Skip to main content

automation_rules

Creates, updates, deletes or gets an automation_rule resource or lists automation_rules in a region

Overview

Nameautomation_rules
TypeResource
DescriptionThe AWS::SecurityHub::AutomationRule resource specifies an automation rule based on input parameters. For more information, see Automation rules in the User Guide.
Idawscc.securityhub.automation_rules

Fields

NameDatatypeDescription
rule_arnstring
rule_statusstringWhether the rule is active after it is created. If this parameter is equal to ENABLED, ASH applies the rule to findings and finding updates after the rule is created.
rule_orderintegerAn integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.
descriptionstringA description of the rule.
rule_namestringThe name of the rule.
created_atstringThe date and time, in UTC and ISO 8601 format.
created_bystring
is_terminalbooleanSpecifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
actionsarrayOne or more actions to update finding fields if a finding matches the conditions specified in Criteria.
criteriaobjectA set of Security Finding Format (ASFF) finding field attributes and corresponding expected values that ASH uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, ASH applies the rule action to the finding.
tagsobjectUser-defined tags associated with an automation rule.
regionstringAWS region.

For more information, see AWS::SecurityHub::AutomationRule.

Methods

NameResourceAccessible byRequired Params
create_resourceautomation_rulesINSERTRuleOrder, RuleName, Description, Criteria, Actions, region
delete_resourceautomation_rulesDELETEIdentifier, region
update_resourceautomation_rulesUPDATEIdentifier, PatchDocument, region
list_resourcesautomation_rules_list_onlySELECTregion
get_resourceautomation_rulesSELECTIdentifier, region

SELECT examples

Gets all properties from an individual automation_rule.

SELECT
  region,
  rule_arn,
  rule_status,
  rule_order,
  description,
  rule_name,
  created_at,
  updated_at,
  created_by,
  is_terminal,
  actions,
  criteria,
  tags
FROM awscc.securityhub.automation_rules
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ rule_arn }}';

INSERT example

Use the following StackQL query and manifest file to create a new automation_rule resource, using stack-deploy.

/*+ create */
INSERT INTO awscc.securityhub.automation_rules (
  RuleOrder,
  Description,
  RuleName,
  Actions,
  Criteria,
  region
)
SELECT
  '{{ rule_order }}',
  '{{ description }}',
  '{{ rule_name }}',
  '{{ actions }}',
  '{{ criteria }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

UPDATE example

Use the following StackQL query and manifest file to update a automation_rule resource, using stack-deploy.

/*+ update */
UPDATE awscc.securityhub.automation_rules
SET PatchDocument = string('{{ {
    "RuleStatus": rule_status,
    "RuleOrder": rule_order,
    "Description": description,
    "RuleName": rule_name,
    "IsTerminal": is_terminal,
    "Actions": actions,
    "Criteria": criteria,
    "Tags": tags
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ rule_arn }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

DELETE example

/*+ delete */
DELETE FROM awscc.securityhub.automation_rules
WHERE
  Identifier = '{{ rule_arn }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

ParameterDescription
ClientToken
A unique identifier to ensure the idempotency of the resource request.This allows the provider to accurately distinguish between retries and new requests.
A client token is valid for 36 hours once used.
After that, a resource request with the same client token is treated as a new request.
If you do not specify a client token, one is generated for inclusion in the request.
RoleArn
The ARN of the IAM role used to perform this resource operation.The role specified must have the permissions required for this operation.
If you do not specify a role, a temporary session is created using your AWS user credentials.
TypeVersionId
For private resource types, the type version to use in this resource operation.If you do not specify a resource version, the default version is used.

Permissions

To operate on the automation_rules resource, the following permissions are required:

securityhub:CreateAutomationRule,
securityhub:TagResource,
securityhub:ListTagsForResource