This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::SecurityHub::Standard The `AWS::SecurityHub::Standard` resource specifies the enablement of a security standard. The standard is identified by the `StandardsArn` property. To view a list of Security Hub CSPM standards and their Amazon Resource Names (ARNs), use the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation. You must create a separate `AWS::SecurityHub::Standard` resource for each standard that you want to enable. For more information about Security Hub CSPM standards, see [Security Hub CSPM standards reference](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the *AWS Security Hub CSPM User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SecurityHub::Standard", "Properties" : { "[DisabledStandardsControls](#cfn-securityhub-standard-disabledstandardscontrols)" : [ StandardsControl, ... ], "[StandardsArn](#cfn-securityhub-standard-standardsarn)" : String } } ``` ### YAML ``` Type: AWS::SecurityHub::Standard Properties: [DisabledStandardsControls](#cfn-securityhub-standard-disabledstandardscontrols): - StandardsControl [StandardsArn](#cfn-securityhub-standard-standardsarn): String ``` ## Properties `DisabledStandardsControls` Specifies which controls are to be disabled in a standard. *Maximum*: `100` *Required*: No *Type*: Array of [StandardsControl](aws-properties-securityhub-standard-standardscontrol.md) *Minimum*: `0` *Maximum*: `100` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `StandardsArn` The ARN of the standard that you want to enable. To view a list of available Security Hub CSPM standards and their ARNs, use the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation. *Required*: Yes *Type*: String *Pattern*: `arn:aws\S*:securityhub:\S` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns`StandardsSubscriptionArn` for the standard that you enable, such as `arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `StandardsSubscriptionArn` The ARN of a resource that represents your subscription to a supported standard. ## Examples The following examples show how to declare an `AWS::SecurityHub::Standard` resource. **Topics** + [Enabling a standard with all controls enabled](#aws-resource-securityhub-standard--examples--Enabling_a_standard_with_all_controls_enabled) + [Enabling a standard with some controls disabled](#aws-resource-securityhub-standard--examples--Enabling_a_standard_with_some_controls_disabled) ### Enabling a standard with all controls enabled The following example enables the AWS Foundational Security Best Practices (FSBP) standard and all controls that apply to it. #### JSON ``` { "Description": "Example template to enable a standard", "Resources": { "ExampleStandard": { "Type": "AWS::SecurityHub::Standard", "Properties": { "StandardsArn": { "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0" } } } }, "Outputs": { "StandardsSubscriptionArn": { "Value": { "Ref": "ExampleStandard" } } } } ``` #### YAML ``` Description: Example template to enable a standard Resources: ExampleStandard: Type: 'AWS::SecurityHub::Standard' Properties: StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0' Outputs: StandardsSubscriptionArn: Value: !Ref ExampleStandard ``` ### Enabling a standard with some controls disabled The following example enables the FSBP standard. The controls specified in the example are disabled in this standard, and all other controls are enabled in this standard. #### JSON ``` { "Description": "Example template to enable a standard", "Resources": { "ExampleStandardWithDisabledControls": { "Type": "AWS::SecurityHub::Standard", "Properties": { "StandardsArn": { "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0" }, "DisabledStandardsControls": [ { "StandardsControlArn": { "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1" }, "Reason": "Disabled reason text" }, { "StandardsControlArn": { "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2" }, "Reason": "Disabled reason text" } ] } } }, "Outputs": { "StandardsSubscriptionArn": { "Value": { "Ref": "ExampleStandardWithDisabledControls" } } } } ``` #### YAML ``` Description: Example template to enable a standard Resources: ExampleStandardWithDisabledControls: Type: 'AWS::SecurityHub::Standard' Properties: StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0' DisabledStandardsControls: - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1' Reason: 'Disabled reason text' - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2' Reason: 'Disabled reason text' Outputs: StandardsSubscriptionArn: Value: !Ref ExampleStandardWithDisabledControls ```