SecurityControl - Amazon Security Hub
ContentsSee Also
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

SecurityControl

A security control in Security Hub describes a security best practice related to a specific resource.

Contents

Description

The description of a security control across standards. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard.

Type: String

Pattern: .*\S.*

Required: Yes

RemediationUrl

A link to Security Hub documentation that explains how to remediate a failed finding for a security control.

Type: String

Pattern: .*\S.*

Required: Yes

SecurityControlArn

The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

Type: String

Pattern: .*\S.*

Required: Yes

SecurityControlId

The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Service name and a number, such as APIGateway.3.

Type: String

Pattern: .*\S.*

Required: Yes

SecurityControlStatus

The enablement status of a security control in a specific standard.

Type: String

Valid Values: ENABLED | DISABLED

Required: Yes

SeverityRating

The severity of a security control. For more information about how Security Hub determines control severity, see Assigning severity to control findings in the Security Hub User Guide.

Type: String

Valid Values: LOW | MEDIUM | HIGH | CRITICAL

Required: Yes

Title

The title of a security control.

Type: String

Pattern: .*\S.*

Required: Yes

LastUpdateReason

The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.

Type: String

Pattern: ^[-_ a-zA-Z0-9]+$

Required: No

Parameters

An object that identifies the name of a control parameter, its current value, and whether it has been customized.

Type: String to ParameterConfiguration object map

Key Pattern: .*\S.*

Required: No

UpdateStatus

Identifies whether customizable properties of a security control are reflected in Security Hub findings. A status of READY indicates findings include the current parameter values. A status of UPDATING indicates that all findings may not include the current parameter values.

Type: String

Valid Values: READY | UPDATING

Required: No

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: