Skip to content

Resource: awsSecurityhubStandardsControl

Disable/enable Security Hub standards control in the current region.

The awsSecurityhubStandardsControl behaves differently from normal resources, in that Terraform does not create this resource, but instead "adopts" it into management. When you delete this resource configuration, Terraform "abandons" resource as is and just removes it from the state.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsSecurityhubAccountExample =
  new aws.securityhubAccount.SecurityhubAccount(this, "example", {});
const awsSecurityhubStandardsSubscriptionCisAwsFoundationsBenchmark =
  new aws.securityhubStandardsSubscription.SecurityhubStandardsSubscription(
    this,
    "cis_aws_foundations_benchmark",
    {
      depends_on: [`\${${awsSecurityhubAccountExample.fqn}}`],
      standardsArn:
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
    }
  );
new aws.securityhubStandardsControl.SecurityhubStandardsControl(
  this,
  "ensure_iam_password_policy_prevents_password_reuse",
  {
    controlStatus: "DISABLED",
    depends_on: [
      `\${${awsSecurityhubStandardsSubscriptionCisAwsFoundationsBenchmark.fqn}}`,
    ],
    disabledReason: "We handle password policies within Okta",
    standardsControlArn:
      "arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/1.10",
  }
);

Argument Reference

The following arguments are supported:

  • standardsControlArn - (Required) The standards control ARN.
  • controlStatus – (Required) The control status could be enabled or disabled. You have to specify disabledReason argument for disabled control status.
  • disabledReason – (Optional) A description of the reason why you are disabling a security standard control. If you specify this attribute, controlStatus will be set to disabled automatically.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The standard control ARN.
  • controlId – The identifier of the security standard control.
  • controlStatusUpdatedAt – The date and time that the status of the security standard control was most recently updated.
  • description – The standard control longer description. Provides information about what the control is checking for.
  • relatedRequirements – The list of requirements that are related to this control.
  • remediationUrl – A link to remediation information for the control in the Security Hub user documentation.
  • severityRating – The severity of findings generated from this security standard control.
  • title – The standard control title.