AWS::SecurityHub::Standard
The AWS::SecurityHub::Standard resource specifies the enablement of a security standard. The standard is identified by the StandardsArn property. To view a list of Security Hub standards and their Amazon Resource Names (ARNs), use the DescribeStandards API operation.
You must create a separate AWS::SecurityHub::Standard resource for each standard that you want to enable.
For more information about Security Hub standards, see Security Hub standards reference in the AWS Security Hub User Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::SecurityHub::Standard",
  "Properties" : {
    "DisabledStandardsControls" : [ StandardsControl, ... ],
    "StandardsArn" : String
  }
}
YAML
Type: AWS::SecurityHub::Standard
Properties:
  DisabledStandardsControls:
    - StandardsControl
  StandardsArn: String
Properties
DisabledStandardsControls
Specifies which controls are to be disabled in a standard. Each StandardsControl entry identifies a control by its StandardsControlArn and records a Reason for disabling it; controls that are not listed remain enabled. A disabled control stops generating findings, so the Reason is the only record in the template of why that check was switched off.
Required: No
Type: Array of StandardsControl
Minimum: 0
Maximum: 100
Update requires: No interruption
StandardsArn
The ARN of the standard that you want to enable. To view a list of available Security Hub standards and their ARNs, use the DescribeStandards API operation.
Required: Yes
Type: String
Pattern: arn:aws\S*:securityhub:\S
Update requires: Replacement. Changing this value causes CloudFormation to delete the existing standard subscription and create a new one, which also discards the DisabledStandardsControls state of the old subscription.
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the StandardsSubscriptionArn for the standard that you enable, such as arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
StandardsSubscriptionArn
The ARN of a resource that represents your subscription to a supported standard.
Examples
The following examples show how to declare an AWS::SecurityHub::Standard resource.
Enabling a standard with all controls enabled
The following example enables the AWS Foundational Security Best Practices (FSBP) standard and all controls that apply to it.
JSON
{
  "Description": "Example template to enable a standard",
  "Resources": {
    "ExampleStandard": {
      "Type": "AWS::SecurityHub::Standard",
      "Properties": {
        "StandardsArn": {
          "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"
        }
      }
    }
  },
  "Outputs": {
    "StandardsSubscriptionArn": {
      "Value": { "Ref": "ExampleStandard" }
    }
  }
}
YAML
Description: Example template to enable a standard
Resources:
  ExampleStandard:
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0'
Outputs:
  StandardsSubscriptionArn:
    Value: !Ref ExampleStandard
Enabling a standard with some controls disabled
The following example enables the FSBP standard with two of its controls disabled (APIGateway.1 and APIGateway.2); every other control in the standard stays enabled. Note that the control ARNs, unlike the standard ARN, carry the account ID and use the control/ prefix followed by the control ID.
JSON
{
  "Description": "Example template to enable a standard",
  "Resources": {
    "ExampleStandardWithDisabledControls": {
      "Type": "AWS::SecurityHub::Standard",
      "Properties": {
        "StandardsArn": {
          "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"
        },
        "DisabledStandardsControls": [
          {
            "StandardsControlArn": {
              "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1"
            },
            "Reason": "Disabled reason text"
          },
          {
            "StandardsControlArn": {
              "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2"
            },
            "Reason": "Disabled reason text"
          }
        ]
      }
    }
  },
  "Outputs": {
    "StandardsSubscriptionArn": {
      "Value": { "Ref": "ExampleStandardWithDisabledControls" }
    }
  }
}
YAML
Description: Example template to enable a standard
Resources:
  ExampleStandardWithDisabledControls:
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0'
      DisabledStandardsControls:
        - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1'
          Reason: 'Disabled reason text'
        - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2'
          Reason: 'Disabled reason text'
Outputs:
  StandardsSubscriptionArn:
    Value: !Ref ExampleStandardWithDisabledControls
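The following Python is an added example written for this page; it is not AWS documentation code and not part of the CloudFormation resource. It shows how a practitioner would generate the resource body above rather than hand-edit it: pick a StandardsArn out of a DescribeStandards-shaped response, derive each StandardsControlArn from the standard ARN the way the examples do (account ID filled in, control/ prefix, control ID appended), and refuse templates that break the documented constraints (the StandardsArn pattern, the 100-entry maximum, a missing Reason). The DescribeStandards response is a constructed sample, not a captured API result; the account ID 123456789012 is a placeholder; the helper only understands the standards/<name>/v/<version> ARN form shown on this page and rejects other forms. Unlike the page's templates, it emits concrete ARNs instead of Fn::Sub with pseudo-parameters.

```python
import json
import re
from typing import Dict, List, Optional

# Pattern this page documents for the StandardsArn property.
STANDARDS_ARN_PATTERN = re.compile(r"^arn:aws\S*:securityhub:\S")
# Documented maximum number of DisabledStandardsControls entries.
MAX_DISABLED_CONTROLS = 100

# Parses the standards/<name>/v/<version> ARN form used in this page's examples.
# Other forms (assumption: e.g. ruleset/...) are deliberately not supported here.
_STANDARDS_ARN_PARTS = re.compile(
    r"^arn:(?P<partition>aws[^:]*):securityhub:(?P<region>[^:]*)::"
    r"standards/(?P<name>[^/]+)/v/(?P<version>[^/]+)$"
)

# Constructed sample shaped like a DescribeStandards response; not a captured API result.
SAMPLE_DESCRIBE_STANDARDS = {
    "Standards": [
        {
            "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "Name": "AWS Foundational Security Best Practices v1.0.0",
        },
        {
            "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            "Name": "CIS AWS Foundations Benchmark v1.2.0",
        },
    ]
}


def find_standard_arn(describe_response: dict, name_prefix: str) -> Optional[str]:
    """Return the StandardsArn whose Name starts with name_prefix, or None if absent."""
    for standard in describe_response.get("Standards", []):
        if standard.get("Name", "").startswith(name_prefix):
            return standard["StandardsArn"]
    return None


def control_arn(standards_arn: str, account_id: str, control_id: str) -> str:
    """Derive a StandardsControlArn from a standards/<name>/v/<version> ARN.

    Mirrors the relationship in this page's examples: the standard ARN has an empty
    account field; the control ARN carries the account ID, a control/ prefix and the control ID.
    """
    m = _STANDARDS_ARN_PARTS.match(standards_arn)
    if m is None:
        raise ValueError(f"unsupported standards ARN form: {standards_arn}")
    return (
        f"arn:{m['partition']}:securityhub:{m['region']}:{account_id}:"
        f"control/{m['name']}/v/{m['version']}/{control_id}"
    )


def build_standard_resource(
    standards_arn: str,
    account_id: str,
    disabled_controls: Optional[Dict[str, str]] = None,
) -> dict:
    """Build an AWS::SecurityHub::Standard resource body, enforcing the documented limits.

    disabled_controls maps a control ID (e.g. "APIGateway.1") to the reason it is disabled.
    """
    if not STANDARDS_ARN_PATTERN.match(standards_arn):
        raise ValueError(f"StandardsArn does not match documented pattern: {standards_arn}")
    disabled_controls = disabled_controls or {}
    if len(disabled_controls) > MAX_DISABLED_CONTROLS:
        raise ValueError(
            f"DisabledStandardsControls has {len(disabled_controls)} entries; "
            f"maximum is {MAX_DISABLED_CONTROLS}"
        )
    properties: dict = {"StandardsArn": standards_arn}
    if disabled_controls:
        entries: List[dict] = []
        for control_id, reason in sorted(disabled_controls.items()):
            if not reason.strip():
                # An empty reason leaves no record of why a check was switched off.
                raise ValueError(f"control {control_id} disabled without a reason")
            entries.append({
                "StandardsControlArn": control_arn(standards_arn, account_id, control_id),
                "Reason": reason,
            })
        properties["DisabledStandardsControls"] = entries
    return {"Type": "AWS::SecurityHub::Standard", "Properties": properties}


def build_template(logical_id: str, resource: dict) -> str:
    """Wrap one resource in a template whose output is the subscription ARN returned by Ref."""
    template = {
        "Description": "Generated template to enable a Security Hub standard",
        "Resources": {logical_id: resource},
        "Outputs": {"StandardsSubscriptionArn": {"Value": {"Ref": logical_id}}},
    }
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    arn = find_standard_arn(SAMPLE_DESCRIBE_STANDARDS, "AWS Foundational")
    resource = build_standard_resource(arn, "123456789012", {
        "APIGateway.1": "No REST APIs deployed in this account",
        "APIGateway.2": "Authorization is enforced by an organization-level policy",
    })
    print(build_template("ExampleStandardWithDisabledControls", resource))
```

Run it directly to print a template equivalent to the second example above with real reasons in place of the placeholder text. The reason check is intentional: when a control is disabled, the Reason is the only in-template evidence that the gap was accepted on purpose, so a blank reason is treated as an error rather than silently passed through.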