Exception and suppression handling in AWS Security Hub and AWS Config


As we are exploring AWS Security Hub and AWS Config to improve our security and compliance posture, we want to ensure we do not run into alert fatigue, so we need information on the following:

  1. How can exemptions/exceptions be managed and reported in AWS Security Hub and AWS Config? To provide further context, I will elaborate below:
     a. If we have deliberately exposed one S3 bucket publicly, and it is known to the whole organization conceptually, how can we make sure the security findings and metrics reporting take into account approved exemptions and allow the operations team to focus on the real issues?
     b. Does suppressing the workflow suppress the entire control, or can we suppress it for a specific resource?
1 Answer
Accepted Answer


Yes, Security Hub supports resource-level suppression. There are a few ways to suppress findings at the resource level:

  • You can manually suppress findings for specific resources from the Security Hub console or API. This prevents those findings from being included in your results.
  • Security Hub supports automation rules that can suppress findings based on custom criteria, such as specific resource IDs or types. Automation rules run automatically to keep your findings optimized.

For controls that involve global resources like IAM or S3 buckets, you can suppress findings by disabling the control in all regions except one, or by configuring AWS Config to not record global resources outside your chosen region.

Some key points about resource-level suppression in Security Hub:

  1. It helps reduce noise and cost by not processing irrelevant findings.
  2. Suppressed findings are still visible in the Security Hub console but marked as suppressed.
  3. You have control over what exactly is suppressed based on your environment and policies.

Sources
  [1] Security Hub controls that you might want to disable - AWS Security Hub
  [2] How AWS Security Hub works with IAM - AWS Security Hub
  [3] Disabling Security Hub - AWS Security Hub
  [4] AWS Security Blog - How to create auto-suppression rules in AWS Security Hub - https://aws.amazon.com/blogs/security/how-to-create-auto-suppression-rules-in-aws-security-hub/

answered 2 months ago
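The answer above describes two mechanisms without showing either. The following is an added example (not code from the original answer or from AWS) that puts the question's scenario, one deliberately public S3 bucket, into an automation rule scoped to that single resource and the public-access controls only, plus the one-off manual suppression for findings that already exist. The bucket ARN, the control IDs S3.2 and S3.3, the ticket reference and the region are assumptions. The boto3 calls are isolated in two functions that only run against a real account; the small matcher beside them reproduces the rule's criteria semantics (AND across fields, OR within a field; EQUALS/PREFIX/CONTAINS only) so the scoping can be checked offline against constructed ASFF findings before the rule is created.

```python
"""Resource-level suppression in Security Hub: scope an automation rule to one
approved-public bucket instead of disabling the whole control.

Added example, not the original answer's code. Bucket ARN, control IDs,
ticket ID and region are assumptions; findings below are constructed.
"""
from typing import Any

APPROVED_PUBLIC_BUCKET = "arn:aws:s3:::example-public-assets"   # assumption
PUBLIC_ACCESS_CONTROLS = ["S3.2", "S3.3"]                      # assumed control IDs
REGION = "us-east-1"                                           # assumption

# Request body in the shape boto3's securityhub.create_automation_rule() accepts.
SUPPRESSION_RULE: dict[str, Any] = {
    "RuleName": "exception-public-bucket-example-public-assets",
    "RuleOrder": 1,
    "RuleStatus": "ENABLED",
    "IsTerminal": True,  # a matching finding is not evaluated by later rules
    "Description": "Approved exception: bucket is intentionally public (SEC-1234, assumed)",
    "Criteria": {
        # The resource filter is what keeps this from silencing the whole control.
        "ResourceId": [{"Value": APPROVED_PUBLIC_BUCKET, "Comparison": "EQUALS"}],
        "ComplianceSecurityControlId": [
            {"Value": c, "Comparison": "EQUALS"} for c in PUBLIC_ACCESS_CONTROLS
        ],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    },
    "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Workflow": {"Status": "SUPPRESSED"},
            "Note": {"Text": "Approved exception SEC-1234; review annually",
                     "UpdatedBy": "security-team"},
        },
    }],
}


def _string_match(value: str, filters: list[dict[str, str]]) -> bool:
    """Filters on the same field are ORed. Only the positive comparisons are modelled."""
    for f in filters:
        cmp, want = f["Comparison"], f["Value"]
        if (cmp == "EQUALS" and value == want) or \
           (cmp == "PREFIX" and value.startswith(want)) or \
           (cmp == "CONTAINS" and want in value):
            return True
    return False


# How each supported criteria field is read from an ASFF finding.
_FIELD_GETTERS = {
    "ResourceId": lambda f: [r["Id"] for r in f.get("Resources", [])],
    "ComplianceSecurityControlId": lambda f: [f.get("Compliance", {}).get("SecurityControlId", "")],
    "RecordState": lambda f: [f.get("RecordState", "")],
}


def rule_matches(rule: dict[str, Any], finding: dict[str, Any]) -> bool:
    """Every criteria field must match (AND across fields)."""
    for field, filters in rule["Criteria"].items():
        if not any(_string_match(v, filters) for v in _FIELD_GETTERS[field](finding)):
            return False
    return True


def apply_rule(rule: dict[str, Any], findings: list[dict[str, Any]]) -> dict[str, str]:
    """Return {finding id: resulting Workflow.Status} after applying the rule locally."""
    update = rule["Actions"][0]["FindingFieldsUpdate"]
    result = {}
    for f in findings:
        status = f.get("Workflow", {}).get("Status", "NEW")
        if rule["RuleStatus"] == "ENABLED" and rule_matches(rule, f):
            status = update["Workflow"]["Status"]
        result[f["Id"]] = status
    return result


def _finding(fid: str, bucket_arn: str, control: str, record_state: str = "ACTIVE") -> dict[str, Any]:
    """Constructed ASFF finding with just the fields the rule looks at."""
    return {
        "Id": fid,
        "ProductArn": f"arn:aws:securityhub:{REGION}::product/aws/securityhub",
        "RecordState": record_state,
        "Workflow": {"Status": "NEW"},
        "Compliance": {"Status": "FAILED", "SecurityControlId": control},
        "Resources": [{"Type": "AwsS3Bucket", "Id": bucket_arn}],
    }


SAMPLE_FINDINGS = [
    _finding("f-approved-s3.2", APPROVED_PUBLIC_BUCKET, "S3.2"),            # the approved exception
    _finding("f-other-s3.2", "arn:aws:s3:::finance-exports", "S3.2"),       # another bucket: must stay NEW
    _finding("f-approved-s3.5", APPROVED_PUBLIC_BUCKET, "S3.5"),            # same bucket, other control: stays NEW
    _finding("f-approved-archived", APPROVED_PUBLIC_BUCKET, "S3.2", "ARCHIVED"),  # not ACTIVE: stays NEW
]


def create_rule() -> dict[str, Any]:
    """Create the rule in the account; acts on findings ingested or updated afterwards."""
    import boto3  # imported here so the offline matcher above needs no AWS SDK
    return boto3.client("securityhub", region_name=REGION).create_automation_rule(**SUPPRESSION_RULE)


def suppress_backlog(findings: list[dict[str, Any]]) -> dict[str, Any]:
    """Manual suppression for findings that already exist and match the rule locally."""
    import boto3
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings if rule_matches(SUPPRESSION_RULE, f)]
    note = SUPPRESSION_RULE["Actions"][0]["FindingFieldsUpdate"]["Note"]
    return boto3.client("securityhub", region_name=REGION).batch_update_findings(
        FindingIdentifiers=ids, Workflow={"Status": "SUPPRESSED"}, Note=note)


if __name__ == "__main__":
    for fid, status in apply_rule(SUPPRESSION_RULE, SAMPLE_FINDINGS).items():
        print(f"{fid}: {status}")
```

Running the file prints which of the four constructed findings would be suppressed: only the ACTIVE S3.2 finding on the approved bucket. The other bucket, the other control on the same bucket, and the archived record all keep their status, which is the property the question's part (b) asks about. Suppressed findings keep their record and remain queryable with `WorkflowStatus = SUPPRESSED`, so a report of approved exceptions can be produced from the same data rather than from a side spreadsheet.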
