Terraform resource for managing an AWS Security Hub Automation Rule.
```terraform
resource "aws_securityhub_automation_rule" "example" {
  description = "Elevate finding severity to CRITICAL when specific resources such as an S3 bucket is at risk"
  rule_name   = "Elevate severity of findings that relate to important resources"
  rule_order  = 1

  actions {
    finding_fields_update {
      severity {
        label   = "CRITICAL"
        product = "0.0"
      }
      note {
        text       = "This is a critical resource. Please review ASAP."
        updated_by = "sechub-automation"
      }
      types = ["Software and Configuration Checks/Industry and Regulatory Standards"]
      user_defined_fields = {
        key = "value"
      }
    }
    type = "FINDING_FIELDS_UPDATE"
  }

  criteria {
    resource_id {
      comparison = "EQUALS"
      value      = "arn:aws:s3:::examplebucket/*"
    }
  }
}
```
This resource supports the following arguments:

- `actions` - (Required) A block that specifies one or more actions to update finding fields if a finding matches the conditions specified in `criteria`. Documented below.
- `criteria` - (Required) A block that specifies a set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. Documented below.
- `description` - (Required) The description of the rule.
- `is_terminal` - (Optional) Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. Defaults to `false`.
- `rule_name` - (Required) The name of the rule.
- `rule_order` - (Required) An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.
- `rule_status` - (Optional) Whether the rule is active after it is created.
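The interaction of `rule_order` and `is_terminal` is easiest to see with two rules. The following is an added example, not the provider's own documentation: the first rule is terminal, so a finding it matches is never evaluated by the second rule. The account ID in the second rule is a constructed placeholder.

```terraform
# Added example (not the provider's own): rule 1 is terminal, so findings it matches never reach rule 2.
resource "aws_securityhub_automation_rule" "prod_escalation" {
  rule_name   = "Escalate HIGH findings on production resources"
  description = "Raise HIGH findings on resources tagged Environment=prod to CRITICAL and notify"
  rule_order  = 1
  is_terminal = true
  criteria {
    severity_label {
      comparison = "EQUALS"
      value      = "HIGH"
    }
    resource_tags { # map filter: both key and value must match
      comparison = "EQUALS"
      key        = "Environment"
      value      = "prod"
    }
  }
  actions {
    type = "FINDING_FIELDS_UPDATE"
    finding_fields_update {
      severity { label = "CRITICAL" }
      workflow { status = "NOTIFIED" }
      note {
        text       = "Production resource affected; escalated automatically."
        updated_by = "sechub-automation"
      }
    }
  }
}
# Rule 2 only sees findings that rule 1 did not terminate.
resource "aws_securityhub_automation_rule" "sandbox_suppress" {
  rule_name   = "Suppress informational findings in sandbox"
  description = "Mark INFORMATIONAL findings from the sandbox account as SUPPRESSED"
  rule_order  = 2
  criteria {
    aws_account_id { # constructed placeholder account ID
      comparison = "EQUALS"
      value      = "111111111111"
    }
    severity_label {
      comparison = "EQUALS"
      value      = "INFORMATIONAL"
    }
  }
  actions {
    type = "FINDING_FIELDS_UPDATE"
    finding_fields_update {
      workflow { status = "SUPPRESSED" }
    }
  }
}
```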
The `actions` configuration block supports the following attributes:

- `finding_fields_update` - (Optional) A block that specifies that the automation rule action is an update to a finding field. Documented below.
- `type` - (Optional) Specifies that the rule action should update the `Types` finding field. The `Types` finding field classifies findings in the format of `namespace/category/classifier`.
The `criteria` configuration block supports the following attributes:

- `aws_account_id` - (Optional) The AWS account ID in which a finding was generated. Documented below.
- `aws_account_name` - (Optional) The name of the AWS account in which a finding was generated. Documented below.
- `company_name` - (Optional) The name of the company for the product that generated the finding. For control-based findings, the company is AWS. Documented below.
- `compliance_associated_standards_id` - (Optional) The unique identifier of a standard in which a control is enabled. Documented below.
- `compliance_security_control_id` - (Optional) The security control ID for which a finding was generated. Security control IDs are the same across standards. Documented below.
- `compliance_status` - (Optional) The result of a security check. This field is only used for findings generated from controls. Documented below.
- `confidence` - (Optional) The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0–100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. Documented below.
- `created_at` - (Optional) A timestamp that indicates when this finding record was created. Documented below.
- `criticality` - (Optional) The level of importance that is assigned to the resources that are associated with a finding. Documented below.
- `description` - (Optional) A finding's description. Documented below.
- `first_observed_at` - (Optional) A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product. Documented below.
- `generator_id` - (Optional) The identifier for the solution-specific component that generated a finding. Documented below.
- `id` - (Optional) The product-specific identifier for a finding. Documented below.
- `last_observed_at` - (Optional) A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product. Documented below.
- `note_text` - (Optional) The text of a user-defined note that's added to a finding. Documented below.
- `note_updated_at` - (Optional) The timestamp of when the note was updated. Documented below.
- `note_updated_by` - (Optional) The principal that created a note. Documented below.
- `product_arn` - (Optional) The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub. Documented below.
- `product_name` - (Optional) Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub. Documented below.
- `record_state` - (Optional) Provides the current state of a finding. Documented below.
- `related_findings_id` - (Optional) The product-generated identifier for a related finding. Documented below.
- `related_findings_product_arn` - (Optional) The ARN for the product that generated a related finding. Documented below.
- `resource_application_arn` - (Optional) The Amazon Resource Name (ARN) of the application that is related to a finding. Documented below.
- `resource_application_name` - (Optional) The name of the application that is related to a finding. Documented below.
- `resource_details_other` - (Optional) Custom fields and values about the resource that a finding pertains to. Documented below.
- `resource_id` - (Optional) The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non-AWS resources, this is a unique identifier that is associated with the resource. Documented below.
- `resource_partition` - (Optional) The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions. Each AWS account is scoped to one partition. Documented below.
- `resource_region` - (Optional) The AWS Region where the resource that a finding pertains to is located. Documented below.
- `resource_tags` - (Optional) A list of AWS tags associated with a resource at the time the finding was processed. Documented below.
- `resource_type` - (Optional) The type of resource that the finding pertains to. Documented below.
- `severity_label` - (Optional) The severity value of the finding. Documented below.
- `source_url` - (Optional) Provides a URL that links to a page about the current finding in the finding product. Documented below.
- `title` - (Optional) A finding's title. Documented below.
- `type` - (Optional) One or more finding types in the format of `namespace/category/classifier` that classify a finding. Documented below.
- `updated_at` - (Optional) A timestamp that indicates when the finding record was most recently updated. Documented below.
- `user_defined_fields` - (Optional) A list of user-defined name and value string pairs added to a finding. Documented below.
- `verification_state` - (Optional) Provides the veracity of a finding. Documented below.
- `workflow_status` - (Optional) Provides information about the status of the investigation into a finding. Documented below.

The string filter configuration block supports the following arguments:
- `comparison` - (Required) The condition to apply to a string value when querying for findings. Valid values include: `EQUALS`, `PREFIX`, `NOT_EQUALS`, `PREFIX_NOT_EQUALS`.
- `value` - (Required) The string filter value. Filter values are case sensitive.

The number filter configuration block supports the following arguments:
- `eq` - (Optional) The equal-to condition to be applied to a single field when querying for findings, provided as a String.
- `gte` - (Optional) The greater-than-or-equal condition to be applied to a single field when querying for findings, provided as a String.
- `lte` - (Optional) The less-than-or-equal condition to be applied to a single field when querying for findings, provided as a String.

The map filter configuration block supports the following arguments:
- `comparison` - (Required) The condition to apply to a string value when querying for findings. Valid values include: `EQUALS` and `NOT_EQUALS`.
- `key` - (Required) The key of the map filter.
- `value` - (Required) The value for the key in the map filter. Filter values are case sensitive.

The date filter configuration block supports the following arguments:
- `date_range` - (Optional) A configuration block of the date range for the date filter. See `date_range` below for more details.
- `end` - (Optional) An end date for the date filter. Required with `start` if `date_range` is not specified.
- `start` - (Optional) A start date for the date filter. Required with `end` if `date_range` is not specified.

The `date_range` configuration block supports the following arguments:
- `unit` - (Required) A date range unit for the date filter. Valid values: `DAYS`.
- `value` - (Required) A date range value for the date filter, provided as an Integer.

The `finding_fields_update` configuration block supports the following arguments:
- `confidence` - (Optional) The rule action updates the `Confidence` field of a finding.
- `criticality` - (Optional) The rule action updates the `Criticality` field of a finding.
- `note` - (Optional) A block that updates the note. Documented below.
- `related_findings` - (Optional) A block through which the rule action updates the `RelatedFindings` field of a finding. Documented below.
- `severity` - (Optional) A block that updates the severity information for a finding. Documented below.
- `types` - (Optional) The rule action updates the `Types` field of a finding.
- `user_defined_fields` - (Optional) The rule action updates the `UserDefinedFields` field of a finding.
- `verification_state` - (Optional) The rule action updates the `VerificationState` field of a finding. Allowed values: `UNKNOWN`, `TRUE_POSITIVE`, `FALSE_POSITIVE` and `BENIGN_POSITIVE`.
- `workflow` - (Optional) A block that is used to update information about the investigation into the finding. Documented below.

The `note` configuration block supports the following arguments:
- `text` - (Required) The updated note text.
- `updated_by` - (Required) The principal that updated the note.

The `related_findings` configuration block supports the following arguments:
- `id` - (Required) The product-generated identifier for a related finding.
- `product_arn` - (Required) The ARN of the product that generated a related finding.

The `severity` configuration block supports the following arguments:
- `label` - (Optional) The severity value of the finding. Allowed values: `INFORMATIONAL`, `LOW`, `MEDIUM`, `HIGH` and `CRITICAL`.
- `product` - (Optional) The native severity as defined by the AWS service or integrated partner product that generated the finding.

The `workflow` configuration block supports the following arguments:
- `status` - (Optional) The status of the investigation into the finding. Allowed values: `NEW`, `NOTIFIED`, `RESOLVED` and `SUPPRESSED`.

This resource exports the following attributes in addition to the arguments above:
- `id` - The ID of the Security Hub automation rule (matches `arn`).
- `arn` - The ARN of the Security Hub automation rule.

In Terraform v1.5.0 and later, use an `import` block to import a Security Hub automation rule using its ARN. For example:
```terraform
import {
  to = aws_securityhub_automation_rule.example
  id = "arn:aws:securityhub:us-west-2:123456789012:automation-rule/473eddde-f5c4-4ae5-85c7-e922f271fffc"
}
```
Using `terraform import`, import a Security Hub automation rule using its ARN. For example:

```console
% terraform import aws_securityhub_automation_rule.example arn:aws:securityhub:us-west-2:123456789012:automation-rule/473eddde-f5c4-4ae5-85c7-e922f271fffc
```