SecurityConfig / CentralSecurityServicesConfig / SecurityHubConfig

https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html | AWS Security Hub configuration

Description

Use this configuration to enable AWS Security Hub across an AWS Organization, together with its standards, notification and logging settings.

Example

securityHub:
  enable: true
  regionAggregation: true
  excludeRegions: []
  standards:
    - name: AWS Foundational Security Best Practices v1.0.0
      deploymentTargets:
        organizationalUnits:
          - Root
      enable: true
      controlsToDisable:
        # Refer to the document for the controls
        # https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html
        - Control1
        - Control2
  logging:
    cloudWatch:
      enable: true
      logLevel: MEDIUM

Hierarchy

  • SecurityHubConfig

Properties

autoEnableOrgMembers: undefined | boolean = undefined

(OPTIONAL) Automatically enables Security Hub in every member account, including accounts that join the organization later.

Set this to false when you use deploymentTargets to enable Security Hub only in the targeted accounts. If it is left undefined (the default is true) or set to true, every new account that joins the organization is enrolled in Security Hub regardless of deploymentTargets.

Default

true

deploymentTargets: undefined | DeploymentTargets = undefined

(OPTIONAL) Deployment targets for SecurityHub

Enabling Security Hub in every account and every enabled region of the organization is strongly recommended; use deploymentTargets only where more granular control is genuinely required, not as the default configuration. Specify only one of deploymentTargets or excludeRegions, not both.

Note: The delegated admin account defined in centralSecurityServices will always have SecurityHub enabled.

See

DeploymentTargets

enable: false = false

Indicates whether AWS Security Hub is enabled. AWS Config must be enabled before Security Hub can be enabled.

excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-south-2" | "ap-southeast-1" | "ap-southeast-2" | "ap-southeast-3" | "ap-northeast-1" | "ap-northeast-2" | "ap-northeast-3" | "ca-central-1" | "eu-central-1" | "eu-central-2" | "eu-west-1" | "eu-west-2" | "eu-west-3" | "eu-north-1" | "eu-south-1" | "eu-south-2" | "me-central-1" | "me-south-1" | "sa-east-1" | "us-east-1" | "us-east-2" | "us-west-1" | "us-west-2" | "cn-north-1" | "cn-northwest-1" | "us-gov-west-1" | "us-gov-east-1" | "us-iso-east-1" | "us-iso-west-1" | "us-isob-east-1" | "ap-southeast-4" | "il-central-1" | "ca-west-1")[] = []

(OPTIONAL) List of AWS Region names to be excluded from configuring Security Hub

logging: undefined | SecurityHubLoggingConfig = undefined

(OPTIONAL) Security Hub findings are forwarded to CloudWatch Logs by default; this option enables or disables that logging.

Remarks

If this option is omitted, logging is enabled. To stop logging, set logging.cloudWatch.enable to false. Note that turning logging off does not delete the existing log group: the /${acceleratorPrefix}-SecurityHub log group remains in every enabled region of each account and must be deleted manually. This is deliberate, so that findings data is not lost by accident.

notificationLevel: undefined = undefined

(OPTIONAL) Security Hub notification level

Remarks

Accepted values are CRITICAL, HIGH, MEDIUM, LOW and INFORMATIONAL.

Notifications are sent for findings at the given level and above. For example, notificationLevel: HIGH sends notifications for HIGH and CRITICAL findings.

regionAggregation: false = false

(OPTIONAL) Indicates whether Security Hub findings from all enabled regions are aggregated into the Home Region (cross-Region finding aggregation).

snsTopicName: undefined = undefined

(OPTIONAL) SNS Topic for Security Hub notifications.

Remarks

Note: The topic must be defined in the global configuration; Security Hub does not create it.

standards: SecurityHubStandardConfig[] = []

Security Hub standards configuration
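The remarks on deploymentTargets, autoEnableOrgMembers, excludeRegions, notificationLevel and snsTopicName above describe constraints that the schema itself does not enforce, and the notification level rule ("that level and above") is easy to get wrong in a downstream alerting pipeline. The following TypeScript is an added example, not code from the Landing Zone Accelerator project: it checks a parsed securityHub block against those rules before deployment and computes which severities a given notificationLevel covers. The config interfaces follow the properties on this page; the LintContext type (whether AWS Config is enabled and which SNS topics the global config declares), the finding codes, the accounts field on DeploymentTargets and both sample configurations are assumptions constructed for the example.

```typescript
// Added example, not part of the Landing Zone Accelerator code base: a lint pass
// over the securityHub block of an LZA security-config file. The config interfaces
// follow the properties documented on this page; LintContext, the finding codes and
// the sample configs are assumptions made for this example.
const NOTIFICATION_LEVELS = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"] as const;
type NotificationLevel = (typeof NOTIFICATION_LEVELS)[number];

// Region names accepted by excludeRegions, as listed on this page.
const KNOWN_REGIONS: ReadonlySet<string> = new Set([
  "af-south-1", "ap-east-1", "ap-south-1", "ap-south-2", "ap-southeast-1", "ap-southeast-2",
  "ap-southeast-3", "ap-southeast-4", "ap-northeast-1", "ap-northeast-2", "ap-northeast-3",
  "ca-central-1", "ca-west-1", "eu-central-1", "eu-central-2", "eu-west-1", "eu-west-2",
  "eu-west-3", "eu-north-1", "eu-south-1", "eu-south-2", "il-central-1", "me-central-1",
  "me-south-1", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2", "cn-north-1",
  "cn-northwest-1", "us-gov-west-1", "us-gov-east-1", "us-iso-east-1", "us-iso-west-1",
  "us-isob-east-1",
]);

// Only organizationalUnits appears in the page's example; accounts is assumed.
interface DeploymentTargets { organizationalUnits?: string[]; accounts?: string[] }
interface SecurityHubStandardConfig {
  name: string; enable: boolean; controlsToDisable?: string[]; deploymentTargets?: DeploymentTargets;
}
interface SecurityHubConfig {
  enable: boolean; regionAggregation?: boolean; excludeRegions?: string[];
  autoEnableOrgMembers?: boolean; deploymentTargets?: DeploymentTargets;
  standards?: SecurityHubStandardConfig[];
  logging?: { cloudWatch?: { enable?: boolean; logLevel?: string } };
  notificationLevel?: string; // string, not a union: YAML input is untyped, so validate at runtime
  snsTopicName?: string;
}
// Facts the checks need from outside the securityHub block (assumed shape).
interface LintContext { awsConfigEnabled: boolean; globalSnsTopicNames: string[] }
interface Finding { level: "error" | "warning"; code: string; message: string }

// Severities that trigger a notification for a notificationLevel: that level and above.
function severitiesNotified(level: string): NotificationLevel[] {
  const idx = (NOTIFICATION_LEVELS as readonly string[]).indexOf(level);
  if (idx < 0) throw new Error(`unknown notification level: ${level}`);
  return NOTIFICATION_LEVELS.slice(idx);
}

function lintSecurityHub(cfg: SecurityHubConfig, ctx: LintContext): Finding[] {
  const out: Finding[] = [];
  const err = (code: string, message: string) => { out.push({ level: "error", code, message }); };
  const warn = (code: string, message: string) => { out.push({ level: "warning", code, message }); };

  if (!cfg.enable) return out; // nothing below is deployed when the hub is off
  if (!ctx.awsConfigEnabled) err("NO_AWS_CONFIG", "Security Hub requires AWS Config to be enabled");

  const excluded = cfg.excludeRegions ?? [];
  for (const r of excluded) {
    if (!KNOWN_REGIONS.has(r)) err("BAD_REGION", `excludeRegions contains unknown region ${r}`);
  }
  if (cfg.deploymentTargets && excluded.length > 0) {
    err("TARGETS_AND_EXCLUDE", "specify only one of deploymentTargets or excludeRegions");
  }
  if (cfg.deploymentTargets && cfg.autoEnableOrgMembers !== false) {
    warn("AUTO_ENABLE_WITH_TARGETS", "autoEnableOrgMembers defaults to true, so accounts joining the "
      + "organization get Security Hub regardless of deploymentTargets; set it to false");
  }
  if (cfg.notificationLevel !== undefined
      && !(NOTIFICATION_LEVELS as readonly string[]).includes(cfg.notificationLevel)) {
    err("BAD_LEVEL", `notificationLevel must be one of ${NOTIFICATION_LEVELS.join(", ")}`);
  }
  if (cfg.snsTopicName !== undefined && !ctx.globalSnsTopicNames.includes(cfg.snsTopicName)) {
    err("UNKNOWN_TOPIC", `snsTopicName ${cfg.snsTopicName} is not declared in the global config`);
  }
  return out;
}

// Constructed sample 1: the example from this page.
const PAGE_EXAMPLE: SecurityHubConfig = {
  enable: true, regionAggregation: true, excludeRegions: [],
  standards: [{ name: "AWS Foundational Security Best Practices v1.0.0", enable: true,
    deploymentTargets: { organizationalUnits: ["Root"] }, controlsToDisable: ["Control1", "Control2"] }],
  logging: { cloudWatch: { enable: true, logLevel: "MEDIUM" } },
};
// Constructed sample 2: a block that breaks every rule stated on the page.
const CONFLICTING: SecurityHubConfig = {
  enable: true,
  excludeRegions: ["us-west-1", "eu-west-9"],
  deploymentTargets: { organizationalUnits: ["Security"] },
  notificationLevel: "Severe",
  snsTopicName: "security-alerts",
};

function demo(): Record<string, string[]> {
  const ctx: LintContext = { awsConfigEnabled: true, globalSnsTopicNames: ["lza-security"] };
  return {
    pageExample: lintSecurityHub(PAGE_EXAMPLE, ctx).map((f) => f.code),
    conflicting: lintSecurityHub(CONFLICTING, ctx).map((f) => f.code),
  };
}
console.log(demo());
```

Run it against the parsed YAML before the accelerator pipeline does, and treat any error-level finding as a hard stop; the AUTO_ENABLE_WITH_TARGETS warning is the one most often ignored, and it silently widens coverage beyond the intended targets every time an account joins the organization.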

Generated using TypeDoc