awscc_securityhub_standard (Resource)

The AWS::SecurityHub::Standard resource specifies the enablement of a security standard. The standard is identified by the StandardsArn property. To view a list of ASH standards and their Amazon Resource Names (ARNs), use the DescribeStandards API operation. You must create a separate AWS::SecurityHub::Standard resource for each standard that you want to enable. For more information about ASH standards, see standards reference in the User Guide.

Example Usage

A complete list of available standard ARNs can be found using the describe-standards CLI command.

AWS Foundational Security Best Practices v1.0.0

Enables the AWS Foundational Security Best Practices v1.0.0. This is a default standard.

data "aws_region" "current" {}

resource "aws_securityhub_account" "example" {
  enable_default_standards = false
}

resource "awscc_securityhub_standard" "foundational" {
  depends_on    = [aws_securityhub_account.example]
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
}

CIS AWS Foundations Benchmark v1.2.0

Enables the CIS AWS Foundations Benchmark v1.2.0. This is a default standard.

resource "aws_securityhub_account" "example" {
  enable_default_standards = false
}

resource "awscc_securityhub_standard" "cis_1_2" {
  depends_on    = [aws_securityhub_account.example]
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}

CIS AWS Foundations Benchmark v1.4.0

Enables the CIS AWS Foundations Benchmark v1.4.0 standard.

data "aws_region" "current" {}

resource "aws_securityhub_account" "example" {}

resource "awscc_securityhub_standard" "cis_1_4" {
  depends_on    = [aws_securityhub_account.example]
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"
}

NIST Special Publication 800-53 Revision 5

Enables the NIST Special Publication 800-53 Revision 5 standard.

data "aws_region" "current" {}

resource "aws_securityhub_account" "example" {}

resource "awscc_securityhub_standard" "nist" {
  depends_on    = [aws_securityhub_account.example]
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/nist-800-53/v/5.0.0"
}

PCI DSS v3.2.1

Enables the PCI DSS v3.2.1 standard.

data "aws_region" "current" {}

resource "aws_securityhub_account" "example" {}

resource "awscc_securityhub_standard" "pci_dss" {
  depends_on    = [aws_securityhub_account.example]
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
}

Disabling Controls

Enables the NIST Special Publication 800-53 Revision 5 standard with one of its controls disabled. See the AWS documentation for how to list control ARNs using the get-enabled-standards and describe-standards-controls CLI commands. The standard must first be enabled before you can use these commands.

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

resource "aws_securityhub_account" "example" {}

resource "awscc_securityhub_standard" "nist" {
  depends_on    = [aws_securityhub_account.example]
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/nist-800-53/v/5.0.0"

  disabled_standards_controls = [
    {
      standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/nist-800-53/v/5.0.0/SSM.3"
      reason                = "Not using SSM for system inventory"
    }
  ]
}
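As an added example (not part of the provider documentation), the pattern above generalized: several standards enabled from one map, each with its own set of disabled controls, for standards whose ARNs use the region-scoped standards/ form (the CIS v1.2.0 ruleset ARN shown earlier does not follow it). The standard paths come from the examples on this page; the control ID and reason in the map are illustrative and should be replaced with values taken from describe-standards-controls.

```hcl
data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

resource "aws_securityhub_account" "example" {
  # Opt out of the defaults so only the standards listed below are enabled.
  enable_default_standards = false
}

locals {
  # Key: path segment after "standards/" in the standard ARN.
  # Value: map of control ID => reason for disabling it (empty map = keep all controls).
  # The SSM.3 entry is illustrative; list real control ARNs with describe-standards-controls.
  standards = {
    "aws-foundational-security-best-practices/v/1.0.0" = {}
    "cis-aws-foundations-benchmark/v/1.4.0"            = {}
    "nist-800-53/v/5.0.0" = {
      "SSM.3" = "Not using SSM for system inventory"
    }
  }
}

resource "awscc_securityhub_standard" "enabled" {
  for_each   = local.standards
  depends_on = [aws_securityhub_account.example]

  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/${each.key}"

  # Control ARNs are account-scoped and reuse the standard's path segment
  # (e.g. control/nist-800-53/v/5.0.0/SSM.3). Omit the attribute entirely
  # when nothing is disabled rather than sending an empty list.
  disabled_standards_controls = length(each.value) == 0 ? null : [
    for control_id, reason in each.value : {
      standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/${each.key}/${control_id}"
      reason                = reason
    }
  ]
}
```

Adding a standard or suppressing a control then becomes a one-line change to the map, which keeps the enabled-standards baseline reviewable in one place.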

Schema

Required

Optional

Read-Only

Nested Schema for disabled_standards_controls

Required:

Optional:

Import

Import is supported using the following syntax:

$ terraform import awscc_securityhub_standard.example <resource ID>