Configuration Policy
    Manages Security Hub configuration policy
NOTE: This resource requires `aws.securityhub.OrganizationConfiguration` to be configured with type `CENTRAL`. More information about Security Hub central configuration and configuration policies can be found in the How Security Hub configuration policies work documentation.
Example Usage
Default standards enabled
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
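// Cross-Region finding aggregator; the organization configuration below
// declares an explicit dependency on it.
const example = new aws.securityhub.FindingAggregator("example", {linkingMode: "ALL_REGIONS"});
// Switch the organization to central configuration, which ConfigurationPolicy
// requires. Under CENTRAL, Security Hub expects autoEnable=false and
// autoEnableStandards="NONE"; enablement is driven by configuration policies.
const exampleOrganizationConfiguration = new aws.securityhub.OrganizationConfiguration("example", {
    autoEnable: false,
    autoEnableStandards: "NONE",
    organizationConfiguration: {
        configurationType: "CENTRAL",
    },
}, {
    dependsOn: [example],
});
// Policy that enables Security Hub with two standards. It is created only
// after central configuration is in place (dependsOn below).
const exampleConfigurationPolicy = new aws.securityhub.ConfigurationPolicy("example", {
    name: "Example",
    description: "This is an example configuration policy",
    configurationPolicy: {
        serviceEnabled: true,
        enabledStandardArns: [
            // NOTE(review): the Region segment is hard-coded to us-east-1;
            // confirm it matches the Region this policy is deployed in.
            "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        ],
        securityControlsConfiguration: {
            // Empty deny-list: no control is switched off, so every control
            // in the enabled standards is evaluated.
            disabledControlIdentifiers: [],
        },
    },
}, {
    dependsOn: [exampleOrganizationConfiguration],
});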
import pulumi
import pulumi_aws as aws
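# Cross-Region finding aggregator; the organization configuration below
# declares an explicit dependency on it.
example = aws.securityhub.FindingAggregator("example", linking_mode="ALL_REGIONS")
# Switch the organization to central configuration, which ConfigurationPolicy
# requires. Under CENTRAL, Security Hub expects auto_enable=False and
# auto_enable_standards="NONE"; enablement is driven by configuration policies.
example_organization_configuration = aws.securityhub.OrganizationConfiguration("example",
    auto_enable=False,
    auto_enable_standards="NONE",
    organization_configuration=aws.securityhub.OrganizationConfigurationOrganizationConfigurationArgs(
        configuration_type="CENTRAL",
    ),
    opts=pulumi.ResourceOptions(depends_on=[example]))
# Policy that enables Security Hub with two standards. It is created only
# after central configuration is in place (depends_on below).
example_configuration_policy = aws.securityhub.ConfigurationPolicy("example",
    name="Example",
    description="This is an example configuration policy",
    configuration_policy=aws.securityhub.ConfigurationPolicyConfigurationPolicyArgs(
        service_enabled=True,
        enabled_standard_arns=[
            # NOTE(review): the Region segment is hard-coded to us-east-1;
            # confirm it matches the Region this policy is deployed in.
            "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        ],
        security_controls_configuration=aws.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs(
            # Empty deny-list: no control is switched off, so every control
            # in the enabled standards is evaluated.
            disabled_control_identifiers=[],
        ),
    ),
    opts=pulumi.ResourceOptions(depends_on=[example_organization_configuration]))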
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
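// Declares the finding aggregator, the CENTRAL organization configuration and
// a configuration policy, in that dependency order.
return await Deployment.RunAsync(() =>
{
    // Cross-Region finding aggregator; the organization configuration below
    // declares an explicit dependency on it.
    var example = new Aws.SecurityHub.FindingAggregator("example", new()
    {
        LinkingMode = "ALL_REGIONS",
    });
    // Switch the organization to central configuration, which
    // ConfigurationPolicy requires. Under CENTRAL, Security Hub expects
    // AutoEnable=false and AutoEnableStandards="NONE".
    var exampleOrganizationConfiguration = new Aws.SecurityHub.OrganizationConfiguration("example", new()
    {
        AutoEnable = false,
        AutoEnableStandards = "NONE",
        OrganizationConfigurationDetails = new Aws.SecurityHub.Inputs.OrganizationConfigurationOrganizationConfigurationArgs
        {
            ConfigurationType = "CENTRAL",
        },
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            example,
        },
    });
    // Policy that enables Security Hub with two standards; created only after
    // central configuration is in place (DependsOn below).
    var exampleConfigurationPolicy = new Aws.SecurityHub.ConfigurationPolicy("example", new()
    {
        Name = "Example",
        Description = "This is an example configuration policy",
        ConfigurationPolicyDetails = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicyArgs
        {
            ServiceEnabled = true,
            EnabledStandardArns = new[]
            {
                // NOTE(review): the Region segment is hard-coded to us-east-1;
                // confirm it matches the Region this policy is deployed in.
                "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            },
            SecurityControlsConfiguration = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs
            {
                // Empty deny-list: no control is switched off, so every
                // control in the enabled standards is evaluated.
                DisabledControlIdentifiers = new() { },
            },
        },
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            exampleOrganizationConfiguration,
        },
    });
});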
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/securityhub"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
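// main declares the finding aggregator, the CENTRAL organization configuration
// and a configuration policy, in that dependency order.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Cross-Region finding aggregator; the organization configuration
		// below declares an explicit dependency on it.
		example, err := securityhub.NewFindingAggregator(ctx, "example", &securityhub.FindingAggregatorArgs{
			LinkingMode: pulumi.String("ALL_REGIONS"),
		})
		if err != nil {
			return err
		}
		// Switch the organization to central configuration, which
		// ConfigurationPolicy requires. Under CENTRAL, Security Hub expects
		// AutoEnable=false and AutoEnableStandards="NONE".
		exampleOrganizationConfiguration, err := securityhub.NewOrganizationConfiguration(ctx, "example", &securityhub.OrganizationConfigurationArgs{
			AutoEnable:          pulumi.Bool(false),
			AutoEnableStandards: pulumi.String("NONE"),
			OrganizationConfiguration: &securityhub.OrganizationConfigurationOrganizationConfigurationArgs{
				ConfigurationType: pulumi.String("CENTRAL"),
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			example,
		}))
		if err != nil {
			return err
		}
		// Policy that enables Security Hub with two standards; created only
		// after central configuration is in place (DependsOn below).
		_, err = securityhub.NewConfigurationPolicy(ctx, "example", &securityhub.ConfigurationPolicyArgs{
			Name:        pulumi.String("Example"),
			Description: pulumi.String("This is an example configuration policy"),
			ConfigurationPolicy: &securityhub.ConfigurationPolicyConfigurationPolicyArgs{
				ServiceEnabled: pulumi.Bool(true),
				EnabledStandardArns: pulumi.StringArray{
					// NOTE(review): the Region segment is hard-coded to
					// us-east-1; confirm it matches the deployment Region.
					pulumi.String("arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"),
					pulumi.String("arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"),
				},
				SecurityControlsConfiguration: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs{
					// Empty deny-list: no control is switched off, so every
					// control in the enabled standards is evaluated.
					DisabledControlIdentifiers: pulumi.StringArray{},
				},
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			exampleOrganizationConfiguration,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}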
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.securityhub.FindingAggregator;
import com.pulumi.aws.securityhub.FindingAggregatorArgs;
import com.pulumi.aws.securityhub.OrganizationConfiguration;
import com.pulumi.aws.securityhub.OrganizationConfigurationArgs;
import com.pulumi.aws.securityhub.inputs.OrganizationConfigurationOrganizationConfigurationArgs;
import com.pulumi.aws.securityhub.ConfigurationPolicy;
import com.pulumi.aws.securityhub.ConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
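/**
 * Declares the finding aggregator, the CENTRAL organization configuration and
 * a configuration policy, in that dependency order.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    /** Registers the three Security Hub resources with the Pulumi context. */
    public static void stack(Context ctx) {
        // Cross-Region finding aggregator; the organization configuration
        // below declares an explicit dependency on it.
        var example = new FindingAggregator("example", FindingAggregatorArgs.builder()
            .linkingMode("ALL_REGIONS")
            .build());
        // Switch the organization to central configuration, which
        // ConfigurationPolicy requires. Under CENTRAL, Security Hub expects
        // autoEnable=false and autoEnableStandards="NONE".
        var exampleOrganizationConfiguration = new OrganizationConfiguration("exampleOrganizationConfiguration", OrganizationConfigurationArgs.builder()
            .autoEnable(false)
            .autoEnableStandards("NONE")
            .organizationConfiguration(OrganizationConfigurationOrganizationConfigurationArgs.builder()
                .configurationType("CENTRAL")
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(example)
                .build());
        // Policy that enables Security Hub with two standards; created only
        // after central configuration is in place (dependsOn below).
        var exampleConfigurationPolicy = new ConfigurationPolicy("exampleConfigurationPolicy", ConfigurationPolicyArgs.builder()
            .name("Example")
            .description("This is an example configuration policy")
            .configurationPolicy(ConfigurationPolicyConfigurationPolicyArgs.builder()
                .serviceEnabled(true)
                // NOTE(review): the first ARN hard-codes us-east-1; confirm it
                // matches the Region this policy is deployed in.
                .enabledStandardArns(
                    "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                    "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0")
                .securityControlsConfiguration(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs.builder()
                    // Empty deny-list: no control is switched off, so every
                    // control in the enabled standards is evaluated.
                    .disabledControlIdentifiers()
                    .build())
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(exampleOrganizationConfiguration)
                .build());
    }
}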
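resources:
  # Cross-Region finding aggregator; the organization configuration below
  # declares an explicit dependency on it.
  example:
    type: aws:securityhub:FindingAggregator
    properties:
      linkingMode: ALL_REGIONS
  # Central configuration, which ConfigurationPolicy requires. Under CENTRAL,
  # Security Hub expects autoEnable=false and autoEnableStandards=NONE.
  exampleOrganizationConfiguration:
    type: aws:securityhub:OrganizationConfiguration
    name: example
    properties:
      autoEnable: false
      autoEnableStandards: NONE
      organizationConfiguration:
        configurationType: CENTRAL
    options:
      # The resource option is spelled dependsOn; the lower-case form does not
      # express the ordering.
      dependsOn:
        - ${example}
  # Policy that enables Security Hub with two standards; created only after
  # central configuration is in place.
  exampleConfigurationPolicy:
    type: aws:securityhub:ConfigurationPolicy
    name: example
    properties:
      name: Example
      description: This is an example configuration policy
      configurationPolicy:
        serviceEnabled: true
        enabledStandardArns:
          # NOTE(review): the Region segment is hard-coded to us-east-1;
          # confirm it matches the Region this policy is deployed in.
          - arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0
          - arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0
        securityControlsConfiguration:
          # Empty deny-list: no control is switched off, so every control in
          # the enabled standards is evaluated.
          disabledControlIdentifiers: []
    options:
      dependsOn:
        - ${exampleOrganizationConfiguration}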
Disabled Policy
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
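// A policy with serviceEnabled=false turns Security Hub off in every account
// or OU it is associated with, so scope and review its associations.
// NOTE(review): `example` is not declared in this snippet. This resource needs
// the CENTRAL organization configuration, so the dependency should presumably
// point at that resource — confirm.
const disabled = new aws.securityhub.ConfigurationPolicy("disabled", {
    name: "Disabled",
    description: "This is an example of disabled configuration policy",
    configurationPolicy: {
        serviceEnabled: false,
    },
}, {
    dependsOn: [example],
});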
import pulumi
import pulumi_aws as aws
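# A policy with service_enabled=False turns Security Hub off in every account
# or OU it is associated with, so scope and review its associations.
# NOTE(review): `example` is not declared in this snippet. This resource needs
# the CENTRAL organization configuration, so the dependency should presumably
# point at that resource — confirm.
disabled = aws.securityhub.ConfigurationPolicy("disabled",
    name="Disabled",
    description="This is an example of disabled configuration policy",
    configuration_policy=aws.securityhub.ConfigurationPolicyConfigurationPolicyArgs(
        service_enabled=False,
    ),
    opts=pulumi.ResourceOptions(depends_on=[example]))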
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
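// Declares a configuration policy that disables Security Hub.
return await Deployment.RunAsync(() =>
{
    // ServiceEnabled=false turns Security Hub off in every account or OU the
    // policy is associated with, so scope and review its associations.
    // NOTE(review): `example` is not declared in this snippet. This resource
    // needs the CENTRAL organization configuration, so the dependency should
    // presumably point at that resource — confirm.
    var disabled = new Aws.SecurityHub.ConfigurationPolicy("disabled", new()
    {
        Name = "Disabled",
        Description = "This is an example of disabled configuration policy",
        ConfigurationPolicyDetails = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicyArgs
        {
            ServiceEnabled = false,
        },
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            example,
        },
    });
});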
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/securityhub"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
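// main declares a configuration policy that disables Security Hub.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// ServiceEnabled=false turns Security Hub off in every account or OU
		// the policy is associated with, so scope and review its associations.
		// NOTE(review): `example` is not declared in this snippet. This
		// resource needs the CENTRAL organization configuration, so the
		// dependency should presumably point at that resource — confirm.
		_, err := securityhub.NewConfigurationPolicy(ctx, "disabled", &securityhub.ConfigurationPolicyArgs{
			Name:        pulumi.String("Disabled"),
			Description: pulumi.String("This is an example of disabled configuration policy"),
			ConfigurationPolicy: &securityhub.ConfigurationPolicyConfigurationPolicyArgs{
				ServiceEnabled: pulumi.Bool(false),
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			example,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}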
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.securityhub.ConfigurationPolicy;
import com.pulumi.aws.securityhub.ConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicyArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
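/** Declares a configuration policy that disables Security Hub. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    /** Registers the disabled configuration policy with the Pulumi context. */
    public static void stack(Context ctx) {
        // serviceEnabled(false) turns Security Hub off in every account or OU
        // the policy is associated with, so scope and review its associations.
        // NOTE(review): `example` is not declared in this snippet. This
        // resource needs the CENTRAL organization configuration, so the
        // dependency should presumably point at that resource — confirm.
        var disabled = new ConfigurationPolicy("disabled", ConfigurationPolicyArgs.builder()
            .name("Disabled")
            .description("This is an example of disabled configuration policy")
            .configurationPolicy(ConfigurationPolicyConfigurationPolicyArgs.builder()
                .serviceEnabled(false)
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(example)
                .build());
    }
}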
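resources:
  # serviceEnabled: false turns Security Hub off in every account or OU the
  # policy is associated with, so scope and review its associations.
  disabled:
    type: aws:securityhub:ConfigurationPolicy
    properties:
      name: Disabled
      description: This is an example of disabled configuration policy
      configurationPolicy:
        serviceEnabled: false
    options:
      # The resource option is spelled dependsOn; the lower-case form does not
      # express the ordering.
      # NOTE(review): `example` is not declared in this snippet. This resource
      # needs the CENTRAL organization configuration, so the dependency should
      # presumably point at that resource — confirm.
      dependsOn:
        - ${example}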
Custom Control Configuration
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
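// Policy with an explicit control allow-list and per-control parameters.
// NOTE(review): the variable and logical name "disabled" are carried over from
// the previous example; this policy keeps Security Hub enabled.
// NOTE(review): `example` is not declared in this snippet. This resource needs
// the CENTRAL organization configuration, so the dependency should presumably
// point at that resource — confirm.
const disabled = new aws.securityhub.ConfigurationPolicy("disabled", {
    name: "Custom Controls",
    description: "This is an example of configuration policy with custom control settings",
    configurationPolicy: {
        serviceEnabled: true,
        enabledStandardArns: [
            "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        ],
        securityControlsConfiguration: {
            // Allow-list semantics: Security Hub disables every control not
            // named here, including newly released ones. Only these two
            // controls are evaluated; use disabledControlIdentifiers instead
            // to keep the rest of the standards active.
            enabledControlIdentifiers: [
                "APIGateway.1",
                "IAM.7",
            ],
            securityControlCustomParameters: [
                {
                    securityControlId: "APIGateway.1",
                    parameters: [{
                        name: "loggingLevel",
                        valueType: "CUSTOM",
                        "enum": {
                            value: "INFO",
                        },
                    }],
                },
                {
                    securityControlId: "IAM.7",
                    parameters: [
                        {
                            // Relaxes the IAM.7 password-policy check: a policy
                            // without a lowercase requirement will still pass.
                            // Treat as a documented exception, not a default.
                            name: "RequireLowercaseCharacters",
                            valueType: "CUSTOM",
                            bool: {
                                value: false,
                            },
                        },
                        {
                            name: "MaxPasswordAge",
                            valueType: "CUSTOM",
                            int: {
                                value: 60,
                            },
                        },
                    ],
                },
            ],
        },
    },
}, {
    dependsOn: [example],
});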
import pulumi
import pulumi_aws as aws
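# Policy with an explicit control allow-list and per-control parameters.
# NOTE(review): the variable and logical name "disabled" are carried over from
# the previous example; this policy keeps Security Hub enabled.
# NOTE(review): `example` is not declared in this snippet. This resource needs
# the CENTRAL organization configuration, so the dependency should presumably
# point at that resource — confirm.
disabled = aws.securityhub.ConfigurationPolicy("disabled",
    name="Custom Controls",
    description="This is an example of configuration policy with custom control settings",
    configuration_policy=aws.securityhub.ConfigurationPolicyConfigurationPolicyArgs(
        service_enabled=True,
        enabled_standard_arns=[
            "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        ],
        security_controls_configuration=aws.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs(
            # Allow-list semantics: Security Hub disables every control not
            # named here, including newly released ones. Only these two
            # controls are evaluated; use disabled_control_identifiers instead
            # to keep the rest of the standards active.
            enabled_control_identifiers=[
                "APIGateway.1",
                "IAM.7",
            ],
            security_control_custom_parameters=[
                aws.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs(
                    security_control_id="APIGateway.1",
                    parameters=[aws.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs(
                        name="loggingLevel",
                        value_type="CUSTOM",
                        enum=aws.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumArgs(
                            value="INFO",
                        ),
                    )],
                ),
                aws.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs(
                    security_control_id="IAM.7",
                    parameters=[
                        # Relaxes the IAM.7 password-policy check: a policy
                        # without a lowercase requirement will still pass.
                        # Treat as a documented exception, not a default.
                        aws.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs(
                            name="RequireLowercaseCharacters",
                            value_type="CUSTOM",
                            bool=aws.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBoolArgs(
                                value=False,
                            ),
                        ),
                        aws.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs(
                            name="MaxPasswordAge",
                            value_type="CUSTOM",
                            int=aws.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntArgs(
                                value=60,
                            ),
                        ),
                    ],
                ),
            ],
        ),
    ),
    opts=pulumi.ResourceOptions(depends_on=[example]))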
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
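// Declares a policy with an explicit control allow-list and per-control
// parameters.
return await Deployment.RunAsync(() =>
{
    // NOTE(review): the variable and logical name "disabled" are carried over
    // from the previous example; this policy keeps Security Hub enabled.
    // NOTE(review): `example` is not declared in this snippet. This resource
    // needs the CENTRAL organization configuration, so the dependency should
    // presumably point at that resource — confirm.
    var disabled = new Aws.SecurityHub.ConfigurationPolicy("disabled", new()
    {
        Name = "Custom Controls",
        Description = "This is an example of configuration policy with custom control settings",
        ConfigurationPolicyDetails = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicyArgs
        {
            ServiceEnabled = true,
            EnabledStandardArns = new[]
            {
                "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            },
            SecurityControlsConfiguration = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs
            {
                // Allow-list semantics: Security Hub disables every control
                // not named here, including newly released ones. Only these
                // two controls are evaluated; use DisabledControlIdentifiers
                // instead to keep the rest of the standards active.
                EnabledControlIdentifiers = new[]
                {
                    "APIGateway.1",
                    "IAM.7",
                },
                SecurityControlCustomParameters = new[]
                {
                    new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs
                    {
                        SecurityControlId = "APIGateway.1",
                        Parameters = new[]
                        {
                            new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs
                            {
                                Name = "loggingLevel",
                                ValueType = "CUSTOM",
                                Enum = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumArgs
                                {
                                    Value = "INFO",
                                },
                            },
                        },
                    },
                    new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs
                    {
                        SecurityControlId = "IAM.7",
                        Parameters = new[]
                        {
                            // Relaxes the IAM.7 password-policy check: a policy
                            // without a lowercase requirement will still pass.
                            // Treat as a documented exception, not a default.
                            new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs
                            {
                                Name = "RequireLowercaseCharacters",
                                ValueType = "CUSTOM",
                                Bool = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBoolArgs
                                {
                                    Value = false,
                                },
                            },
                            new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs
                            {
                                Name = "MaxPasswordAge",
                                ValueType = "CUSTOM",
                                Int = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntArgs
                                {
                                    Value = 60,
                                },
                            },
                        },
                    },
                },
            },
        },
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            example,
        },
    });
});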
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/securityhub"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
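// main declares a policy with an explicit control allow-list and per-control
// parameters.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): the logical name "disabled" is carried over from the
		// previous example; this policy keeps Security Hub enabled.
		// NOTE(review): `example` is not declared in this snippet. This
		// resource needs the CENTRAL organization configuration, so the
		// dependency should presumably point at that resource — confirm.
		_, err := securityhub.NewConfigurationPolicy(ctx, "disabled", &securityhub.ConfigurationPolicyArgs{
			Name:        pulumi.String("Custom Controls"),
			Description: pulumi.String("This is an example of configuration policy with custom control settings"),
			ConfigurationPolicy: &securityhub.ConfigurationPolicyConfigurationPolicyArgs{
				ServiceEnabled: pulumi.Bool(true),
				EnabledStandardArns: pulumi.StringArray{
					pulumi.String("arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"),
					pulumi.String("arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"),
				},
				SecurityControlsConfiguration: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs{
					// Allow-list semantics: Security Hub disables every
					// control not named here, including newly released ones.
					// Only these two controls are evaluated; use
					// DisabledControlIdentifiers instead to keep the rest of
					// the standards active.
					EnabledControlIdentifiers: pulumi.StringArray{
						pulumi.String("APIGateway.1"),
						pulumi.String("IAM.7"),
					},
					SecurityControlCustomParameters: securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArray{
						&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs{
							SecurityControlId: pulumi.String("APIGateway.1"),
							Parameters: securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArray{
								&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs{
									Name:      pulumi.String("loggingLevel"),
									ValueType: pulumi.String("CUSTOM"),
									Enum: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumArgs{
										Value: pulumi.String("INFO"),
									},
								},
							},
						},
						&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs{
							SecurityControlId: pulumi.String("IAM.7"),
							Parameters: securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArray{
								// Relaxes the IAM.7 password-policy check: a
								// policy without a lowercase requirement will
								// still pass. Treat as a documented exception.
								&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs{
									Name:      pulumi.String("RequireLowercaseCharacters"),
									ValueType: pulumi.String("CUSTOM"),
									Bool: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBoolArgs{
										Value: pulumi.Bool(false),
									},
								},
								&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs{
									Name:      pulumi.String("MaxPasswordAge"),
									ValueType: pulumi.String("CUSTOM"),
									Int: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntArgs{
										Value: pulumi.Int(60),
									},
								},
							},
						},
					},
				},
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			example,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}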
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.securityhub.ConfigurationPolicy;
import com.pulumi.aws.securityhub.ConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
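/**
 * Declares a policy with an explicit control allow-list and per-control
 * parameters.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    /** Registers the custom-controls configuration policy with the Pulumi context. */
    public static void stack(Context ctx) {
        // NOTE(review): the variable and logical name "disabled" are carried
        // over from the previous example; this policy keeps Security Hub enabled.
        // NOTE(review): `example` is not declared in this snippet. This
        // resource needs the CENTRAL organization configuration, so the
        // dependency should presumably point at that resource — confirm.
        var disabled = new ConfigurationPolicy("disabled", ConfigurationPolicyArgs.builder()
            .name("Custom Controls")
            .description("This is an example of configuration policy with custom control settings")
            .configurationPolicy(ConfigurationPolicyConfigurationPolicyArgs.builder()
                .serviceEnabled(true)
                .enabledStandardArns(
                    "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                    "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0")
                .securityControlsConfiguration(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs.builder()
                    // Allow-list semantics: Security Hub disables every
                    // control not named here, including newly released ones.
                    // Only these two controls are evaluated; use
                    // disabledControlIdentifiers instead to keep the rest of
                    // the standards active.
                    .enabledControlIdentifiers(
                        "APIGateway.1",
                        "IAM.7")
                    .securityControlCustomParameters(
                        ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs.builder()
                            .securityControlId("APIGateway.1")
                            .parameters(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs.builder()
                                .name("loggingLevel")
                                .valueType("CUSTOM")
                                .enum_(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumArgs.builder()
                                    .value("INFO")
                                    .build())
                                .build())
                            .build(),
                        ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs.builder()
                            .securityControlId("IAM.7")
                            .parameters(
                                // Relaxes the IAM.7 password-policy check: a
                                // policy without a lowercase requirement will
                                // still pass. Treat as a documented exception.
                                ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs.builder()
                                    .name("RequireLowercaseCharacters")
                                    .valueType("CUSTOM")
                                    .bool(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBoolArgs.builder()
                                        .value(false)
                                        .build())
                                    .build(),
                                ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs.builder()
                                    .name("MaxPasswordAge")
                                    .valueType("CUSTOM")
                                    .int_(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntArgs.builder()
                                        .value(60)
                                        .build())
                                    .build())
                            .build())
                    .build())
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(example)
                .build());
    }
}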
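resources:
  # Policy with an explicit control allow-list and per-control parameters.
  # NOTE(review): the logical name "disabled" is carried over from the previous
  # example; this policy keeps Security Hub enabled.
  disabled:
    type: aws:securityhub:ConfigurationPolicy
    properties:
      name: Custom Controls
      description: This is an example of configuration policy with custom control settings
      configurationPolicy:
        serviceEnabled: true
        enabledStandardArns:
          - arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0
          - arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0
        securityControlsConfiguration:
          # Allow-list semantics: Security Hub disables every control not named
          # here, including newly released ones. Only these two controls are
          # evaluated; use disabledControlIdentifiers instead to keep the rest
          # of the standards active.
          enabledControlIdentifiers:
            - APIGateway.1
            - IAM.7
          securityControlCustomParameters:
            - securityControlId: APIGateway.1
              parameters:
                - name: loggingLevel
                  valueType: CUSTOM
                  enum:
                    value: INFO
            - securityControlId: IAM.7
              parameters:
                # Relaxes the IAM.7 password-policy check: a policy without a
                # lowercase requirement will still pass. Treat as a documented
                # exception, not a default.
                - name: RequireLowercaseCharacters
                  valueType: CUSTOM
                  bool:
                    value: false
                - name: MaxPasswordAge
                  valueType: CUSTOM
                  int:
                    value: 60
    options:
      # The resource option is spelled dependsOn; the lower-case form does not
      # express the ordering.
      # NOTE(review): `example` is not declared in this snippet. This resource
      # needs the CENTRAL organization configuration, so the dependency should
      # presumably point at that resource — confirm.
      dependsOn:
        - ${example}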
Import
Using `pulumi import`, import an existing Security Hub configuration policy using the universally unique identifier (UUID) of the policy. For example:
$ pulumi import aws:securityhub/configurationPolicy:ConfigurationPolicy example "00000000-1111-2222-3333-444444444444"