AWS::SecurityHub::Standard - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


The AWS::SecurityHub::Standard resource specifies the enablement of a security standard. The standard is identified by the StandardsArn property. To view a list of Security Hub standards and their Amazon Resource Names (ARNs), use the DescribeStandards API operation.

You must create a separate AWS::SecurityHub::Standard resource for each standard that you want to enable.

For more information about Security Hub standards, see Security Hub standards reference in the Amazon Security Hub User Guide.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


{ "Type" : "AWS::SecurityHub::Standard", "Properties" : { "DisabledStandardsControls" : [ StandardsControl, ... ], "StandardsArn" : String } }


Type: AWS::SecurityHub::Standard Properties: DisabledStandardsControls: - StandardsControl StandardsArn: String



Specifies which controls are to be disabled in a standard.

Maximum: 100

Required: No

Type: Array of StandardsControl

Minimum: 0

Maximum: 100

Update requires: No interruption


The ARN of the standard that you want to enable. To view a list of available Security Hub standards and their ARNs, use the DescribeStandards API operation.

Required: Yes

Type: String

Pattern: arn:aws\S*:securityhub:\S

Update requires: Replacement

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns StandardsSubscriptionArn for the standard that you enable, such as arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0.

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


The ARN of a resource that represents your subscription to a supported standard.


The following examples show how to declare an AWS::SecurityHub::Standard resource.

Enabling a standard with all controls enabled

The following example enables the Amazon Foundational Security Best Practices (FSBP) standard and all controls that apply to it.


{ "Description": "Example Standard", "Resources": { "ExampleStandard": { "Type": "AWS::SecurityHub::Standard", "Properties": { "StandardsArn": { "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0" } } } }, "Outputs": { "StandardsSubscriptionArn": { "Value": { "Ref": "ExampleStandard" } } } }


--- Description: Example Standard Resources: ExampleStandard: Type: 'AWS::SecurityHub::Standard' Properties: StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0' Outputs: StandardsSubscriptionArn: Value: !Ref ExampleStandard

Enabling a standard with some controls disabled

The following example enables the FSBP standard. The controls specified in the example are disabled in this standard, and all other controls are enabled in this standard.


{ "Description": "Example Standard", "Resources": { "ExampleStandardWithDisabledControls": { "Type": "AWS::SecurityHub::Standard", "Properties": { "StandardsArn": { "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0" }, "DisabledStandardsControls": [ { "StandardsControlArn": { "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1" }, "Reason": "Disabled reason text" }, { "StandardsControlArn": { "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2" }, "Reason": "Disabled reason text" } ] } } }, "Outputs": { "StandardsSubscriptionArn": { "Value": { "Ref": "ExampleStandardWithDisabledControls" } } } }


--- Description: Example Standard Resources: ExampleStandardWithDisabledControls: Type: 'AWS::SecurityHub::Standard' Properties: StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0' DisabledStandardsControls: - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1' Reason: 'Disabled reason text' - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2' Reason: 'Disabled reason text' Outputs: StandardsSubscriptionArn: Value: !Ref ExampleStandardWithDisabledControls