Standard

The Standard resource lets you manage AWS SecurityHub Standards to enhance your security posture by enabling various compliance frameworks and security checks.

Minimal Example

Create a basic SecurityHub Standard with required properties.

import AWS from "alchemy/aws/control";

const securityHubStandard = await AWS.SecurityHub.Standard("mySecurityHubStandard", {
  StandardsArn: "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
  DisabledStandardsControls: [
    {
      StandardsControlArn: "arn:aws:securityhub:us-east-1::controls/aws-foundational-security-best-practices/iam.1",
      Disabled: true
    }
  ]
});

Advanced Configuration

Configure a SecurityHub Standard with additional options such as adopting an existing resource.

const advancedSecurityHubStandard = await AWS.SecurityHub.Standard("advancedSecurityHubStandard", {
  StandardsArn: "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
  DisabledStandardsControls: [
    {
      StandardsControlArn: "arn:aws:securityhub:us-east-1::controls/aws-foundational-security-best-practices/iam.2",
      Disabled: false
    }
  ],
  adopt: true // Adopt existing resource if it already exists
});

Example with Custom Disabled Controls

Create a SecurityHub Standard with specific controls that are disabled.

const customDisabledControlsStandard = await AWS.SecurityHub.Standard("customDisabledControlsStandard", {
  StandardsArn: "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
  DisabledStandardsControls: [
    {
      StandardsControlArn: "arn:aws:securityhub:us-east-1::controls/aws-foundational-security-best-practices/s3.1",
      Disabled: true
    },
    {
      StandardsControlArn: "arn:aws:securityhub:us-east-1::controls/aws-foundational-security-best-practices/ec2.1",
      Disabled: true
    }
  ]
});