Skip to main content

configuration_policies

Creates, updates, deletes or gets a configuration_policy resource or lists configuration_policies in a region

Overview

Nameconfiguration_policies
TypeResource
DescriptionThe AWS::SecurityHub::ConfigurationPolicy resource represents the Central Configuration Policy in your account.
Idawscc.securityhub.configuration_policies

Fields

NameDatatypeDescription
arnstringThe Amazon Resource Name (ARN) of the configuration policy.
namestringThe name of the configuration policy.
descriptionstringThe description of the configuration policy.
configuration_policyobjectAn object that defines how Security Hub is configured.
idstringThe universally unique identifier (UUID) of the configuration policy.
created_atstringThe date and time, in UTC and ISO 8601 format.
updated_atstringThe date and time, in UTC and ISO 8601 format.
service_enabledbooleanIndicates whether the service that the configuration policy applies to is enabled in the policy.
tagsobjectA key-value pair to associate with the Security Hub V2 resource. You can specify a key that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
regionstringAWS region.

For more information, see AWS::SecurityHub::ConfigurationPolicy.

Methods

NameResourceAccessible byRequired Params
create_resourceconfiguration_policiesINSERTConfigurationPolicy, Name, region
delete_resourceconfiguration_policiesDELETEIdentifier, region
update_resourceconfiguration_policiesUPDATEIdentifier, PatchDocument, region
list_resourcesconfiguration_policies_list_onlySELECTregion
get_resourceconfiguration_policiesSELECTIdentifier, region

SELECT examples

Gets all properties from an individual configuration_policy.

SELECT
  region,
  arn,
  name,
  description,
  configuration_policy,
  id,
  created_at,
  updated_at,
  service_enabled,
  tags
FROM awscc.securityhub.configuration_policies
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ arn }}';

INSERT example

Use the following StackQL query and manifest file to create a new configuration_policy resource, using stack-deploy.

/*+ create */
INSERT INTO awscc.securityhub.configuration_policies (
  Name,
  ConfigurationPolicy,
  region
)
SELECT
  '{{ name }}',
  '{{ configuration_policy }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

UPDATE example

Use the following StackQL query and manifest file to update a configuration_policy resource, using stack-deploy.

/*+ update */
UPDATE awscc.securityhub.configuration_policies
SET PatchDocument = string('{{ {
    "Name": name,
    "Description": description,
    "ConfigurationPolicy": configuration_policy,
    "Tags": tags
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ arn }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

DELETE example

/*+ delete */
DELETE FROM awscc.securityhub.configuration_policies
WHERE
  Identifier = '{{ arn }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

ParameterDescription
ClientToken
A unique identifier to ensure the idempotency of the resource request.This allows the provider to accurately distinguish between retries and new requests.
A client token is valid for 36 hours once used.
After that, a resource request with the same client token is treated as a new request.
If you do not specify a client token, one is generated for inclusion in the request.
RoleArn
The ARN of the IAM role used to perform this resource operation.The role specified must have the permissions required for this operation.
If you do not specify a role, a temporary session is created using your AWS user credentials.
TypeVersionId
For private resource types, the type version to use in this resource operation.If you do not specify a resource version, the default version is used.

Permissions

To operate on the configuration_policies resource, the following permissions are required:

securityhub:CreateConfigurationPolicy,
securityhub:TagResource,
securityhub:ListTagsForResource