Suppress or delete findings & violations (Security Hub/Config) for resources created by default by Control Tower?


I deployed Control Tower in the ca-central-1 region and enabled Security Hub and AWS Config through a dedicated admin account (the audit account provided by default by Control Tower).

I then enabled the following security standards:

  • PCI DSS v3.2.1
  • CIS AWS Foundations Benchmark v1.2.0
  • AWS Foundational Security Best Practices v1.0.0

For AWS Config, I deployed the following conformance packs:

  • Operational Best Practices for NIST CSF
  • Operational Best Practices for CIS AWS Foundations Benchmark v1.3 Level 1
  • Operational Best Practices for CIS AWS Foundations Benchmark v1.3 Level 2
  • Operational Best Practices for AWS Well-Architected Framework Security Pillar

Upon enabling those Security Hub standards and Config conformance packs, I was presented with the following findings & violations on the respective resources:

  • s3-bucket-logging-enabled (bucket created by default by Control Tower: aws-controltower-s3-access-logs-ca-central-1)
  • s3-bucket-default-lock-enabled (buckets created by default by Control Tower: aws-controltower-s3-access-logs-ca-central-1 & aws-controltower-s3-logs-ca-central-1)
  • Lambda functions should be in a VPC (Lambda function created by default by Control Tower: aws-controltower-NotificationForwarder)
  • Lambda functions should have a dead-letter queue configured (Lambda function created by default by Control Tower: aws-controltower-NotificationForwarder)

To get rid of those violations, I need to either remediate somehow or suppress/delete those findings. Please keep in mind that remediation can be difficult and annoying because of the tight SCPs that prevent making changes to the above resources and their configurations. To be able to remediate, you have to delete SCPs, put your Control Tower in a drift state, make the necessary changes, and then repair Control Tower. You can see why this isn't such a good idea to do.

From a compliance perspective, is it okay to suppress or delete those findings/violations?


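If the decision is to suppress rather than remediate, the part an auditor will want to see is that only the Control Tower-managed resources were suppressed and that each suppression carries a written justification. The following is an added example, not code from the question or from AWS: it selects Security Hub findings whose resource ARN ends in the `aws-controltower-` prefix from the question, skips findings that are already suppressed, and builds `BatchUpdateFindings` requests that set the workflow status to `SUPPRESSED` with a note. The sample findings are constructed to look like ASFF records and are not real Security Hub output; the `client` argument is assumed to be a boto3 `securityhub` client. AWS Config conformance pack evaluations are a separate API and are not covered here.

```python
import re

# Control Tower names everything it creates with this prefix; the resource ARNs
# of both the S3 buckets and the Lambda function end in that name.
CT_RESOURCE_RE = re.compile(r"[:/]aws-controltower-[\w.-]+$")


def _finding(num, title, rtype, rid, status="NEW"):
    """Build a minimal ASFF-like finding (constructed sample, not real output)."""
    return {
        "Id": f"arn:aws:securityhub:ca-central-1:111122223333:finding/{num}",
        "ProductArn": "arn:aws:securityhub:ca-central-1::product/aws/securityhub",
        "Title": title,
        "Resources": [{"Type": rtype, "Id": rid}],
        "Workflow": {"Status": status},
    }


# Constructed samples using the control names and resources from the question.
SAMPLE_FINDINGS = [
    _finding(1, "Lambda functions should be in a VPC", "AwsLambdaFunction",
             "arn:aws:lambda:ca-central-1:111122223333:function:aws-controltower-NotificationForwarder"),
    _finding(2, "s3-bucket-logging-enabled", "AwsS3Bucket",
             "arn:aws:s3:::aws-controltower-s3-access-logs-ca-central-1"),
    _finding(3, "s3-bucket-logging-enabled", "AwsS3Bucket",
             "arn:aws:s3:::payments-data-ca-central-1"),  # not Control Tower's: keep it open
    _finding(4, "Lambda functions should have a dead-letter queue configured", "AwsLambdaFunction",
             "arn:aws:lambda:ca-central-1:111122223333:function:aws-controltower-NotificationForwarder",
             status="SUPPRESSED"),  # already handled: do not touch again
]


def is_control_tower_managed(finding):
    """True if any resource on the finding is one Control Tower created."""
    return any(CT_RESOURCE_RE.search(r.get("Id", "")) for r in finding.get("Resources", []))


def build_suppression_requests(findings, justification, updated_by, batch=100):
    """Return BatchUpdateFindings request bodies, at most 100 identifiers each.

    Only findings on Control Tower-managed resources that are not already
    suppressed are included; the note records who accepted the risk and why.
    """
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings
           if is_control_tower_managed(f) and f["Workflow"]["Status"] != "SUPPRESSED"]
    return [{"FindingIdentifiers": ids[i:i + batch],
             "Workflow": {"Status": "SUPPRESSED"},
             "Note": {"Text": justification, "UpdatedBy": updated_by}}
            for i in range(0, len(ids), batch)]


def suppress(client, findings, justification, updated_by):
    """Apply the requests through a boto3 securityhub client (assumed, passed in)."""
    return [client.batch_update_findings(**req)
            for req in build_suppression_requests(findings, justification, updated_by)]
```

Suppressed findings stay queryable in Security Hub with their note, so the filter, the justification text and the `UpdatedBy` identity together form the evidence trail that a later review can check.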