
Resource: awsSecurityhubInsight

Provides a Security Hub custom insight resource. See the Managing custom insights section of the AWS User Guide for more information.

Example Usage

Filter by AWS account ID

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsSecurityhubAccountExample =
  new aws.securityhubAccount.SecurityhubAccount(this, "example", {});
const awsSecurityhubInsightExample =
  new aws.securityhubInsight.SecurityhubInsight(this, "example_1", {
    // Security Hub must be enabled in the account before the insight is created;
    // dependsOn takes the resource object itself, not an interpolated string.
    dependsOn: [awsSecurityhubAccountExample],
    filters: {
      // AWS account IDs are always 12 digits.
      awsAccountId: [
        {
          comparison: "EQUALS",
          value: "123456789012",
        },
        {
          comparison: "EQUALS",
          value: "098765432109",
        },
      ],
    },
    groupByAttribute: "AwsAccountId",
    name: "example-insight",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSecurityhubInsightExample.overrideLogicalId("example");

Filter by date range

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsSecurityhubAccountExample =
  new aws.securityhubAccount.SecurityhubAccount(this, "example", {});
const awsSecurityhubInsightExample =
  new aws.securityhubInsight.SecurityhubInsight(this, "example_1", {
    // Security Hub must be enabled in the account before the insight is created.
    dependsOn: [awsSecurityhubAccountExample],
    filters: {
      createdAt: [
        {
          // Relative window: findings created in the last 5 days. unit must be "DAYS".
          dateRange: {
            unit: "DAYS",
            value: 5,
          },
        },
      ],
    },
    groupByAttribute: "CreatedAt",
    name: "example-insight",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSecurityhubInsightExample.overrideLogicalId("example");

Filter by destination IPv4 address

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsSecurityhubAccountExample =
  new aws.securityhubAccount.SecurityhubAccount(this, "example", {});
const awsSecurityhubInsightExample =
  new aws.securityhubInsight.SecurityhubInsight(this, "example_1", {
    // Security Hub must be enabled in the account before the insight is created.
    dependsOn: [awsSecurityhubAccountExample],
    filters: {
      // Match findings whose destination address falls inside this CIDR block.
      networkDestinationIpv4: [
        {
          cidr: "10.0.0.0/16",
        },
      ],
    },
    groupByAttribute: "NetworkDestinationIpV4",
    name: "example-insight",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSecurityhubInsightExample.overrideLogicalId("example");

Filter by finding's confidence

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsSecurityhubAccountExample =
  new aws.securityhubAccount.SecurityhubAccount(this, "example", {});
const awsSecurityhubInsightExample =
  new aws.securityhubInsight.SecurityhubInsight(this, "example_1", {
    // Security Hub must be enabled in the account before the insight is created.
    dependsOn: [awsSecurityhubAccountExample],
    filters: {
      // Number filters take exactly one of eq, gte or lte, given as a string.
      confidence: [
        {
          gte: "80",
        },
      ],
    },
    groupByAttribute: "Confidence",
    name: "example-insight",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSecurityhubInsightExample.overrideLogicalId("example");

Filter by resource tags

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsSecurityhubAccountExample =
  new aws.securityhubAccount.SecurityhubAccount(this, "example", {});
const awsSecurityhubInsightExample =
  new aws.securityhubInsight.SecurityhubInsight(this, "example_1", {
    // Security Hub must be enabled in the account before the insight is created.
    dependsOn: [awsSecurityhubAccountExample],
    filters: {
      // Map filter: tag key and value are both case sensitive.
      resourceTags: [
        {
          comparison: "EQUALS",
          key: "Environment",
          value: "Production",
        },
      ],
    },
    groupByAttribute: "ResourceTags",
    name: "example-insight",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSecurityhubInsightExample.overrideLogicalId("example");

Argument Reference

The following arguments are required:

  • filters - (Required) A configuration block including one or more (up to 10 distinct) attributes used to filter the findings included in the insight. The insight only includes findings that match criteria defined in the filters. See filters below for more details.
  • groupByAttribute - (Required) The attribute used to group the findings for the insight, e.g., if an insight is grouped by ResourceId, then the insight produces a list of resource identifiers.
  • name - (Required) The name of the custom insight.

filters

The filters configuration block supports the following arguments:

~> NOTE: For each argument below, up to 20 can be provided.

  • awsAccountId - (Optional) AWS account ID that a finding is generated in. See String Filter below for more details.
  • companyName - (Optional) The name of the findings provider (company) that owns the solution (product) that generates findings. See String Filter below for more details.
  • complianceStatus - (Optional) Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. Contains security standard-related finding details. See String Filter below for more details.
  • confidence - (Optional) A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. See Number Filter below for more details.
  • createdAt - (Optional) An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured. See Date Filter below for more details.
  • criticality - (Optional) The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. See Number Filter below for more details.
  • description - (Optional) A finding's description. See String Filter below for more details.
  • findingProviderFieldsConfidence - (Optional) The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. See Number Filter below for more details.
  • findingProviderFieldsCriticality - (Optional) The finding provider value for the level of importance assigned to the resources associated with the findings. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. See Number Filter below for more details.
  • findingProviderFieldsRelatedFindingsId - (Optional) The finding identifier of a related finding that is identified by the finding provider. See String Filter below for more details.
  • findingProviderFieldsRelatedFindingsProductArn - (Optional) The ARN of the solution that generated a related finding that is identified by the finding provider. See String Filter below for more details.
  • findingProviderFieldsSeverityLabel - (Optional) The finding provider value for the severity label. See String Filter below for more details.
  • findingProviderFieldsSeverityOriginal - (Optional) The finding provider's original value for the severity. See String Filter below for more details.
  • findingProviderFieldsTypes - (Optional) One or more finding types that the finding provider assigned to the finding. Uses the format of namespace/category/classifier that classify a finding. Valid namespace values include: Software and Configuration Checks, TTPs, Effects, Unusual Behaviors, and Sensitive Data Identifications. See String Filter below for more details.
  • firstObservedAt - (Optional) An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured. See Date Filter below for more details.
  • generatorId - (Optional) The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. See String Filter below for more details.
  • id - (Optional) The security findings provider-specific identifier for a finding. See String Filter below for more details.
  • keyword - (Optional) A keyword for a finding. See Keyword Filter below for more details.
  • lastObservedAt - (Optional) An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured. See Date Filter below for more details.
  • malwareName - (Optional) The name of the malware that was observed. See String Filter below for more details.
  • malwarePath - (Optional) The filesystem path of the malware that was observed. See String Filter below for more details.
  • malwareState - (Optional) The state of the malware that was observed. See String Filter below for more details.
  • malwareType - (Optional) The type of the malware that was observed. See String Filter below for more details.
  • networkDestinationDomain - (Optional) The destination domain of network-related information about a finding. See String Filter below for more details.
  • networkDestinationIpv4 - (Optional) The destination IPv4 address of network-related information about a finding. See Ip Filter below for more details.
  • networkDestinationIpv6 - (Optional) The destination IPv6 address of network-related information about a finding. See Ip Filter below for more details.
  • networkDestinationPort - (Optional) The destination port of network-related information about a finding. See Number Filter below for more details.
  • networkDirection - (Optional) Indicates the direction of network traffic associated with a finding. See String Filter below for more details.
  • networkProtocol - (Optional) The protocol of network-related information about a finding. See String Filter below for more details.
  • networkSourceDomain - (Optional) The source domain of network-related information about a finding. See String Filter below for more details.
  • networkSourceIpv4 - (Optional) The source IPv4 address of network-related information about a finding. See Ip Filter below for more details.
  • networkSourceIpv6 - (Optional) The source IPv6 address of network-related information about a finding. See Ip Filter below for more details.
  • networkSourceMac - (Optional) The source media access control (MAC) address of network-related information about a finding. See String Filter below for more details.
  • networkSourcePort - (Optional) The source port of network-related information about a finding. See Number Filter below for more details.
  • noteText - (Optional) The text of a note. See String Filter below for more details.
  • noteUpdatedAt - (Optional) The timestamp of when the note was updated. See Date Filter below for more details.
  • noteUpdatedBy - (Optional) The principal that created a note. See String Filter below for more details.
  • processLaunchedAt - (Optional) The date/time that the process was launched. See Date Filter below for more details.
  • processName - (Optional) The name of the process. See String Filter below for more details.
  • processParentPid - (Optional) The parent process ID. See Number Filter below for more details.
  • processPath - (Optional) The path to the process executable. See String Filter below for more details.
  • processPid - (Optional) The process ID. See Number Filter below for more details.
  • processTerminatedAt - (Optional) The date/time that the process was terminated. See Date Filter below for more details.
  • productArn - (Optional) The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub. See String Filter below for more details.
  • productFields - (Optional) A data type where security-findings providers can include additional solution-specific details that aren't part of the defined awsSecurityFinding format. See Map Filter below for more details.
  • productName - (Optional) The name of the solution (product) that generates findings. See String Filter below for more details.
  • recommendationText - (Optional) The recommendation of what to do about the issue described in a finding. See String Filter below for more details.
  • recordState - (Optional) The updated record state for the finding. See String Filter below for more details.
  • relatedFindingsId - (Optional) The solution-generated identifier for a related finding. See String Filter below for more details.
  • relatedFindingsProductArn - (Optional) The ARN of the solution that generated a related finding. See String Filter below for more details.
  • resourceAwsEc2InstanceIamInstanceProfileArn - (Optional) The IAM profile ARN of the instance. See String Filter below for more details.
  • resourceAwsEc2InstanceImageId - (Optional) The Amazon Machine Image (AMI) ID of the instance. See String Filter below for more details.
  • resourceAwsEc2InstanceIpv4Addresses - (Optional) The IPv4 addresses associated with the instance. See Ip Filter below for more details.
  • resourceAwsEc2InstanceIpv6Addresses - (Optional) The IPv6 addresses associated with the instance. See Ip Filter below for more details.
  • resourceAwsEc2InstanceKeyName - (Optional) The key name associated with the instance. See String Filter below for more details.
  • resourceAwsEc2InstanceLaunchedAt - (Optional) The date and time the instance was launched. See Date Filter below for more details.
  • resourceAwsEc2InstanceSubnetId - (Optional) The identifier of the subnet that the instance was launched in. See String Filter below for more details.
  • resourceAwsEc2InstanceType - (Optional) The instance type of the instance. See String Filter below for more details.
  • resourceAwsEc2InstanceVpcId - (Optional) The identifier of the VPC that the instance was launched in. See String Filter below for more details.
  • resourceAwsIamAccessKeyCreatedAt - (Optional) The creation date/time of the IAM access key related to a finding. See Date Filter below for more details.
  • resourceAwsIamAccessKeyStatus - (Optional) The status of the IAM access key related to a finding. See String Filter below for more details.
  • resourceAwsIamAccessKeyUserName - (Optional) The user associated with the IAM access key related to a finding. See String Filter below for more details.
  • resourceAwsS3BucketOwnerId - (Optional) The canonical user ID of the owner of the S3 bucket. See String Filter below for more details.
  • resourceAwsS3BucketOwnerName - (Optional) The display name of the owner of the S3 bucket. See String Filter below for more details.
  • resourceContainerImageId - (Optional) The identifier of the image related to a finding. See String Filter below for more details.
  • resourceContainerImageName - (Optional) The name of the image related to a finding. See String Filter below for more details.
  • resourceContainerLaunchedAt - (Optional) The date/time that the container was started. See Date Filter below for more details.
  • resourceContainerName - (Optional) The name of the container related to a finding. See String Filter below for more details.
  • resourceDetailsOther - (Optional) The details of a resource that doesn't have a specific subfield for the resource type defined. See Map Filter below for more details.
  • resourceId - (Optional) The canonical identifier for the given resource type. See String Filter below for more details.
  • resourcePartition - (Optional) The canonical AWS partition name that the Region is assigned to. See String Filter below for more details.
  • resourceRegion - (Optional) The canonical AWS external Region name where this resource is located. See String Filter below for more details.
  • resourceTags - (Optional) A list of AWS tags associated with a resource at the time the finding was processed. See Map Filter below for more details.
  • resourceType - (Optional) Specifies the type of the resource that details are provided for. See String Filter below for more details.
  • severityLabel - (Optional) The label of a finding's severity. See String Filter below for more details.
  • sourceUrl - (Optional) A URL that links to a page about the current finding in the security-findings provider's solution. See String Filter below for more details.
  • threatIntelIndicatorCategory - (Optional) The category of a threat intelligence indicator. See String Filter below for more details.
  • threatIntelIndicatorLastObservedAt - (Optional) The date/time of the last observation of a threat intelligence indicator. See Date Filter below for more details.
  • threatIntelIndicatorSource - (Optional) The source of the threat intelligence. See String Filter below for more details.
  • threatIntelIndicatorSourceUrl - (Optional) The URL for more details from the source of the threat intelligence. See String Filter below for more details.
  • threatIntelIndicatorType - (Optional) The type of a threat intelligence indicator. See String Filter below for more details.
  • threatIntelIndicatorValue - (Optional) The value of a threat intelligence indicator. See String Filter below for more details.
  • title - (Optional) A finding's title. See String Filter below for more details.
  • type - (Optional) A finding type in the format of namespace/category/classifier that classifies a finding. See String Filter below for more details.
  • updatedAt - (Optional) An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record. See Date Filter below for more details.
  • userDefinedValues - (Optional) A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding. See Map Filter below for more details.
  • verificationState - (Optional) The veracity of a finding. See String Filter below for more details.
  • workflowStatus - (Optional) The status of the investigation into a finding. See Workflow Status Filter below for more details.

Date Filter Argument reference

The date filter configuration block supports the following arguments:

  • dateRange - (Optional) A configuration block of the date range for the date filter. See date_range below for more details.
  • end - (Optional) An end date for the date filter, as an ISO 8601 timestamp. Required with start if dateRange is not specified.
  • start - (Optional) A start date for the date filter, as an ISO 8601 timestamp. Required with end if dateRange is not specified.

date_range Argument reference

The dateRange configuration block supports the following arguments:

  • unit - (Required) A date range unit for the date filter. Valid values: DAYS.
  • value - (Required) A date range value for the date filter, provided as an Integer.

Ip Filter Argument Reference

The Ip filter configuration block supports the following arguments:

  • cidr - (Required) A finding's CIDR value.

Keyword Filter Argument Reference

The keyword filter configuration block supports the following arguments:

  • value - (Required) A value for the keyword.

Map Filter Argument reference

The map filter configuration block supports the following arguments:

  • comparison - (Required) The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
  • key - (Required) The key of the map filter. For example, for resourceTags, key identifies the name of the tag. For userDefinedValues, key is the name of the field.
  • value - (Required) The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there is no match.

Number Filter Argument reference

The number filter configuration block supports the following arguments:

~> NOTE: Exactly one of eq, gte, or lte must be specified.

  • eq - (Optional) The equal-to condition to be applied to a single field when querying for findings, provided as a String.
  • gte - (Optional) The greater-than-equal condition to be applied to a single field when querying for findings, provided as a String.
  • lte - (Optional) The less-than-equal condition to be applied to a single field when querying for findings, provided as a String.

String Filter Argument reference

The string filter configuration block supports the following arguments:

  • comparison - (Required) The condition to apply to a string value when querying for findings. Valid values include: EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS.
  • value - (Required) The string filter value. Filter values are case sensitive.

Workflow Status Filter Argument reference

The workflow status filter configuration block supports the following arguments:

  • comparison - (Required) The condition to apply to a string value when querying for findings. Valid values include: EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS.
  • value - (Required) The string filter value. Valid values include: NEW, NOTIFIED, SUPPRESSED, and RESOLVED.
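The limits stated in the filters argument reference and the sub-filter references above (at most 10 distinct attributes, 20 entries per attribute, exactly one of eq/gte/lte, dateRange or start+end but not both, upper-case comparison and workflow status values) are only enforced by the API at apply time. The following is an added example, not code from the Terraform AWS provider or its documentation: a small pre-plan validator for the filters object that a CDKTF stack would pass to aws.securityhubInsight.SecurityhubInsight, run over two constructed sample filter sets. The names validateEntry, validateInsightFilters, PRODUCTION_OPEN_HIGH and BROKEN are this example's own, and the 12-digit account ID check goes beyond what the argument reference states.

```typescript
// Added example: validate a Security Hub insight `filters` object before `cdktf deploy`.
// Shapes and limits follow the argument reference on this page; helper names are ours.
const STRING_COMPARISONS = new Set(["EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS"]);
const MAP_COMPARISONS = new Set(["EQUALS", "NOT_EQUALS"]);
const WORKFLOW_STATUSES = new Set(["NEW", "NOTIFIED", "SUPPRESSED", "RESOLVED"]);
const MAX_ATTRIBUTES = 10; // distinct filter attributes per insight
const MAX_ENTRIES = 20;    // entries per attribute

type FilterEntry = Record<string, unknown>;
type InsightFilters = Record<string, FilterEntry[]>;

function isNumericString(v: unknown): boolean {
  return typeof v === "string" && v.trim() !== "" && !Number.isNaN(Number(v));
}

// Validate one entry of an attribute, classifying it by the keys it carries.
function validateEntry(attr: string, e: FilterEntry): string[] {
  const at = `${attr}: `;
  if ("cidr" in e) {
    // Ip Filter: an IPv4 or IPv6 CIDR such as 10.0.0.0/16 or 2001:db8::/32.
    const m = /^([0-9a-fA-F.:]+)\/(\d{1,3})$/.exec(String(e.cidr));
    const maxPrefix = String(e.cidr).includes(":") ? 128 : 32;
    return m && Number(m[2]) <= maxPrefix ? [] : [at + `invalid CIDR ${JSON.stringify(e.cidr)}`];
  }
  if ("key" in e) {
    // Map Filter (resourceTags, productFields, userDefinedValues, resourceDetailsOther).
    const errs: string[] = [];
    if (!MAP_COMPARISONS.has(String(e.comparison))) errs.push(at + "map comparison must be EQUALS or NOT_EQUALS");
    if (typeof e.key !== "string" || e.key === "") errs.push(at + "map key must be a non-empty string");
    if (typeof e.value !== "string") errs.push(at + "map value must be a string (values are case sensitive)");
    return errs;
  }
  if ("dateRange" in e || "start" in e || "end" in e) {
    // Date Filter: either a relative dateRange or an absolute start+end window, never both.
    const hasRange = e.dateRange !== undefined;
    const hasWindow = e.start !== undefined || e.end !== undefined;
    if (hasRange && hasWindow) return [at + "use dateRange or start/end, not both"];
    if (hasRange) {
      const r = e.dateRange as Record<string, unknown>;
      const ok = r.unit === "DAYS" && Number.isInteger(r.value) && (r.value as number) > 0;
      return ok ? [] : [at + 'dateRange needs unit "DAYS" and a positive integer value'];
    }
    const both = typeof e.start === "string" && typeof e.end === "string";
    const parses = both && !Number.isNaN(Date.parse(e.start as string)) && !Number.isNaN(Date.parse(e.end as string));
    return parses ? [] : [at + "start and end are both required and must be ISO 8601 timestamps"];
  }
  if ("eq" in e || "gte" in e || "lte" in e) {
    // Number Filter: exactly one of eq, gte, lte, each given as a numeric string.
    const present = ["eq", "gte", "lte"].filter((k) => e[k] !== undefined);
    if (present.length !== 1) return [at + "specify exactly one of eq, gte, lte"];
    return isNumericString(e[present[0]]) ? [] : [at + `${present[0]} must be a numeric string`];
  }
  if ("comparison" in e) {
    // String Filter, or Workflow Status Filter when the attribute is workflowStatus.
    const errs: string[] = [];
    if (!STRING_COMPARISONS.has(String(e.comparison))) errs.push(at + `unknown comparison ${JSON.stringify(e.comparison)}`);
    if (typeof e.value !== "string" || e.value === "") errs.push(at + "value must be a non-empty string");
    if (attr === "workflowStatus" && !WORKFLOW_STATUSES.has(String(e.value))) errs.push(at + "workflowStatus must be NEW, NOTIFIED, SUPPRESSED or RESOLVED");
    // Beyond the argument reference: AWS account IDs are always 12 digits.
    if (attr === "awsAccountId" && e.comparison === "EQUALS" && !/^\d{12}$/.test(String(e.value))) errs.push(at + "awsAccountId must be a 12-digit account ID");
    return errs;
  }
  if ("value" in e) return typeof e.value === "string" && e.value !== "" ? [] : [at + "keyword value must be a non-empty string"];
  return [at + `unrecognised filter shape ${JSON.stringify(e)}`];
}

// Validate a whole filters object; an empty result means it is safe to hand to the resource.
function validateInsightFilters(filters: InsightFilters): string[] {
  const errs: string[] = [];
  const attrs = Object.keys(filters);
  if (attrs.length === 0) errs.push("filters must name at least one attribute");
  if (attrs.length > MAX_ATTRIBUTES) errs.push(`at most ${MAX_ATTRIBUTES} distinct attributes, got ${attrs.length}`);
  for (const attr of attrs) {
    const entries = filters[attr];
    if (!Array.isArray(entries) || entries.length === 0) { errs.push(`${attr}: needs at least one entry`); continue; }
    if (entries.length > MAX_ENTRIES) errs.push(`${attr}: at most ${MAX_ENTRIES} entries, got ${entries.length}`);
    for (const e of entries) errs.push(...validateEntry(attr, e));
  }
  return errs;
}

// Constructed sample: open HIGH/CRITICAL findings on Production-tagged resources seen in the last 7 days.
const PRODUCTION_OPEN_HIGH: InsightFilters = {
  severityLabel: [{ comparison: "EQUALS", value: "HIGH" }, { comparison: "EQUALS", value: "CRITICAL" }],
  workflowStatus: [{ comparison: "EQUALS", value: "NEW" }, { comparison: "EQUALS", value: "NOTIFIED" }],
  recordState: [{ comparison: "EQUALS", value: "ACTIVE" }],
  resourceTags: [{ comparison: "EQUALS", key: "Environment", value: "Production" }],
  lastObservedAt: [{ dateRange: { unit: "DAYS", value: 7 } }],
};

// Constructed sample with four mistakes the provider would only reject at apply time.
const BROKEN: InsightFilters = {
  awsAccountId: [{ comparison: "EQUALS", value: "1234567890" }], // 10 digits, not 12
  confidence: [{ gte: "80", lte: "100" }],                        // two bounds in one entry
  createdAt: [{ dateRange: { unit: "days", value: 5 } }],         // unit must be upper-case
  workflowStatus: [{ comparison: "EQUALS", value: "new" }],       // status values are upper-case
};

console.log(validateInsightFilters(PRODUCTION_OPEN_HIGH)); // []
console.log(validateInsightFilters(BROKEN));               // four messages, one per attribute above
```

The validated object can be passed unchanged as the filters property of the SecurityhubInsight construct; running the check in the stack's unit tests catches the case-sensitivity and one-of-eq/gte/lte mistakes before a plan is ever applied.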

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - ARN of the insight.
  • arn - ARN of the insight.

Import

Security Hub insights can be imported using the ARN, e.g.,

$ terraform import aws_securityhub_insight.example arn:aws:securityhub:us-west-2:1234567890:insight/1234567890/custom/91299ed7-abd0-4e44-a858-d0b15e37141a