AWS::SecurityHub::ConfigurationPolicy - Amazon CloudFormation


The AWS::SecurityHub::ConfigurationPolicy resource creates a central configuration policy with the defined settings. Only the Amazon Security Hub delegated administrator can create this resource in the home Region. For more information, see Central configuration in Security Hub in the Amazon Security Hub User Guide.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::SecurityHub::ConfigurationPolicy",
  "Properties" : {
      "ConfigurationPolicy" : Policy,
      "Description" : String,
      "Name" : String,
      "Tags" : {Key: Value, ...}
    }
}

YAML

Type: AWS::SecurityHub::ConfigurationPolicy
Properties:
  ConfigurationPolicy: Policy
  Description: String
  Name: String
  Tags:
    Key: Value



Properties

ConfigurationPolicy

An object that defines how Amazon Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).

Required: Yes

Type: Policy

Update requires: No interruption


Description

The description of the configuration policy.

Required: No

Type: String

Minimum: 0

Maximum: 512

Update requires: No interruption


Name

The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: -, ., !, *, /.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Update requires: No interruption


Tags

User-defined tags associated with a configuration policy. For more information, see Tagging Amazon Security Hub resources in the Security Hub User Guide.

Required: No

Type: Object of String

Pattern: ^[a-zA-Z0-9]{1,128}$

Minimum: 0

Maximum: 256

Update requires: No interruption
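The following Python script is an added example, not code from this page or from AWS. It checks a resource's Properties against the limits listed above for Name, Description and Tags, and it computes which controls a ConfigurationPolicy actually leaves enabled under the rule stated for the ConfigurationPolicy property, so you can see which newly released controls an allow-list policy silently turns off. The control catalogue and the "NEW.1" control are constructed; the deny-list field name DisabledSecurityControlIdentifiers and the assumption that the enabled and disabled lists are mutually exclusive are not on this page.

```python
import re

# Constraints stated on this page for the resource's Properties.
NAME_RE = re.compile(r"^[A-Za-z0-9\-.!*/]{1,128}$")   # Name: alphanumerics plus - . ! * /
DESCRIPTION_MAX = 512                                  # Description: 0..512 characters
TAG_KEY_RE = re.compile(r"^[a-zA-Z0-9]{1,128}$")       # Tags pattern as printed on the page
TAG_VALUE_MAX = 256                                    # Tags: maximum 256

# Constructed catalogue standing in for "every control Security Hub knows about".
# NEW.1 represents a control released after the policy was written.
CONSTRUCTED_CATALOG = ["APIGateway.1", "IAM.7", "RDS.14", "CloudFront.5",
                       "EC2.18", "S3.11", "CloudFront.6", "NEW.1"]

# Properties taken from the page's example template (custom parameters omitted).
EXAMPLE_PROPERTIES = {
    "Name": "SecurityHubConfigurationPolicyExample",
    "Description": "Example template to create SecurityHub Configuration Policy",
    "Tags": {"key1": "value1"},
    "ConfigurationPolicy": {
        "SecurityHub": {
            "ServiceEnabled": True,
            "EnabledStandardIdentifiers": [
                "arn:aws:securityhub:us-west-2::standards/aws-foundational-security-best-practices/v/1.0.0"
            ],
            "SecurityControlsConfiguration": {
                "EnabledSecurityControlIdentifiers": [
                    "APIGateway.1", "IAM.7", "RDS.14", "CloudFront.5",
                    "EC2.18", "S3.11", "CloudFront.6"
                ]
            },
        }
    },
}


def validate_properties(props):
    """Return a list of constraint violations in a ConfigurationPolicy resource's Properties."""
    problems = []
    name = props.get("Name")
    if not isinstance(name, str) or not NAME_RE.match(name):
        problems.append("Name: required, 1-128 chars, alphanumerics and - . ! * / only")
    desc = props.get("Description", "")
    if not isinstance(desc, str) or len(desc) > DESCRIPTION_MAX:
        problems.append("Description: at most 512 characters")
    for key, value in (props.get("Tags") or {}).items():
        # Interpretation used here: the page's pattern applies to keys, the 256 maximum to values.
        if not TAG_KEY_RE.match(key):
            problems.append(f"Tags: key {key!r} does not match ^[a-zA-Z0-9]{{1,128}}$")
        if not isinstance(value, str) or len(value) > TAG_VALUE_MAX:
            problems.append(f"Tags: value for {key!r} exceeds 256 characters")
    if "ConfigurationPolicy" not in props:
        problems.append("ConfigurationPolicy: required")
    return problems


def effective_controls(policy, catalog):
    """Controls left enabled under the page's rule: an enabled list disables every other
    control (new ones included); a disabled list enables every other control."""
    hub = policy["SecurityHub"]
    if not hub.get("ServiceEnabled", False):
        return set()                       # Security Hub off: no controls run
    cfg = hub.get("SecurityControlsConfiguration", {})
    enabled = cfg.get("EnabledSecurityControlIdentifiers")
    # Assumed field name for the deny-list form; this page only shows the enabled-list form.
    disabled = cfg.get("DisabledSecurityControlIdentifiers")
    if enabled is not None and disabled is not None:
        # Assumption: the two lists are mutually exclusive.
        raise ValueError("use either an enabled list or a disabled list, not both")
    catalog = set(catalog)
    if enabled is not None:
        return catalog & set(enabled)      # allow-list: unknown/new controls stay off
    if disabled is not None:
        return catalog - set(disabled)     # deny-list: unknown/new controls come on
    return catalog


def newly_released_controls_off(policy, catalog, new_controls):
    """Which of `new_controls` the policy leaves disabled: the coverage gap an allow-list
    policy creates each time Security Hub ships a new control."""
    active = effective_controls(policy, catalog)
    return sorted(set(new_controls) - active)


if __name__ == "__main__":
    print("violations:", validate_properties(EXAMPLE_PROPERTIES))
    pol = EXAMPLE_PROPERTIES["ConfigurationPolicy"]
    print("enabled:", sorted(effective_controls(pol, CONSTRUCTED_CATALOG)))
    print("new controls left off:", newly_released_controls_off(pol, CONSTRUCTED_CATALOG, ["NEW.1"]))
```

Run it against the page's example and the allow-list policy reports NEW.1 as left off; switch the same policy to a disabled list and NEW.1 is picked up automatically. That difference is the decision to make when choosing between the two list forms: an allow-list gives a fixed, auditable control set, a deny-list gives coverage of future controls.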

Return values


Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the configuration policy. For example, arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111.


Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


Arn

The ARN of the configuration policy.


CreatedAt

Property description not available.


Id

The universally unique identifier (UUID) of the configuration policy. A self-managed configuration has no UUID. The identifier of a self-managed configuration is SELF_MANAGED_SECURITY_HUB.


ServiceEnabled

Indicates whether the service that the configuration policy applies to is enabled in the policy.


UpdatedAt

The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.


Creating a Security Hub central configuration policy

The following example creates a configuration policy with the specified settings. Only the delegated Security Hub administrator can create a configuration policy from the home Region.


JSON

{
  "Description": "Example template to create a SecurityHub configuration policy",
  "Resources": {
    "SecurityHubConfigurationPolicy": {
      "Type": "AWS::SecurityHub::ConfigurationPolicy",
      "Properties": {
        "Tags": {
          "key1": "value1"
        },
        "Name": "SecurityHubConfigurationPolicyExample",
        "Description": "Example template to create SecurityHub Configuration Policy",
        "ConfigurationPolicy": {
          "SecurityHub": {
            "ServiceEnabled": true,
            "EnabledStandardIdentifiers": [
              "arn:aws:securityhub:us-west-2::standards/aws-foundational-security-best-practices/v/1.0.0"
            ],
            "SecurityControlsConfiguration": {
              "EnabledSecurityControlIdentifiers": [
                "APIGateway.1",
                "IAM.7",
                "RDS.14",
                "CloudFront.5",
                "EC2.18",
                "S3.11",
                "CloudFront.6"
              ],
              "SecurityControlCustomParameters": [
                {
                  "SecurityControlId": "APIGateway.1",
                  "Parameters": {
                    "loggingLevel": {
                      "ValueType": "CUSTOM",
                      "Value": {
                        "Enum": "ERROR"
                      }
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}


YAML

Description: Example template to create a Security Hub configuration policy
Resources:
  SecurityHubConfigurationPolicy:
    Type: "AWS::SecurityHub::ConfigurationPolicy"
    Properties:
      Tags:
        key1: value1
      Name: "SecurityHubConfigurationPolicyExample"
      Description: "Example template to create SecurityHub Configuration Policy"
      ConfigurationPolicy:
        SecurityHub:
          ServiceEnabled: true
          EnabledStandardIdentifiers:
            - !Sub "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"
          SecurityControlsConfiguration:
            EnabledSecurityControlIdentifiers:
              - "APIGateway.1"
              - "IAM.7"
              - "RDS.14"
              - "CloudFront.5"
              - "EC2.18"
              - "S3.11"
              - "CloudFront.6"
            SecurityControlCustomParameters:
              - SecurityControlId: "APIGateway.1"
                Parameters:
                  loggingLevel:
                    ValueType: "CUSTOM"
                    Value:
                      Enum: "ERROR"