Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Control Tower - Disable Compliance Change Notifications

3

Hello, we are using Control Tower and we have subscribed email (Slack) notifications to aws-controltower-AggregateSecurityNotifications SNS Topics.

We are receiving Control Tower drift notifications and AWS Config compliance change notifications as described in https://docs.aws.amazon.com/controltower/latest/userguide/compliance.html We are interested especially in Control Tower drift notifications.

Unfortunately AWS Config compliance change notifications are too noisy, it notifies on all compliance, noncompliance, and not_applicable events. The noise is caused by rule AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES which triggers COMPLIANT notification each time new EC2 node with EBS is provisioned and NOT_APPLICABLE when the node is shut down. We are interested only in non-compliant notifications, is it possible to change the behaviour?

Or alternatively is it possible to disable at all sending AWS Config compliance change notifications to aws-controltower-AggregateSecurityNotifications topic? So only Control Tower drift notifications would be send to this topic.

I've noticed that Event Rules which are forwarding compliance notifications changes are deployed by stackset AWSControlTowerBP-BASELINE-CLOUDWATCH from management account to all accounts and there is possibility to disable these notifications by parameter EnableConfigRuleChangeNotification. Since the stackset is managed by ControlTower I am not sure if we can change these settings? Could you please guide us what is the recommended approach?

thanks Martin

  • rePost-User-2143845
    3 years ago

    +1 to this question.

    We recently started receiving the Config Rules Compliance Change noise too -- presumably when I updated our landing zone version? Whatever the case, I completely agree that getting notifications for COMPLIANT and NOT_APPLICABLE states makes these emails super noisy and not useful for us. It seems like the only workaround is to send all the default control tower spam to an unused email and set it all up ourselves with a sane configuration?

Topics
Management & GovernanceSecurity, Identity, & Compliance
Tags
AWS ConfigSecurity, Identity, & ComplianceAWS Control Tower
Language
English
asked 4 years ago2.4K views
2 Answers
0

Hi, You can set up to control some of the events you get emails for. This link discusses some measure you can use to reduce the chatter you get from Control Tower: https://docs.aws.amazon.com/controltower/latest/userguide/receive-notifications.html. It will require some work, but you can set up filters in EventBridge, or you can use Lambda to assist with the types and frequencies of events you get emailed on.

AWS
answered 4 years ago
  • Martin Halamicek
    4 years ago

    Hi Byron, thanks I've read the mentioned documentation already. I am still not sure how to approach it, if I am interested only in Control Tower drift notifications. AFAIK these drift notifications are send only to aws-controltower-AggregateSecurityNotifications? Where these are mixed with compliance change notification so only solution is subsribe Lambda function to this topic and filter it there?

  • rePost-User-2143845
    3 years ago

    Completely agree with Martin. Is this really the suggested workaround? Is there any plan to make the default configuration more sane and useful?

0

The simplest solution is to use an SNS Subscription Filter Policy on the aws-controltower-AggregateSecurityNotifications topic. Filter Policy: Apply this Message Body filter to your subscription: { "DriftType": [ {"exists": true} ] } This filter only allows messages containing the DriftType field, which is present in all Control Tower drift notifications but absent in Config compliance notifications. Since you can't modify Control Tower's EventBridge rules, this message body filter provides a simple, native SNS solution without requiring Lambda functions or additional infrastructure.

answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content