Skip to main content

hubs

Creates, updates, deletes or gets a hub resource or lists hubs in a region

Overview

Namehubs
TypeResource
DescriptionThe AWS::SecurityHub::Hub resource represents the implementation of the AWS Security Hub service in your account. One hub resource is created for each Region in which you enable Security Hub.
Idawscc.securityhub.hubs

Fields

NameDatatypeDescription
arnstringAn ARN is automatically created for the customer.
enable_default_standardsbooleanWhether to enable the security standards that Security Hub has designated as automatically enabled.
control_finding_generatorstringThis field, used when enabling Security Hub, specifies whether the calling account has consolidated control findings turned on. If the value for this field is set to SECURITY_CONTROL, Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to STANDARD_CONTROL, Security Hub generates separate findings for a control check when the check applies to multiple enabled standards.
auto_enable_controlsbooleanWhether to automatically enable new controls when they are added to standards that are enabled
tagsobjectA key-value pair to associate with the Security Hub V2 resource. You can specify a key that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
subscribed_atstringThe date and time when Security Hub was enabled in the account.
regionstringAWS region.

For more information, see AWS::SecurityHub::Hub.

Methods

NameResourceAccessible byRequired Params
create_resourcehubsINSERTregion
delete_resourcehubsDELETEIdentifier, region
update_resourcehubsUPDATEIdentifier, PatchDocument, region
list_resourceshubs_list_onlySELECTregion
get_resourcehubsSELECTIdentifier, region

SELECT examples

Gets all properties from an individual hub.

SELECT
  region,
  arn,
  enable_default_standards,
  control_finding_generator,
  auto_enable_controls,
  tags,
  subscribed_at
FROM awscc.securityhub.hubs
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ arn }}';

INSERT example

Use the following StackQL query and manifest file to create a new hub resource, using stack-deploy.

/*+ create */
INSERT INTO awscc.securityhub.hubs (
  EnableDefaultStandards,
  ControlFindingGenerator,
  AutoEnableControls,
  Tags,
  region
)
SELECT
  '{{ enable_default_standards }}',
  '{{ control_finding_generator }}',
  '{{ auto_enable_controls }}',
  '{{ tags }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

UPDATE example

Use the following StackQL query and manifest file to update a hub resource, using stack-deploy.

/*+ update */
UPDATE awscc.securityhub.hubs
SET PatchDocument = string('{{ {
    "EnableDefaultStandards": enable_default_standards,
    "ControlFindingGenerator": control_finding_generator,
    "AutoEnableControls": auto_enable_controls,
    "Tags": tags
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ arn }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

DELETE example

/*+ delete */
DELETE FROM awscc.securityhub.hubs
WHERE
  Identifier = '{{ arn }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

ParameterDescription
ClientToken
A unique identifier to ensure the idempotency of the resource request.This allows the provider to accurately distinguish between retries and new requests.
A client token is valid for 36 hours once used.
After that, a resource request with the same client token is treated as a new request.
If you do not specify a client token, one is generated for inclusion in the request.
RoleArn
The ARN of the IAM role used to perform this resource operation.The role specified must have the permissions required for this operation.
If you do not specify a role, a temporary session is created using your AWS user credentials.
TypeVersionId
For private resource types, the type version to use in this resource operation.If you do not specify a resource version, the default version is used.

Permissions

To operate on the hubs resource, the following permissions are required:

securityhub:EnableSecurityHub,
securityhub:UpdateSecurityHubConfiguration,
securityhub:TagResource,
securityhub:ListTagsForResource