notifications with the parameter EnableConfigRuleChangeNotification. Since the stackset is managed by Control Tower, I am not sure if we can change these settings. Could you please guide us on the recommended approach?

Thanks, Martin

  • +1 to this question.

    We recently started receiving the Config Rules Compliance Change noise too -- presumably when I updated our landing zone version? Whatever the case, I completely agree that getting notifications for COMPLIANT and NOT_APPLICABLE states makes these emails super noisy and not useful for us. It seems like the only workaround is to send all the default control tower spam to an unused email and set it all up ourselves with a sane configuration?

1 Answer
0

Hi, you can set things up to control some of the events you get emails for. This link discusses some measures you can use to reduce the chatter you get from Control Tower: https://docs.aws.amazon.com/controltower/latest/userguide/receive-notifications.html. It will require some work, but you can set up filters in EventBridge, or you can use Lambda to assist with the types and frequencies of events you get emailed on.

AWS
Byron_G
answered 2 years ago
  • Hi Byron, thanks, I've read the mentioned documentation already. I am still not sure how to approach it if I am interested only in Control Tower drift notifications. AFAIK these drift notifications are sent only to aws-controltower-AggregateSecurityNotifications? There they are mixed with compliance change notifications, so the only solution is to subscribe a Lambda function to this topic and filter there?

  • Completely agree with Martin. Is this really the suggested workaround? Is there any plan to make the default configuration more sane and useful?
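The Lambda-based filter discussed above, as an added example that is not from the question, the answer or AWS: a function subscribed to the aggregate SNS topic that drops only AWS Config compliance change events in the COMPLIANT and NOT_APPLICABLE states and forwards everything else (NON_COMPLIANT, Control Tower drift notifications, anything unrecognised), so the Control Tower-managed stackset and its EnableConfigRuleChangeNotification parameter are left untouched. The EventBridge event shape (source "aws.config", detail-type "Config Rules Compliance Change", detail.newEvaluationResult.complianceType) and the `publish` callable for the quiet downstream topic are assumptions; the sample records are constructed.

```python
import json

# States the question calls noise; NON_COMPLIANT is the one worth an alert.
SUPPRESSED_STATES = {"COMPLIANT", "NOT_APPLICABLE"}
CONFIG_COMPLIANCE_EVENT = "Config Rules Compliance Change"  # assumed detail-type


def classify(message):
    """Return ('drop', state) or ('forward', reason) for one SNS message body.

    Fail open on purpose: anything that is not recognisably an AWS Config
    compliance-change event (drift notifications, plain text, odd JSON) is
    forwarded, so the filter can never silently hide an unexpected alert.
    """
    try:
        body = json.loads(message)
    except (TypeError, ValueError):
        return "forward", "not-json"
    if not isinstance(body, dict):
        return "forward", "not-json-object"
    if body.get("source") != "aws.config" or body.get("detail-type") != CONFIG_COMPLIANCE_EVENT:
        return "forward", "not-config-compliance"  # e.g. a Control Tower drift notification
    detail = body.get("detail") or {}
    state = (detail.get("newEvaluationResult") or {}).get("complianceType")
    if state in SUPPRESSED_STATES:
        return "drop", state
    return "forward", state or "unknown-state"


def lambda_handler(event, context=None, publish=None):
    """Lambda entry point for an SNS subscription. `publish` is a hypothetical
    callable that re-publishes one message to the quiet topic (e.g. boto3
    sns.publish); when omitted, messages are only collected and returned."""
    forwarded, dropped = [], 0
    for record in event.get("Records", []):
        message = (record.get("Sns") or {}).get("Message")
        if classify(message)[0] == "forward":
            forwarded.append(message)
            if publish is not None:
                publish(message)
        else:
            dropped += 1
    return {"forwarded": forwarded, "dropped": dropped}


def config_event(state):
    # Constructed EventBridge event in the assumed AWS Config shape.
    return json.dumps({"source": "aws.config", "detail-type": CONFIG_COMPLIANCE_EVENT,
                       "detail": {"configRuleName": "AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES",
                                  "resourceType": "AWS::EC2::Volume",
                                  "newEvaluationResult": {"complianceType": state}}})


# Constructed SNS delivery: two noisy events, one real finding, one drift-style text.
SAMPLE_EVENT = {"Records": [
    {"Sns": {"Message": config_event("COMPLIANT")}},
    {"Sns": {"Message": config_event("NOT_APPLICABLE")}},
    {"Sns": {"Message": config_event("NON_COMPLIANT")}},
    {"Sns": {"Message": "AWS Control Tower has detected drift (constructed text)"}},
]}
```

Because the filter keys on the EventBridge fields rather than on free text, a change in AWS's message wording degrades to forwarding everything rather than dropping a real finding.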
