AWS::SecurityHub::AutomationRule StringFilter
A string filter for filtering AWS Security Hub findings.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Comparison" :
String
, "Value" :String
}
YAML
Comparison:
String
Value:String
Properties
Comparison
-
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
-
To search for values that include the filter value, use
CONTAINS
. For example, the filterTitle CONTAINS CloudFront
matches findings that have aTitle
that includes the string CloudFront. -
To search for values that exactly match the filter value, use
EQUALS
. For example, the filterAwsAccountId EQUALS 123456789012
only matches findings that have an account ID of123456789012
. -
To search for values that start with the filter value, use
PREFIX
. For example, the filterResourceRegion PREFIX us
matches findings that have aResourceRegion
that starts withus
. AResourceRegion
that starts with a different value, such asaf
,ap
, orca
, doesn't match.
CONTAINS
,EQUALS
, andPREFIX
filters on the same field are joined byOR
. A finding matches if it matches any one of those filters. For example, the filtersTitle CONTAINS CloudFront OR Title CONTAINS CloudWatch
match a finding that includes eitherCloudFront
,CloudWatch
, or both strings in the title.To search for values that don’t have the filter value, use one of the following comparison operators:
-
To search for values that exclude the filter value, use
NOT_CONTAINS
. For example, the filterTitle NOT_CONTAINS CloudFront
matches findings that have aTitle
that excludes the string CloudFront. -
To search for values other than the filter value, use
NOT_EQUALS
. For example, the filterAwsAccountId NOT_EQUALS 123456789012
only matches findings that have an account ID other than123456789012
. -
To search for values that don't start with the filter value, use
PREFIX_NOT_EQUALS
. For example, the filterResourceRegion PREFIX_NOT_EQUALS us
matches findings with aResourceRegion
that starts with a value other thanus
.
NOT_CONTAINS
,NOT_EQUALS
, andPREFIX_NOT_EQUALS
filters on the same field are joined byAND
. A finding matches only if it matches all of those filters. For example, the filtersTitle NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch
match a finding that excludes bothCloudFront
andCloudWatch
in the title.You can’t have both a
CONTAINS
filter and aNOT_CONTAINS
filter on the same field. Similarly, you can't provide both anEQUALS
filter and aNOT_EQUALS
orPREFIX_NOT_EQUALS
filter on the same field. Combining filters in this way returns an error.CONTAINS
filters can only be used with otherCONTAINS
filters.NOT_CONTAINS
filters can only be used with otherNOT_CONTAINS
filters.You can combine
PREFIX
filters withNOT_EQUALS
orPREFIX_NOT_EQUALS
filters for the same field. Security Hub first processes thePREFIX
filters, and then theNOT_EQUALS
orPREFIX_NOT_EQUALS
filters.For example, for the following filters, Security Hub first identifies findings that have resource types that start with either
AwsIam
orAwsEc2
. It then excludes findings that have a resource type ofAwsIamPolicy
and findings that have a resource type ofAwsEc2NetworkInterface
.-
ResourceType PREFIX AwsIam
-
ResourceType PREFIX AwsEc2
-
ResourceType NOT_EQUALS AwsIamPolicy
-
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS
andNOT_CONTAINS
operators can be used only with automation rules. For more information, see Automation rules in the AWS Security Hub User Guide.Required: Yes
Type: String
Allowed values:
EQUALS | PREFIX | NOT_EQUALS | PREFIX_NOT_EQUALS | CONTAINS | NOT_CONTAINS
Update requires: No interruption
-
Value
-
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is
Security Hub
. If you providesecurity hub
as the filter value, there's no match.Required: Yes
Type: String
Pattern:
.*\S.*
Update requires: No interruption