The AWS::SecurityHub::AutomationRule resource specifies an automation rule based on input parameters. For more information, see
Automation rules in the AWS Security Hub User Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
"Type" : "AWS::SecurityHub::AutomationRule",
"Properties" : {
"Actions" : [ AutomationRulesAction, ... ],
"Criteria" : AutomationRulesFindingFilters,
"Description" : String,
"IsTerminal" : Boolean,
"RuleName" : String,
"RuleOrder" : Integer,
"RuleStatus" : String,
"Tags" : {Key: Value, ...}
}
}
YAML
Type: AWS::SecurityHub::AutomationRule
Properties:
Actions:
- AutomationRulesAction
Criteria:
AutomationRulesFindingFilters
Description: String
IsTerminal: Boolean
RuleName: String
RuleOrder: Integer
RuleStatus: String
Tags:
Key: Value
Properties
Actions-
One or more actions to update finding fields if a finding matches the conditions specified in
Criteria.Required: Yes
Type: Array of AutomationRulesAction
Minimum:
1Maximum:
1Update requires: No interruption
Criteria-
A set of AWS Security Finding Format (ASFF) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub applies the rule action to the finding.
Required: Yes
Type: AutomationRulesFindingFilters
Update requires: No interruption
Description-
A description of the rule.
Required: Yes
Type: String
Minimum:
1Maximum:
1024Update requires: No interruption
IsTerminal-
Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
Required: No
Type: Boolean
Update requires: No interruption
RuleName-
The name of the rule.
Required: Yes
Type: String
Minimum:
1Maximum:
256Update requires: No interruption
RuleOrder-
An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.
Required: Yes
Type: Integer
Minimum:
1Maximum:
1000Update requires: No interruption
RuleStatus-
Whether the rule is active after it is created. If this parameter is equal to
ENABLED, Security Hub applies the rule to findings and finding updates after the rule is created.Required: No
Type: String
Allowed values:
ENABLED | DISABLEDUpdate requires: No interruption
-
User-defined tags associated with an automation rule.
Required: No
Type: Object of String
Pattern:
^[a-zA-Z0-9]{1,128}$Minimum:
0Maximum:
256Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returnsRuleArn. For example, arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
CreatedAt-
A timestamp that indicates when the rule was created.
Uses the
date-timeformat specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z. CreatedBy-
The principal that created the rule. For example,
arn:aws:sts::123456789012:assumed-role/Developer-Role/JaneDoe. RuleArn-
The Amazon Resource Name (ARN) of the automation rule that you create. For example,
arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. UpdatedAt-
A timestamp that indicates when the rule was most recently updated.
Uses the
date-timeformat specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z.
Examples
The following examples demonstrate how to declare an AWS::SecurityHub::AutomationRule resource.
Creating an automation rule
This example creates a Security Hub automation rule. This example contains all available
fields for Actions and Criteria for demonstration purposes.
JSON
{
"Description": "Example template to create a Security Hub automation rule",
"Resources": {
"RuleWithCriteriaActionsTags": {
"Type": "AWS::SecurityHub::AutomationRule",
"Properties": {
"RuleName": "Example rule name",
"RuleOrder": 5,
"Description": "Example rule description.",
"IsTerminal": false,
"RuleStatus": "ENABLED",
"Criteria": {
"ProductName": [
{
"Comparison": "EQUALS",
"Value": "GuardDuty"
},
{
"Comparison": "PREFIX",
"Value": "SecurityHub"
}
],
"CompanyName": [
{
"Comparison": "EQUALS",
"Value": "AWS"
},
{
"Comparison": "PREFIX",
"Value": "Private"
}
],
"ProductArn": [
{
"Comparison": "EQUALS",
"Value": "arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default"
},
{
"Comparison": "PREFIX",
"Value": "arn:aws:securityhub:us-west-2:123456789012:product/aws"
}
],
"AwsAccountId": [
{
"Comparison": "EQUALS",
"Value": 123456789012
}
],
"Id": [
{
"Comparison": "EQUALS",
"Value": "example-finding-id"
}
],
"GeneratorId": [
{
"Comparison": "EQUALS",
"Value": "example-generator-id"
}
],
"Type": [
{
"Comparison": "EQUALS",
"Value": "type-1"
},
{
"Comparison": "EQUALS",
"Value": "type-2"
}
],
"Description": [
{
"Comparison": "EQUALS",
"Value": "description1"
},
{
"Comparison": "EQUALS",
"Value": "description2"
}
],
"SourceUrl": [
{
"Comparison": "PREFIX",
"Value": "https"
},
{
"Comparison": "PREFIX",
"Value": "ftp"
}
],
"Title": [
{
"Comparison": "EQUALS",
"Value": "title-1"
},
{
"Comparison": "PREFIX",
"Value": "title-2"
}
],
"SeverityLabel": [
{
"Comparison": "EQUALS",
"Value": "LOW"
},
{
"Comparison": "EQUALS",
"Value": "HIGH"
}
],
"ResourceType": [
{
"Comparison": "EQUALS",
"Value": "AwsEc2Instance"
}
],
"ResourcePartition": [
{
"Comparison": "EQUALS",
"Value": "aws"
}
],
"ResourceId": [
{
"Comparison": "PREFIX",
"Value": "i-1234567890"
}
],
"ResourceRegion": [
{
"Comparison": "PREFIX",
"Value": "us-west"
}
],
"ComplianceStatus": [
{
"Comparison": "EQUALS",
"Value": "FAILED"
}
],
"ComplianceSecurityControlId": [
{
"Comparison": "EQUALS",
"Value": "EC2.3"
}
],
"ComplianceAssociatedStandardsId": [
{
"Comparison": "EQUALS",
"Value": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}
],
"VerificationState": [
{
"Comparison": "EQUALS",
"Value": "BENIGN_POSITIVE"
}
],
"RecordState": [
{
"Comparison": "EQUALS",
"Value": "ACTIVE"
}
],
"RelatedFindingsProductArn": [
{
"Comparison": "EQUALS",
"Value": "arn:aws:securityhub:eu-central-1::product/aws/securityhub"
}
],
"RelatedFindingsId": [
{
"Comparison": "EQUALS",
"Value": "example-finding-id-2"
}
],
"NoteText": [
{
"Comparison": "EQUALS",
"Value": "example-note-text"
}
],
"NoteUpdatedAt": [
{
"DateRange": {
"Unit": "DAYS",
"Value": 5
}
}
],
"NoteUpdatedBy": [
{
"Comparison": "PREFIX",
"Value": "sechub"
}
],
"WorkflowStatus": [
{
"Comparison": "EQUALS",
"Value": "NEW"
}
],
"FirstObservedAt": [
{
"DateRange": {
"Unit": "DAYS",
"Value": 5
}
}
],
"LastObservedAt": [
{
"DateRange": {
"Unit": "DAYS",
"Value": 5
}
}
],
"CreatedAt": [
{
"DateRange": {
"Unit": "DAYS",
"Value": 5
}
}
],
"UpdatedAt": [
{
"Start": "2023-04-25T17:05:54.832Z",
"End": "2023-05-25T17:05:54.832Z"
}
],
"ResourceTags": [
{
"Comparison": "NOT_EQUALS",
"Key": "department",
"Value": "security"
},
{
"Comparison": "NOT_EQUALS",
"Key": "department",
"Value": "operations"
}
],
"UserDefinedFields": [
{
"Comparison": "EQUALS",
"Key": "key1",
"Value": "security"
},
{
"Comparison": "EQUALS",
"Key": "key2",
"Value": "operations"
}
],
"ResourceDetailsOther": [
{
"Comparison": "NOT_EQUALS",
"Key": "area",
"Value": "na"
},
{
"Comparison": "NOT_EQUALS",
"Key": "department",
"Value": "sales"
}
],
"Confidence": [
{
"Gte": 50,
"Lte": 95
}
],
"Criticality": [
{
"Gte": 50,
"Lte": 95
}
]
},
"Actions": [
{
"Type": "FINDING_FIELDS_UPDATE",
"FindingFieldsUpdate": {
"Severity": {
"Product": 50,
"Label": "MEDIUM",
"Normalized": 60
},
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices",
"Industry Compliance"
],
"Confidence": 98,
"Criticality": 95,
"UserDefinedFields": {
"key1": "value1",
"key2": "value2"
},
"RelatedFindings": [
{
"ProductArn": "arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default",
"Id": "sample-finding-id-1"
},
{
"ProductArn": "arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default",
"Id": "sample-finding-id-2"
}
],
"Note": {
"Text": "sample-note-text",
"UpdatedBy": "sechub"
},
"VerificationState": "TRUE_POSITIVE",
"Workflow": {
"Status": "NOTIFIED"
}
}
}
],
"Tags": {
"sampleTag": "sampleValue",
"organizationUnit": "pnw"
}
}
}
}
}YAML
Description: Example template to create a Security Hub automation rule
Resources:
RuleWithCriteriaActionsTags:
Type: "AWS::SecurityHub::AutomationRule"
Properties:
RuleName: "Example rule name"
RuleOrder: 5
Description: "Example rule description."
IsTerminal: false
RuleStatus: "ENABLED"
Criteria:
ProductName:
- Comparison: EQUALS
Value: GuardDuty
- Comparison: PREFIX
Value: SecurityHub
CompanyName:
- Comparison: EQUALS
Value: AWS
- Comparison: PREFIX
Value: Private
ProductArn:
- Comparison: EQUALS
Value: arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default
- Comparison: PREFIX
Value: arn:aws:securityhub:us-west-2:123456789012:product/aws
AwsAccountId:
- Comparison: EQUALS
Value: 123456789012
Id:
- Comparison: EQUALS
Value: example-finding-id
GeneratorId:
- Comparison: EQUALS
Value: example-generator-id
Type:
- Comparison: EQUALS
Value: type-1
- Comparison: EQUALS
Value: type-2
Description:
- Comparison: EQUALS
Value: description1
- Comparison: EQUALS
Value: description2
SourceUrl:
- Comparison: PREFIX
Value: https
- Comparison: PREFIX
Value: ftp
Title:
- Comparison: EQUALS
Value: title-1
- Comparison: PREFIX
Value: title-2
SeverityLabel:
- Comparison: EQUALS
Value: LOW
- Comparison: EQUALS
Value: HIGH
ResourceType:
- Comparison: EQUALS
Value: AwsEc2Instance
ResourcePartition:
- Comparison: EQUALS
Value: aws
ResourceId:
- Comparison: PREFIX
Value: i-1234567890
ResourceRegion:
- Comparison: PREFIX
Value: us-west
ComplianceStatus:
- Comparison: EQUALS
Value: FAILED
ComplianceSecurityControlId:
- Comparison: EQUALS
Value: EC2.3
ComplianceAssociatedStandardsId:
- Comparison: EQUALS
Value: ruleset/cis-aws-foundations-benchmark/v/1.2.0
VerificationState:
- Comparison: EQUALS
Value: BENIGN_POSITIVE
RecordState:
- Comparison: EQUALS
Value: ACTIVE
RelatedFindingsProductArn:
- Comparison: EQUALS
Value: arn:aws:securityhub:eu-central-1::product/aws/securityhub
RelatedFindingsId:
- Comparison: EQUALS
Value: example-finding-id-2
NoteText:
- Comparison: EQUALS
Value: example-note-text
NoteUpdatedAt:
- DateRange:
Unit: DAYS
Value: 5
NoteUpdatedBy:
- Comparison: PREFIX
Value: sechub
WorkflowStatus:
- Comparison: EQUALS
Value: NEW
FirstObservedAt:
- DateRange:
Unit: DAYS
Value: 5
LastObservedAt:
- DateRange:
Unit: DAYS
Value: 5
CreatedAt:
- DateRange:
Unit: DAYS
Value: 5
UpdatedAt:
- Start: "2023-04-25T17:05:54.832Z"
End: "2023-05-25T17:05:54.832Z"
ResourceTags:
- Comparison: NOT_EQUALS
Key: department
Value: security
- Comparison: NOT_EQUALS
Key: department
Value: operations
UserDefinedFields:
- Comparison: EQUALS
Key: key1
Value: security
- Comparison: EQUALS
Key: key2
Value: operations
ResourceDetailsOther:
- Comparison: NOT_EQUALS
Key: area
Value: na
- Comparison: NOT_EQUALS
Key: department
Value: sales
Confidence:
- Gte: 50
Lte: 95
Criticality:
- Gte: 50
Lte: 95
Actions:
- Type: FINDING_FIELDS_UPDATE
FindingFieldsUpdate:
Severity:
Product: 50
Label: MEDIUM
Normalized: 60
Types:
- Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices
- Industry Compliance
Confidence: 98
Criticality: 95
UserDefinedFields:
key1: value1
key2: value2
RelatedFindings:
- ProductArn: arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default
Id: sample-finding-id-1
- ProductArn: arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default
Id: sample-finding-id-2
Note:
Text: sample-note-text
UpdatedBy: sechub
VerificationState: TRUE_POSITIVE
Workflow:
Status: NOTIFIED
Tags:
sampleTag: sampleValue
organizationUnit: pnw