


# AWS::SecurityHub::SecurityControl
<a name="aws-resource-securityhub-securitycontrol"></a>

The `AWS::SecurityHub::SecurityControl` resource specifies custom parameter values for an AWS Security Hub CSPM control. For a list of controls that support custom parameters, see [Security Hub CSPM controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html). You can also use this resource to specify the use of default parameter values for a control. For more information about custom parameters, see [Custom control parameters](https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html) in the *AWS Security Hub CSPM User Guide*. 

Tags aren't supported for this resource.

## Syntax
<a name="aws-resource-securityhub-securitycontrol-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-securityhub-securitycontrol-syntax.json"></a>

```
{
  "Type" : "AWS::SecurityHub::SecurityControl",
  "Properties" : {
      "LastUpdateReason" : String,
      "Parameters" : {Key: Value, ...},
      "SecurityControlArn" : String,
      "SecurityControlId" : String
    }
}
```

### YAML
<a name="aws-resource-securityhub-securitycontrol-syntax.yaml"></a>

```
Type: AWS::SecurityHub::SecurityControl
Properties:
  LastUpdateReason: String
  Parameters:
    Key: Value
  SecurityControlArn: String
  SecurityControlId: String
```

## Properties
<a name="aws-resource-securityhub-securitycontrol-properties"></a>

`LastUpdateReason`  <a name="cfn-securityhub-securitycontrol-lastupdatereason"></a>
 The most recent reason for updating the customizable properties of a security control. This differs from the `UpdateReason` field of the [BatchUpdateStandardsControlAssociations](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html) API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.   
*Required*: No  
*Type*: String  
*Pattern*: `^([^-]|[-_ a-zA-Z0-9])+$`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Parameters`  <a name="cfn-securityhub-securitycontrol-parameters"></a>
 An object that identifies the name of a control parameter, its current value, and whether it has been customized.   
*Required*: Yes  
*Type*: Object of [ParameterConfiguration](aws-properties-securityhub-securitycontrol-parameterconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SecurityControlArn`  <a name="cfn-securityhub-securitycontrol-securitycontrolarn"></a>
 The Amazon Resource Name (ARN) for a security control across standards, such as `arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1`. This parameter doesn't mention a specific standard.   
*Required*: No  
*Type*: String  
*Pattern*: `.*\S.*`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SecurityControlId`  <a name="cfn-securityhub-securitycontrol-securitycontrolid"></a>
 The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.   
*Required*: No  
*Type*: String  
*Pattern*: `.*\S.*`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-securityhub-securitycontrol-return-values"></a>

### Ref
<a name="aws-resource-securityhub-securitycontrol-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the identifier of the security control, for example `Config.1`.

For more information about using the `Ref` function, see [`Ref`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-securityhub-securitycontrol--examples"></a>



### Configuring control parameters
<a name="aws-resource-securityhub-securitycontrol--examples--Configuring_control_parameters"></a>

This example sets the `daysToExpiration` parameter of the ACM.1 control to a custom value of 15 and records the reason for the change in `LastUpdateReason`.

#### JSON
<a name="aws-resource-securityhub-securitycontrol--examples--Configuring_control_parameters--json"></a>

```
{
  "Description": "Example template to configure control parameters",
  "Resources": {
    "ExampleSecurityControl": {
      "Type": "AWS::SecurityHub::SecurityControl",
      "Properties": {
        "SecurityControlId": "ACM.1",
        "Parameters": {
          "daysToExpiration": {
            "ValueType": "CUSTOM",
            "Value": {
              "Integer": 15
            }
          }
        },
        "LastUpdateReason": "Internal compliance requirement"
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-securityhub-securitycontrol--examples--Configuring_control_parameters--yaml"></a>

```
Description: Example template to configure control parameters
Resources:
  ExampleSecurityControl:
    Type: 'AWS::SecurityHub::SecurityControl'
    Properties:
      SecurityControlId: 'ACM.1'
      Parameters:
        daysToExpiration:
          ValueType: 'CUSTOM'
          Value:
            Integer: 15
      LastUpdateReason: 'Internal compliance requirement'
```
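
### Checking a template against the documented constraints

The following pre-deployment check is an added example, not part of the AWS documentation or tooling. It lints `AWS::SecurityHub::SecurityControl` resources against the constraints listed under Properties and reports resources whose `SecurityControlId` changed between two template versions, since that update requires replacement. Assumptions: the function names and sample templates are constructed for illustration, the `LastUpdateReason` check uses only the ASCII class `[-_ a-zA-Z0-9]` from the documented pattern (stricter than the pattern as printed), and the rule that `CUSTOM` needs a `Value` comes from the `ParameterConfiguration` type rather than this page.

```python
import re

RESOURCE_TYPE = "AWS::SecurityHub::SecurityControl"
NON_BLANK = re.compile(r".*\S.*")           # documented pattern for the ID and ARN
REASON_OK = re.compile(r"[-_ a-zA-Z0-9]+")  # assumption: ASCII-only reading of the rule

def controls(template):
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == RESOURCE_TYPE:
            yield name, res.get("Properties", {})

def lint_template(template):
    """Return (logical_id, message) findings against the documented constraints."""
    findings = []
    for name, props in controls(template):
        params = props.get("Parameters")
        if not isinstance(params, dict):
            findings.append((name, "Parameters is required"))
            params = {}
        for key in ("SecurityControlId", "SecurityControlArn"):
            if key in props and not NON_BLANK.fullmatch(str(props[key])):
                findings.append((name, key + " has no non-whitespace character"))
        reason = props.get("LastUpdateReason")
        if reason is not None and not REASON_OK.fullmatch(str(reason)):
            findings.append((name, "LastUpdateReason has a disallowed character"))
        for pname, cfg in params.items():
            if cfg.get("ValueType") == "CUSTOM" and not cfg.get("Value"):  # per ParameterConfiguration
                findings.append((name, pname + ": CUSTOM without a Value"))
    return findings

def replaced_controls(old, new):
    """Logical IDs whose SecurityControlId changed, which forces Replacement."""
    before = dict(controls(old))
    return [n for n, p in controls(new) if n in before
            and before[n].get("SecurityControlId") != p.get("SecurityControlId")]

# Constructed sample templates; "exampleParam" is a hypothetical parameter name.
OLD = {"Resources": {"Cert": {"Type": RESOURCE_TYPE, "Properties": {
    "SecurityControlId": "ACM.1", "LastUpdateReason": "Internal compliance requirement",
    "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}}}}
NEW = {"Resources": {
    "Cert": {"Type": RESOURCE_TYPE, "Properties": {
        "SecurityControlId": "Config.1", "Parameters": {"exampleParam": {"ValueType": "DEFAULT"}}}},
    "Broken": {"Type": RESOURCE_TYPE, "Properties": {
        "SecurityControlId": "  ", "LastUpdateReason": "see ticket #42",
        "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM"}}}}}}

if __name__ == "__main__":
    print(lint_template(NEW), replaced_controls(OLD, NEW))
```

A resource reported by `replaced_controls` deserves a manual look at the change set before deployment, because the existing control configuration is replaced rather than updated in place.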