Why do SecurityHub detection results show both PASSED and FAILED for the same resource?
The SecurityHub detection result has the following title:
4.3 Ensure the default security group of every VPC restricts all traffic
In response, we have removed the default security group inbound and outbound rules. After that, I re-evaluated with Config.
After re-evaluation, the SecurityHub detection results show both PASSED and FAILED with the above title.
The update date and time of PASSED is the time when it was re-evaluated by Config. On the other hand, the update date and time of FAILED is from 19 hours ago.
Why are both PASSED and FAILED displayed for the same detection result?
Thank you for answering.
We have confirmed that all results with compliance status = FAILED are detection results for the default security group. After my research, I'm guessing that the content of the following document is the answer.
For example, the workflow status tracks the progress of your investigation into a finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.
A finding that has a RecordState set to ARCHIVED. Archiving a finding indicates that the finding provider believes that the finding is no longer relevant. The record state is separate from the workflow status, which tracks the status of an investigation into a finding.
Finding providers can use the BatchImportFindings operation of the Security Hub API to archive findings that they created. Security Hub automatically archives findings for controls if the control is disabled or the associated resource is deleted, based on one of the following criteria.
・ The finding is not updated in three to five days (note that this is best effort and not guaranteed).
In other words, it is speculated that similar detection results for similar resources are separate results and will not be overwritten. In addition, I'm guessing that the archived results will continue to be displayed for some time.
If this perception is wrong, please point it out.
Your perception is correct. You can add a filter to not show ARCHIVED findings in the findings page. Our default views in SecHub all filter out ARCHIVED findings.
Are you sure the finding with Compliance Status = FAILED is the same Security Group as the other? If you have more than one VPC (e.g. the Default one may still be there) you may have more than one default security group.
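The two answers above can be checked together in code: drop ARCHIVED records (as the default views do) and then group the remaining findings by resource ARN to see whether PASSED and FAILED really refer to the same security group. This is an added example, not part of the thread; the findings are constructed ASFF-shaped samples and the ARNs are placeholders, while the `Filters` dict uses the real `RecordState` and `Title` keys accepted by `securityhub.get_findings()`.

```python
from collections import defaultdict

TITLE = "4.3 Ensure the default security group of every VPC restricts all traffic"
SG1 = "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0default1"  # constructed
SG2 = "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0default2"  # constructed

# Constructed sample findings (ASFF-shaped, not real account data):
# the old FAILED record for SG1 is ARCHIVED, and a second default SG in another VPC still fails.
SAMPLE_FINDINGS = [
    {"Id": "finding-1", "Title": TITLE, "RecordState": "ACTIVE",
     "Compliance": {"Status": "PASSED"}, "UpdatedAt": "2023-06-02T09:00:00Z",
     "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": SG1}]},
    {"Id": "finding-2", "Title": TITLE, "RecordState": "ARCHIVED",
     "Compliance": {"Status": "FAILED"}, "UpdatedAt": "2023-06-01T14:00:00Z",
     "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": SG1}]},
    {"Id": "finding-3", "Title": TITLE, "RecordState": "ACTIVE",
     "Compliance": {"Status": "FAILED"}, "UpdatedAt": "2023-06-02T09:00:00Z",
     "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": SG2}]},
]


def default_view_filters(title=TITLE):
    """Filters argument for securityhub.get_findings() that mirrors the console's
    default view: only ACTIVE records, restricted to this control's title."""
    return {
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "Title": [{"Value": title, "Comparison": "EQUALS"}],
    }


def active_findings(findings):
    """Apply the RecordState filter locally: drop ARCHIVED records."""
    return [f for f in findings if f.get("RecordState") == "ACTIVE"]


def status_by_resource(findings):
    """Map each resource ARN to the (RecordState, ComplianceStatus) pairs recorded
    for it, so PASSED/FAILED pairs can be traced to a specific security group."""
    by_res = defaultdict(list)
    for f in findings:
        for r in f.get("Resources", []):
            by_res[r["Id"]].append((f["RecordState"], f["Compliance"]["Status"]))
    return dict(by_res)


if __name__ == "__main__":
    print("all records:   ", status_by_resource(SAMPLE_FINDINGS))
    print("active records:", status_by_resource(active_findings(SAMPLE_FINDINGS)))
```

Once ARCHIVED records are removed, the only FAILED finding left belongs to a different security group, which is exactly the case the second answer asks you to rule out.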