SecurityConfig / CentralSecurityServicesConfig / SecurityHubConfig

AWS Security Hub configuration (https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html). Use this configuration to enable Amazon Security Hub for an AWS Organization along with its auditing configuration.

Example

securityHub:
  enable: true
  regionAggregation: true
  excludeRegions: []
  standards:
    - name: AWS Foundational Security Best Practices v1.0.0
      deploymentTargets:
        organizationalUnits:
          - Root
      enable: true
      controlsToDisable:
        # Refer to the document for the controls
        # https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html
        - Control1
        - Control2
  logging:
    cloudWatch:
      enable: true

Hierarchy

  • SecurityHubConfig

Properties

enable: false = false

Indicates whether AWS Security Hub is enabled.

excludeRegions: string[] = []

(OPTIONAL) List of AWS Region names to be excluded from configuring Security Hub.

logging: undefined | SecurityHubLoggingConfig = undefined

(OPTIONAL) Security Hub logs are sent to CloudWatch logs by default. This option can enable or disable the logging.

Remarks

By default, if nothing is given, true is taken. To stop logging, set this parameter to false. Note that this option can be toggled, but the log group with /${acceleratorPrefix}-SecurityHub will remain in the account for every enabled region and will need to be deleted manually. This is designed to ensure no accidental loss of data occurs.

notificationLevel: undefined = undefined

(OPTIONAL) Security Hub notification level

Remarks

Note: Values accepted are CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL

Notifications will be sent for events at the level provided and above. For example, if you specify the HIGH level, notifications will be sent for HIGH and CRITICAL.

regionAggregation: false = false

(OPTIONAL) Indicates whether Security Hub results are aggregated in the Home Region.

snsTopicName: undefined = undefined

(OPTIONAL) SNS Topic for Security Hub notifications.

Remarks

Note: Topic must exist in the global config

standards: SecurityHubStandardConfig[] = []

Security Hub standards configuration
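The following pre-deployment check is an added example, not code from the accelerator project. It applies the rules stated in the remarks above: accepted notificationLevel values, the "level and above" threshold, the requirement that snsTopicName exists in the global config, and the log group left behind when logging is disabled. The type name, function names, topic names and sample values are assumptions made for illustration.

```typescript
// Added example: field names mirror the properties documented on this page;
// the type and function names are hypothetical.
type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFORMATIONAL";
// Ordered from least to most severe.
const SEVERITY_ORDER: Severity[] = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"];

interface SecurityHubSettings {
  enable: boolean;
  notificationLevel?: string;
  snsTopicName?: string;
  logging?: { cloudWatch?: { enable: boolean } };
  standards?: { name: string; enable: boolean; controlsToDisable?: string[] }[];
}

// Severities that produce a notification: the configured level and everything above it.
function notifiedSeverities(level: string): Severity[] {
  const idx = SEVERITY_ORDER.indexOf(level as Severity);
  if (idx < 0) throw new Error(`notificationLevel '${level}' is not an accepted value`);
  return SEVERITY_ORDER.slice(idx).reverse();
}

// globalTopics stands in for the SNS topic names declared in the global config.
// Returns one finding per setting a reviewer should look at before deployment.
function lintSecurityHub(cfg: SecurityHubSettings, globalTopics: string[]): string[] {
  const findings: string[] = [];
  const level = cfg.notificationLevel;
  if (level !== undefined && SEVERITY_ORDER.indexOf(level as Severity) < 0) {
    findings.push(`notificationLevel '${level}' is not an accepted value`);
  }
  if (cfg.snsTopicName !== undefined && globalTopics.indexOf(cfg.snsTopicName) < 0) {
    findings.push(`snsTopicName '${cfg.snsTopicName}' is not defined in the global config`);
  }
  if (cfg.logging?.cloudWatch?.enable === false) {
    findings.push("CloudWatch logging disabled; existing log groups remain until deleted manually");
  }
  for (const std of cfg.standards ?? []) {
    if (std.enable && std.controlsToDisable?.length) {
      findings.push(`${std.name}: controls disabled: ${std.controlsToDisable.join(", ")}`);
    }
  }
  return findings;
}

// Constructed sample input with four reviewable settings.
const sampleConfig: SecurityHubSettings = {
  enable: true, notificationLevel: "SEVERE", snsTopicName: "SecurityAlerts",
  logging: { cloudWatch: { enable: false } },
  standards: [{ name: "AWS Foundational Security Best Practices v1.0.0", enable: true,
    controlsToDisable: ["Control1", "Control2"] }],
};
```

Listing the disabled controls as findings gives reviewers a single place to confirm that each suppression in controlsToDisable is intentional.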
