


# AWS::SecurityHub::SecurityControl
<a name="aws-resource-securityhub-securitycontrol"></a>

The `AWS::SecurityHub::SecurityControl` resource specifies custom parameter values for an AWS Security Hub CSPM control. For a list of controls that support custom parameters, see [Security Hub CSPM controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html). You can also use this resource to specify the use of default parameter values for a control. For more information about custom parameters, see [Custom control parameters](https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html) in the *AWS Security Hub CSPM User Guide*. 

Tags aren't supported for this resource.

## Syntax
<a name="aws-resource-securityhub-securitycontrol-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-securityhub-securitycontrol-syntax.json"></a>

```
{
  "Type" : "AWS::SecurityHub::SecurityControl",
  "Properties" : {
      "LastUpdateReason" : String,
      "Parameters" : {Key: Value, ...},
      "SecurityControlArn" : String,
      "SecurityControlId" : String
    }
}
```

### YAML
<a name="aws-resource-securityhub-securitycontrol-syntax.yaml"></a>

```
Type: AWS::SecurityHub::SecurityControl
Properties:
  LastUpdateReason: String
  Parameters: 
    Key: Value
  SecurityControlArn: String
  SecurityControlId: String
```

## Properties
<a name="aws-resource-securityhub-securitycontrol-properties"></a>

`LastUpdateReason`  <a name="cfn-securityhub-securitycontrol-lastupdatereason"></a>
 The most recent reason for updating the customizable properties of a security control. This differs from the `UpdateReason` field of the [BatchUpdateStandardsControlAssociations](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html) API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.   
*Required*: No  
*Type*: String  
*Pattern*: `^([^-]|[-_ a-zA-Z0-9])+$`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Parameters`  <a name="cfn-securityhub-securitycontrol-parameters"></a>
 An object that identifies the name of a control parameter, its current value, and whether it has been customized.   
*Required*: Yes  
*Type*: Object of [ParameterConfiguration](aws-properties-securityhub-securitycontrol-parameterconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SecurityControlArn`  <a name="cfn-securityhub-securitycontrol-securitycontrolarn"></a>
 The Amazon Resource Name (ARN) for a security control across standards, such as `arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1`. This parameter doesn't mention a specific standard.   
*Required*: No  
*Type*: String  
*Pattern*: `.*\S.*`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SecurityControlId`  <a name="cfn-securityhub-securitycontrol-securitycontrolid"></a>
 The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.   
*Required*: No  
*Type*: String  
*Pattern*: `.*\S.*`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-securityhub-securitycontrol-return-values"></a>

### Ref
<a name="aws-resource-securityhub-securitycontrol-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the identifier of the security control. For example, `Config.1`.

For more information about using the `Ref` function, see [`Ref`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

## Examples
<a name="aws-resource-securityhub-securitycontrol--examples"></a>



### Configuring control parameters
<a name="aws-resource-securityhub-securitycontrol--examples--Configuring_control_parameters"></a>

This example configures a parameter for the control ACM.1.

#### JSON
<a name="aws-resource-securityhub-securitycontrol--examples--Configuring_control_parameters--json"></a>

```
{
  "Description": "Example template to configure control parameters",
  "Resources": {
    "ExampleSecurityControl": {
      "Type": "AWS::SecurityHub::SecurityControl",
      "Properties": {
        "SecurityControlId": "ACM.1",
        "Parameters": {
          "daysToExpiration": {
            "ValueType": "CUSTOM",
            "Value": {
              "Integer": 15
            }
          }
        },
        "LastUpdateReason": "Internal compliance requirement"
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-securityhub-securitycontrol--examples--Configuring_control_parameters--yaml"></a>

```
Description: Example template to configure control parameters
Resources:
  ExampleSecurityControl:
    Type: 'AWS::SecurityHub::SecurityControl'
    Properties:
      SecurityControlId: 'ACM.1'
      Parameters:
        daysToExpiration:
          ValueType: 'CUSTOM'
          Value:
            Integer: 15
      LastUpdateReason: 'Internal compliance requirement'
```

# AWS::SecurityHub::SecurityControl ParameterConfiguration
<a name="aws-properties-securityhub-securitycontrol-parameterconfiguration"></a>

 An object that provides the current value of a security control parameter and identifies whether it has been customized. 

## Syntax
<a name="aws-properties-securityhub-securitycontrol-parameterconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-securitycontrol-parameterconfiguration-syntax.json"></a>

```
{
  "Value" : ParameterValue,
  "ValueType" : String
}
```

### YAML
<a name="aws-properties-securityhub-securitycontrol-parameterconfiguration-syntax.yaml"></a>

```
  Value: 
    ParameterValue
  ValueType: String
```

## Properties
<a name="aws-properties-securityhub-securitycontrol-parameterconfiguration-properties"></a>

`Value`  <a name="cfn-securityhub-securitycontrol-parameterconfiguration-value"></a>
 The current value of a control parameter.   
*Required*: No  
*Type*: [ParameterValue](aws-properties-securityhub-securitycontrol-parametervalue.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ValueType`  <a name="cfn-securityhub-securitycontrol-parameterconfiguration-valuetype"></a>
 Identifies whether a control parameter uses a custom user-defined value or subscribes to the default AWS Security Hub CSPM behavior.  
When `ValueType` is set equal to `DEFAULT`, the default behavior can be a specific Security Hub CSPM default value, or the default behavior can be to ignore a specific parameter. When `ValueType` is set equal to `DEFAULT`, Security Hub CSPM ignores user-provided input for the `Value` field.  
When `ValueType` is set equal to `CUSTOM`, the `Value` field can't be empty.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `DEFAULT | CUSTOM`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::SecurityControl ParameterValue
<a name="aws-properties-securityhub-securitycontrol-parametervalue"></a>

 An object that includes the data type of a security control parameter and its current value. 

## Syntax
<a name="aws-properties-securityhub-securitycontrol-parametervalue-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-securitycontrol-parametervalue-syntax.json"></a>

```
{
  "Boolean" : Boolean,
  "Double" : Number,
  "Enum" : String,
  "EnumList" : [ String, ... ],
  "Integer" : Integer,
  "IntegerList" : [ Integer, ... ],
  "String" : String,
  "StringList" : [ String, ... ]
}
```

### YAML
<a name="aws-properties-securityhub-securitycontrol-parametervalue-syntax.yaml"></a>

```
  Boolean: 
    Boolean
  Double: Number
  Enum: String
  EnumList: 
    - String
  Integer: 
    Integer
  IntegerList: 
    - Integer
  String: 
    String
  StringList: 
    - String
```

## Properties
<a name="aws-properties-securityhub-securitycontrol-parametervalue-properties"></a>

`Boolean`  <a name="cfn-securityhub-securitycontrol-parametervalue-boolean"></a>
 A control parameter that is a boolean.   
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Double`  <a name="cfn-securityhub-securitycontrol-parametervalue-double"></a>
 A control parameter that is a double.   
*Required*: No  
*Type*: Number  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Enum`  <a name="cfn-securityhub-securitycontrol-parametervalue-enum"></a>
 A control parameter that is an enum.   
*Required*: No  
*Type*: String  
*Pattern*: `.*\S.*`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EnumList`  <a name="cfn-securityhub-securitycontrol-parametervalue-enumlist"></a>
 A control parameter that is a list of enums.   
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Integer`  <a name="cfn-securityhub-securitycontrol-parametervalue-integer"></a>
 A control parameter that is an integer.   
*Required*: No  
*Type*: Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`IntegerList`  <a name="cfn-securityhub-securitycontrol-parametervalue-integerlist"></a>
 A control parameter that is a list of integers.   
*Required*: No  
*Type*: Array of Integer  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`String`  <a name="cfn-securityhub-securitycontrol-parametervalue-string"></a>
 A control parameter that is a string.   
*Required*: No  
*Type*: String  
*Pattern*: `.*\S.*`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`StringList`  <a name="cfn-securityhub-securitycontrol-parametervalue-stringlist"></a>
 A control parameter that is a list of strings.   
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
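
Because Security Hub CSPM ignores `Value` when `ValueType` is `DEFAULT`, a template can look as if it tightens a control while the custom setting is never applied. The following pre-deployment check is an added example, not part of the AWS reference: it assumes an already-parsed template with literal values (no intrinsic functions), and `lint_template`, `VALUE_CHECKS` and the sample resources are names and data constructed for illustration.

```python
def _int(v): return isinstance(v, int) and not isinstance(v, bool)
def _num(v): return isinstance(v, (int, float)) and not isinstance(v, bool)
def _text(v): return isinstance(v, str) and v.strip() != ""  # Pattern .*\S.*
def _list_of(check): return lambda v: isinstance(v, list) and all(map(check, v))

VALUE_CHECKS = {  # one type check per ParameterValue key in this reference
    "Boolean": lambda v: isinstance(v, bool), "Double": _num,
    "Enum": _text, "EnumList": _list_of(lambda v: isinstance(v, str)),
    "Integer": _int, "IntegerList": _list_of(_int),
    "String": _text, "StringList": _list_of(lambda v: isinstance(v, str)),
}

def lint_template(template):
    """Return (logical_id, parameter, message) findings for SecurityControl resources."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SecurityHub::SecurityControl":
            continue
        params = res.get("Properties", {}).get("Parameters")
        if not isinstance(params, dict):
            findings.append((logical_id, None, "Parameters is required"))
            continue
        for name, cfg in params.items():
            vtype, value = cfg.get("ValueType"), cfg.get("Value")
            value = value if isinstance(value, dict) else {}  # missing or non-object: empty
            if vtype not in ("DEFAULT", "CUSTOM"):
                findings.append((logical_id, name, "ValueType must be DEFAULT or CUSTOM"))
            elif vtype == "DEFAULT" and value:
                findings.append((logical_id, name, "Value is ignored when ValueType is DEFAULT"))
            elif vtype == "CUSTOM" and not value:
                findings.append((logical_id, name, "Value can't be empty when ValueType is CUSTOM"))
            for key, v in value.items():
                if key not in VALUE_CHECKS:
                    findings.append((logical_id, name, f"unknown ParameterValue key {key}"))
                elif not VALUE_CHECKS[key](v):
                    findings.append((logical_id, name, f"{key} has the wrong type"))
    return findings

def _control(param_cfg):  # constructed sample resource: ACM.1 with one parameter
    return {"Type": "AWS::SecurityHub::SecurityControl",
            "Properties": {"SecurityControlId": "ACM.1",
                           "Parameters": {"daysToExpiration": param_cfg}}}

SAMPLE = {"Resources": {  # constructed input, not from a real stack
    "Good": _control({"ValueType": "CUSTOM", "Value": {"Integer": 15}}),
    "Ignored": _control({"ValueType": "DEFAULT", "Value": {"Integer": 15}}),
    "Empty": _control({"ValueType": "CUSTOM"}),
    "Mistyped": _control({"ValueType": "CUSTOM", "Value": {"Integer": "15"}}),
}}
```

Running `lint_template(SAMPLE)` reports the `Ignored`, `Empty` and `Mistyped` resources and passes `Good`, which matches the ACM.1 example on this page.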