The AWS::SecurityHub::SecurityControl resource specifies custom parameter values for
an AWS Security Hub control. For a list of controls that support custom
parameters, see Security Hub controls reference. You can also use this resource to specify the use of default parameter values for
a control. For more information about custom parameters,
see Custom control
parameters in the
AWS Security Hub User Guide.
Tags aren't supported for this resource.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
"Type" : "AWS::SecurityHub::SecurityControl",
"Properties" : {
"LastUpdateReason" : String,
"Parameters" : {Key: Value, ...},
"SecurityControlArn" : String,
"SecurityControlId" : String
}
}
YAML
Type: AWS::SecurityHub::SecurityControl
Properties:
LastUpdateReason: String
Parameters:
Key: Value
SecurityControlArn: String
SecurityControlId: String
Properties
LastUpdateReason-
The most recent reason for updating the customizable properties of a security control. This differs from the
UpdateReasonfield of theBatchUpdateStandardsControlAssociationsAPI, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.Required: No
Type: String
Pattern:
^([^-]|[-_ a-zA-Z0-9])+$Update requires: No interruption
Parameters-
An object that identifies the name of a control parameter, its current value, and whether it has been customized.
Required: Yes
Type: Object of ParameterConfiguration
Update requires: No interruption
SecurityControlArn-
The Amazon Resource Name (ARN) for a security control across standards, such as
arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.Required: No
Type: String
Pattern:
.*\S.*Update requires: No interruption
SecurityControlId-
The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.
Required: No
Type: String
Pattern:
.*\S.*Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the identifier of the security control. For example, Config.1.
For more information about using the Ref function, see Ref.
Examples
Configuring control parameters
This example configures a parameter for the control ACM.1.
JSON
{
"Description": "Example template to configure control parameters",
"Resources": {
"ExampleSecurityControl": {
"Type": "AWS::SecurityHub::SecurityControl",
"Properties": {
"SecurityControlId": "ACM.1",
"Parameters": {
"daysToExpiration": {
"ValueType": "CUSTOM",
"Value": {
"Integer": 15
}
}
},
"LastUpdateReason": "Internal compliance requirement"
}
}
}
}YAML
Description: Example template to configure control parameters
Resources:
ExampleSecurityControl:
Type: 'AWS::SecurityHub::SecurityControl'
Properties:
SecurityControlId: 'ACM.1'
Parameters:
daysToExpiration:
ValueType: 'CUSTOM'
Value:
Integer: 15
LastUpdateReason: 'Internal compliance requirement'