Suppression is a feature that lets you remove findings from normal views and reports for a defined period of time. Suppressed findings aren't deleted; while a suppression is active, VMware Aria Automation for Secure Clouds continues to track them separately for audit and compliance purposes.
There are many reasons to use suppression, and it is the responsibility of each organization to decide what valid usage looks like. Here are some typical scenarios where a finding may be suppressed:
Suppression is modeled so that individual teams can submit suppression requests for their cloud accounts, which are then reviewed and approved or denied by a central security team. This helps security scale with an organization's growth and encourages service or feature teams to take an active role managing their own security findings.
There are two methods to suppress findings:
Which type to use depends on what you want to accomplish. A single suppression is best when you want to isolate a very specific scenario without affecting other parts of your organization. A suppression policy is the better option when you want to suppress a certain type of finding across multiple cloud accounts, projects, or your whole organization.
Another way to remove findings is to disable a rule from the Governance > Rules tab. Although similar, disabling a rule is not the same as suppression and the two must be understood as distinct processes with different outcomes from a compliance perspective.
Suppression
Disable a rule
You can learn more about disabling rules at the Rules Management guide.
VMware Aria Automation for Secure Clouds uses a role-based permissions structure for suppressions. It is designed to support a framework in which cloud account owners submit suppression requests to a central governance team, who review the scope, duration, and reason for each request and decide whether it should be approved or denied based on organization policy. Privileges to read, request, and approve suppressions are based on the service roles described in the Project User Guide; the following table is a quick reference for suppression purposes.
| Permissions | Org Admin | Org Analyst | Org Viewer | Project Admin | Project Analyst | Project Viewer |
|---|---|---|---|---|---|---|
| Read Suppression | Y | Y | Y | Y | Y | Y |
| Request Suppression | Y | Y | N | Y | Y | N |
| Approve Suppression | Y | N | N | N | N | N |