security_controls
Creates, updates, deletes or gets a security_control resource or lists security_controls in a region
Overview
| Name | security_controls |
| Type | Resource |
| Description | A security control in Security Hub describes a security best practice related to a specific resource. |
| Id | awscc.securityhub.security_controls |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
security_control_id | string | The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3. |
last_update_reason | string | The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores. |
parameters | object | An object that identifies the name of a control parameter, its current value, and whether it has been customized. |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
security_control_id | string | The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3. |
region | string | AWS region. |
For more information, see AWS::SecurityHub::SecurityControl.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | security_controls | INSERT | Parameters, region |
delete_resource | security_controls | DELETE | Identifier, region |
update_resource | security_controls | UPDATE | Identifier, PatchDocument, region |
list_resources | security_controls_list_only | SELECT | region |
get_resource | security_controls | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual security_control.
SELECT
region,
security_control_id,
security_control_arn,
last_update_reason,
parameters
FROM awscc.securityhub.security_controls
WHERE
region = 'us-east-1' AND
Identifier = '{{ security_control_id }}';
Lists all security_controls in a region.
SELECT
region,
security_control_id
FROM awscc.securityhub.security_controls_list_only
WHERE
region = 'us-east-1';
INSERT example
Use the following StackQL query and manifest file to create a new security_control resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.securityhub.security_controls (
Parameters,
region
)
SELECT
'{{ parameters }}',
'{{ region }}';
/*+ create */
INSERT INTO awscc.securityhub.security_controls (
SecurityControlId,
SecurityControlArn,
LastUpdateReason,
Parameters,
region
)
SELECT
'{{ security_control_id }}',
'{{ security_control_arn }}',
'{{ last_update_reason }}',
'{{ parameters }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: security_control
props:
- name: security_control_id
value: '{{ security_control_id }}'
- name: security_control_arn
value: null
- name: last_update_reason
value: '{{ last_update_reason }}'
- name: parameters
value: {}
UPDATE example
Use the following StackQL query and manifest file to update a security_control resource, using stack-deploy.
/*+ update */
UPDATE awscc.securityhub.security_controls
SET PatchDocument = string('{{ {
"SecurityControlArn": security_control_arn,
"LastUpdateReason": last_update_reason,
"Parameters": parameters
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ security_control_id }}';
DELETE example
/*+ delete */
DELETE FROM awscc.securityhub.security_controls
WHERE
Identifier = '{{ security_control_id }}' AND
region = 'us-east-1';
Permissions
To operate on the security_controls resource, the following permissions are required:
- Create
- Read
- Update
- Delete
- List
securityhub:BatchGetSecurityControls,
securityhub:DescribeStandardsControls,
securityhub:UpdateSecurityControl,
securityhub:UpdateStandardsControl
securityhub:BatchGetSecurityControls,
securityhub:DescribeStandardsControls
securityhub:BatchGetSecurityControls,
securityhub:DescribeStandardsControls,
securityhub:UpdateSecurityControl,
securityhub:UpdateStandardsControl
securityhub:BatchGetSecurityControls,
securityhub:DescribeStandardsControls,
securityhub:UpdateSecurityControl,
securityhub:UpdateStandardsControl
securityhub:BatchGetSecurityControls,
securityhub:DescribeStandardsControls,
securityhub:ListSecurityControlDefinitions