Thank you for answering.
We have confirmed that all results with compliance status = FAILED are detection results for the default security group. After my research, I'm guessing that the content of the following document is the answer.
https://docs.aws.amazon.com/ja_jp/securityhub/latest/userguide/finding-workflow-status.html
For example, the workflow status tracks the progress of your investigation into a finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-concepts.html
Archived finding: A finding that has a RecordState set to ARCHIVED. Archiving a finding indicates that the finding provider believes that the finding is no longer relevant. The record state is separate from the workflow status, which tracks the status of an investigation into a finding.
Finding providers can use the BatchImportFindings operation of the Security Hub API to archive findings that they created. Security Hub automatically archives findings for controls if the control is disabled or the associated resource is deleted, based on one of the following criteria.
- The finding is not updated in three to five days (note that this is best effort and not guaranteed).
In other words, it is speculated that similar detection results for similar resources are separate results and will not be overwritten. In addition, I'm guessing that the archived results will continue to be displayed for some time.
If this perception is wrong, please point it out.
Are you sure the finding with Compliance Status = FAILED is the same Security Group as the other? If you have more than one VPC (e.g. the Default one may still be there) you may have more than one default security group.
Your perception is correct. You can add a filter to not show ARCHIVED findings in the findings page. Our default views in SecHub all filter out ARCHIVED findings.
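The filter described in the answers above, as an added example that is not part of the thread or AWS's own code: it builds a `GetFindings` filter for FAILED, non-archived findings and groups the matches by resource ARN, so a second default security group in another VPC shows up as its own entry. The boto3 client is assumed for the live call; the sample findings, ARNs and finding IDs are constructed.

```python
from collections import defaultdict

# Filters for the Security Hub GetFindings API: FAILED compliance, not archived.
ACTIVE_FAILED_FILTERS = {
    "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
}

def fetch_findings(client, filters=ACTIVE_FAILED_FILTERS):
    """Page through GetFindings; `client` is boto3.client("securityhub")."""
    pages = client.get_paginator("get_findings").paginate(Filters=filters)
    return [f for page in pages for f in page["Findings"]]

def matches(finding, filters=ACTIVE_FAILED_FILTERS):
    """Apply the same two EQUALS filters locally to an ASFF finding dict."""
    wanted_status = {f["Value"] for f in filters["ComplianceStatus"]}
    wanted_state = {f["Value"] for f in filters["RecordState"]}
    return (finding.get("Compliance", {}).get("Status") in wanted_status
            and finding.get("RecordState") in wanted_state)

def failed_by_resource(findings):
    """Group ACTIVE + FAILED finding IDs by the resource ARN they refer to."""
    grouped = defaultdict(list)
    for f in findings:
        if matches(f):
            for res in f.get("Resources", []):
                grouped[res["Id"]].append(f["Id"])
    return dict(grouped)

# Constructed sample: one account, two VPCs, each with its own default security group.
def _sg(n):
    return f"arn:aws:ec2:us-east-1:111122223333:security-group/sg-{n:017x}"

def _finding(fid, sg, status, state, workflow):
    return {"Id": fid, "RecordState": state, "Workflow": {"Status": workflow},
            "Compliance": {"Status": status},
            "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": sg}]}

SAMPLE = [
    _finding("finding-a", _sg(1), "PASSED", "ACTIVE", "RESOLVED"),
    _finding("finding-b", _sg(2), "FAILED", "ACTIVE", "NEW"),     # other VPC's default SG
    _finding("finding-c", _sg(1), "FAILED", "ARCHIVED", "NEW"),   # older record, archived
]

if __name__ == "__main__":
    for arn, ids in failed_by_resource(SAMPLE).items():
        print(arn, ids)
```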