The AWS::SecurityHub::Standard resource specifies the enablement of a security standard. The standard is identified by the StandardsArn property. To view a list of ASH standards and their Amazon Resource Names (ARNs), use the DescribeStandards API operation. You must create a separate AWS::SecurityHub::Standard resource for each standard that you want to enable. For more information about ASH standards, see the standards reference in the User Guide.

A complete list of available standard ARNs can be found using the describe-standards CLI command.
Enables the AWS Foundational Security Best Practices v1.0.0. This is a default standard.
```terraform
data "aws_region" "current" {}

resource "aws_securityhub_account" "example" {
  enable_default_standards = false
}

resource "awscc_securityhub_standard" "foundational" {
  depends_on = [aws_securityhub_account.example]

  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
}
```
Enables the CIS AWS Foundations Benchmark v1.2.0. This is a default standard.

```terraform
resource "aws_securityhub_account" "example" {
  enable_default_standards = false
}

resource "awscc_securityhub_standard" "cis_1_2" {
  depends_on = [aws_securityhub_account.example]

  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}
```
Enables the CIS AWS Foundations Benchmark v1.4.0 standard.
```terraform
data "aws_region" "current" {}

resource "aws_securityhub_account" "example" {}

resource "awscc_securityhub_standard" "cis_1_4" {
  depends_on = [aws_securityhub_account.example]

  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"
}
```
Enables the NIST Special Publication 800-53 Revision 5 standard.
```terraform
data "aws_region" "current" {}

resource "aws_securityhub_account" "example" {}

resource "awscc_securityhub_standard" "nist" {
  depends_on = [aws_securityhub_account.example]

  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/nist-800-53/v/5.0.0"
}
```
Enables the PCI DSS v3.2.1 standard.
```terraform
data "aws_region" "current" {}

resource "aws_securityhub_account" "example" {}

resource "awscc_securityhub_standard" "pci_dss" {
  depends_on = [aws_securityhub_account.example]

  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
}
```
Enables the NIST Special Publication 800-53 Revision 5 standard with one of its controls disabled. See the AWS documentation for how to list control ARNs using the get-enabled-standards and describe-standards-controls CLI commands. The standard must be enabled before you can use these commands.
```terraform
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_securityhub_account" "example" {}

resource "awscc_securityhub_standard" "nist" {
  depends_on = [aws_securityhub_account.example]

  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/nist-800-53/v/5.0.0"

  disabled_standards_controls = [
    {
      standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/nist-800-53/v/5.0.0/SSM.3"
      reason                = "Not using SSM for system inventory"
    }
  ]
}
```
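The examples above create one resource per standard by hand. The following added example (not from the provider documentation) generalizes them: one map drives a `for_each` so each standard is still its own awscc_securityhub_standard resource, default standards are switched off so this configuration is the only thing subscribing standards, and per-standard control disablement reuses the control ARN form from the NIST example. The map keys, the disabled control and its reason are constructed for illustration.

```terraform
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  # Standard ARN path segments, taken from the examples on this page.
  # CIS v1.2.0 is left out: it uses the global "ruleset/..." ARN form
  # shown above, not the regional "standards/..." form built here.
  standards = {
    fsbp    = "aws-foundational-security-best-practices/v/1.0.0"
    cis_1_4 = "cis-aws-foundations-benchmark/v/1.4.0"
    nist    = "nist-800-53/v/5.0.0"
  }

  # Controls to disable, keyed by the standard above. Control ID and
  # reason are constructed for this example; a reason is required when
  # a control is disabled.
  disabled_controls = {
    nist = [
      { control = "SSM.3", reason = "Not using SSM for system inventory" },
    ]
  }
}

# Turn off automatic default standards so that the resources below are
# the only thing subscribing standards; the defaults (FSBP, CIS v1.2.0)
# would otherwise be enabled outside this state and clash with them.
resource "aws_securityhub_account" "example" {
  enable_default_standards = false
}

# One awscc_securityhub_standard resource per map key, as the resource
# requires, without repeating the block for every standard.
resource "awscc_securityhub_standard" "managed" {
  for_each   = local.standards
  depends_on = [aws_securityhub_account.example]

  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/${each.value}"

  # Control ARNs follow the form shown in the NIST example above:
  # arn:aws:securityhub:<region>:<account>:control/<standard path>/<control ID>
  # Standards with nothing to disable leave the attribute unset.
  disabled_standards_controls = length(lookup(local.disabled_controls, each.key, [])) == 0 ? null : [
    for c in local.disabled_controls[each.key] : {
      standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/${each.value}/${c.control}"
      reason                = c.reason
    }
  ]
}
```

Adding a standard is then a one-line change to `local.standards`, and removing a key destroys only that standard's subscription.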
Required:

- `standards_arn` (String) The ARN of the standard that you want to enable. To view a list of available ASH standards and their ARNs, use the DescribeStandards API operation.

Optional:

- `disabled_standards_controls` (Attributes List) Specifies which controls are to be disabled in a standard. Maximum: 100 (see below for nested schema)

Read-Only:

- `id` (String) Uniquely identifies the resource.
- `standards_subscription_arn` (String)

Nested schema for `disabled_standards_controls`:

Required:

- `standards_control_arn` (String) The Amazon Resource Name (ARN) of the control.

Optional:

- `reason` (String) A user-defined reason for changing a control's enablement status in a specified standard. If you are disabling a control, then this property is required.

Import is supported using the following syntax:

```shell
$ terraform import awscc_securityhub_standard.example <resource ID>
```