standards
Creates, updates, deletes or gets a standard resource or lists standards in a region
Overview
| Name | standards |
| Type | Resource |
| Description | The ``AWS::SecurityHub::Standard`` resource specifies the enablement of a security standard. The standard is identified by the ``StandardsArn`` property. To view a list of ASH standards and their Amazon Resource Names (ARNs), use the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation. You must create a separate ``AWS::SecurityHub::Standard`` resource for each standard that you want to enable. For more information about ASH standards, see [standards reference](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the *User Guide*. |
| Id | awscc.securityhub.standards |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
standards_subscription_arn | string | |
standards_arn | string | The ARN of the standard that you want to enable. To view a list of available ASH standards and their ARNs, use the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation. |
disabled_standards_controls | array | Specifies which controls are to be disabled in a standard. <br />*Maximum*: ``100`` |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
standards_subscription_arn | string | |
region | string | AWS region. |
For more information, see AWS::SecurityHub::Standard.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | standards | INSERT | StandardsArn, region |
delete_resource | standards | DELETE | Identifier, region |
update_resource | standards | UPDATE | Identifier, PatchDocument, region |
list_resources | standards_list_only | SELECT | region |
get_resource | standards | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual standard.
SELECT
region,
standards_subscription_arn,
standards_arn,
disabled_standards_controls
FROM awscc.securityhub.standards
WHERE
region = 'us-east-1' AND
Identifier = '{{ standards_subscription_arn }}';
Lists all standards in a region.
SELECT
region,
standards_subscription_arn
FROM awscc.securityhub.standards_list_only
WHERE
region = 'us-east-1';
INSERT example
Use the following StackQL query and manifest file to create a new standard resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.securityhub.standards (
StandardsArn,
region
)
SELECT
'{{ standards_arn }}',
'{{ region }}';
/*+ create */
INSERT INTO awscc.securityhub.standards (
StandardsArn,
DisabledStandardsControls,
region
)
SELECT
'{{ standards_arn }}',
'{{ disabled_standards_controls }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: standard
props:
- name: standards_arn
value: '{{ standards_arn }}'
- name: disabled_standards_controls
value:
- standards_control_arn: '{{ standards_control_arn }}'
reason: '{{ reason }}'
UPDATE example
Use the following StackQL query and manifest file to update a standard resource, using stack-deploy.
/*+ update */
UPDATE awscc.securityhub.standards
SET PatchDocument = string('{{ {
"DisabledStandardsControls": disabled_standards_controls
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ standards_subscription_arn }}';
DELETE example
/*+ delete */
DELETE FROM awscc.securityhub.standards
WHERE
Identifier = '{{ standards_subscription_arn }}' AND
region = 'us-east-1';
Permissions
To operate on the standards resource, the following permissions are required:
- Create
- Read
- Update
- Delete
- List
securityhub:GetEnabledStandards,
securityhub:BatchEnableStandards,
securityhub:UpdateStandardsControl
securityhub:GetEnabledStandards,
securityhub:DescribeStandardsControls
securityhub:GetEnabledStandards,
securityhub:UpdateStandardsControl
securityhub:GetEnabledStandards,
securityhub:BatchDisableStandards
securityhub:GetEnabledStandards