


# AWS::SecurityHub::AutomationRule
<a name="aws-resource-securityhub-automationrule"></a>

 The `AWS::SecurityHub::AutomationRule` resource specifies an automation rule based on input parameters. For more information, see [Automation rules](https://docs.amazonaws.cn/securityhub/latest/userguide/automation-rules.html) in the *Amazon Security Hub CSPM User Guide*. 

## Syntax
<a name="aws-resource-securityhub-automationrule-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-securityhub-automationrule-syntax.json"></a>

```
{
  "Type" : "AWS::SecurityHub::AutomationRule",
  "Properties" : {
      "Actions" : [ AutomationRulesAction, ... ],
      "Criteria" : AutomationRulesFindingFilters,
      "Description" : String,
      "IsTerminal" : Boolean,
      "RuleName" : String,
      "RuleOrder" : Integer,
      "RuleStatus" : String,
      "Tags" : {Key: Value, ...}
    }
}
```

### YAML
<a name="aws-resource-securityhub-automationrule-syntax.yaml"></a>

```
Type: AWS::SecurityHub::AutomationRule
Properties:
  Actions:
    - AutomationRulesAction
  Criteria:
    AutomationRulesFindingFilters
  Description: String
  IsTerminal: Boolean
  RuleName: String
  RuleOrder: Integer
  RuleStatus: String
  Tags:
    Key: Value
```

## Properties
<a name="aws-resource-securityhub-automationrule-properties"></a>

`Actions`  <a name="cfn-securityhub-automationrule-actions"></a>
 One or more actions to update finding fields if a finding matches the conditions specified in `Criteria`.   
*Required*: Yes  
*Type*: Array of [AutomationRulesAction](aws-properties-securityhub-automationrule-automationrulesaction.md)  
*Minimum*: `1`  
*Maximum*: `1`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Criteria`  <a name="cfn-securityhub-automationrule-criteria"></a>
 A set of [Amazon Security Finding Format (ASFF)](https://docs.amazonaws.cn/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub CSPM uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub CSPM applies the rule action to the finding.   
*Required*: Yes  
*Type*: [AutomationRulesFindingFilters](aws-properties-securityhub-automationrule-automationrulesfindingfilters.md)  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Description`  <a name="cfn-securityhub-automationrule-description"></a>
 A description of the rule.   
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `1024`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`IsTerminal`  <a name="cfn-securityhub-automationrule-isterminal"></a>
Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub CSPM applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.   
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RuleName`  <a name="cfn-securityhub-automationrule-rulename"></a>
 The name of the rule.   
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RuleOrder`  <a name="cfn-securityhub-automationrule-ruleorder"></a>
An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub CSPM applies rules with lower values for this parameter first.   
*Required*: Yes  
*Type*: Integer  
*Minimum*: `1`  
*Maximum*: `1000`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RuleStatus`  <a name="cfn-securityhub-automationrule-rulestatus"></a>
 Whether the rule is active after it is created. If this parameter is equal to `ENABLED`, Security Hub CSPM applies the rule to findings and finding updates after the rule is created.   
*Required*: No  
*Type*: String  
*Allowed values*: `ENABLED | DISABLED`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-securityhub-automationrule-tags"></a>
 User-defined tags associated with an automation rule.   
*Required*: No  
*Type*: Object of String  
*Pattern*: `^[a-zA-Z0-9]{1,128}$`  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
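
The interaction of `RuleOrder`, `IsTerminal` and `RuleStatus` described above, as an added example (not AWS code): a small offline model that reports which rules fire on a finding and which are cut off by a terminal rule. The rule names, the findings, the flattened finding shape, and the matching and merge semantics marked `ASSUMPTION` are assumptions of the model.

```python
def field_matches(filters, actual):
    """Evaluate the string filters listed for one Criteria field.

    ASSUMPTION: within a field, EQUALS/PREFIX entries are alternatives (OR)
    and every NOT_EQUALS entry must hold (AND).
    """
    actual = "" if actual is None else str(actual)
    positive_seen = positive_hit = False
    for flt in filters:
        op, want = flt["Comparison"], str(flt["Value"])
        if op == "NOT_EQUALS":
            if actual == want:
                return False
        elif op in ("EQUALS", "PREFIX"):
            positive_seen = True
            if actual == want or (op == "PREFIX" and actual.startswith(want)):
                positive_hit = True
        else:
            raise ValueError(f"comparison not modelled: {op}")
    return positive_hit or not positive_seen


def rule_matches(rule, finding):
    """ASSUMPTION: different Criteria fields are combined with AND."""
    return all(field_matches(flts, finding.get(field))
               for field, flts in rule["Criteria"].items())


def apply_rules(rules, finding):
    """Return which rules fire on one finding and the merged field updates.

    ASSUMPTION: criteria are tested against the finding as ingested, and a
    later rule that sets the same top-level field overwrites the earlier value.
    """
    # Only rules whose RuleStatus is ENABLED are applied.
    enabled = [r for r in rules if r.get("RuleStatus") == "ENABLED"]
    # Lower RuleOrder first. Ties keep declaration order here; the page does
    # not define tie-breaking, so give every rule a distinct RuleOrder.
    ordered = sorted(enabled, key=lambda r: r["RuleOrder"])
    applied, updates, not_evaluated = [], {}, []
    for pos, rule in enumerate(ordered):
        if not rule_matches(rule, finding):
            continue
        for action in rule["Actions"]:
            updates.update(action["FindingFieldsUpdate"])
        applied.append(rule["RuleName"])
        if rule.get("IsTerminal", False):
            # A terminal rule stops evaluation of every later rule.
            not_evaluated = [r["RuleName"] for r in ordered[pos + 1:]]
            break
    return {"applied": applied, "updates": updates, "not_evaluated": not_evaluated}


def make_rule(name, order, criteria, update, terminal=False, status="ENABLED"):
    """Build a rule dict shaped like the resource's Properties."""
    return {"RuleName": name, "RuleOrder": order, "IsTerminal": terminal,
            "RuleStatus": status, "Criteria": criteria,
            "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": update}]}


def eq(value):
    return [{"Comparison": "EQUALS", "Value": value}]


def prefix(value):
    return [{"Comparison": "PREFIX", "Value": value}]


# Constructed sample rules, deliberately declared out of order.
RULES = [
    make_rule("cap-us-west-severity", 30, {"ResourceRegion": prefix("us-west")},
              {"Severity": {"Label": "MEDIUM"}}),
    make_rule("escalate-guardduty", 20, {"ProductName": eq("GuardDuty")},
              {"Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NOTIFIED"}}),
    make_rule("triage-known-benign", 5,
              {"ProductName": eq("GuardDuty"), "ResourceId": prefix("i-1234567890")},
              {"VerificationState": "BENIGN_POSITIVE", "Severity": {"Label": "LOW"}},
              terminal=True),
    make_rule("draft-mark-false-positive", 1, {"ProductName": eq("GuardDuty")},
              {"VerificationState": "FALSE_POSITIVE"}, terminal=True, status="DISABLED"),
]

# Constructed findings, flattened to the Criteria field names for the model.
KNOWN_INSTANCE = {"ProductName": "GuardDuty", "ResourceId": "i-1234567890abcdef0",
                  "ResourceRegion": "us-west-2"}
OTHER_INSTANCE = {"ProductName": "GuardDuty", "ResourceId": "i-0fedcba9876543210",
                  "ResourceRegion": "us-west-2"}

if __name__ == "__main__":
    for label, finding in (("known", KNOWN_INSTANCE), ("other", OTHER_INSTANCE)):
        print(label, apply_rules(RULES, finding))
```

For the first finding the terminal rule at order 5 is the only one applied, so the later escalation never runs; a broad terminal rule with a low `RuleOrder` is worth reviewing for exactly this shadowing effect.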

## Return values
<a name="aws-resource-securityhub-automationrule-return-values"></a>

### Ref
<a name="aws-resource-securityhub-automationrule-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns `RuleArn`. For example, `arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`.

For more information about using the `Ref` function, see [`Ref`](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-securityhub-automationrule-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [`Fn::GetAtt`](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-securityhub-automationrule-return-values-fn--getatt-fn--getatt"></a>

`CreatedAt`  <a name="CreatedAt-fn::getatt"></a>
 A timestamp that indicates when the rule was created.   
Uses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://tools.ietf.org/html/rfc3339#section-5.6). The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z`.

`CreatedBy`  <a name="CreatedBy-fn::getatt"></a>
 The principal that created the rule. For example, `arn:aws:sts::123456789012:assumed-role/Developer-Role/JaneDoe`. 

`RuleArn`  <a name="RuleArn-fn::getatt"></a>
 The Amazon Resource Name (ARN) of the automation rule that you create. For example, `arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`. 

`UpdatedAt`  <a name="UpdatedAt-fn::getatt"></a>
 A timestamp that indicates when the rule was most recently updated.   
Uses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://tools.ietf.org/html/rfc3339#section-5.6). The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z`.

## Examples
<a name="aws-resource-securityhub-automationrule--examples"></a>

The following examples demonstrate how to declare an `AWS::SecurityHub::AutomationRule` resource.

### Creating an automation rule
<a name="aws-resource-securityhub-automationrule--examples--Creating_an_automation_rule"></a>

This example creates a Security Hub CSPM automation rule. This example contains all available fields for `Actions` and `Criteria` for demonstration purposes.

#### JSON
<a name="aws-resource-securityhub-automationrule--examples--Creating_an_automation_rule--json"></a>

```
{
  "Description": "Example template to create a Security Hub automation rule",
  "Resources": {
    "RuleWithCriteriaActionsTags": {
      "Type": "AWS::SecurityHub::AutomationRule",
      "Properties": {
        "RuleName": "Example rule name",
        "RuleOrder": 5,
        "Description": "Example rule description.",
        "IsTerminal": false,
        "RuleStatus": "ENABLED",
        "Criteria": {
          "ProductName": [
            {
              "Comparison": "EQUALS",
              "Value": "GuardDuty"
            },
            {
              "Comparison": "PREFIX",
              "Value": "SecurityHub"
            }
          ],
          "CompanyName": [
            {
              "Comparison": "EQUALS",
              "Value": "AWS"
            },
            {
              "Comparison": "PREFIX",
              "Value": "Private"
            }
          ],
          "ProductArn": [
            {
              "Comparison": "EQUALS",
              "Value": "arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default"
            },
            {
              "Comparison": "PREFIX",
              "Value": "arn:aws:securityhub:us-west-2:123456789012:product/aws"
            }
          ],
          "AwsAccountId": [
            {
              "Comparison": "EQUALS",
              "Value": "123456789012"
            }
          ],
          "Id": [
            {
              "Comparison": "EQUALS",
              "Value": "example-finding-id"
            }
          ],
          "GeneratorId": [
            {
              "Comparison": "EQUALS",
              "Value": "example-generator-id"
            }
          ],
          "Type": [
            {
              "Comparison": "EQUALS",
              "Value": "type-1"
            },
            {
              "Comparison": "EQUALS",
              "Value": "type-2"
            }
          ],
          "Description": [
            {
              "Comparison": "EQUALS",
              "Value": "description1"
            },
            {
              "Comparison": "EQUALS",
              "Value": "description2"
            }
          ],
          "SourceUrl": [
            {
              "Comparison": "PREFIX",
              "Value": "https"
            },
            {
              "Comparison": "PREFIX",
              "Value": "ftp"
            }
          ],
          "Title": [
            {
              "Comparison": "EQUALS",
              "Value": "title-1"
            },
            {
              "Comparison": "PREFIX",
              "Value": "title-2"
            }
          ],
          "SeverityLabel": [
            {
              "Comparison": "EQUALS",
              "Value": "LOW"
            },
            {
              "Comparison": "EQUALS",
              "Value": "HIGH"
            }
          ],
          "ResourceType": [
            {
              "Comparison": "EQUALS",
              "Value": "AwsEc2Instance"
            }
          ],
          "ResourcePartition": [
            {
              "Comparison": "EQUALS",
              "Value": "aws"
            }
          ],
          "ResourceId": [
            {
              "Comparison": "PREFIX",
              "Value": "i-1234567890"
            }
          ],
          "ResourceRegion": [
            {
              "Comparison": "PREFIX",
              "Value": "us-west"
            }
          ],
          "ComplianceStatus": [
            {
              "Comparison": "EQUALS",
              "Value": "FAILED"
            }
          ],
          "ComplianceSecurityControlId": [
            {
              "Comparison": "EQUALS",
              "Value": "EC2.3"
            }
          ],
          "ComplianceAssociatedStandardsId": [
            {
              "Comparison": "EQUALS",
              "Value": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
            }
          ],
          "VerificationState": [
            {
              "Comparison": "EQUALS",
              "Value": "BENIGN_POSITIVE"
            }
          ],
          "RecordState": [
            {
              "Comparison": "EQUALS",
              "Value": "ACTIVE"
            }
          ],
          "RelatedFindingsProductArn": [
            {
              "Comparison": "EQUALS",
              "Value": "arn:aws:securityhub:eu-central-1::product/aws/securityhub"
            }
          ],
          "RelatedFindingsId": [
            {
              "Comparison": "EQUALS",
              "Value": "example-finding-id-2"
            }
          ],
          "NoteText": [
            {
              "Comparison": "EQUALS",
              "Value": "example-note-text"
            }
          ],
          "NoteUpdatedAt": [
            {
              "DateRange": {
                "Unit": "DAYS",
                "Value": 5
              }
            }
          ],
          "NoteUpdatedBy": [
            {
              "Comparison": "PREFIX",
              "Value": "sechub"
            }
          ],
          "WorkflowStatus": [
            {
              "Comparison": "EQUALS",
              "Value": "NEW"
            }
          ],
          "FirstObservedAt": [
            {
              "DateRange": {
                "Unit": "DAYS",
                "Value": 5
              }
            }
          ],
          "LastObservedAt": [
            {
              "DateRange": {
                "Unit": "DAYS",
                "Value": 5
              }
            }
          ],
          "CreatedAt": [
            {
              "DateRange": {
                "Unit": "DAYS",
                "Value": 5
              }
            }
          ],
          "UpdatedAt": [
            {
              "Start": "2023-04-25T17:05:54.832Z",
              "End": "2023-05-25T17:05:54.832Z"
            }
          ],
          "ResourceTags": [
            {
              "Comparison": "NOT_EQUALS",
              "Key": "department",
              "Value": "security"
            },
            {
              "Comparison": "NOT_EQUALS",
              "Key": "department",
              "Value": "operations"
            }
          ],
          "UserDefinedFields": [
            {
              "Comparison": "EQUALS",
              "Key": "key1",
              "Value": "security"
            },
            {
              "Comparison": "EQUALS",
              "Key": "key2",
              "Value": "operations"
            }
          ],
          "ResourceDetailsOther": [
            {
              "Comparison": "NOT_EQUALS",
              "Key": "area",
              "Value": "na"
            },
            {
              "Comparison": "NOT_EQUALS",
              "Key": "department",
              "Value": "sales"
            }
          ],
          "Confidence": [
            {
              "Gte": 50,
              "Lte": 95
            }
          ],
          "Criticality": [
            {
              "Gte": 50,
              "Lte": 95
            }
          ]
        },
        "Actions": [
          {
            "Type": "FINDING_FIELDS_UPDATE",
            "FindingFieldsUpdate": {
              "Severity": {
                "Product": 50,
                "Label": "MEDIUM",
                "Normalized": 60
              },
              "Types": [
                "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices",
                "Industry Compliance"
              ],
              "Confidence": 98,
              "Criticality": 95,
              "UserDefinedFields": {
                "key1": "value1",
                "key2": "value2"
              },
              "RelatedFindings": [
                {
                  "ProductArn": "arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default",
                  "Id": "sample-finding-id-1"
                },
                {
                  "ProductArn": "arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default",
                  "Id": "sample-finding-id-2"
                }
              ],
              "Note": {
                "Text": "sample-note-text",
                "UpdatedBy": "sechub"
              },
              "VerificationState": "TRUE_POSITIVE",
              "Workflow": {
                "Status": "NOTIFIED"
              }
            }
          }
        ],
        "Tags": {
          "sampleTag": "sampleValue",
          "organizationUnit": "pnw"
        }
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-securityhub-automationrule--examples--Creating_an_automation_rule--yaml"></a>

```
Description: Example template to create a Security Hub automation rule
Resources:
  RuleWithCriteriaActionsTags:
    Type: "AWS::SecurityHub::AutomationRule"
    Properties:
      RuleName: "Example rule name"
      RuleOrder: 5
      Description: "Example rule description."
      IsTerminal: false
      RuleStatus: "ENABLED"
      Criteria:
        ProductName:
          - Comparison: EQUALS
            Value: GuardDuty
          - Comparison: PREFIX
            Value: SecurityHub
        CompanyName:
          - Comparison: EQUALS
            Value: AWS
          - Comparison: PREFIX
            Value: Private    
        ProductArn:
          - Comparison: EQUALS
            Value: arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default
          - Comparison: PREFIX
            Value: arn:aws:securityhub:us-west-2:123456789012:product/aws   
        AwsAccountId:
          - Comparison: EQUALS
            Value: "123456789012"
        Id:
          - Comparison: EQUALS
            Value: example-finding-id  
        GeneratorId:
          - Comparison: EQUALS
            Value: example-generator-id    
        Type:
          - Comparison: EQUALS
            Value: type-1
          - Comparison: EQUALS
            Value: type-2 
        Description:
          - Comparison: EQUALS
            Value: description1
          - Comparison: EQUALS
            Value: description2
        SourceUrl:
          - Comparison: PREFIX
            Value: https
          - Comparison: PREFIX
            Value: ftp     
        Title:
          - Comparison: EQUALS
            Value: title-1
          - Comparison: PREFIX
            Value: title-2
        SeverityLabel:
          - Comparison: EQUALS
            Value: LOW
          - Comparison: EQUALS
            Value: HIGH
        ResourceType:
          - Comparison: EQUALS
            Value: AwsEc2Instance 
        ResourcePartition:
          - Comparison: EQUALS
            Value: aws     
        ResourceId:
          - Comparison: PREFIX
            Value: i-1234567890
        ResourceRegion:
          - Comparison: PREFIX
            Value: us-west 
        ComplianceStatus:
          - Comparison: EQUALS
            Value: FAILED
        ComplianceSecurityControlId:
          - Comparison: EQUALS
            Value: EC2.3   
        ComplianceAssociatedStandardsId:
          - Comparison: EQUALS
            Value: ruleset/cis-aws-foundations-benchmark/v/1.2.0
        VerificationState:
          - Comparison: EQUALS
            Value: BENIGN_POSITIVE
        RecordState:
          - Comparison: EQUALS
            Value: ACTIVE  
        RelatedFindingsProductArn:
          - Comparison: EQUALS
            Value: arn:aws:securityhub:eu-central-1::product/aws/securityhub    
        RelatedFindingsId:
          - Comparison: EQUALS
            Value: example-finding-id-2
        NoteText:
          - Comparison: EQUALS
            Value: example-note-text
        NoteUpdatedAt:
          - DateRange:
              Unit: DAYS
              Value: 5 
        NoteUpdatedBy:
          - Comparison: PREFIX
            Value: sechub         
        WorkflowStatus:
          - Comparison: EQUALS
            Value: NEW        
        FirstObservedAt:
          - DateRange:
              Unit: DAYS
              Value: 5  
        LastObservedAt:
          - DateRange:
              Unit: DAYS
              Value: 5    
        CreatedAt:
          - DateRange:
              Unit: DAYS
              Value: 5                              
        UpdatedAt:
          - Start: "2023-04-25T17:05:54.832Z"
            End: "2023-05-25T17:05:54.832Z"
        ResourceTags:
          - Comparison: NOT_EQUALS
            Key: department
            Value: security
          - Comparison: NOT_EQUALS
            Key: department
            Value: operations
        UserDefinedFields:
          - Comparison: EQUALS
            Key: key1
            Value: security
          - Comparison: EQUALS
            Key: key2
            Value: operations    
        ResourceDetailsOther:
          - Comparison: NOT_EQUALS
            Key: area
            Value: na
          - Comparison: NOT_EQUALS
            Key: department
            Value: sales            
        Confidence:
          - Gte: 50
            Lte: 95
        Criticality:
          - Gte: 50
            Lte: 95    
      Actions:
        - Type: FINDING_FIELDS_UPDATE
          FindingFieldsUpdate:
            Severity:
              Product: 50
              Label: MEDIUM
              Normalized: 60
            Types:
              - Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices
              - Industry Compliance
            Confidence: 98
            Criticality: 95
            UserDefinedFields:
              key1: value1
              key2: value2
            RelatedFindings:
              - ProductArn: arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default
                Id: sample-finding-id-1
              - ProductArn: arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default
                Id: sample-finding-id-2
            Note:
              Text: sample-note-text
              UpdatedBy: sechub
            VerificationState: TRUE_POSITIVE  
            Workflow:
              Status: NOTIFIED
      Tags:
        sampleTag: sampleValue
        organizationUnit: pnw
```

# AWS::SecurityHub::AutomationRule AutomationRulesAction
<a name="aws-properties-securityhub-automationrule-automationrulesaction"></a>

 One or more actions that Amazon Security Hub CSPM takes when a finding matches the defined criteria of a rule. 

## Syntax
<a name="aws-properties-securityhub-automationrule-automationrulesaction-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-automationrulesaction-syntax.json"></a>

```
{
  "FindingFieldsUpdate" : AutomationRulesFindingFieldsUpdate,
  "Type" : String
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-automationrulesaction-syntax.yaml"></a>

```
  FindingFieldsUpdate:
    AutomationRulesFindingFieldsUpdate
  Type: String
```

## Properties
<a name="aws-properties-securityhub-automationrule-automationrulesaction-properties"></a>

`FindingFieldsUpdate`  <a name="cfn-securityhub-automationrule-automationrulesaction-findingfieldsupdate"></a>
 Specifies that the automation rule action is an update to a finding field.   
*Required*: Yes  
*Type*: [AutomationRulesFindingFieldsUpdate](aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.md)  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Type`  <a name="cfn-securityhub-automationrule-automationrulesaction-type"></a>
 Specifies the type of action that Security Hub CSPM takes when a finding matches the defined criteria of a rule.   
*Required*: Yes  
*Type*: String  
*Allowed values*: `FINDING_FIELDS_UPDATE`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::AutomationRule AutomationRulesFindingFieldsUpdate
<a name="aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate"></a>

 Identifies the finding fields that the automation rule action updates when a finding matches the defined criteria. 

## Syntax
<a name="aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate-syntax.json"></a>

```
{
  "Confidence" : Integer,
  "Criticality" : Integer,
  "Note" : NoteUpdate,
  "RelatedFindings" : [ RelatedFinding, ... ],
  "Severity" : SeverityUpdate,
  "Types" : [ String, ... ],
  "UserDefinedFields" : {Key: Value, ...},
  "VerificationState" : String,
  "Workflow" : WorkflowUpdate
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate-syntax.yaml"></a>

```
  Confidence: Integer
  Criticality: Integer
  Note:
    NoteUpdate
  RelatedFindings:
    - RelatedFinding
  Severity:
    SeverityUpdate
  Types:
    - String
  UserDefinedFields:
    Key: Value
  VerificationState: String
  Workflow:
    WorkflowUpdate
```

## Properties
<a name="aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate-properties"></a>

`Confidence`  <a name="cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-confidence"></a>
 The rule action updates the `Confidence` field of a finding.   
*Required*: No  
*Type*: Integer  
*Minimum*: `0`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Criticality`  <a name="cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-criticality"></a>
 The rule action updates the `Criticality` field of a finding.   
*Required*: No  
*Type*: Integer  
*Minimum*: `0`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Note`  <a name="cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-note"></a>
 The rule action will update the `Note` field of a finding.   
*Required*: No  
*Type*: [NoteUpdate](aws-properties-securityhub-automationrule-noteupdate.md)  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RelatedFindings`  <a name="cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-relatedfindings"></a>
 The rule action will update the `RelatedFindings` field of a finding.   
*Required*: No  
*Type*: Array of [RelatedFinding](aws-properties-securityhub-automationrule-relatedfinding.md)  
*Minimum*: `1`  
*Maximum*: `10`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Severity`  <a name="cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-severity"></a>
 The rule action will update the `Severity` field of a finding.   
*Required*: No  
*Type*: [SeverityUpdate](aws-properties-securityhub-automationrule-severityupdate.md)  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Types`  <a name="cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-types"></a>
 The rule action updates the `Types` field of a finding.   
*Required*: No  
*Type*: Array of String  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UserDefinedFields`  <a name="cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-userdefinedfields"></a>
 The rule action updates the `UserDefinedFields` field of a finding.   
*Required*: No  
*Type*: Object of String  
*Pattern*: `^[-_+=.:/@\w\s]{1,128}$`  
*Minimum*: `0`  
*Maximum*: `1024`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`VerificationState`  <a name="cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-verificationstate"></a>
 The rule action updates the `VerificationState` field of a finding.   
*Required*: No  
*Type*: String  
*Allowed values*: `UNKNOWN | TRUE_POSITIVE | FALSE_POSITIVE | BENIGN_POSITIVE`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Workflow`  <a name="cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-workflow"></a>
 The rule action updates the `Workflow` field of a finding.   
*Required*: No  
*Type*: [WorkflowUpdate](aws-properties-securityhub-automationrule-workflowupdate.md)  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::AutomationRule AutomationRulesFindingFilters
<a name="aws-properties-securityhub-automationrule-automationrulesfindingfilters"></a>

 The criteria that determine which findings a rule applies to. 

## Syntax
<a name="aws-properties-securityhub-automationrule-automationrulesfindingfilters-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-automationrulesfindingfilters-syntax.json"></a>

```
{
  "[AwsAccountId](#cfn-securityhub-automationrule-automationrulesfindingfilters-awsaccountid)" : [ StringFilter, ... ],
  "[CompanyName](#cfn-securityhub-automationrule-automationrulesfindingfilters-companyname)" : [ StringFilter, ... ],
  "[ComplianceAssociatedStandardsId](#cfn-securityhub-automationrule-automationrulesfindingfilters-complianceassociatedstandardsid)" : [ StringFilter, ... ],
  "[ComplianceSecurityControlId](#cfn-securityhub-automationrule-automationrulesfindingfilters-compliancesecuritycontrolid)" : [ StringFilter, ... ],
  "[ComplianceStatus](#cfn-securityhub-automationrule-automationrulesfindingfilters-compliancestatus)" : [ StringFilter, ... ],
  "[Confidence](#cfn-securityhub-automationrule-automationrulesfindingfilters-confidence)" : [ NumberFilter, ... ],
  "[CreatedAt](#cfn-securityhub-automationrule-automationrulesfindingfilters-createdat)" : [ DateFilter, ... ],
  "[Criticality](#cfn-securityhub-automationrule-automationrulesfindingfilters-criticality)" : [ NumberFilter, ... ],
  "[Description](#cfn-securityhub-automationrule-automationrulesfindingfilters-description)" : [ StringFilter, ... ],
  "[FirstObservedAt](#cfn-securityhub-automationrule-automationrulesfindingfilters-firstobservedat)" : [ DateFilter, ... ],
  "[GeneratorId](#cfn-securityhub-automationrule-automationrulesfindingfilters-generatorid)" : [ StringFilter, ... ],
  "[Id](#cfn-securityhub-automationrule-automationrulesfindingfilters-id)" : [ StringFilter, ... ],
  "[LastObservedAt](#cfn-securityhub-automationrule-automationrulesfindingfilters-lastobservedat)" : [ DateFilter, ... ],
  "[NoteText](#cfn-securityhub-automationrule-automationrulesfindingfilters-notetext)" : [ StringFilter, ... ],
  "[NoteUpdatedAt](#cfn-securityhub-automationrule-automationrulesfindingfilters-noteupdatedat)" : [ DateFilter, ... ],
  "[NoteUpdatedBy](#cfn-securityhub-automationrule-automationrulesfindingfilters-noteupdatedby)" : [ StringFilter, ... ],
  "[ProductArn](#cfn-securityhub-automationrule-automationrulesfindingfilters-productarn)" : [ StringFilter, ... ],
  "[ProductName](#cfn-securityhub-automationrule-automationrulesfindingfilters-productname)" : [ StringFilter, ... ],
  "[RecordState](#cfn-securityhub-automationrule-automationrulesfindingfilters-recordstate)" : [ StringFilter, ... ],
  "[RelatedFindingsId](#cfn-securityhub-automationrule-automationrulesfindingfilters-relatedfindingsid)" : [ StringFilter, ... ],
  "[RelatedFindingsProductArn](#cfn-securityhub-automationrule-automationrulesfindingfilters-relatedfindingsproductarn)" : [ StringFilter, ... ],
  "[ResourceDetailsOther](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcedetailsother)" : [ MapFilter, ... ],
  "[ResourceId](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourceid)" : [ StringFilter, ... ],
  "[ResourcePartition](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcepartition)" : [ StringFilter, ... ],
  "[ResourceRegion](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourceregion)" : [ StringFilter, ... ],
  "[ResourceTags](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcetags)" : [ MapFilter, ... ],
  "[ResourceType](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcetype)" : [ StringFilter, ... ],
  "[SeverityLabel](#cfn-securityhub-automationrule-automationrulesfindingfilters-severitylabel)" : [ StringFilter, ... ],
  "[SourceUrl](#cfn-securityhub-automationrule-automationrulesfindingfilters-sourceurl)" : [ StringFilter, ... ],
  "[Title](#cfn-securityhub-automationrule-automationrulesfindingfilters-title)" : [ StringFilter, ... ],
  "[Type](#cfn-securityhub-automationrule-automationrulesfindingfilters-type)" : [ StringFilter, ... ],
  "[UpdatedAt](#cfn-securityhub-automationrule-automationrulesfindingfilters-updatedat)" : [ DateFilter, ... ],
  "[UserDefinedFields](#cfn-securityhub-automationrule-automationrulesfindingfilters-userdefinedfields)" : [ MapFilter, ... ],
  "[VerificationState](#cfn-securityhub-automationrule-automationrulesfindingfilters-verificationstate)" : [ StringFilter, ... ],
  "[WorkflowStatus](#cfn-securityhub-automationrule-automationrulesfindingfilters-workflowstatus)" : [ StringFilter, ... ]
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-automationrulesfindingfilters-syntax.yaml"></a>

```
  [AwsAccountId](#cfn-securityhub-automationrule-automationrulesfindingfilters-awsaccountid): 
    - StringFilter
  [CompanyName](#cfn-securityhub-automationrule-automationrulesfindingfilters-companyname): 
    - StringFilter
  [ComplianceAssociatedStandardsId](#cfn-securityhub-automationrule-automationrulesfindingfilters-complianceassociatedstandardsid): 
    - StringFilter
  [ComplianceSecurityControlId](#cfn-securityhub-automationrule-automationrulesfindingfilters-compliancesecuritycontrolid): 
    - StringFilter
  [ComplianceStatus](#cfn-securityhub-automationrule-automationrulesfindingfilters-compliancestatus): 
    - StringFilter
  [Confidence](#cfn-securityhub-automationrule-automationrulesfindingfilters-confidence): 
    - NumberFilter
  [CreatedAt](#cfn-securityhub-automationrule-automationrulesfindingfilters-createdat): 
    - DateFilter
  [Criticality](#cfn-securityhub-automationrule-automationrulesfindingfilters-criticality): 
    - NumberFilter
  [Description](#cfn-securityhub-automationrule-automationrulesfindingfilters-description): 
    - StringFilter
  [FirstObservedAt](#cfn-securityhub-automationrule-automationrulesfindingfilters-firstobservedat): 
    - DateFilter
  [GeneratorId](#cfn-securityhub-automationrule-automationrulesfindingfilters-generatorid): 
    - StringFilter
  [Id](#cfn-securityhub-automationrule-automationrulesfindingfilters-id): 
    - StringFilter
  [LastObservedAt](#cfn-securityhub-automationrule-automationrulesfindingfilters-lastobservedat): 
    - DateFilter
  [NoteText](#cfn-securityhub-automationrule-automationrulesfindingfilters-notetext): 
    - StringFilter
  [NoteUpdatedAt](#cfn-securityhub-automationrule-automationrulesfindingfilters-noteupdatedat): 
    - DateFilter
  [NoteUpdatedBy](#cfn-securityhub-automationrule-automationrulesfindingfilters-noteupdatedby): 
    - StringFilter
  [ProductArn](#cfn-securityhub-automationrule-automationrulesfindingfilters-productarn): 
    - StringFilter
  [ProductName](#cfn-securityhub-automationrule-automationrulesfindingfilters-productname): 
    - StringFilter
  [RecordState](#cfn-securityhub-automationrule-automationrulesfindingfilters-recordstate): 
    - StringFilter
  [RelatedFindingsId](#cfn-securityhub-automationrule-automationrulesfindingfilters-relatedfindingsid): 
    - StringFilter
  [RelatedFindingsProductArn](#cfn-securityhub-automationrule-automationrulesfindingfilters-relatedfindingsproductarn): 
    - StringFilter
  [ResourceDetailsOther](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcedetailsother): 
    - MapFilter
  [ResourceId](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourceid): 
    - StringFilter
  [ResourcePartition](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcepartition): 
    - StringFilter
  [ResourceRegion](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourceregion): 
    - StringFilter
  [ResourceTags](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcetags): 
    - MapFilter
  [ResourceType](#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcetype): 
    - StringFilter
  [SeverityLabel](#cfn-securityhub-automationrule-automationrulesfindingfilters-severitylabel): 
    - StringFilter
  [SourceUrl](#cfn-securityhub-automationrule-automationrulesfindingfilters-sourceurl): 
    - StringFilter
  [Title](#cfn-securityhub-automationrule-automationrulesfindingfilters-title): 
    - StringFilter
  [Type](#cfn-securityhub-automationrule-automationrulesfindingfilters-type): 
    - StringFilter
  [UpdatedAt](#cfn-securityhub-automationrule-automationrulesfindingfilters-updatedat): 
    - DateFilter
  [UserDefinedFields](#cfn-securityhub-automationrule-automationrulesfindingfilters-userdefinedfields): 
    - MapFilter
  [VerificationState](#cfn-securityhub-automationrule-automationrulesfindingfilters-verificationstate): 
    - StringFilter
  [WorkflowStatus](#cfn-securityhub-automationrule-automationrulesfindingfilters-workflowstatus): 
    - StringFilter
```

## Properties
<a name="aws-properties-securityhub-automationrule-automationrulesfindingfilters-properties"></a>

`AwsAccountId`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-awsaccountid"></a>
The Amazon Web Services account ID in which a finding was generated.  
 Array Members: Minimum number of 1 item. Maximum number of 100 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`CompanyName`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-companyname"></a>
 The name of the company for the product that generated the finding. For control-based findings, the company is Amazon.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ComplianceAssociatedStandardsId`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-complianceassociatedstandardsid"></a>
The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DescribeStandards.html) API response.  
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ComplianceSecurityControlId`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-compliancesecuritycontrolid"></a>
 The security control ID for which a finding was generated. Security control IDs are the same across standards.  
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ComplianceStatus`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-compliancestatus"></a>
 The result of a security check. This field is only used for findings generated from controls.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Confidence`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-confidence"></a>
The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0–100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.amazonaws.cn/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *Amazon Security Hub CSPM User Guide*.  
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [NumberFilter](aws-properties-securityhub-automationrule-numberfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`CreatedAt`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-createdat"></a>
 A timestamp that indicates when this finding record was created.   
For more information about the validation and formatting of timestamp fields in Amazon Security Hub CSPM, see [Timestamps](https://docs.amazonaws.cn/securityhub/1.0/APIReference/Welcome.html#timestamps).  
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [DateFilter](aws-properties-securityhub-automationrule-datefilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Criticality`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-criticality"></a>
 The level of importance that is assigned to the resources that are associated with a finding. `Criticality` is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.amazonaws.cn/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *Amazon Security Hub CSPM User Guide*.  
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [NumberFilter](aws-properties-securityhub-automationrule-numberfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Description`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-description"></a>
 A finding's description.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`FirstObservedAt`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-firstobservedat"></a>
 A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.   
For more information about the validation and formatting of timestamp fields in Amazon Security Hub CSPM, see [Timestamps](https://docs.amazonaws.cn/securityhub/1.0/APIReference/Welcome.html#timestamps).  
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [DateFilter](aws-properties-securityhub-automationrule-datefilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`GeneratorId`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-generatorid"></a>
 The identifier for the solution-specific component that generated a finding.   
 Array Members: Minimum number of 1 item. Maximum number of 100 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Id`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-id"></a>
 The product-specific identifier for a finding.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LastObservedAt`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-lastobservedat"></a>
 A timestamp that indicates when the security findings provider most recently observed a change in the resource that is involved in the finding.   
For more information about the validation and formatting of timestamp fields in Amazon Security Hub CSPM, see [Timestamps](https://docs.amazonaws.cn/securityhub/1.0/APIReference/Welcome.html#timestamps).  
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [DateFilter](aws-properties-securityhub-automationrule-datefilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`NoteText`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-notetext"></a>
 The text of a user-defined note that's added to a finding.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`NoteUpdatedAt`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-noteupdatedat"></a>
 The timestamp of when the note was updated.  
For more information about the validation and formatting of timestamp fields in Amazon Security Hub CSPM, see [Timestamps](https://docs.amazonaws.cn/securityhub/1.0/APIReference/Welcome.html#timestamps).  
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [DateFilter](aws-properties-securityhub-automationrule-datefilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`NoteUpdatedBy`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-noteupdatedby"></a>
 The principal that created a note.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ProductArn`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-productarn"></a>
 The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub CSPM.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ProductName`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-productname"></a>
 Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub CSPM.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RecordState`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-recordstate"></a>
 Provides the current state of a finding.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RelatedFindingsId`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-relatedfindingsid"></a>
 The product-generated identifier for a related finding.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RelatedFindingsProductArn`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-relatedfindingsproductarn"></a>
 The ARN for the product that generated a related finding.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceDetailsOther`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-resourcedetailsother"></a>
 Custom fields and values about the resource that a finding pertains to.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [MapFilter](aws-properties-securityhub-automationrule-mapfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceId`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-resourceid"></a>
 The identifier for the given resource type. For Amazon resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon resources that lack ARNs, this is the identifier as defined by the Amazon Web Services service that created the resource. For non-Amazon resources, this is a unique identifier that is associated with the resource.   
 Array Members: Minimum number of 1 item. Maximum number of 100 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourcePartition`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-resourcepartition"></a>
 The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceRegion`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-resourceregion"></a>
 The Amazon Web Services Region where the resource that a finding pertains to is located.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceTags`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-resourcetags"></a>
 A list of Amazon tags associated with a resource at the time the finding was processed.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [MapFilter](aws-properties-securityhub-automationrule-mapfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceType`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-resourcetype"></a>
 The type of resource that the finding pertains to.   
 Array Members: Minimum number of 1 item. Maximum number of 100 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SeverityLabel`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-severitylabel"></a>
 The severity value of the finding.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SourceUrl`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-sourceurl"></a>
 Provides a URL that links to a page about the current finding in the finding product.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Title`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-title"></a>
 A finding's title.   
 Array Members: Minimum number of 1 item. Maximum number of 100 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Type`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-type"></a>
 One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.amazonaws.cn/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *Amazon Security Hub CSPM User Guide*.  
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UpdatedAt`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-updatedat"></a>
 A timestamp that indicates when the finding record was most recently updated.   
For more information about the validation and formatting of timestamp fields in Amazon Security Hub CSPM, see [Timestamps](https://docs.amazonaws.cn/securityhub/1.0/APIReference/Welcome.html#timestamps).  
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [DateFilter](aws-properties-securityhub-automationrule-datefilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UserDefinedFields`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-userdefinedfields"></a>
 A list of user-defined name and value string pairs added to a finding.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [MapFilter](aws-properties-securityhub-automationrule-mapfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`VerificationState`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-verificationstate"></a>
 Provides the veracity of a finding.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`WorkflowStatus`  <a name="cfn-securityhub-automationrule-automationrulesfindingfilters-workflowstatus"></a>
 Provides information about the status of the investigation into a finding.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: No  
*Type*: Array of [StringFilter](aws-properties-securityhub-automationrule-stringfilter.md)  
*Maximum*: `20`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
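
A pre-deployment check for a `Criteria` block, added here as an example (not part of the AWS reference): it flags property names that are not in the list above, empty arrays, arrays over the documented *Maximum*, and `Start`/`End` values that fail the timestamp pattern documented for `DateFilter`. The function names and the sample criteria are constructed for illustration.

```python
import re

# Array maximums from the *Maximum* lines of the property list above:
# 100 for these four properties, 20 for every other filter property.
MAX_100 = {"AwsAccountId", "GeneratorId", "ResourceId", "Title"}
DATE_PROPS = {"CreatedAt", "FirstObservedAt", "LastObservedAt",
              "NoteUpdatedAt", "UpdatedAt"}
OTHER_PROPS = {
    "CompanyName", "ComplianceAssociatedStandardsId",
    "ComplianceSecurityControlId", "ComplianceStatus", "Confidence",
    "Criticality", "Description", "Id", "NoteText", "NoteUpdatedBy",
    "ProductArn", "ProductName", "RecordState", "RelatedFindingsId",
    "RelatedFindingsProductArn", "ResourceDetailsOther", "ResourcePartition",
    "ResourceRegion", "ResourceTags", "ResourceType", "SeverityLabel",
    "SourceUrl", "Type", "UserDefinedFields", "VerificationState",
    "WorkflowStatus",
}
KNOWN_PROPS = MAX_100 | DATE_PROPS | OTHER_PROPS

# The *Pattern* documented for the DateFilter Start and End properties.
# It checks format only: a date such as 2024-02-31 still matches.
TIMESTAMP = re.compile(
    r"^(\d\d\d\d)-([0][1-9]|[1][0-2])-([0][1-9]|[1-2](\d)|[3][0-1])[T]"
    r"(?:([0-1](\d)|[2][0-3]):[0-5](\d):[0-5](\d)|23:59:60)"
    r"(?:\.(\d)+)?([Z]|[+-](\d\d)(:?(\d\d))?)$"
)


def lint_date_filter(prop, index, date_filter):
    """Check the Start and End strings of one DateFilter against the pattern."""
    if not isinstance(date_filter, dict):
        return [f"{prop}[{index}]: expected a DateFilter object"]
    problems = []
    for key in ("Start", "End"):
        value = date_filter.get(key)
        if value is not None and not TIMESTAMP.fullmatch(str(value)):
            problems.append(
                f"{prop}[{index}].{key}: {value!r} does not match the timestamp pattern"
            )
    return problems


def lint_criteria(criteria):
    """Return a list of problems found in an AutomationRulesFindingFilters dict."""
    problems = []
    for prop, filters in criteria.items():
        if prop not in KNOWN_PROPS:
            problems.append(f"{prop}: not an AutomationRulesFindingFilters property")
            continue
        if not isinstance(filters, list) or not filters:
            problems.append(f"{prop}: expected an array with at least 1 filter")
            continue
        limit = 100 if prop in MAX_100 else 20
        if len(filters) > limit:
            problems.append(f"{prop}: {len(filters)} filters exceed the maximum of {limit}")
        if prop in DATE_PROPS:
            for index, date_filter in enumerate(filters):
                problems.extend(lint_date_filter(prop, index, date_filter))
    return problems


# Constructed sample: the Criteria of a rule as it would appear after the
# template is parsed. All values are made up for this example.
SAMPLE_CRITERIA = {
    "ProductName": [{"Comparison": "EQUALS", "Value": "GuardDuty"}],
    "ResourceTags": [{"Comparison": "EQUALS", "Key": "env", "Value": "sandbox"}],
    # Misspelled key: the filter property is SeverityLabel.
    "Severity": [{"Comparison": "EQUALS", "Value": "LOW"}],
    # 21 entries, one more than the documented *Maximum* of 20.
    "ResourceType": [
        {"Comparison": "EQUALS", "Value": f"Constructed::Type{n}"} for n in range(21)
    ],
    # Empty array: the documented minimum is 1 item.
    "WorkflowStatus": [],
    # End uses a space instead of the required "T" separator.
    "UpdatedAt": [{"Start": "2024-06-01T00:00:00Z", "End": "2024-06-30 23:59:59Z"}],
}

if __name__ == "__main__":
    for problem in lint_criteria(SAMPLE_CRITERIA):
        print(problem)
```
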

# AWS::SecurityHub::AutomationRule DateFilter
<a name="aws-properties-securityhub-automationrule-datefilter"></a>

A date filter for querying findings.

## Syntax
<a name="aws-properties-securityhub-automationrule-datefilter-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-datefilter-syntax.json"></a>

```
{
  "[DateRange](#cfn-securityhub-automationrule-datefilter-daterange)" : DateRange,
  "[End](#cfn-securityhub-automationrule-datefilter-end)" : String,
  "[Start](#cfn-securityhub-automationrule-datefilter-start)" : String
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-datefilter-syntax.yaml"></a>

```
  [DateRange](#cfn-securityhub-automationrule-datefilter-daterange): 
    DateRange
  [End](#cfn-securityhub-automationrule-datefilter-end): String
  [Start](#cfn-securityhub-automationrule-datefilter-start): String
```

## Properties
<a name="aws-properties-securityhub-automationrule-datefilter-properties"></a>

`DateRange`  <a name="cfn-securityhub-automationrule-datefilter-daterange"></a>
A date range for the date filter.  
*Required*: No  
*Type*: [DateRange](aws-properties-securityhub-automationrule-daterange.md)  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`End`  <a name="cfn-securityhub-automationrule-datefilter-end"></a>
A timestamp that provides the end date for the date filter.  
For more information about the validation and formatting of timestamp fields in Amazon Security Hub CSPM, see [Timestamps](https://docs.amazonaws.cn/securityhub/1.0/APIReference/Welcome.html#timestamps).  
*Required*: No  
*Type*: String  
*Pattern*: `^(\d\d\d\d)-([0][1-9]|[1][0-2])-([0][1-9]|[1-2](\d)|[3][0-1])[T](?:([0-1](\d)|[2][0-3]):[0-5](\d):[0-5](\d)|23:59:60)(?:\.(\d)+)?([Z]|[+-](\d\d)(:?(\d\d))?)$`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Start`  <a name="cfn-securityhub-automationrule-datefilter-start"></a>
A timestamp that provides the start date for the date filter.  
For more information about the validation and formatting of timestamp fields in Amazon Security Hub CSPM, see [Timestamps](https://docs.amazonaws.cn/securityhub/1.0/APIReference/Welcome.html#timestamps).  
*Required*: No  
*Type*: String  
*Pattern*: `^(\d\d\d\d)-([0][1-9]|[1][0-2])-([0][1-9]|[1-2](\d)|[3][0-1])[T](?:([0-1](\d)|[2][0-3]):[0-5](\d):[0-5](\d)|23:59:60)(?:\.(\d)+)?([Z]|[+-](\d\d)(:?(\d\d))?)$`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::AutomationRule DateRange
<a name="aws-properties-securityhub-automationrule-daterange"></a>

A date range for the date filter.

## Syntax
<a name="aws-properties-securityhub-automationrule-daterange-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-daterange-syntax.json"></a>

```
{
  "[Unit](#cfn-securityhub-automationrule-daterange-unit)" : String,
  "[Value](#cfn-securityhub-automationrule-daterange-value)" : Number
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-daterange-syntax.yaml"></a>

```
  [Unit](#cfn-securityhub-automationrule-daterange-unit): String
  [Value](#cfn-securityhub-automationrule-daterange-value): Number
```

## Properties
<a name="aws-properties-securityhub-automationrule-daterange-properties"></a>

`Unit`  <a name="cfn-securityhub-automationrule-daterange-unit"></a>
A date range unit for the date filter.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `DAYS`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-securityhub-automationrule-daterange-value"></a>
A date range value for the date filter.  
*Required*: Yes  
*Type*: Number  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::AutomationRule MapFilter
<a name="aws-properties-securityhub-automationrule-mapfilter"></a>

A map filter for filtering Amazon Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.

## Syntax
<a name="aws-properties-securityhub-automationrule-mapfilter-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-mapfilter-syntax.json"></a>

```
{
  "[Comparison](#cfn-securityhub-automationrule-mapfilter-comparison)" : String,
  "[Key](#cfn-securityhub-automationrule-mapfilter-key)" : String,
  "[Value](#cfn-securityhub-automationrule-mapfilter-value)" : String
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-mapfilter-syntax.yaml"></a>

```
  [Comparison](#cfn-securityhub-automationrule-mapfilter-comparison): String
  [Key](#cfn-securityhub-automationrule-mapfilter-key): String
  [Value](#cfn-securityhub-automationrule-mapfilter-value): String
```

## Properties
<a name="aws-properties-securityhub-automationrule-mapfilter-properties"></a>

`Comparison`  <a name="cfn-securityhub-automationrule-mapfilter-comparison"></a>
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.  
To search for values that have the filter value, use one of the following comparison operators:  
+ To search for values that include the filter value, use `CONTAINS`. For example, for the `ResourceTags` field, the filter `Department CONTAINS Security` matches findings that include the value `Security` for the `Department` tag. In the same example, a finding with a value of `Security team` for the `Department` tag is a match.
+ To search for values that exactly match the filter value, use `EQUALS`. For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the `Department` tag.
`CONTAINS` and `EQUALS` filters on the same field are joined by `OR`. A finding matches if it matches any one of those filters. For example, the filters `Department CONTAINS Security OR Department CONTAINS Finance` match a finding that includes either `Security`, `Finance`, or both values.  
To search for values that don't have the filter value, use one of the following comparison operators:  
+ To search for values that exclude the filter value, use `NOT_CONTAINS`. For example, for the `ResourceTags` field, the filter `Department NOT_CONTAINS Finance` matches findings that exclude the value `Finance` for the `Department` tag.
+ To search for values other than the filter value, use `NOT_EQUALS`. For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that don’t have the value `Finance` for the `Department` tag.
`NOT_CONTAINS` and `NOT_EQUALS` filters on the same field are joined by `AND`. A finding matches only if it matches all of those filters. For example, the filters `Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance` match a finding that excludes both the `Security` and `Finance` values.  
`CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.  
You can’t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can’t have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field. Combining filters in this way returns an error.   
`CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.amazonaws.cn/securityhub/latest/userguide/automation-rules.html) in the *Amazon Security Hub CSPM User Guide*.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `EQUALS | NOT_EQUALS | CONTAINS | NOT_CONTAINS`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Key`  <a name="cfn-securityhub-automationrule-mapfilter-key"></a>
The key of the map filter. For example, for `ResourceTags`, `Key` identifies the name of the tag. For `UserDefinedFields`, `Key` is the name of the field.  
*Required*: Yes  
*Type*: String  
*Pattern*: `.*\S.*`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-securityhub-automationrule-mapfilter-value"></a>
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security`. If you provide `security` as the filter value, then there's no match.  
*Required*: Yes  
*Type*: String  
*Pattern*: `.*\S.*`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::AutomationRule NoteUpdate
<a name="aws-properties-securityhub-automationrule-noteupdate"></a>

The updated note.

## Syntax
<a name="aws-properties-securityhub-automationrule-noteupdate-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-noteupdate-syntax.json"></a>

```
{
  "[Text](#cfn-securityhub-automationrule-noteupdate-text)" : String,
  "[UpdatedBy](#cfn-securityhub-automationrule-noteupdate-updatedby)" : String
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-noteupdate-syntax.yaml"></a>

```
  [Text](#cfn-securityhub-automationrule-noteupdate-text): String
  [UpdatedBy](#cfn-securityhub-automationrule-noteupdate-updatedby): String
```

## Properties
<a name="aws-properties-securityhub-automationrule-noteupdate-properties"></a>

`Text`  <a name="cfn-securityhub-automationrule-noteupdate-text"></a>
The updated note text.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UpdatedBy`  <a name="cfn-securityhub-automationrule-noteupdate-updatedby"></a>
The principal that updated the note.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::AutomationRule NumberFilter
<a name="aws-properties-securityhub-automationrule-numberfilter"></a>

A number filter for querying findings.

## Syntax
<a name="aws-properties-securityhub-automationrule-numberfilter-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-numberfilter-syntax.json"></a>

```
{
  "[Eq](#cfn-securityhub-automationrule-numberfilter-eq)" : Number,
  "[Gte](#cfn-securityhub-automationrule-numberfilter-gte)" : Number,
  "[Lte](#cfn-securityhub-automationrule-numberfilter-lte)" : Number
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-numberfilter-syntax.yaml"></a>

```
  [Eq](#cfn-securityhub-automationrule-numberfilter-eq): Number
  [Gte](#cfn-securityhub-automationrule-numberfilter-gte): Number
  [Lte](#cfn-securityhub-automationrule-numberfilter-lte): Number
```

## Properties
<a name="aws-properties-securityhub-automationrule-numberfilter-properties"></a>

`Eq`  <a name="cfn-securityhub-automationrule-numberfilter-eq"></a>
The equal-to condition to be applied to a single field when querying for findings.  
*Required*: No  
*Type*: Number  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Gte`  <a name="cfn-securityhub-automationrule-numberfilter-gte"></a>
The greater-than-or-equal-to condition to be applied to a single field when querying for findings.  
*Required*: No  
*Type*: Number  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Lte`  <a name="cfn-securityhub-automationrule-numberfilter-lte"></a>
The less-than-or-equal-to condition to be applied to a single field when querying for findings.  
*Required*: No  
*Type*: Number  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::AutomationRule RelatedFinding
<a name="aws-properties-securityhub-automationrule-relatedfinding"></a>

 Provides details about a list of findings that the current finding relates to. 

## Syntax
<a name="aws-properties-securityhub-automationrule-relatedfinding-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-relatedfinding-syntax.json"></a>

```
{
  "[Id](#cfn-securityhub-automationrule-relatedfinding-id)" : String,
  "[ProductArn](#cfn-securityhub-automationrule-relatedfinding-productarn)" : String
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-relatedfinding-syntax.yaml"></a>

```
  [Id](#cfn-securityhub-automationrule-relatedfinding-id): String
  [ProductArn](#cfn-securityhub-automationrule-relatedfinding-productarn): String
```

## Properties
<a name="aws-properties-securityhub-automationrule-relatedfinding-properties"></a>

`Id`  <a name="cfn-securityhub-automationrule-relatedfinding-id"></a>
 The product-generated identifier for a related finding.   
 Array Members: Minimum number of 1 item. Maximum number of 20 items.   
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ProductArn`  <a name="cfn-securityhub-automationrule-relatedfinding-productarn"></a>
 The Amazon Resource Name (ARN) for the product that generated a related finding.   
*Required*: Yes  
*Type*: String  
*Pattern*: `^arn:(aws|aws-cn|aws-us-gov|aws-iso-?[a-z]{0,2}):[A-Za-z0-9]{1,63}:[a-z]+-([a-z]{1,10}-)?[a-z]+-[0-9]+:([0-9]{12})?:.+$`  
*Minimum*: `12`  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::AutomationRule SeverityUpdate
<a name="aws-properties-securityhub-automationrule-severityupdate"></a>

Updates to the severity information for a finding.

## Syntax
<a name="aws-properties-securityhub-automationrule-severityupdate-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-severityupdate-syntax.json"></a>

```
{
  "[Label](#cfn-securityhub-automationrule-severityupdate-label)" : String,
  "[Normalized](#cfn-securityhub-automationrule-severityupdate-normalized)" : Integer,
  "[Product](#cfn-securityhub-automationrule-severityupdate-product)" : Number
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-severityupdate-syntax.yaml"></a>

```
  [Label](#cfn-securityhub-automationrule-severityupdate-label): String
  [Normalized](#cfn-securityhub-automationrule-severityupdate-normalized): Integer
  [Product](#cfn-securityhub-automationrule-severityupdate-product): Number
```

## Properties
<a name="aws-properties-securityhub-automationrule-severityupdate-properties"></a>

`Label`  <a name="cfn-securityhub-automationrule-severityupdate-label"></a>
The severity value of the finding. The allowed values are the following.  
+ `INFORMATIONAL` - No issue was found.
+ `LOW` - The issue does not require action on its own.
+ `MEDIUM` - The issue must be addressed but not urgently.
+ `HIGH` - The issue must be addressed as a priority.
+ `CRITICAL` - The issue must be remediated immediately to avoid it escalating.
*Required*: No  
*Type*: String  
*Allowed values*: `INFORMATIONAL | LOW | MEDIUM | HIGH | CRITICAL`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Normalized`  <a name="cfn-securityhub-automationrule-severityupdate-normalized"></a>
The normalized severity for the finding. This attribute is to be deprecated in favor of `Label`.  
If you provide `Normalized` and don't provide `Label`, `Label` is set automatically as follows.  
+ 0 - `INFORMATIONAL`
+ 1–39 - `LOW`
+ 40–69 - `MEDIUM`
+ 70–89 - `HIGH`
+ 90–100 - `CRITICAL`
*Required*: No  
*Type*: Integer  
*Minimum*: `0`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Product`  <a name="cfn-securityhub-automationrule-severityupdate-product"></a>
The native severity as defined by the Amazon service or integrated partner product that generated the finding.  
*Required*: No  
*Type*: Number  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::SecurityHub::AutomationRule StringFilter
<a name="aws-properties-securityhub-automationrule-stringfilter"></a>

A string filter for filtering Amazon Security Hub CSPM findings.

## Syntax
<a name="aws-properties-securityhub-automationrule-stringfilter-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-stringfilter-syntax.json"></a>

```
{
  "[Comparison](#cfn-securityhub-automationrule-stringfilter-comparison)" : String,
  "[Value](#cfn-securityhub-automationrule-stringfilter-value)" : String
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-stringfilter-syntax.yaml"></a>

```
  [Comparison](#cfn-securityhub-automationrule-stringfilter-comparison): String
  [Value](#cfn-securityhub-automationrule-stringfilter-value): String
```

## Properties
<a name="aws-properties-securityhub-automationrule-stringfilter-properties"></a>

`Comparison`  <a name="cfn-securityhub-automationrule-stringfilter-comparison"></a>
The condition to apply to a string value when filtering Security Hub CSPM findings.  
To search for values that have the filter value, use one of the following comparison operators:  
+ To search for values that include the filter value, use `CONTAINS`. For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront.
+ To search for values that exactly match the filter value, use `EQUALS`. For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012`.
+ To search for values that start with the filter value, use `PREFIX`. For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us`. A `ResourceRegion` that starts with a different value, such as `af`, `ap`, or `ca`, doesn't match.
`CONTAINS`, `EQUALS`, and `PREFIX` filters on the same field are joined by `OR`. A finding matches if it matches any one of those filters. For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront`, `CloudWatch`, or both strings in the title.  
To search for values that don’t have the filter value, use one of the following comparison operators:  
+ To search for values that exclude the filter value, use `NOT_CONTAINS`. For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront.
+ To search for values other than the filter value, use `NOT_EQUALS`. For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012`.
+ To search for values that don't start with the filter value, use `PREFIX_NOT_EQUALS`. For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us`.
`NOT_CONTAINS`, `NOT_EQUALS`, and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND`. A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title.  
You can’t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can't provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters.   
You can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub CSPM first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters.  
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2`. It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface`.  
+  `ResourceType PREFIX AwsIam` 
+  `ResourceType PREFIX AwsEc2` 
+  `ResourceType NOT_EQUALS AwsIamPolicy` 
+  `ResourceType NOT_EQUALS AwsEc2NetworkInterface` 
The `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. The `CONTAINS_WORD` operator is supported only in the `GetFindingsV2`, `GetFindingStatisticsV2`, `GetResourcesV2`, and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.amazonaws.cn/securityhub/latest/userguide/automation-rules.html) in the *Amazon Security Hub CSPM User Guide*.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `EQUALS | PREFIX | NOT_EQUALS | PREFIX_NOT_EQUALS | CONTAINS | NOT_CONTAINS`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-securityhub-automationrule-stringfilter-value"></a>
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub CSPM`. If you provide `security hub` as the filter value, there's no match.  
*Required*: Yes  
*Type*: String  
*Pattern*: `.*\S.*`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
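
The filter-combination rules in the `Comparison` description above, modelled as an added Python example (not AWS code; `validate`, `matches` and the sample inputs are hypothetical names and constructed values). It checks one field's `StringFilter` array against the stated restrictions, then evaluates it as the text describes: positive operators joined by `OR` first, negative operators joined by `AND` after. The `MapFilter` `Comparison` section states the same joining rules for its four operators.

```python
import re

# Comparison operators from the StringFilter "Allowed values" list.
# Python string tests are case sensitive, matching the Value description.
TESTS = {
    "EQUALS": lambda actual, want: actual == want,
    "PREFIX": lambda actual, want: actual.startswith(want),
    "CONTAINS": lambda actual, want: want in actual,
    "NOT_EQUALS": lambda actual, want: actual != want,
    "PREFIX_NOT_EQUALS": lambda actual, want: not actual.startswith(want),
    "NOT_CONTAINS": lambda actual, want: want not in actual,
}
POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}  # joined by OR
NEGATIVE = set(TESTS) - POSITIVE             # joined by AND
NON_BLANK = re.compile(r".*\S.*")            # Value pattern from the page
# Pairs the page says return an error when used on the same field.
CONFLICTS = [("EQUALS", "NOT_EQUALS"), ("EQUALS", "PREFIX_NOT_EQUALS")]

# The page's own ResourceType example.
RESOURCE_TYPE_FILTERS = [
    {"Comparison": "PREFIX", "Value": "AwsIam"},
    {"Comparison": "PREFIX", "Value": "AwsEc2"},
    {"Comparison": "NOT_EQUALS", "Value": "AwsIamPolicy"},
    {"Comparison": "NOT_EQUALS", "Value": "AwsEc2NetworkInterface"},
]


def validate(filters):
    """Return a list of problems for the StringFilter array of ONE criteria field."""
    problems = []
    if not 1 <= len(filters) <= 20:
        problems.append("array must hold 1 to 20 filters")
    ops = set()
    for f in filters:
        op, value = f.get("Comparison"), f.get("Value")
        if op not in TESTS:
            problems.append(f"unsupported Comparison: {op!r}")
            continue
        ops.add(op)
        if not isinstance(value, str) or not NON_BLANK.search(value):
            problems.append(f"{op}: Value must contain a non-whitespace character")
    for a, b in CONFLICTS:
        if a in ops and b in ops:
            problems.append(f"{a} and {b} cannot be combined on the same field")
    # CONTAINS / NOT_CONTAINS may only sit beside filters of their own kind,
    # which also rules out mixing the two with each other.
    for exclusive in ("CONTAINS", "NOT_CONTAINS"):
        if exclusive in ops and ops != {exclusive}:
            problems.append(f"{exclusive} can only be used with other {exclusive} filters")
    return problems


def matches(filters, actual):
    """Evaluate one field value against a valid filter array."""
    problems = validate(filters)
    if problems:
        raise ValueError("; ".join(problems))
    positive = [f for f in filters if f["Comparison"] in POSITIVE]
    negative = [f for f in filters if f["Comparison"] in NEGATIVE]
    # Step 1: positive filters select candidates (any one match is enough).
    included = not positive or any(
        TESTS[f["Comparison"]](actual, f["Value"]) for f in positive
    )
    # Step 2: every negative filter must still hold for the finding to match.
    kept = all(TESTS[f["Comparison"]](actual, f["Value"]) for f in negative)
    return included and kept


if __name__ == "__main__":
    for resource_type in ("AwsIamRole", "AwsIamPolicy", "AwsEc2Instance", "AwsS3Bucket"):
        print(resource_type, matches(RESOURCE_TYPE_FILTERS, resource_type))
    # A rule that mixes EQUALS with NOT_EQUALS is flagged before deployment.
    print(validate([{"Comparison": "EQUALS", "Value": "AwsIamRole"},
                    {"Comparison": "NOT_EQUALS", "Value": "AwsIamPolicy"}]))
```

Running `validate` over each criteria field of a template before deployment surfaces an operator combination that the page says returns an error, and `matches` shows which findings a suppression rule would actually select.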

# AWS::SecurityHub::AutomationRule WorkflowUpdate
<a name="aws-properties-securityhub-automationrule-workflowupdate"></a>

Used to update information about the investigation into the finding.

## Syntax
<a name="aws-properties-securityhub-automationrule-workflowupdate-syntax"></a>

To declare this entity in your Amazon CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-securityhub-automationrule-workflowupdate-syntax.json"></a>

```
{
  "[Status](#cfn-securityhub-automationrule-workflowupdate-status)" : String
}
```

### YAML
<a name="aws-properties-securityhub-automationrule-workflowupdate-syntax.yaml"></a>

```
  [Status](#cfn-securityhub-automationrule-workflowupdate-status): String
```

## Properties
<a name="aws-properties-securityhub-automationrule-workflowupdate-properties"></a>

`Status`  <a name="cfn-securityhub-automationrule-workflowupdate-status"></a>
The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to `SUPPRESSED` or `RESOLVED` does not prevent a new finding for the same issue.  
The allowed values are the following.  
+ `NEW` - The initial state of a finding, before it is reviewed.

  Security Hub CSPM also resets `WorkflowStatus` from `NOTIFIED` or `RESOLVED` to `NEW` in the following cases:
  + The record state changes from `ARCHIVED` to `ACTIVE`.
  + The compliance status changes from `PASSED` to either `WARNING`, `FAILED`, or `NOT_AVAILABLE`.
+ `NOTIFIED` - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
+ `RESOLVED` - The finding was reviewed and remediated and is now considered resolved.
+ `SUPPRESSED` - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.
*Required*: Yes  
*Type*: String  
*Allowed values*: `NEW | NOTIFIED | RESOLVED | SUPPRESSED`  
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)