AWS::SecurityHub::SecurityControl
The AWS::SecurityHub::SecurityControl resource specifies custom parameter values for an AWS Security Hub control. For a list of controls that support custom parameters, see Security Hub controls reference. You can also use this resource to specify the use of default parameter values for a control. For more information about custom parameters, see Custom control parameters in the AWS Security Hub User Guide.
Tags aren't supported for this resource.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::SecurityHub::SecurityControl",
  "Properties" : {
      "LastUpdateReason" : String,
      "Parameters" : {Key: Value, ...},
      "SecurityControlArn" : String,
      "SecurityControlId" : String
    }
}
YAML
Type: AWS::SecurityHub::SecurityControl
Properties:
  LastUpdateReason: String
  Parameters:
    Key: Value
  SecurityControlArn: String
  SecurityControlId: String
Properties
- LastUpdateReason
  The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
  Required: No
  Type: String
  Pattern: ^([^-]|[-_ a-zA-Z0-9])+$
  Update requires: No interruption
- Parameters
  An object that identifies the name of a control parameter, its current value, and whether it has been customized.
  Required: Yes
  Type: Object of ParameterConfiguration
  Update requires: No interruption
- SecurityControlArn
  The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.
  Required: No
  Type: String
  Pattern: .*\S.*
  Update requires: No interruption
- SecurityControlId
  The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.
  Required: No
  Type: String
  Pattern: .*\S.*
  Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the identifier of the security control. For example, Config.1.
For more information about using the Ref function, see Ref.
Examples
Configuring control parameters
This example configures a parameter for the control ACM.1.
JSON
{
  "Description": "Example template to configure control parameters",
  "Resources": {
    "ExampleSecurityControl": {
      "Type": "AWS::SecurityHub::SecurityControl",
      "Properties": {
        "SecurityControlId": "ACM.1",
        "Parameters": {
          "daysToExpiration": {
            "ValueType": "CUSTOM",
            "Value": {
              "Integer": 15
            }
          }
        },
        "LastUpdateReason": "Internal compliance requirement"
      }
    }
  }
}
YAML
Description: Example template to configure control parameters
Resources:
  ExampleSecurityControl:
    Type: 'AWS::SecurityHub::SecurityControl'
    Properties:
      SecurityControlId: 'ACM.1'
      Parameters:
        daysToExpiration:
          ValueType: 'CUSTOM'
          Value:
            Integer: 15
      LastUpdateReason: 'Internal compliance requirement'
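Reviewing templates before deployment

This is an added example, not part of the AWS reference: a Python pre-deployment check that lists every control parameter a JSON template sets to CUSTOM and flags AWS::SecurityHub::SecurityControl resources that break the constraints listed under Properties. The function name, the sample template, and the rule that a customized control must carry a LastUpdateReason are assumptions made for this example.

```python
import json
import re

RESOURCE_TYPE = "AWS::SecurityHub::SecurityControl"
NON_BLANK = re.compile(r".*\S.*")  # pattern listed for SecurityControlId and SecurityControlArn

# Constructed sample: the page's ACM.1 example minus LastUpdateReason, plus a hypothetical
# resource with a blank SecurityControlId and no Parameters.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "ExampleSecurityControl": {"Type": RESOURCE_TYPE, "Properties": {
        "SecurityControlId": "ACM.1",
        "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}},
    }},
    "BlankIdControl": {"Type": RESOURCE_TYPE, "Properties": {
        "SecurityControlId": "  ",
        "LastUpdateReason": "Reset to defaults",
    }},
}})


def audit_security_controls(template_text):
    """Return (customized, findings) for the SecurityControl resources in a JSON template."""
    customized, findings = [], []
    for logical_id, res in json.loads(template_text).get("Resources", {}).items():
        if res.get("Type") != RESOURCE_TYPE:
            continue
        props = res.get("Properties", {})
        params = props.get("Parameters")
        if not isinstance(params, dict):
            findings.append((logical_id, "Parameters is required"))
            params = {}
        for key in ("SecurityControlId", "SecurityControlArn"):
            value = props.get(key)
            # Only literal strings are checked; intrinsic functions such as Ref are skipped.
            if isinstance(value, str) and not NON_BLANK.search(value):
                findings.append((logical_id, f"{key} is blank"))
        custom = {name: cfg.get("Value") for name, cfg in params.items()
                  if isinstance(cfg, dict) and cfg.get("ValueType") == "CUSTOM"}
        for name, value in custom.items():
            customized.append((logical_id, props.get("SecurityControlId"), name, value))
        # Review policy assumed here: a customized control must record why it was changed.
        if custom and not props.get("LastUpdateReason"):
            findings.append((logical_id, "custom parameters without LastUpdateReason"))
    return customized, findings


if __name__ == "__main__":
    customized, findings = audit_security_controls(SAMPLE_TEMPLATE)
    print("customized:", customized)
    print("findings:", findings)
```

The customized list gives a reviewer the exact control, parameter, and value that differ from Security Hub defaults, which is the part of a template change most worth a second look.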