AWS::SecurityHub::Standard - Amazon CloudFormation

AWS::SecurityHub::Standard

The AWS::SecurityHub::Standard resource specifies the enablement of a security standard. The standard is identified by the StandardsArn property. To view a list of Security Hub standards and their Amazon Resource Names (ARNs), use the DescribeStandards API operation.

You must create a separate AWS::SecurityHub::Standard resource for each standard that you want to enable.

For more information about Security Hub standards, see Security Hub standards reference in the Amazon Security Hub User Guide.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::SecurityHub::Standard",
  "Properties" : {
      "DisabledStandardsControls" : [ StandardsControl, ... ],
      "StandardsArn" : String
    }
}

YAML

Type: AWS::SecurityHub::Standard
Properties:
  DisabledStandardsControls:
    - StandardsControl
  StandardsArn: String

Properties

DisabledStandardsControls

Specifies which controls are to be disabled in a standard.

Required: No

Type: Array of StandardsControl

Minimum: 0

Maximum: 100

Update requires: No interruption

StandardsArn

The ARN of the standard that you want to enable. To view a list of available Security Hub standards and their ARNs, use the DescribeStandards API operation.

Required: Yes

Type: String

Pattern: arn:aws\S*:securityhub:\S

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns StandardsSubscriptionArn for the standard that you enable, such as arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

StandardsSubscriptionArn

The ARN of a resource that represents your subscription to a supported standard.

Examples

The following examples show how to declare an AWS::SecurityHub::Standard resource.

Enabling a standard with all controls enabled

The following example enables the Amazon Foundational Security Best Practices (FSBP) standard and all controls that apply to it.

JSON

{
  "Description": "Example template to enable a standard",
  "Resources": {
    "ExampleStandard": {
      "Type": "AWS::SecurityHub::Standard",
      "Properties": {
        "StandardsArn": {
          "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"
        }
      }
    }
  },
  "Outputs": {
    "StandardsSubscriptionArn": {
      "Value": {
        "Ref": "ExampleStandard"
      }
    }
  }
}

YAML

Description: Example template to enable a standard
Resources:
  ExampleStandard:
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0'
Outputs:
  StandardsSubscriptionArn:
    Value: !Ref ExampleStandard

Enabling a standard with some controls disabled

The following example enables the FSBP standard. The controls specified in the example are disabled in this standard, and all other controls are enabled in this standard.

JSON

{
  "Description": "Example template to enable a standard",
  "Resources": {
    "ExampleStandardWithDisabledControls": {
      "Type": "AWS::SecurityHub::Standard",
      "Properties": {
        "StandardsArn": {
          "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"
        },
        "DisabledStandardsControls": [
          {
            "StandardsControlArn": {
              "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1"
            },
            "Reason": "Disabled reason text"
          },
          {
            "StandardsControlArn": {
              "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2"
            },
            "Reason": "Disabled reason text"
          }
        ]
      }
    }
  },
  "Outputs": {
    "StandardsSubscriptionArn": {
      "Value": {
        "Ref": "ExampleStandardWithDisabledControls"
      }
    }
  }
}

YAML

Description: Example template to enable a standard
Resources:
  ExampleStandardWithDisabledControls:
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0'
      DisabledStandardsControls:
        - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1'
          Reason: 'Disabled reason text'
        - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2'
          Reason: 'Disabled reason text'
Outputs:
  StandardsSubscriptionArn:
    Value: !Ref ExampleStandardWithDisabledControls
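
A pre-deployment check for templates like the two above, added here as an example and not part of the AWS documentation: it walks a JSON template (already parsed into a dict), fills in the pseudo parameters with sample values, and flags AWS::SecurityHub::Standard resources that break the StandardsArn pattern or the 100-control maximum, or that disable controls without a usable Reason. The function names, the placeholder-Reason list, the sample pseudo-parameter values and the rule that a control ARN repeats its standard's path are assumptions drawn from the ARN shapes shown on this page.

```python
import re

ARN_PATTERN = re.compile(r"arn:aws\S*:securityhub:\S")  # Pattern given on this page
MAX_DISABLED = 100  # Maximum given on this page
# Assumptions: sample pseudo-parameter values and Reasons a reviewer rejects.
PSEUDO = {"${AWS::Partition}": "aws", "${AWS::Region}": "us-east-1", "${AWS::AccountId}": "123456789012"}
PLACEHOLDERS = {"", "disabled reason text", "n/a", "todo"}

def sub_text(value):  # literal string of a plain value or Fn::Sub, pseudo parameters filled in
    if isinstance(value, dict):
        value = value.get("Fn::Sub")
    if not isinstance(value, str):
        return ""
    for name, sample in PSEUDO.items():
        value = value.replace(name, sample)
    return value

def audit_template(template):  # returns sorted (logical_id, finding) pairs
    findings = []
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SecurityHub::Standard":
            continue
        props = res.get("Properties", {})
        arn = sub_text(props.get("StandardsArn"))
        if not ARN_PATTERN.match(arn):
            findings.append((lid, "StandardsArn missing or malformed"))
        disabled = props.get("DisabledStandardsControls", [])
        if len(disabled) > MAX_DISABLED:
            findings.append((lid, f"{len(disabled)} disabled controls, limit {MAX_DISABLED}"))
        # Assumption from the page's ARN shapes: control path repeats the standard path.
        path = arn.split("standards/", 1)[1] if "standards/" in arn else None
        for ctl in disabled:
            ctl_arn = sub_text(ctl.get("StandardsControlArn"))
            name = ctl_arn.rsplit("/", 1)[-1] or "<unknown>"
            if path and f":control/{path}/" not in ctl_arn:
                findings.append((lid, f"{name}: not a control of this standard"))
            if sub_text(ctl.get("Reason")).strip().lower() in PLACEHOLDERS:
                findings.append((lid, f"{name}: no meaningful Reason"))
    return sorted(findings)

# Constructed sample: a placeholder Reason and a control of a made-up standard.
P = "arn:${AWS::Partition}:securityhub:${AWS::Region}:"
FSBP = "aws-foundational-security-best-practices/v/1.0.0"
CTL = P + "${AWS::AccountId}:control/"
SAMPLE = {"Resources": {"Fsbp": {"Type": "AWS::SecurityHub::Standard", "Properties": {
    "StandardsArn": {"Fn::Sub": P + ":standards/" + FSBP},
    "DisabledStandardsControls": [
        {"StandardsControlArn": {"Fn::Sub": CTL + FSBP + "/APIGateway.1"}, "Reason": "Disabled reason text"},
        {"StandardsControlArn": {"Fn::Sub": CTL + "example-standard/v/0.0.0/Example.1"}, "Reason": "Handled by a compensating control"}]}}}}
```

Calling audit_template(SAMPLE) reports the placeholder Reason on APIGateway.1 and the control that belongs to a different standard; a review gate can fail the change when the returned list is not empty.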