Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account
SecurityControl - AWS Security Hub
ContentsSee Also

SecurityControl

PDF

A security control in Security Hub describes a security best practice related to a specific resource.

Contents

Description

The description of a security control across standards. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard.

Type: String

Pattern: .*\S.*

Required: Yes

RemediationUrl

A link to Security Hub documentation that explains how to remediate a failed finding for a security control.

Type: String

Pattern: .*\S.*

Required: Yes

SecurityControlArn

The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

Type: String

Pattern: .*\S.*

Required: Yes

SecurityControlId

The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.

Type: String

Pattern: .*\S.*

Required: Yes

SecurityControlStatus

The enablement status of a security control in a specific standard.

Type: String

Valid Values: ENABLED | DISABLED

Required: Yes

SeverityRating

The severity of a security control. For more information about how Security Hub determines control severity, see Assigning severity to control findings in the Security Hub User Guide.

Type: String

Valid Values: LOW | MEDIUM | HIGH | CRITICAL

Required: Yes

Title

The title of a security control.

Type: String

Pattern: .*\S.*

Required: Yes

LastUpdateReason

The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.

Type: String

Pattern: ^([^\u0000-\u007F]|[-_ a-zA-Z0-9])+$

Required: No

Parameters

An object that identifies the name of a control parameter, its current value, and whether it has been customized.

Type: String to ParameterConfiguration object map

Key Pattern: .*\S.*

Required: No

UpdateStatus

Identifies whether customizable properties of a security control are reflected in Security Hub findings. A status of READY indicates that Security Hub uses the current control parameter values when running security checks of the control. A status of UPDATING indicates that all security checks might not use the current parameter values.

Type: String

Valid Values: READY | UPDATING

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

Previous topic:

Result

Need help?

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.