Closed
Labels
question (Further information is requested)
Description
Hi all
It seems that the recent change to the pattern for the "UnauthorizedAPICalls" alert is triggering a false finding in Security Hub
3d5332a
I guess the reason is that the "official" pattern tested for is:
{($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}
The new pattern is:
{(($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")) && (($.sourceIPAddress!="delivery.logs.amazonaws.com") && ($.eventName!="HeadBucket"))}
Is my assumption correct?
Should you revert the change or should we suppress the finding?
Thanks,
Luigi
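
An added example, not code from the issue or the project: a simplified Python re-implementation of the two filter patterns quoted above, run over constructed CloudTrail-style events. It shows which events the new pattern stops counting and that the two pattern strings differ even when whitespace is ignored. The event data and all function names are assumptions, and this is not the CloudWatch Logs filter engine.

```python
from fnmatch import fnmatchcase

# The two filter patterns quoted in the issue, copied verbatim.
OFFICIAL = '{($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied*")}'
NEW = ('{(($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")) && '
       '(($.sourceIPAddress!="delivery.logs.amazonaws.com") && ($.eventName!="HeadBucket"))}')

# Constructed CloudTrail-style events (sample data, not taken from the issue).
EVENTS = [
    {"eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation",
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "GetObject", "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "HeadBucket", "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "PutObject", "errorCode": "AccessDeniedException",
     "sourceIPAddress": "delivery.logs.amazonaws.com"},
    {"eventName": "DescribeInstances", "errorCode": "ThrottlingException",
     "sourceIPAddress": "198.51.100.7"},
]

def same_text(a, b):
    """Compare two pattern strings with all whitespace ignored."""
    return "".join(a.split()) == "".join(b.split())

def is_denied(event):
    """The errorCode clause shared by both patterns ('*' is a wildcard)."""
    code = event["errorCode"]
    return fnmatchcase(code, "*UnauthorizedOperation") or fnmatchcase(code, "AccessDenied*")

def official_match(event):
    return is_denied(event)

def new_match(event):
    """Same clause, minus log-delivery traffic and HeadBucket calls."""
    return (is_denied(event)
            and event["sourceIPAddress"] != "delivery.logs.amazonaws.com"
            and event["eventName"] != "HeadBucket")

def compare(events):
    """Return (event names matched by both, names matched only by the official pattern)."""
    both = [e["eventName"] for e in events if official_match(e) and new_match(e)]
    only_official = [e["eventName"] for e in events
                     if official_match(e) and not new_match(e)]
    return both, only_official

if __name__ == "__main__":
    print("patterns textually equal:", same_text(OFFICIAL, NEW))
    print("matched by both / only by official:", compare(EVENTS))
```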