Use suppression to reduce the visibility of less critical findings while still tracking them in VMware Aria Automation for Secure Clouds

Suppression is a feature that lets you remove findings from normal views and reports for a defined period of time. Suppressed findings aren't deleted and are still monitored discretely by VMware Aria Automation for Secure Clouds for tracking and compliance purposes while a suppression is active.

There are many reasons to use suppression, and it is the responsibility of each organization to decide what valid usage looks like. Here are some typical scenarios where a finding may be suppressed:

• The finding is generated from an intentional resource configuration that is part of operational requirements.
• The finding is low severity but high volume and makes it difficult for users to review more critical findings, or is otherwise overwhelming them with noise (alerts, notifications, and so on).
• The finding cannot currently be resolved due to organizational dependencies or other restrictions beyond the user's control and must be deferred until action can be taken.

Suppression is modeled so that individual teams can submit suppression requests for their cloud accounts, which are then reviewed and approved or denied by a central security team. This helps security scale with an organization's growth and encourages service or feature teams to take an active role managing their own security findings.

Overview

There are two methods to suppress findings:

• Single suppressions that apply to an individual finding and associated resource.
• Suppression policies that use a set of criteria to suppress multiple findings across across a project or organization.

Which type to use depends on what you want to accomplish. Single suppressions are best leveraged when you want to isolate a very specific scenario without impacting other parts of your organization. A suppression policy is the better option when you want suppress a certain type of finding for multiple cloud accounts, projects, or your whole organization.

Disabling a rule

Another way to remove findings is to disable a rule from the Governance > Rules tab. Although similar, disabling a rule is not the same as suppression and the two must be understood as distinct processes with different outcomes from a compliance perspective.

Suppression

• Hides selected findings from normal view. New findings continue to be detected and monitored while suppression is active.
• Can use criteria to set the scope at which findings are suppressed (organization, project, or cloud account).
• When a suppression expires, all findings that were previously suppressed appear in normal views with the date and time they were detected on a resource.

Disable a rule

• Any current findings are resolved with the reason as "Rule disabled by user". Stops detecting new findings.
• Available only at the organization level, applies to all findings for the disable rules in all projects and cloud accounts.
• When a rule is enabled, all findings are detected at the same date and time regardless of when they actually occurred on a resource.

You can learn more about disabling rules at the Rules Management guide.

Role permissions

VMware Aria Automation for Secure Clouds uses a role-based permissions structure for suppressions that is designed to support a framework where cloud account owners submit suppression requests to a central governance team who then review the scope, duration, and reason for each request to determine if should be approved or denied based on organization policy. Privileges to review, request, and approve suppressions are based on the service roles described in the Project User Guide, but here is a quick reference for the purposes of suppression.