AWS v6.73.0, Mar 19 25

AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi

aws.securityhub.StandardsControl

Explore with Pulumi AI

AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.securityhub.Account("example", {});
const cisAwsFoundationsBenchmark = new aws.securityhub.StandardsSubscription("cis_aws_foundations_benchmark", {standardsArn: "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"}, {
    dependsOn: [example],
});
const ensureIamPasswordPolicyPreventsPasswordReuse = new aws.securityhub.StandardsControl("ensure_iam_password_policy_prevents_password_reuse", {
    standardsControlArn: "arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/1.10",
    controlStatus: "DISABLED",
    disabledReason: "We handle password policies within Okta",
}, {
    dependsOn: [cisAwsFoundationsBenchmark],
});

import pulumi
import pulumi_aws as aws

example = aws.securityhub.Account("example")
cis_aws_foundations_benchmark = aws.securityhub.StandardsSubscription("cis_aws_foundations_benchmark", standards_arn="arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
opts = pulumi.ResourceOptions(depends_on=[example]))
ensure_iam_password_policy_prevents_password_reuse = aws.securityhub.StandardsControl("ensure_iam_password_policy_prevents_password_reuse",
    standards_control_arn="arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/1.10",
    control_status="DISABLED",
    disabled_reason="We handle password policies within Okta",
    opts = pulumi.ResourceOptions(depends_on=[cis_aws_foundations_benchmark]))

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/securityhub"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := securityhub.NewAccount(ctx, "example", nil)
		if err != nil {
			return err
		}
		cisAwsFoundationsBenchmark, err := securityhub.NewStandardsSubscription(ctx, "cis_aws_foundations_benchmark", &securityhub.StandardsSubscriptionArgs{
			StandardsArn: pulumi.String("arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"),
		}, pulumi.DependsOn([]pulumi.Resource{
			example,
		}))
		if err != nil {
			return err
		}
		_, err = securityhub.NewStandardsControl(ctx, "ensure_iam_password_policy_prevents_password_reuse", &securityhub.StandardsControlArgs{
			StandardsControlArn: pulumi.String("arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/1.10"),
			ControlStatus:       pulumi.String("DISABLED"),
			DisabledReason:      pulumi.String("We handle password policies within Okta"),
		}, pulumi.DependsOn([]pulumi.Resource{
			cisAwsFoundationsBenchmark,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.SecurityHub.Account("example");

    var cisAwsFoundationsBenchmark = new Aws.SecurityHub.StandardsSubscription("cis_aws_foundations_benchmark", new()
    {
        StandardsArn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            example,
        },
    });

    var ensureIamPasswordPolicyPreventsPasswordReuse = new Aws.SecurityHub.StandardsControl("ensure_iam_password_policy_prevents_password_reuse", new()
    {
        StandardsControlArn = "arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/1.10",
        ControlStatus = "DISABLED",
        DisabledReason = "We handle password policies within Okta",
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            cisAwsFoundationsBenchmark,
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.securityhub.Account;
import com.pulumi.aws.securityhub.StandardsSubscription;
import com.pulumi.aws.securityhub.StandardsSubscriptionArgs;
import com.pulumi.aws.securityhub.StandardsControl;
import com.pulumi.aws.securityhub.StandardsControlArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Account("example");

        var cisAwsFoundationsBenchmark = new StandardsSubscription("cisAwsFoundationsBenchmark", StandardsSubscriptionArgs.builder()
            .standardsArn("arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0")
            .build(), CustomResourceOptions.builder()
                .dependsOn(example)
                .build());

        var ensureIamPasswordPolicyPreventsPasswordReuse = new StandardsControl("ensureIamPasswordPolicyPreventsPasswordReuse", StandardsControlArgs.builder()
            .standardsControlArn("arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/1.10")
            .controlStatus("DISABLED")
            .disabledReason("We handle password policies within Okta")
            .build(), CustomResourceOptions.builder()
                .dependsOn(cisAwsFoundationsBenchmark)
                .build());

    }
}

resources:
  example:
    type: aws:securityhub:Account
  cisAwsFoundationsBenchmark:
    type: aws:securityhub:StandardsSubscription
    name: cis_aws_foundations_benchmark
    properties:
      standardsArn: arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0
    options:
      dependsOn:
        - ${example}
  ensureIamPasswordPolicyPreventsPasswordReuse:
    type: aws:securityhub:StandardsControl
    name: ensure_iam_password_policy_prevents_password_reuse
    properties:
      standardsControlArn: arn:aws:securityhub:us-east-1:111111111111:control/cis-aws-foundations-benchmark/v/1.2.0/1.10
      controlStatus: DISABLED
      disabledReason: We handle password policies within Okta
    options:
      dependsOn:
        - ${cisAwsFoundationsBenchmark}

Create StandardsControl Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new StandardsControl(name: string, args: StandardsControlArgs, opts?: CustomResourceOptions);

@overload
def StandardsControl(resource_name: str,
                     args: StandardsControlArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def StandardsControl(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     control_status: Optional[str] = None,
                     standards_control_arn: Optional[str] = None,
                     disabled_reason: Optional[str] = None)

func NewStandardsControl(ctx *Context, name string, args StandardsControlArgs, opts ...ResourceOption) (*StandardsControl, error)

public StandardsControl(string name, StandardsControlArgs args, CustomResourceOptions? opts = null)

public StandardsControl(String name, StandardsControlArgs args)
public StandardsControl(String name, StandardsControlArgs args, CustomResourceOptions options)

type: aws:securityhub:StandardsControl
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args StandardsControlArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args StandardsControlArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args StandardsControlArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args StandardsControlArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args StandardsControlArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var standardsControlResource = new Aws.SecurityHub.StandardsControl("standardsControlResource", new()
{
    ControlStatus = "string",
    StandardsControlArn = "string",
    DisabledReason = "string",
});

example, err := securityhub.NewStandardsControl(ctx, "standardsControlResource", &securityhub.StandardsControlArgs{
	ControlStatus:       pulumi.String("string"),
	StandardsControlArn: pulumi.String("string"),
	DisabledReason:      pulumi.String("string"),
})

var standardsControlResource = new StandardsControl("standardsControlResource", StandardsControlArgs.builder()
    .controlStatus("string")
    .standardsControlArn("string")
    .disabledReason("string")
    .build());

standards_control_resource = aws.securityhub.StandardsControl("standardsControlResource",
    control_status="string",
    standards_control_arn="string",
    disabled_reason="string")

const standardsControlResource = new aws.securityhub.StandardsControl("standardsControlResource", {
    controlStatus: "string",
    standardsControlArn: "string",
    disabledReason: "string",
});

type: aws:securityhub:StandardsControl
properties:
    controlStatus: string
    disabledReason: string
    standardsControlArn: string

StandardsControl Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The StandardsControl resource accepts the following input properties:

ControlStatus string: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
StandardsControlArn string: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
DisabledReason string: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.

ControlStatus string: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
StandardsControlArn string: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
DisabledReason string: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.

controlStatus String: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
standardsControlArn String: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
disabledReason String: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.

controlStatus string: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
standardsControlArn string: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
disabledReason string: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.

control_status str: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
standards_control_arn str: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
disabled_reason str: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.

controlStatus String: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
standardsControlArn String: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
disabledReason String: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.

Outputs

All input properties are implicitly available as output properties. Additionally, the StandardsControl resource produces the following output properties:

ControlId string: The identifier of the security standard control.
ControlStatusUpdatedAt string: The date and time that the status of the security standard control was most recently updated.
Description string: The standard control longer description. Provides information about what the control is checking for.
Id string: The provider-assigned unique ID for this managed resource.
RelatedRequirements List<string>: The list of requirements that are related to this control.
RemediationUrl string: A link to remediation information for the control in the Security Hub user documentation.
SeverityRating string: The severity of findings generated from this security standard control.
Title string: The standard control title.

ControlId string: The identifier of the security standard control.
ControlStatusUpdatedAt string: The date and time that the status of the security standard control was most recently updated.
Description string: The standard control longer description. Provides information about what the control is checking for.
Id string: The provider-assigned unique ID for this managed resource.
RelatedRequirements []string: The list of requirements that are related to this control.
RemediationUrl string: A link to remediation information for the control in the Security Hub user documentation.
SeverityRating string: The severity of findings generated from this security standard control.
Title string: The standard control title.

controlId String: The identifier of the security standard control.
controlStatusUpdatedAt String: The date and time that the status of the security standard control was most recently updated.
description String: The standard control longer description. Provides information about what the control is checking for.
id String: The provider-assigned unique ID for this managed resource.
relatedRequirements List<String>: The list of requirements that are related to this control.
remediationUrl String: A link to remediation information for the control in the Security Hub user documentation.
severityRating String: The severity of findings generated from this security standard control.
title String: The standard control title.

controlId string: The identifier of the security standard control.
controlStatusUpdatedAt string: The date and time that the status of the security standard control was most recently updated.
description string: The standard control longer description. Provides information about what the control is checking for.
id string: The provider-assigned unique ID for this managed resource.
relatedRequirements string[]: The list of requirements that are related to this control.
remediationUrl string: A link to remediation information for the control in the Security Hub user documentation.
severityRating string: The severity of findings generated from this security standard control.
title string: The standard control title.

control_id str: The identifier of the security standard control.
control_status_updated_at str: The date and time that the status of the security standard control was most recently updated.
description str: The standard control longer description. Provides information about what the control is checking for.
id str: The provider-assigned unique ID for this managed resource.
related_requirements Sequence[str]: The list of requirements that are related to this control.
remediation_url str: A link to remediation information for the control in the Security Hub user documentation.
severity_rating str: The severity of findings generated from this security standard control.
title str: The standard control title.

controlId String: The identifier of the security standard control.
controlStatusUpdatedAt String: The date and time that the status of the security standard control was most recently updated.
description String: The standard control longer description. Provides information about what the control is checking for.
id String: The provider-assigned unique ID for this managed resource.
relatedRequirements List<String>: The list of requirements that are related to this control.
remediationUrl String: A link to remediation information for the control in the Security Hub user documentation.
severityRating String: The severity of findings generated from this security standard control.
title String: The standard control title.

Look up Existing StandardsControl Resource

Get an existing StandardsControl resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: StandardsControlState, opts?: CustomResourceOptions): StandardsControl

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        control_id: Optional[str] = None,
        control_status: Optional[str] = None,
        control_status_updated_at: Optional[str] = None,
        description: Optional[str] = None,
        disabled_reason: Optional[str] = None,
        related_requirements: Optional[Sequence[str]] = None,
        remediation_url: Optional[str] = None,
        severity_rating: Optional[str] = None,
        standards_control_arn: Optional[str] = None,
        title: Optional[str] = None) -> StandardsControl

func GetStandardsControl(ctx *Context, name string, id IDInput, state *StandardsControlState, opts ...ResourceOption) (*StandardsControl, error)

public static StandardsControl Get(string name, Input<string> id, StandardsControlState? state, CustomResourceOptions? opts = null)

public static StandardsControl get(String name, Output<String> id, StandardsControlState state, CustomResourceOptions options)

resources:  _:    type: aws:securityhub:StandardsControl    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

ControlId string: The identifier of the security standard control.
ControlStatus string: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
ControlStatusUpdatedAt string: The date and time that the status of the security standard control was most recently updated.
Description string: The standard control longer description. Provides information about what the control is checking for.
DisabledReason string: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.
RelatedRequirements List<string>: The list of requirements that are related to this control.
RemediationUrl string: A link to remediation information for the control in the Security Hub user documentation.
SeverityRating string: The severity of findings generated from this security standard control.
StandardsControlArn string: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
Title string: The standard control title.

ControlId string: The identifier of the security standard control.
ControlStatus string: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
ControlStatusUpdatedAt string: The date and time that the status of the security standard control was most recently updated.
Description string: The standard control longer description. Provides information about what the control is checking for.
DisabledReason string: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.
RelatedRequirements []string: The list of requirements that are related to this control.
RemediationUrl string: A link to remediation information for the control in the Security Hub user documentation.
SeverityRating string: The severity of findings generated from this security standard control.
StandardsControlArn string: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
Title string: The standard control title.

controlId String: The identifier of the security standard control.
controlStatus String: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
controlStatusUpdatedAt String: The date and time that the status of the security standard control was most recently updated.
description String: The standard control longer description. Provides information about what the control is checking for.
disabledReason String: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.
relatedRequirements List<String>: The list of requirements that are related to this control.
remediationUrl String: A link to remediation information for the control in the Security Hub user documentation.
severityRating String: The severity of findings generated from this security standard control.
standardsControlArn String: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
title String: The standard control title.

controlId string: The identifier of the security standard control.
controlStatus string: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
controlStatusUpdatedAt string: The date and time that the status of the security standard control was most recently updated.
description string: The standard control longer description. Provides information about what the control is checking for.
disabledReason string: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.
relatedRequirements string[]: The list of requirements that are related to this control.
remediationUrl string: A link to remediation information for the control in the Security Hub user documentation.
severityRating string: The severity of findings generated from this security standard control.
standardsControlArn string: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
title string: The standard control title.

control_id str: The identifier of the security standard control.
control_status str: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
control_status_updated_at str: The date and time that the status of the security standard control was most recently updated.
description str: The standard control longer description. Provides information about what the control is checking for.
disabled_reason str: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.
related_requirements Sequence[str]: The list of requirements that are related to this control.
remediation_url str: A link to remediation information for the control in the Security Hub user documentation.
severity_rating str: The severity of findings generated from this security standard control.
standards_control_arn str: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
title str: The standard control title.

controlId String: The identifier of the security standard control.
controlStatus String: The control status could be ENABLED or DISABLED. You have to specify disabled_reason argument for DISABLED control status.
controlStatusUpdatedAt String: The date and time that the status of the security standard control was most recently updated.
description String: The standard control longer description. Provides information about what the control is checking for.
disabledReason String: A description of the reason why you are disabling a security standard control. If you specify this attribute, control_status will be set to DISABLED automatically.
relatedRequirements List<String>: The list of requirements that are related to this control.
remediationUrl String: A link to remediation information for the control in the Security Hub user documentation.
severityRating String: The severity of findings generated from this security standard control.
standardsControlArn String: The standards control ARN. See the AWS documentation for how to list existing controls using get-enabled-standards and describe-standards-controls.
title String: The standard control title.

Package Details

Repository: AWS Classic pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi

pulumi/pulumi-aws

aws.securityhub.StandardsControl

On this page

On this page

Example Usage

Create StandardsControl Resource

Constructor syntax

Parameters

Constructor example

StandardsControl Resource Properties

Inputs

Outputs

Look up Existing StandardsControl Resource

Package Details

On this page

On this page