AWS::SecurityHub::ConfigurationPolicy - AWS CloudFormation

AWS::SecurityHub::ConfigurationPolicy

The AWS::SecurityHub::ConfigurationPolicy resource creates a central configuration policy with the defined settings. Only the AWS Security Hub delegated administrator can create this resource in the home Region. For more information, see Central configuration in Security Hub in the AWS Security Hub User Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::SecurityHub::ConfigurationPolicy",
  "Properties" : {
    "ConfigurationPolicy" : Policy,
    "Description" : String,
    "Name" : String,
    "Tags" : {Key: Value, ...}
  }
}

YAML

Type: AWS::SecurityHub::ConfigurationPolicy
Properties:
  ConfigurationPolicy: Policy
  Description: String
  Name: String
  Tags:
    Key: Value

Properties

ConfigurationPolicy

An object that defines how AWS Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).

Required: Yes

Type: Policy

Update requires: No interruption

Description

The description of the configuration policy.

Required: No

Type: String

Minimum: 0

Maximum: 512

Update requires: No interruption

Name

The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: -, ., !, *, /.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Update requires: No interruption

Tags

User-defined tags associated with a configuration policy. For more information, see Tagging AWS Security Hub resources in the AWS Security Hub User Guide.

Required: No

Type: Object of String

Pattern: ^(?!aws:)[a-zA-Z+-=._:/]{1,128}$

Minimum: 0

Maximum: 256

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the configuration policy. For example, arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The ARN of the configuration policy.

CreatedAt

Property description not available.

Id

The universally unique identifier (UUID) of the configuration policy. A self-managed configuration has no UUID. The identifier of a self-managed configuration is SELF_MANAGED_SECURITY_HUB.

ServiceEnabled

Indicates whether the service that the configuration policy applies to is enabled in the policy.

UpdatedAt

The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.

Examples

Creating a Security Hub central configuration policy

The following example creates a configuration policy with the specified settings. Only the delegated Security Hub administrator can create a configuration policy from the home Region.

JSON

{
  "Description": "Example template to create a SecurityHub configuration policy",
  "Resources": {
    "SecurityHubConfigurationPolicy": {
      "Type": "AWS::SecurityHub::ConfigurationPolicy",
      "Properties": {
        "Tags": {
          "key1": "value1"
        },
        "Name": "SecurityHubConfigurationPolicyExample",
        "Description": "Example template to create SecurityHub Configuration Policy",
        "ConfigurationPolicy": {
          "SecurityHub": {
            "ServiceEnabled": true,
            "EnabledStandardIdentifiers": [
              "arn:aws:securityhub:us-west-2::standards/aws-foundational-security-best-practices/v/1.0.0"
            ],
            "SecurityControlsConfiguration": {
              "EnabledSecurityControlIdentifiers": [
                "APIGateway.1",
                "IAM.7",
                "RDS.14",
                "CloudFront.5",
                "EC2.18",
                "S3.11",
                "CloudFront.6"
              ],
              "SecurityControlCustomParameters": [
                {
                  "SecurityControlId": "APIGateway.1",
                  "Parameters": {
                    "loggingLevel": {
                      "ValueType": "CUSTOM",
                      "Value": {
                        "Enum": "ERROR"
                      }
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}

YAML

Description: Example template to create a Security Hub configuration policy
Resources:
  SecurityHubConfigurationPolicy:
    Type: "AWS::SecurityHub::ConfigurationPolicy"
    Properties:
      Tags:
        key1: value1
      Name: "SecurityHubConfigurationPolicyExample"
      Description: "Example template to create SecurityHub Configuration Policy"
      ConfigurationPolicy:
        SecurityHub:
          ServiceEnabled: true
          EnabledStandardIdentifiers:
            - !Sub "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"
          SecurityControlsConfiguration:
            EnabledSecurityControlIdentifiers:
              - "APIGateway.1"
              - "IAM.7"
              - "RDS.14"
              - "CloudFront.5"
              - "EC2.18"
              - "S3.11"
              - "CloudFront.6"
            SecurityControlCustomParameters:
              - SecurityControlId: "APIGateway.1"
                Parameters:
                  loggingLevel:
                    ValueType: "CUSTOM"
                    Value:
                      Enum: "ERROR"
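The following Python is an added pre-deployment check, not part of this reference or of any AWS tool: it validates a Properties block against the Name and Description constraints listed under Properties and resolves which controls end up enabled under the enabled-list / disabled-list rule stated for the ConfigurationPolicy property. The sample properties and the control catalogue are constructed; the DisabledSecurityControlIdentifiers key is the service API's counterpart to the enabled list shown on this page, and treating the two lists as mutually exclusive is an assumption.

```python
import re

# Constructed sample, not the page's own template: the Properties block of an
# AWS::SecurityHub::ConfigurationPolicy resource that pins an explicit enabled list.
SAMPLE_PROPERTIES = {
    "Name": "SecurityHubConfigurationPolicyExample",
    "Description": "FSBP with an explicit allow-list of controls",
    "ConfigurationPolicy": {
        "SecurityHub": {
            "ServiceEnabled": True,
            "EnabledStandardIdentifiers": [
                "arn:aws:securityhub:us-west-2::standards/aws-foundational-security-best-practices/v/1.0.0"
            ],
            "SecurityControlsConfiguration": {
                "EnabledSecurityControlIdentifiers": ["APIGateway.1", "IAM.7", "S3.11"]
            },
        }
    },
}

# Constructed control catalogue; "EC2.999" stands in for a control released after the policy was written.
KNOWN_CONTROLS = ["APIGateway.1", "IAM.7", "S3.11", "RDS.14", "EC2.999"]

# Name constraint from the reference: alphanumerics plus - . ! * /, 1 to 128 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9.!*/-]{1,128}$")


def validate_properties(props):
    """Return the constraint violations found in a Properties block (empty list when clean)."""
    problems = []
    if not NAME_RE.match(props.get("Name", "")):
        problems.append("Name must be 1-128 characters from [A-Za-z0-9 - . ! * /]")
    if len(props.get("Description", "")) > 512:
        problems.append("Description exceeds 512 characters")
    scc = props["ConfigurationPolicy"]["SecurityHub"].get("SecurityControlsConfiguration", {})
    # Assumption: a policy carries either an enabled list or a disabled list, never both.
    if "EnabledSecurityControlIdentifiers" in scc and "DisabledSecurityControlIdentifiers" in scc:
        problems.append("List either enabled or disabled controls, not both")
    return problems


def effective_enabled_controls(scc, known_controls):
    """Apply the rule from the ConfigurationPolicy property: an enabled list disables every
    other control (newly released ones included); a disabled list enables every other control."""
    if "EnabledSecurityControlIdentifiers" in scc:
        return sorted(set(scc["EnabledSecurityControlIdentifiers"]) & set(known_controls))
    if "DisabledSecurityControlIdentifiers" in scc:
        return sorted(set(known_controls) - set(scc["DisabledSecurityControlIdentifiers"]))
    raise ValueError("policy pins neither an enabled nor a disabled control list")
```

Running it against the sample shows that the newly released EC2.999 stays disabled under an enabled list but becomes enabled under a disabled list, which is the drift a central policy author needs to decide on deliberately.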