From ed1b5e0ce5e9b2f4be5d98d752647444d433b673 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Thu, 12 Mar 2026 13:44:55 +0100
Subject: [PATCH] Filter Security Hub alerts to HIGH/CRITICAL only

MEDIUM findings (SSL, logging, required-tags) are too noisy and duplicate what the compliance reporter already covers. A single S3 bucket create/delete generated 4 MEDIUM Security Hub alerts on top of the resource creation and compliance alerts.
---
 terraform/platform/monitoring/main.tf | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/terraform/platform/monitoring/main.tf b/terraform/platform/monitoring/main.tf
index 1b65139..7fe8a9a 100644
--- a/terraform/platform/monitoring/main.tf
+++ b/terraform/platform/monitoring/main.tf
@@ -440,10 +440,12 @@ resource "aws_securityhub_standards_subscription" "aws_foundational" {
   depends_on = [aws_securityhub_account.main]
 }
 
-# Route Security Hub findings with severity >= MEDIUM to security SNS
+# Route Security Hub findings with severity >= HIGH to security SNS.
+# MEDIUM findings are too noisy (SSL, logging, tags) — these are covered
+# by Config rules and compliance reporter already.
 resource "aws_cloudwatch_event_rule" "securityhub_findings" {
   name        = "${var.project}-securityhub-findings"
-  description = "Route Security Hub findings (MEDIUM and above) to SNS"
+  description = "Route Security Hub findings (HIGH and above) to SNS"
 
   event_pattern = jsonencode({
     source = ["aws.securityhub"]
@@ -451,7 +453,7 @@ resource "aws_cloudwatch_event_rule" "securityhub_findings" {
     detail = {
       findings = {
         Severity = {
-          Label = ["MEDIUM", "HIGH", "CRITICAL"]
+          Label = ["HIGH", "CRITICAL"]
         }
       }
     }
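Review bot: The narrowed `Label` list in the second hunk still matches every re-import of a HIGH/CRITICAL finding, which likely includes the ARCHIVED updates Security Hub emits when the resource is deleted, so the create/delete burst described in the commit message is probably only partly addressed while MEDIUM findings now reach nobody through this route. Filtering on finding state cuts the repeat notifications regardless of severity and may make dropping MEDIUM unnecessary: add `RecordState = ["ACTIVE"]` next to `Severity` inside `findings`, and consider `Workflow = { Status = ["NEW"] }` if only first-seen findings should page. The comment added in the first hunk asserts that Config rules and the compliance reporter already cover the dropped MEDIUM controls, but nothing in this patch shows that, so it is worth confirming (and naming those resources in the comment) before the route is narrowed. The `event_pattern` block and the surrounding resource continue outside both hunks.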