AWS::SecurityHub::Standard
The AWS::SecurityHub::Standard resource specifies the enablement of a security standard.
The standard is identified by the StandardsArn property. To view a list of Security Hub
standards and their Amazon Resource Names (ARNs), use the DescribeStandards API operation.
You must create a separate AWS::SecurityHub::Standard resource for each
standard that you want to enable.
For more information about Security Hub standards, see Security Hub standards reference in the AWS Security Hub User Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::SecurityHub::Standard",
  "Properties" : {
      "DisabledStandardsControls" : [ StandardsControl, ... ],
      "StandardsArn" : String
    }
}
YAML
Type: AWS::SecurityHub::Standard
Properties:
  DisabledStandardsControls:
    - StandardsControl
  StandardsArn: String
Properties
DisabledStandardsControls
    Specifies which controls are to be disabled in a standard.
    Required: No
    Type: Array of StandardsControl
    Minimum: 0
    Maximum: 100
    Update requires: No interruption

StandardsArn
    The ARN of the standard that you want to enable. To view a list of available Security Hub standards and their ARNs, use the DescribeStandards API operation.
    Required: Yes
    Type: String
    Pattern: arn:aws\S*:securityhub:\S
    Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the StandardsSubscriptionArn for the standard that you enable, such as
arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
StandardsSubscriptionArn
    The ARN of a resource that represents your subscription to a supported standard.
Examples
The following examples show how to declare an
AWS::SecurityHub::Standard resource.
Enabling a standard with all controls enabled
The following example enables the AWS Foundational Security Best Practices (FSBP) standard and all controls that apply to it.
JSON
{
  "Description": "Example template to enable a standard",
  "Resources": {
    "ExampleStandard": {
      "Type": "AWS::SecurityHub::Standard",
      "Properties": {
        "StandardsArn": {
          "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"
        }
      }
    }
  },
  "Outputs": {
    "StandardsSubscriptionArn": {
      "Value": {
        "Ref": "ExampleStandard"
      }
    }
  }
}
YAML
Description: Example template to enable a standard
Resources:
  ExampleStandard:
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0'
Outputs:
  StandardsSubscriptionArn:
    Value: !Ref ExampleStandard
Enabling a standard with some controls disabled
The following example enables the FSBP standard. The two controls listed under DisabledStandardsControls are disabled in this standard; every other control in the standard is enabled.
JSON
{
  "Description": "Example template to enable a standard",
  "Resources": {
    "ExampleStandardWithDisabledControls": {
      "Type": "AWS::SecurityHub::Standard",
      "Properties": {
        "StandardsArn": {
          "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"
        },
        "DisabledStandardsControls": [
          {
            "StandardsControlArn": {
              "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1"
            },
            "Reason": "Disabled reason text"
          },
          {
            "StandardsControlArn": {
              "Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2"
            },
            "Reason": "Disabled reason text"
          }
        ]
      }
    }
  },
  "Outputs": {
    "StandardsSubscriptionArn": {
      "Value": {
        "Ref": "ExampleStandardWithDisabledControls"
      }
    }
  }
}
YAML
Description: Example template to enable a standard
Resources:
  ExampleStandardWithDisabledControls:
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0'
      DisabledStandardsControls:
        - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1'
          Reason: 'Disabled reason text'
        - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2'
          Reason: 'Disabled reason text'
Outputs:
  StandardsSubscriptionArn:
    Value: !Ref ExampleStandardWithDisabledControls
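Checking templates like the ones above before deployment. The following is an added example written for this page, not AWS tooling and not part of the CloudFormation reference: an offline lint that applies the constraints from the Properties section (the StandardsArn pattern, the 100-entry maximum on DisabledStandardsControls, one resource per standard) and two consistency rules a reviewer wants before controls are switched off: every control ARN must belong to the standard the resource enables, and every disabled control must carry a non-empty Reason. The Reason rule is this lint's own policy, not a requirement stated on this page. The pseudo-parameter values (aws, us-east-1, 123456789012) and the control ARN under placeholder-standard in the second resource are assumptions chosen to exercise the checks; the sample template is constructed from the FSBP example above plus one deliberately faulty resource.

```python
"""Offline lint for AWS::SecurityHub::Standard resources in a CloudFormation template (added example)."""
from __future__ import annotations

import json
import re

RESOURCE_TYPE = "AWS::SecurityHub::Standard"
STANDARDS_ARN_RE = re.compile(r"arn:aws\S*:securityhub:\S")  # Pattern from the StandardsArn property
MAX_DISABLED_CONTROLS = 100  # Maximum from the DisabledStandardsControls property


def resolve_sub(value, pseudo: dict[str, str]):
    """Expand the string form of Fn::Sub using the pseudo-parameter values in `pseudo`; other values pass through."""
    if isinstance(value, dict) and isinstance(value.get("Fn::Sub"), str):
        # A KeyError here means the template uses a variable this lint was not given a value for.
        return re.sub(r"\$\{([^}]+)\}", lambda m: pseudo[m.group(1)], value["Fn::Sub"])
    return value


def standard_path(standards_arn: str) -> str:
    """Return the part after ':standards/', e.g. 'aws-foundational-security-best-practices/v/1.0.0'."""
    marker = ":standards/"
    idx = standards_arn.find(marker)
    if idx == -1:
        raise ValueError(f"not a standards ARN: {standards_arn}")
    return standards_arn[idx + len(marker):]


def expected_subscription_arn(standards_arn: str, region: str, account_id: str) -> str:
    """Build the StandardsSubscriptionArn that Ref returns, in the shape of the sample value on this page."""
    partition = standards_arn.split(":")[1]
    return f"arn:{partition}:securityhub:{region}:{account_id}:subscription/{standard_path(standards_arn)}"


def lint_template(template: dict, pseudo: dict[str, str]) -> list[str]:
    """Return findings for every Security Hub standard resource; an empty list means no problems found."""
    findings: list[str] = []
    seen_standards: dict[str, str] = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != RESOURCE_TYPE:
            continue
        props = res.get("Properties", {})
        arn = resolve_sub(props.get("StandardsArn"), pseudo)
        if not isinstance(arn, str) or not STANDARDS_ARN_RE.match(arn):
            findings.append(f"{logical_id}: StandardsArn missing or does not match {STANDARDS_ARN_RE.pattern}")
            continue
        path = standard_path(arn)
        # One resource per standard: a second resource for the same ARN is a template error.
        if path in seen_standards:
            findings.append(f"{logical_id}: duplicates standard already enabled by {seen_standards[path]}")
        seen_standards[path] = logical_id
        controls = props.get("DisabledStandardsControls", [])
        if len(controls) > MAX_DISABLED_CONTROLS:
            findings.append(f"{logical_id}: {len(controls)} disabled controls exceeds the maximum of {MAX_DISABLED_CONTROLS}")
        seen_controls: set[str] = set()
        for i, ctl in enumerate(controls):
            ctl_arn = resolve_sub(ctl.get("StandardsControlArn"), pseudo)
            if not isinstance(ctl_arn, str) or ":control/" not in ctl_arn:
                findings.append(f"{logical_id}[{i}]: StandardsControlArn missing or not a control ARN")
                continue
            ctl_path = ctl_arn.split(":control/", 1)[1]
            # A control ARN embeds its standard; it must be the standard this resource enables.
            if not ctl_path.startswith(path + "/"):
                findings.append(f"{logical_id}[{i}]: control {ctl_path} does not belong to standard {path}")
            if ctl_arn in seen_controls:
                findings.append(f"{logical_id}[{i}]: control {ctl_path} listed twice")
            seen_controls.add(ctl_arn)
            # Lint policy (assumption, not a requirement stated on this page): every disabled control
            # needs a Reason, because disabling removes coverage and the reason is the audit trail.
            reason = ctl.get("Reason")
            if not isinstance(reason, str) or not reason.strip():
                findings.append(f"{logical_id}[{i}]: control {ctl_path} disabled without a Reason")
    return findings


# Constructed sample: the FSBP example from this page, plus a resource with deliberate mistakes
# (same standard a second time, a control from a placeholder standard, and no Reason).
SAMPLE_TEMPLATE = json.loads(r"""
{"Resources": {
  "ExampleStandardWithDisabledControls": {"Type": "AWS::SecurityHub::Standard", "Properties": {
    "StandardsArn": {"Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"},
    "DisabledStandardsControls": [
      {"StandardsControlArn": {"Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.1"}, "Reason": "Disabled reason text"},
      {"StandardsControlArn": {"Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/APIGateway.2"}, "Reason": "Disabled reason text"}]}},
  "BrokenDuplicate": {"Type": "AWS::SecurityHub::Standard", "Properties": {
    "StandardsArn": {"Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"},
    "DisabledStandardsControls": [
      {"StandardsControlArn": {"Fn::Sub": "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/placeholder-standard/v/1.0.0/Example.1"}}]}}}}
""")
# Assumed pseudo-parameter values; they match the sample subscription ARN shown under Return values.
PSEUDO = {"AWS::Partition": "aws", "AWS::Region": "us-east-1", "AWS::AccountId": "123456789012"}

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE, PSEUDO):
        print(finding)
```

Run against the sample, the FSBP resource copied from this page produces no findings, and the faulty resource produces three: it duplicates a standard that the first resource already enables, its control ARN names a different standard, and the control is disabled without a Reason. expected_subscription_arn is included because the value Ref returns is derived entirely from the standard path, region and account, which lets a pipeline assert the output ARN before the stack exists. Because StandardsArn requires Replacement on update, changing it in a live stack deletes one subscription and creates another, so a lint that catches a wrong ARN before deployment avoids a gap in coverage.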