


# AWS::SecurityHub::ConfigurationPolicy
<a name="aws-resource-securityhub-configurationpolicy"></a>

 The `AWS::SecurityHub::ConfigurationPolicy` resource creates a central configuration policy with the defined settings. Only the AWS Security Hub CSPM delegated administrator can create this resource in the home Region. For more information, see [Central configuration in Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) in the *AWS Security Hub CSPM User Guide*. 

## Syntax
<a name="aws-resource-securityhub-configurationpolicy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-securityhub-configurationpolicy-syntax.json"></a>

```
{
  "Type" : "AWS::SecurityHub::ConfigurationPolicy",
  "Properties" : {
      "ConfigurationPolicy" : Policy,
      "Description" : String,
      "Name" : String,
      "Tags" : {Key: Value, ...}
    }
}
```

### YAML
<a name="aws-resource-securityhub-configurationpolicy-syntax.yaml"></a>

```
Type: AWS::SecurityHub::ConfigurationPolicy
Properties:
  ConfigurationPolicy:
    Policy
  Description: String
  Name: String
  Tags:
    Key: Value
```

## Properties
<a name="aws-resource-securityhub-configurationpolicy-properties"></a>

`ConfigurationPolicy`  <a name="cfn-securityhub-configurationpolicy-configurationpolicy"></a>
 An object that defines how AWS Security Hub CSPM is configured. It includes whether Security Hub CSPM is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub CSPM disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub CSPM enables all other controls (including newly released controls).   
*Required*: Yes  
*Type*: [Policy](aws-properties-securityhub-configurationpolicy-policy.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Description`  <a name="cfn-securityhub-configurationpolicy-description"></a>
 The description of the configuration policy.   
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-securityhub-configurationpolicy-name"></a>
 The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: `-, ., !, *, /`.   
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-securityhub-configurationpolicy-tags"></a>
 User-defined tags associated with a configuration policy. For more information, see [Tagging AWS Security Hub CSPM resources](https://docs.aws.amazon.com/securityhub/latest/userguide/tagging-resources.html) in the *Security Hub CSPM user guide*.   
*Required*: No  
*Type*: Object of String  
*Pattern*: `^(?!aws:)[a-zA-Z+-=._:/]{1,128}$`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-securityhub-configurationpolicy-return-values"></a>

### Ref
<a name="aws-resource-securityhub-configurationpolicy-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the Amazon Resource Name (ARN) of the configuration policy. For example, `arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`.

### Fn::GetAtt
<a name="aws-resource-securityhub-configurationpolicy-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [`Fn::GetAtt`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-securityhub-configurationpolicy-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
 The ARN of the configuration policy. 

`CreatedAt`  <a name="CreatedAt-fn::getatt"></a>
Property description not available.

`Id`  <a name="Id-fn::getatt"></a>
 The universally unique identifier (UUID) of the configuration policy. A self-managed configuration has no UUID. The identifier of a self-managed configuration is `SELF_MANAGED_SECURITY_HUB`. 

`ServiceEnabled`  <a name="ServiceEnabled-fn::getatt"></a>
 Indicates whether the service that the configuration policy applies to is enabled in the policy. 

`UpdatedAt`  <a name="UpdatedAt-fn::getatt"></a>
 The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated. 

## Examples
<a name="aws-resource-securityhub-configurationpolicy--examples"></a>



### Creating a Security Hub CSPM central configuration policy
<a name="aws-resource-securityhub-configurationpolicy--examples--Creating_a_central_configuration_policy"></a>

The following example creates a configuration policy with the specified settings. Only the delegated Security Hub CSPM administrator can create a configuration policy from the home Region.

#### JSON
<a name="aws-resource-securityhub-configurationpolicy--examples--Creating_a_central_configuration_policy--json"></a>

```
{
  "Description": "Example template to create a SecurityHub configuration policy",
  "Resources": {
    "SecurityHubConfigurationPolicy": {
      "Type": "AWS::SecurityHub::ConfigurationPolicy",
      "Properties": {
        "Tags": {
          "key1": "value1"
        },
        "Name": "SecurityHubConfigurationPolicyExample",
        "Description": "Example template to create SecurityHub Configuration Policy",
        "ConfigurationPolicy": {
          "SecurityHub": {
            "ServiceEnabled": true,
            "EnabledStandardIdentifiers": [
              "arn:aws:securityhub:us-west-2::standards/aws-foundational-security-best-practices/v/1.0.0"
            ],
            "SecurityControlsConfiguration": {
              "EnabledSecurityControlIdentifiers": [
                "APIGateway.1",
                "IAM.7",
                "RDS.14",
                "CloudFront.5",
                "EC2.18",
                "S3.11",
                "CloudFront.6"
              ],
              "SecurityControlCustomParameters": [
                {
                  "SecurityControlId": "APIGateway.1",
                  "Parameters": {
                    "loggingLevel": {
                      "ValueType": "CUSTOM",
                      "Value": {
                        "Enum": "ERROR"
                      }
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-securityhub-configurationpolicy--examples--Creating_a_central_configuration_policy--yaml"></a>

```
Description: Example template to create a Security Hub configuration policy
Resources:
  SecurityHubConfigurationPolicy:
    Type: "AWS::SecurityHub::ConfigurationPolicy"
    Properties:
      Tags:
        key1: value1
      Name: "SecurityHubConfigurationPolicyExample"
      Description: "Example template to create SecurityHub Configuration Policy"
      ConfigurationPolicy:
        SecurityHub:
          ServiceEnabled: true
          EnabledStandardIdentifiers:
            - !Sub "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"
          SecurityControlsConfiguration:
            EnabledSecurityControlIdentifiers:
              - "APIGateway.1"
              - "IAM.7"
              - "RDS.14"
              - "CloudFront.5"
              - "EC2.18"
              - "S3.11"
              - "CloudFront.6"
            SecurityControlCustomParameters:
              - SecurityControlId: "APIGateway.1"
                Parameters:
                  loggingLevel:
                    ValueType: "CUSTOM"
                    Value:
                      Enum: "ERROR"
```

# AWS::SecurityHub::ConfigurationPolicy ParameterConfiguration
<a name="aws-properties-securityhub-configurationpolicy-parameterconfiguration"></a>

 An object that provides the current value of a security control parameter and identifies whether it has been customized. 

## Syntax
<a name="aws-properties-securityhub-configurationpolicy-parameterconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-configurationpolicy-parameterconfiguration-syntax.json"></a>

```
{
  "Value" : ParameterValue,
  "ValueType" : String
}
```

### YAML
<a name="aws-properties-securityhub-configurationpolicy-parameterconfiguration-syntax.yaml"></a>

```
  Value:
    ParameterValue
  ValueType: String
```

## Properties
<a name="aws-properties-securityhub-configurationpolicy-parameterconfiguration-properties"></a>

`Value`  <a name="cfn-securityhub-configurationpolicy-parameterconfiguration-value"></a>
 The current value of a control parameter.   
*Required*: No  
*Type*: [ParameterValue](aws-properties-securityhub-configurationpolicy-parametervalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ValueType`  <a name="cfn-securityhub-configurationpolicy-parameterconfiguration-valuetype"></a>
 Identifies whether a control parameter uses a custom user-defined value or subscribes to the default AWS Security Hub CSPM behavior.  
When `ValueType` is set equal to `DEFAULT`, the default behavior can be a specific Security Hub CSPM default value, or the default behavior can be to ignore a specific parameter. When `ValueType` is set equal to `DEFAULT`, Security Hub CSPM ignores user-provided input for the `Value` field.  
When `ValueType` is set equal to `CUSTOM`, the `Value` field can't be empty.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `DEFAULT | CUSTOM`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::ConfigurationPolicy ParameterValue
<a name="aws-properties-securityhub-configurationpolicy-parametervalue"></a>

 An object that includes the data type of a security control parameter and its current value. 

## Syntax
<a name="aws-properties-securityhub-configurationpolicy-parametervalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-configurationpolicy-parametervalue-syntax.json"></a>

```
{
  "Boolean" : Boolean,
  "Double" : Number,
  "Enum" : String,
  "EnumList" : [ String, ... ],
  "Integer" : Integer,
  "IntegerList" : [ Integer, ... ],
  "String" : String,
  "StringList" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-securityhub-configurationpolicy-parametervalue-syntax.yaml"></a>

```
  Boolean:
    Boolean
  Double: Number
  Enum: String
  EnumList:
    - String
  Integer:
    Integer
  IntegerList:
    - Integer
  String:
    String
  StringList:
    - String
```

## Properties
<a name="aws-properties-securityhub-configurationpolicy-parametervalue-properties"></a>

`Boolean`  <a name="cfn-securityhub-configurationpolicy-parametervalue-boolean"></a>
 A control parameter that is a boolean.   
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Double`  <a name="cfn-securityhub-configurationpolicy-parametervalue-double"></a>
 A control parameter that is a double.   
*Required*: No  
*Type*: Number  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Enum`  <a name="cfn-securityhub-configurationpolicy-parametervalue-enum"></a>
 A control parameter that is an enum.   
*Required*: No  
*Type*: String  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EnumList`  <a name="cfn-securityhub-configurationpolicy-parametervalue-enumlist"></a>
 A control parameter that is a list of enums.   
*Required*: No  
*Type*: Array of String  
*Maximum*: `2048 | 100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Integer`  <a name="cfn-securityhub-configurationpolicy-parametervalue-integer"></a>
 A control parameter that is an integer.   
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`IntegerList`  <a name="cfn-securityhub-configurationpolicy-parametervalue-integerlist"></a>
 A control parameter that is a list of integers.   
*Required*: No  
*Type*: Array of Integer  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`String`  <a name="cfn-securityhub-configurationpolicy-parametervalue-string"></a>
 A control parameter that is a string.   
*Required*: No  
*Type*: String  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`StringList`  <a name="cfn-securityhub-configurationpolicy-parametervalue-stringlist"></a>
 A control parameter that is a list of strings.   
*Required*: No  
*Type*: Array of String  
*Maximum*: `2048 | 100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::ConfigurationPolicy Policy
<a name="aws-properties-securityhub-configurationpolicy-policy"></a>

 An object that defines how AWS Security Hub CSPM is configured. It includes whether Security Hub CSPM is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub CSPM disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub CSPM enables all other controls (including newly released controls). 

## Syntax
<a name="aws-properties-securityhub-configurationpolicy-policy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-configurationpolicy-policy-syntax.json"></a>

```
{
  "SecurityHub" : SecurityHubPolicy
}
```

### YAML
<a name="aws-properties-securityhub-configurationpolicy-policy-syntax.yaml"></a>

```
  SecurityHub:
    SecurityHubPolicy
```

## Properties
<a name="aws-properties-securityhub-configurationpolicy-policy-properties"></a>

`SecurityHub`  <a name="cfn-securityhub-configurationpolicy-policy-securityhub"></a>
 The AWS service that the configuration policy applies to.   
*Required*: No  
*Type*: [SecurityHubPolicy](aws-properties-securityhub-configurationpolicy-securityhubpolicy.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::ConfigurationPolicy SecurityControlCustomParameter
<a name="aws-properties-securityhub-configurationpolicy-securitycontrolcustomparameter"></a>

 A list of security controls and control parameter values that are included in a configuration policy. 

## Syntax
<a name="aws-properties-securityhub-configurationpolicy-securitycontrolcustomparameter-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-configurationpolicy-securitycontrolcustomparameter-syntax.json"></a>

```
{
  "Parameters" : {Key: Value, ...},
  "SecurityControlId" : String
}
```

### YAML
<a name="aws-properties-securityhub-configurationpolicy-securitycontrolcustomparameter-syntax.yaml"></a>

```
  Parameters:
    Key: Value
  SecurityControlId: String
```

## Properties
<a name="aws-properties-securityhub-configurationpolicy-securitycontrolcustomparameter-properties"></a>

`Parameters`  <a name="cfn-securityhub-configurationpolicy-securitycontrolcustomparameter-parameters"></a>
 An object that specifies parameter values for a control in a configuration policy.   
*Required*: No  
*Type*: Object of [ParameterConfiguration](aws-properties-securityhub-configurationpolicy-parameterconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SecurityControlId`  <a name="cfn-securityhub-configurationpolicy-securitycontrolcustomparameter-securitycontrolid"></a>
 The ID of the security control.   
*Required*: No  
*Type*: String  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::ConfigurationPolicy SecurityControlsConfiguration
<a name="aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration"></a>

 An object that defines which security controls are enabled in an AWS Security Hub CSPM configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.

This property is required only if `ServiceEnabled` is set to `true` in your configuration policy.

## Syntax
<a name="aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration-syntax.json"></a>

```
{
  "DisabledSecurityControlIdentifiers" : [ String, ... ],
  "EnabledSecurityControlIdentifiers" : [ String, ... ],
  "SecurityControlCustomParameters" : [ SecurityControlCustomParameter, ... ]
}
```

### YAML
<a name="aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration-syntax.yaml"></a>

```
  DisabledSecurityControlIdentifiers:
    - String
  EnabledSecurityControlIdentifiers:
    - String
  SecurityControlCustomParameters:
    - SecurityControlCustomParameter
```

## Properties
<a name="aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration-properties"></a>

`DisabledSecurityControlIdentifiers`  <a name="cfn-securityhub-configurationpolicy-securitycontrolsconfiguration-disabledsecuritycontrolidentifiers"></a>
 A list of security controls that are disabled in the configuration policy.  
Provide only one of `EnabledSecurityControlIdentifiers` or `DisabledSecurityControlIdentifiers`.  
If you provide `DisabledSecurityControlIdentifiers`, Security Hub CSPM enables all other controls not in the list, and enables [AutoEnableControls](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_UpdateSecurityHubConfiguration.html#securityhub-UpdateSecurityHubConfiguration-request-AutoEnableControls).  
*Required*: No  
*Type*: Array of String  
*Maximum*: `2048 | 1000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EnabledSecurityControlIdentifiers`  <a name="cfn-securityhub-configurationpolicy-securitycontrolsconfiguration-enabledsecuritycontrolidentifiers"></a>
 A list of security controls that are enabled in the configuration policy.  
Provide only one of `EnabledSecurityControlIdentifiers` or `DisabledSecurityControlIdentifiers`.  
If you provide `EnabledSecurityControlIdentifiers`, Security Hub CSPM disables all other controls not in the list, and disables [AutoEnableControls](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_UpdateSecurityHubConfiguration.html#securityhub-UpdateSecurityHubConfiguration-request-AutoEnableControls).  
*Required*: No  
*Type*: Array of String  
*Maximum*: `2048 | 1000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SecurityControlCustomParameters`  <a name="cfn-securityhub-configurationpolicy-securitycontrolsconfiguration-securitycontrolcustomparameters"></a>
 A list of security controls and control parameter values that are included in a configuration policy.   
*Required*: No  
*Type*: Array of [SecurityControlCustomParameter](aws-properties-securityhub-configurationpolicy-securitycontrolcustomparameter.md)  
*Maximum*: `1000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::ConfigurationPolicy SecurityHubPolicy
<a name="aws-properties-securityhub-configurationpolicy-securityhubpolicy"></a>

 An object that defines how AWS Security Hub CSPM is configured. The configuration policy includes whether Security Hub CSPM is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub CSPM disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub CSPM enables all other controls (including newly released controls). 

## Syntax
<a name="aws-properties-securityhub-configurationpolicy-securityhubpolicy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-configurationpolicy-securityhubpolicy-syntax.json"></a>

```
{
  "EnabledStandardIdentifiers" : [ String, ... ],
  "SecurityControlsConfiguration" : SecurityControlsConfiguration,
  "ServiceEnabled" : Boolean
}
```

### YAML
<a name="aws-properties-securityhub-configurationpolicy-securityhubpolicy-syntax.yaml"></a>

```
  EnabledStandardIdentifiers:
    - String
  SecurityControlsConfiguration:
    SecurityControlsConfiguration
  ServiceEnabled: Boolean
```

## Properties
<a name="aws-properties-securityhub-configurationpolicy-securityhubpolicy-properties"></a>

`EnabledStandardIdentifiers`  <a name="cfn-securityhub-configurationpolicy-securityhubpolicy-enabledstandardidentifiers"></a>
A list that defines which security standards are enabled in the configuration policy.  
This property is required only if `ServiceEnabled` is set to `true` in your configuration policy.  
*Required*: Conditional  
*Type*: Array of String  
*Maximum*: `2048 | 1000`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SecurityControlsConfiguration`  <a name="cfn-securityhub-configurationpolicy-securityhubpolicy-securitycontrolsconfiguration"></a>
 An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.   
This property is required only if `ServiceEnabled` is set to `true` in your configuration policy.  
*Required*: Conditional  
*Type*: [SecurityControlsConfiguration](aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ServiceEnabled`  <a name="cfn-securityhub-configurationpolicy-securityhubpolicy-serviceenabled"></a>
 Indicates whether Security Hub CSPM is enabled in the policy.   
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
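
The constraints this reference states for `SecurityHubPolicy`, `SecurityControlsConfiguration` and `ParameterConfiguration` can be checked before a stack is deployed. The linter below is an added example, not AWS code: it assumes a JSON template with literal property values (intrinsic functions are not evaluated), and `lint_policy`, `lint_template` and the `SAMPLE` template are hypothetical names constructed for illustration.

```python
import json

POLICY_TYPE = "AWS::SecurityHub::ConfigurationPolicy"
# The typed fields a ParameterValue object may carry, as listed on this page.
VALUE_FIELDS = {"Boolean", "Double", "Enum", "EnumList", "Integer",
                "IntegerList", "String", "StringList"}


def lint_policy(props):
    """Return (severity, message) findings for one resource's Properties."""
    out = []
    name = props.get("Name", "")
    if isinstance(name, str):  # intrinsic functions (objects) are not evaluated
        if not 1 <= len(name) <= 128:
            out.append(("ERROR", "Name must be 1-128 characters"))
        elif not all(c.isalnum() or c in "-.!*/" for c in name):
            out.append(("ERROR", "Name has a character outside alphanumerics and - . ! * /"))
    desc = props.get("Description", "")
    if isinstance(desc, str) and len(desc) > 512:
        out.append(("ERROR", "Description exceeds 512 characters"))
    if "ConfigurationPolicy" not in props:
        out.append(("ERROR", "ConfigurationPolicy is required"))
    hub = props.get("ConfigurationPolicy", {}).get("SecurityHub", {})

    # Both properties become required once the policy enables the service.
    if hub.get("ServiceEnabled") is True:
        for key in ("EnabledStandardIdentifiers", "SecurityControlsConfiguration"):
            if key not in hub:
                out.append(("ERROR", f"{key} is required when ServiceEnabled is true"))

    controls = hub.get("SecurityControlsConfiguration", {})
    enabled = controls.get("EnabledSecurityControlIdentifiers")
    disabled = controls.get("DisabledSecurityControlIdentifiers")
    if enabled is not None and disabled is not None:
        out.append(("ERROR", "provide only one of EnabledSecurityControlIdentifiers "
                             "or DisabledSecurityControlIdentifiers"))
    elif enabled is not None:
        # An enabled list acts as an allow-list: coverage does not grow by itself.
        out.append(("WARN", "allow-list policy: every control not listed, including "
                            "newly released controls, is disabled"))

    for entry in controls.get("SecurityControlCustomParameters", []):
        cid = entry.get("SecurityControlId", "<missing id>")
        # Work out whether this policy leaves the parameterised control switched off.
        if disabled is not None:
            off = cid in disabled
        else:
            off = enabled is not None and cid not in enabled
        if off:
            out.append(("WARN", f"{cid}: custom parameters set on a control this policy disables"))
        for pname, cfg in entry.get("Parameters", {}).items():
            vtype, value = cfg.get("ValueType"), cfg.get("Value") or {}
            where = f"{cid}.{pname}"
            if vtype not in ("DEFAULT", "CUSTOM"):
                out.append(("ERROR", f"{where}: ValueType must be DEFAULT or CUSTOM"))
            elif vtype == "CUSTOM" and not value:
                out.append(("ERROR", f"{where}: ValueType CUSTOM needs a non-empty Value"))
            elif vtype == "DEFAULT" and value:
                out.append(("WARN", f"{where}: Value is ignored when ValueType is DEFAULT"))
            for field in sorted(set(value) - VALUE_FIELDS):
                out.append(("ERROR", f"{where}: unknown ParameterValue field {field}"))
    return out


def lint_template(text):
    """Lint every ConfigurationPolicy resource in a JSON CloudFormation template."""
    resources = json.loads(text).get("Resources", {})
    return {lid: lint_policy(res.get("Properties", {}))
            for lid, res in resources.items() if res.get("Type") == POLICY_TYPE}


# Constructed sample: no standards listed, and a CUSTOM parameter with no Value
# on a control that the enabled list leaves out.
SAMPLE = json.dumps({"Resources": {"Baseline": {"Type": POLICY_TYPE, "Properties": {
    "Name": "baseline-policy",
    "ConfigurationPolicy": {"SecurityHub": {
        "ServiceEnabled": True,
        "SecurityControlsConfiguration": {
            "EnabledSecurityControlIdentifiers": ["IAM.7", "S3.11"],
            "SecurityControlCustomParameters": [
                {"SecurityControlId": "APIGateway.1", "Parameters": {
                    "loggingLevel": {"ValueType": "CUSTOM"}}}]}}}}}}})

if __name__ == "__main__":
    for logical_id, findings in lint_template(SAMPLE).items():
        for severity, message in findings:
            print(f"{logical_id}: {severity}: {message}")
```

The `WARN` on an enabled list is the one to review periodically: a policy written that way will not pick up controls that Security Hub CSPM releases later.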