The aws:securityhub/configurationPolicy:ConfigurationPolicy resource, part of the Pulumi AWS provider, defines Security Hub configuration policies that control service enablement, security standards, and control settings across AWS Organizations. This guide focuses on three capabilities: enabling Security Hub with default standards, disabling the service for specific accounts, and customizing control parameters.
Configuration policies require the Security Hub OrganizationConfiguration to use the CENTRAL configuration type, plus a FindingAggregator for cross-region findings. The examples are intentionally small; combine them with policy attachments to organizational units or accounts to apply the configurations.
Enable Security Hub with default standards
Organizations adopting Security Hub centrally often start by enabling the service with AWS-recommended security standards.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Cross-region finding aggregation; the central organization configuration
// below is created only after it exists (the guide lists a FindingAggregator
// as a prerequisite).
const example = new aws.securityhub.FindingAggregator("example", {
    linkingMode: "ALL_REGIONS",
});

// Switch the organization to CENTRAL configuration with auto-enable off —
// presumably so that enablement is decided by the policy below rather than by
// per-account defaults (confirm against the Security Hub documentation).
const exampleOrganizationConfiguration = new aws.securityhub.OrganizationConfiguration(
    "example",
    {
        autoEnable: false,
        autoEnableStandards: "NONE",
        organizationConfiguration: { configurationType: "CENTRAL" },
    },
    { dependsOn: [example] },
);

// Standards the policy enables. The FSBP ARN is region-qualified (us-east-1);
// the CIS ruleset ARN carries no region.
const enabledStandards = [
    "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
    "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
];

// Enable the service with both standards; an empty disabledControlIdentifiers
// list leaves every control in those standards active.
const exampleConfigurationPolicy = new aws.securityhub.ConfigurationPolicy(
    "example",
    {
        name: "Example",
        description: "This is an example configuration policy",
        configurationPolicy: {
            serviceEnabled: true,
            enabledStandardArns: enabledStandards,
            securityControlsConfiguration: { disabledControlIdentifiers: [] },
        },
    },
    { dependsOn: [exampleOrganizationConfiguration] },
);
import pulumi
import pulumi_aws as aws
# Cross-region finding aggregation; the central organization configuration
# below is created only after it exists.
example = aws.securityhub.FindingAggregator("example", linking_mode="ALL_REGIONS")

# CENTRAL configuration with auto-enable off — presumably so enablement is
# decided by the policy below rather than by per-account defaults (confirm
# against the Security Hub documentation).
example_organization_configuration = aws.securityhub.OrganizationConfiguration(
    "example",
    auto_enable=False,
    auto_enable_standards="NONE",
    organization_configuration={"configuration_type": "CENTRAL"},
    opts=pulumi.ResourceOptions(depends_on=[example]),
)

# Standards the policy enables. The FSBP ARN is pinned to us-east-1; the CIS
# ruleset ARN carries no region.
_enabled_standard_arns = [
    "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
    "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
]

# Enable the service with both standards; an empty disabled list leaves every
# control in those standards running.
example_configuration_policy = aws.securityhub.ConfigurationPolicy(
    "example",
    name="Example",
    description="This is an example configuration policy",
    configuration_policy={
        "service_enabled": True,
        "enabled_standard_arns": _enabled_standard_arns,
        "security_controls_configuration": {"disabled_control_identifiers": []},
    },
    opts=pulumi.ResourceOptions(depends_on=[example_organization_configuration]),
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/securityhub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Cross-region finding aggregation; the central organization
		// configuration below is created only after it exists.
		aggregator, err := securityhub.NewFindingAggregator(ctx, "example", &securityhub.FindingAggregatorArgs{
			LinkingMode: pulumi.String("ALL_REGIONS"),
		})
		if err != nil {
			return err
		}

		// Switch the organization to CENTRAL configuration with auto-enable
		// off — presumably so enablement is decided by the policy below rather
		// than by per-account defaults (confirm against the Security Hub docs).
		orgConfig, err := securityhub.NewOrganizationConfiguration(ctx, "example", &securityhub.OrganizationConfigurationArgs{
			AutoEnable:          pulumi.Bool(false),
			AutoEnableStandards: pulumi.String("NONE"),
			OrganizationConfiguration: &securityhub.OrganizationConfigurationOrganizationConfigurationArgs{
				ConfigurationType: pulumi.String("CENTRAL"),
			},
		}, pulumi.DependsOn([]pulumi.Resource{aggregator}))
		if err != nil {
			return err
		}

		// Standards the policy enables. The FSBP ARN is region-qualified
		// (us-east-1); the CIS ruleset ARN carries no region.
		standards := pulumi.StringArray{
			pulumi.String("arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"),
			pulumi.String("arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"),
		}

		// Enable the service with both standards; an empty
		// DisabledControlIdentifiers leaves every control in them active.
		_, err = securityhub.NewConfigurationPolicy(ctx, "example", &securityhub.ConfigurationPolicyArgs{
			Name:        pulumi.String("Example"),
			Description: pulumi.String("This is an example configuration policy"),
			ConfigurationPolicy: &securityhub.ConfigurationPolicyConfigurationPolicyArgs{
				ServiceEnabled:      pulumi.Bool(true),
				EnabledStandardArns: standards,
				SecurityControlsConfiguration: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs{
					DisabledControlIdentifiers: pulumi.StringArray{},
				},
			},
		}, pulumi.DependsOn([]pulumi.Resource{orgConfig}))
		// err is nil on success, so this is the same as the explicit nil return.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Cross-region finding aggregation; the central organization configuration
    // below is created only after it exists.
    var aggregator = new Aws.SecurityHub.FindingAggregator("example", new()
    {
        LinkingMode = "ALL_REGIONS",
    });

    // Switch the organization to CENTRAL configuration with auto-enable off —
    // presumably so enablement is decided by the policy below rather than by
    // per-account defaults (confirm against the Security Hub documentation).
    var orgConfig = new Aws.SecurityHub.OrganizationConfiguration("example", new()
    {
        AutoEnable = false,
        AutoEnableStandards = "NONE",
        OrganizationConfigurationDetails = new Aws.SecurityHub.Inputs.OrganizationConfigurationOrganizationConfigurationArgs
        {
            ConfigurationType = "CENTRAL",
        },
    }, new CustomResourceOptions { DependsOn = { aggregator } });

    // Standards the policy enables. The FSBP ARN is pinned to us-east-1; the
    // CIS ruleset ARN carries no region.
    var standards = new[]
    {
        "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
    };

    // Enable the service with both standards; an empty DisabledControlIdentifiers
    // leaves every control in them active.
    var policy = new Aws.SecurityHub.ConfigurationPolicy("example", new()
    {
        Name = "Example",
        Description = "This is an example configuration policy",
        ConfigurationPolicyDetails = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicyArgs
        {
            ServiceEnabled = true,
            EnabledStandardArns = standards,
            SecurityControlsConfiguration = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs
            {
                DisabledControlIdentifiers = new() { },
            },
        },
    }, new CustomResourceOptions { DependsOn = { orgConfig } });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.securityhub.FindingAggregator;
import com.pulumi.aws.securityhub.FindingAggregatorArgs;
import com.pulumi.aws.securityhub.OrganizationConfiguration;
import com.pulumi.aws.securityhub.OrganizationConfigurationArgs;
import com.pulumi.aws.securityhub.inputs.OrganizationConfigurationOrganizationConfigurationArgs;
import com.pulumi.aws.securityhub.ConfigurationPolicy;
import com.pulumi.aws.securityhub.ConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the aggregator, the CENTRAL organization configuration and one enabling policy. */
    public static void stack(Context ctx) {
        // Cross-region finding aggregation; the organization configuration
        // below is created only after it exists.
        var aggregator = new FindingAggregator("example", FindingAggregatorArgs.builder()
            .linkingMode("ALL_REGIONS")
            .build());

        // CENTRAL configuration with auto-enable off — presumably so enablement
        // is decided by the policy below rather than by per-account defaults
        // (confirm against the Security Hub documentation). The other language
        // examples on this page give this resource the logical name "example".
        var orgConfigArgs = OrganizationConfigurationArgs.builder()
            .autoEnable(false)
            .autoEnableStandards("NONE")
            .organizationConfiguration(OrganizationConfigurationOrganizationConfigurationArgs.builder()
                .configurationType("CENTRAL")
                .build())
            .build();
        var orgConfig = new OrganizationConfiguration("exampleOrganizationConfiguration", orgConfigArgs,
            CustomResourceOptions.builder().dependsOn(aggregator).build());

        // Standards the policy enables. The FSBP ARN is pinned to us-east-1;
        // the CIS ruleset ARN carries no region.
        String[] standards = {
            "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        };

        // Enable the service with both standards; an empty disabled list
        // leaves every control in them active.
        var controls = ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs.builder()
            .disabledControlIdentifiers()
            .build();
        var policyArgs = ConfigurationPolicyArgs.builder()
            .name("Example")
            .description("This is an example configuration policy")
            .configurationPolicy(ConfigurationPolicyConfigurationPolicyArgs.builder()
                .serviceEnabled(true)
                .enabledStandardArns(standards)
                .securityControlsConfiguration(controls)
                .build())
            .build();
        var policy = new ConfigurationPolicy("exampleConfigurationPolicy", policyArgs,
            CustomResourceOptions.builder().dependsOn(orgConfig).build());
    }
}
resources:
  # Cross-region finding aggregation; the organization configuration below
  # is created only after it exists.
  example:
    type: aws:securityhub:FindingAggregator
    properties:
      linkingMode: ALL_REGIONS
  # CENTRAL configuration with auto-enable off — presumably so enablement is
  # decided by the policy below rather than by per-account defaults (confirm
  # against the Security Hub documentation).
  exampleOrganizationConfiguration:
    type: aws:securityhub:OrganizationConfiguration
    name: example
    properties:
      autoEnable: false
      autoEnableStandards: NONE
      organizationConfiguration:
        configurationType: CENTRAL
    options:
      dependsOn:
        - ${example}
  # Enable the service with both standards; the empty disabledControlIdentifiers
  # list leaves every control in those standards active.
  exampleConfigurationPolicy:
    type: aws:securityhub:ConfigurationPolicy
    name: example
    properties:
      name: Example
      description: This is an example configuration policy
      configurationPolicy:
        serviceEnabled: true
        # The FSBP ARN is pinned to us-east-1; the CIS ruleset ARN carries no region.
        enabledStandardArns:
          - arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0
          - arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0
        securityControlsConfiguration:
          disabledControlIdentifiers: []
    options:
      dependsOn:
        - ${exampleOrganizationConfiguration}
When serviceEnabled is true, Security Hub activates in target accounts. The enabledStandardArns property specifies which security standards to enable; here, AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark. The securityControlsConfiguration block controls which checks run; an empty disabledControlIdentifiers list means all controls in the enabled standards are active.
Disable Security Hub for specific accounts
Some organizational units or accounts need Security Hub explicitly disabled, such as sandbox environments or accounts with alternative security tooling.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// NOTE(review): `example` is not declared in this snippet; it is the resource
// the policy must wait on (the first example on this page uses that name for
// the FindingAggregator). Declare it before this line.
// With serviceEnabled false the targeted accounts produce no Security Hub
// findings, so the alternative tooling the guide mentions has to cover them.
const disabledPolicyArgs = {
    name: "Disabled",
    description: "This is an example of disabled configuration policy",
    configurationPolicy: { serviceEnabled: false },
};
const disabled = new aws.securityhub.ConfigurationPolicy("disabled", disabledPolicyArgs, {
    dependsOn: [example],
});
import pulumi
import pulumi_aws as aws
# NOTE(review): `example` is not declared in this snippet; it is the resource
# the policy must wait on (the first example on this page uses that name for
# the FindingAggregator). Declare it before this line.
# With service_enabled False the targeted accounts produce no Security Hub
# findings, so the alternative tooling the guide mentions has to cover them.
_disabled_policy = {"service_enabled": False}
disabled = aws.securityhub.ConfigurationPolicy(
    "disabled",
    name="Disabled",
    description="This is an example of disabled configuration policy",
    configuration_policy=_disabled_policy,
    opts=pulumi.ResourceOptions(depends_on=[example]),
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/securityhub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): `example` is not declared in this snippet; it is the
		// resource the policy waits on (the first example on this page uses
		// that name for the FindingAggregator). Declare it before use.
		// With ServiceEnabled false the targeted accounts produce no Security
		// Hub findings, so the alternative tooling the guide mentions has to
		// cover them.
		disabledArgs := &securityhub.ConfigurationPolicyArgs{
			Name:        pulumi.String("Disabled"),
			Description: pulumi.String("This is an example of disabled configuration policy"),
			ConfigurationPolicy: &securityhub.ConfigurationPolicyConfigurationPolicyArgs{
				ServiceEnabled: pulumi.Bool(false),
			},
		}
		_, err := securityhub.NewConfigurationPolicy(ctx, "disabled", disabledArgs,
			pulumi.DependsOn([]pulumi.Resource{example}))
		// err is nil on success, so this is the same as the explicit nil return.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // NOTE(review): `example` is not declared in this snippet; it is the
    // resource the policy waits on (the first example on this page uses that
    // name for the FindingAggregator). Declare it before use.
    // With ServiceEnabled false the targeted accounts produce no Security Hub
    // findings, so the alternative tooling the guide mentions has to cover them.
    var disabledArgs = new Aws.SecurityHub.ConfigurationPolicyArgs
    {
        Name = "Disabled",
        Description = "This is an example of disabled configuration policy",
        ConfigurationPolicyDetails = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicyArgs
        {
            ServiceEnabled = false,
        },
    };
    var disabled = new Aws.SecurityHub.ConfigurationPolicy("disabled", disabledArgs,
        new CustomResourceOptions { DependsOn = { example } });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.securityhub.ConfigurationPolicy;
import com.pulumi.aws.securityhub.ConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicyArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares a policy that switches Security Hub off where it is attached. */
    public static void stack(Context ctx) {
        // NOTE(review): `example` is not declared in this snippet; it is the
        // resource the policy waits on (the first example on this page uses
        // that name for the FindingAggregator). Declare it before use.
        // With serviceEnabled false the targeted accounts produce no Security
        // Hub findings, so the alternative tooling the guide mentions has to
        // cover them.
        var disabledArgs = ConfigurationPolicyArgs.builder()
            .name("Disabled")
            .description("This is an example of disabled configuration policy")
            .configurationPolicy(ConfigurationPolicyConfigurationPolicyArgs.builder()
                .serviceEnabled(false)
                .build())
            .build();
        var disabled = new ConfigurationPolicy("disabled", disabledArgs,
            CustomResourceOptions.builder().dependsOn(example).build());
    }
}
resources:
  # With serviceEnabled false the targeted accounts produce no Security Hub
  # findings, so the alternative tooling the guide mentions has to cover them.
  disabled:
    type: aws:securityhub:ConfigurationPolicy
    properties:
      name: Disabled
      description: This is an example of disabled configuration policy
      configurationPolicy:
        serviceEnabled: false
    options:
      dependsOn:
        # NOTE(review): `example` is not declared in this snippet; it is the
        # resource the policy waits on (the first example on this page uses that
        # name for the FindingAggregator). Declare it in this program.
        - ${example}
Setting serviceEnabled to false turns off Security Hub in the accounts where this policy applies. No standards or controls are configured because the service itself is inactive.
Customize control parameters and enablement
Teams often need to tune Security Hub controls to match their compliance requirements, adjusting thresholds or enabling only specific controls.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Controls that will run. Listing controls here limits execution to exactly
// these, overriding the defaults of the enabled standards — every other
// control in those standards stops running, so review the coverage gap.
const enabledControls = ["APIGateway.1", "IAM.7"];

// Per-control parameter overrides. APIGateway.1 is set to INFO-level logging;
// for IAM.7, RequireLowercaseCharacters=false relaxes the password-policy check
// relative to its default and MaxPasswordAge=60 is the day threshold it checks.
const customParameters = [
    {
        securityControlId: "APIGateway.1",
        parameters: [
            { name: "loggingLevel", valueType: "CUSTOM", "enum": { value: "INFO" } },
        ],
    },
    {
        securityControlId: "IAM.7",
        parameters: [
            { name: "RequireLowercaseCharacters", valueType: "CUSTOM", bool: { value: false } },
            { name: "MaxPasswordAge", valueType: "CUSTOM", int: { value: 60 } },
        ],
    },
];

// NOTE(review): `example` is not declared in this snippet; it is the resource
// the policy must wait on (the first example on this page uses that name for
// the FindingAggregator). Declare it before this line.
const disabled = new aws.securityhub.ConfigurationPolicy(
    "disabled",
    {
        name: "Custom Controls",
        description: "This is an example of configuration policy with custom control settings",
        configurationPolicy: {
            serviceEnabled: true,
            // The FSBP ARN is pinned to us-east-1; the CIS ruleset ARN carries no region.
            enabledStandardArns: [
                "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            ],
            securityControlsConfiguration: {
                enabledControlIdentifiers: enabledControls,
                securityControlCustomParameters: customParameters,
            },
        },
    },
    { dependsOn: [example] },
);
import pulumi
import pulumi_aws as aws
# Controls that will run. Listing controls here limits execution to exactly
# these, overriding the defaults of the enabled standards — every other control
# in those standards stops running, so review the coverage gap.
_enabled_controls = ["APIGateway.1", "IAM.7"]

# Per-control parameter overrides. APIGateway.1 is set to INFO-level logging;
# for IAM.7, RequireLowercaseCharacters=False relaxes the password-policy check
# relative to its default and MaxPasswordAge=60 is the day threshold it checks.
_custom_parameters = [
    {
        "security_control_id": "APIGateway.1",
        "parameters": [
            {"name": "loggingLevel", "value_type": "CUSTOM", "enum": {"value": "INFO"}},
        ],
    },
    {
        "security_control_id": "IAM.7",
        "parameters": [
            {"name": "RequireLowercaseCharacters", "value_type": "CUSTOM", "bool": {"value": False}},
            {"name": "MaxPasswordAge", "value_type": "CUSTOM", "int": {"value": 60}},
        ],
    },
]

# NOTE(review): `example` is not declared in this snippet; it is the resource
# the policy must wait on (the first example on this page uses that name for
# the FindingAggregator). Declare it before this line.
disabled = aws.securityhub.ConfigurationPolicy(
    "disabled",
    name="Custom Controls",
    description="This is an example of configuration policy with custom control settings",
    configuration_policy={
        "service_enabled": True,
        # The FSBP ARN is pinned to us-east-1; the CIS ruleset ARN carries no region.
        "enabled_standard_arns": [
            "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        ],
        "security_controls_configuration": {
            "enabled_control_identifiers": _enabled_controls,
            "security_control_custom_parameters": _custom_parameters,
        },
    },
    opts=pulumi.ResourceOptions(depends_on=[example]),
)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/securityhub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// APIGateway.1: set the control to INFO-level logging.
		apiGatewayParams := &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs{
			SecurityControlId: pulumi.String("APIGateway.1"),
			Parameters: securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArray{
				&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs{
					Name:      pulumi.String("loggingLevel"),
					ValueType: pulumi.String("CUSTOM"),
					Enum: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumArgs{
						Value: pulumi.String("INFO"),
					},
				},
			},
		}

		// IAM.7: RequireLowercaseCharacters=false relaxes the password-policy
		// check relative to its default; MaxPasswordAge=60 is the day threshold
		// the control evaluates against.
		iamParams := &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs{
			SecurityControlId: pulumi.String("IAM.7"),
			Parameters: securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArray{
				&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs{
					Name:      pulumi.String("RequireLowercaseCharacters"),
					ValueType: pulumi.String("CUSTOM"),
					Bool: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBoolArgs{
						Value: pulumi.Bool(false),
					},
				},
				&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs{
					Name:      pulumi.String("MaxPasswordAge"),
					ValueType: pulumi.String("CUSTOM"),
					Int: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntArgs{
						Value: pulumi.Int(60),
					},
				},
			},
		}

		// Only the listed controls run: this list overrides the defaults of the
		// enabled standards, so every other control in them stops running —
		// review the coverage gap before attaching the policy.
		controls := &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs{
			EnabledControlIdentifiers: pulumi.StringArray{
				pulumi.String("APIGateway.1"),
				pulumi.String("IAM.7"),
			},
			SecurityControlCustomParameters: securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArray{
				apiGatewayParams,
				iamParams,
			},
		}

		// NOTE(review): `example` is not declared in this snippet; it is the
		// resource the policy waits on (the first example on this page uses
		// that name for the FindingAggregator). Declare it before use.
		_, err := securityhub.NewConfigurationPolicy(ctx, "disabled", &securityhub.ConfigurationPolicyArgs{
			Name:        pulumi.String("Custom Controls"),
			Description: pulumi.String("This is an example of configuration policy with custom control settings"),
			ConfigurationPolicy: &securityhub.ConfigurationPolicyConfigurationPolicyArgs{
				ServiceEnabled: pulumi.Bool(true),
				// The FSBP ARN is pinned to us-east-1; the CIS ruleset ARN carries no region.
				EnabledStandardArns: pulumi.StringArray{
					pulumi.String("arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"),
					pulumi.String("arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"),
				},
				SecurityControlsConfiguration: controls,
			},
		}, pulumi.DependsOn([]pulumi.Resource{example}))
		// err is nil on success, so this is the same as the explicit nil return.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // APIGateway.1: set the control to INFO-level logging.
    var apiGatewayParams = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs
    {
        SecurityControlId = "APIGateway.1",
        Parameters =
        {
            new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs
            {
                Name = "loggingLevel",
                ValueType = "CUSTOM",
                Enum = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumArgs
                {
                    Value = "INFO",
                },
            },
        },
    };

    // IAM.7: RequireLowercaseCharacters=false relaxes the password-policy check
    // relative to its default; MaxPasswordAge=60 is the day threshold the
    // control evaluates against.
    var iamParams = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs
    {
        SecurityControlId = "IAM.7",
        Parameters =
        {
            new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs
            {
                Name = "RequireLowercaseCharacters",
                ValueType = "CUSTOM",
                Bool = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBoolArgs
                {
                    Value = false,
                },
            },
            new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs
            {
                Name = "MaxPasswordAge",
                ValueType = "CUSTOM",
                Int = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntArgs
                {
                    Value = 60,
                },
            },
        },
    };

    // Only the listed controls run: this list overrides the defaults of the
    // enabled standards, so every other control in them stops running — review
    // the coverage gap before attaching the policy.
    var controls = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs
    {
        EnabledControlIdentifiers = { "APIGateway.1", "IAM.7" },
        SecurityControlCustomParameters = { apiGatewayParams, iamParams },
    };

    // NOTE(review): `example` is not declared in this snippet; it is the
    // resource the policy waits on (the first example on this page uses that
    // name for the FindingAggregator). Declare it before use.
    var disabled = new Aws.SecurityHub.ConfigurationPolicy("disabled", new()
    {
        Name = "Custom Controls",
        Description = "This is an example of configuration policy with custom control settings",
        ConfigurationPolicyDetails = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicyArgs
        {
            ServiceEnabled = true,
            // The FSBP ARN is pinned to us-east-1; the CIS ruleset ARN carries no region.
            EnabledStandardArns =
            {
                "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
            },
            SecurityControlsConfiguration = controls,
        },
    }, new CustomResourceOptions { DependsOn = { example } });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.securityhub.ConfigurationPolicy;
import com.pulumi.aws.securityhub.ConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares a policy that enables two standards but runs only two controls, with custom parameters. */
    public static void stack(Context ctx) {
        // APIGateway.1: set the control to INFO-level logging.
        var apiGatewayParams = ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs.builder()
            .securityControlId("APIGateway.1")
            .parameters(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs.builder()
                .name("loggingLevel")
                .valueType("CUSTOM")
                .enum_(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumArgs.builder()
                    .value("INFO")
                    .build())
                .build())
            .build();

        // IAM.7: RequireLowercaseCharacters=false relaxes the password-policy
        // check relative to its default; MaxPasswordAge=60 is the day threshold
        // the control evaluates against.
        var requireLowercase = ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs.builder()
            .name("RequireLowercaseCharacters")
            .valueType("CUSTOM")
            .bool(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBoolArgs.builder()
                .value(false)
                .build())
            .build();
        var maxPasswordAge = ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs.builder()
            .name("MaxPasswordAge")
            .valueType("CUSTOM")
            .int_(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntArgs.builder()
                .value(60)
                .build())
            .build();
        var iamParams = ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs.builder()
            .securityControlId("IAM.7")
            .parameters(requireLowercase, maxPasswordAge)
            .build();

        // Only the listed controls run: this list overrides the defaults of
        // the enabled standards, so every other control in them stops running
        // — review the coverage gap before attaching the policy.
        var controls = ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs.builder()
            .enabledControlIdentifiers("APIGateway.1", "IAM.7")
            .securityControlCustomParameters(apiGatewayParams, iamParams)
            .build();

        // NOTE(review): `example` is not declared in this snippet; it is the
        // resource the policy waits on (the first example on this page uses
        // that name for the FindingAggregator). Declare it before use.
        var policyArgs = ConfigurationPolicyArgs.builder()
            .name("Custom Controls")
            .description("This is an example of configuration policy with custom control settings")
            .configurationPolicy(ConfigurationPolicyConfigurationPolicyArgs.builder()
                .serviceEnabled(true)
                // The FSBP ARN is pinned to us-east-1; the CIS ruleset ARN carries no region.
                .enabledStandardArns(
                    "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                    "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0")
                .securityControlsConfiguration(controls)
                .build())
            .build();
        var disabled = new ConfigurationPolicy("disabled", policyArgs,
            CustomResourceOptions.builder().dependsOn(example).build());
    }
}
resources:
  disabled:
    type: aws:securityhub:ConfigurationPolicy
    properties:
      name: Custom Controls
      description: This is an example of configuration policy with custom control settings
      configurationPolicy:
        serviceEnabled: true
        # The FSBP ARN is pinned to us-east-1; the CIS ruleset ARN carries no region.
        enabledStandardArns:
          - arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0
          - arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0
        securityControlsConfiguration:
          # Only the listed controls run: this list overrides the defaults of the
          # enabled standards, so every other control in them stops running —
          # review the coverage gap before attaching the policy.
          enabledControlIdentifiers:
            - APIGateway.1
            - IAM.7
          securityControlCustomParameters:
            # APIGateway.1: set the control to INFO-level logging.
            - securityControlId: APIGateway.1
              parameters:
                - name: loggingLevel
                  valueType: CUSTOM
                  enum:
                    value: INFO
            # IAM.7: RequireLowercaseCharacters=false relaxes the password-policy
            # check relative to its default; MaxPasswordAge=60 is the day
            # threshold the control evaluates against.
            - securityControlId: IAM.7
              parameters:
                - name: RequireLowercaseCharacters
                  valueType: CUSTOM
                  bool:
                    value: false
                - name: MaxPasswordAge
                  valueType: CUSTOM
                  int:
                    value: 60
    options:
      dependsOn:
        # NOTE(review): `example` is not declared in this snippet; it is the
        # resource the policy waits on (the first example on this page uses that
        # name for the FindingAggregator). Declare it in this program.
        - ${example}
The enabledControlIdentifiers property limits which controls run, overriding the defaults from the enabled standards. The securityControlCustomParameters array adjusts control behavior: each entry targets a securityControlId and defines parameters with a name, a valueType, and the matching value field (enum, bool, int, etc.). Here, APIGateway.1 requires INFO-level logging, and IAM.7 turns off the lowercase-character requirement and sets a 60-day maximum password age.
Beyond these examples
These snippets focus on specific configuration policy features: service enablement and standard selection, and control-level customization. They’re intentionally minimal rather than complete Security Hub deployments.
The examples require pre-existing infrastructure such as Security Hub OrganizationConfiguration (CENTRAL type) and FindingAggregator for cross-region findings. They focus on defining policies rather than attaching them to organizational units or accounts.
To keep things focused, common policy patterns are omitted, including:
- Policy attachment to organizational units or accounts
- Control disablement (disabledControlIdentifiers)
- Multiple parameter types (string, stringList, int, intList, double, bool, enum)
- Region-specific configuration
These omissions are intentional: the goal is to illustrate how each policy feature is wired, not provide drop-in compliance modules. See the Security Hub ConfigurationPolicy resource reference for all available configuration options.
Frequently Asked Questions
Prerequisites & Setup
Requires an aws.securityhub.OrganizationConfiguration with configurationType set to CENTRAL. Use dependsOn to ensure the organization configuration is created first.
Policy Configuration
Set configurationPolicy.serviceEnabled to true to enable or false to disable Security Hub. Set configurationPolicy.enabledStandardArns to a list of standard ARNs, such as arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0 or arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0.
Control Customization
Use securityControlsConfiguration.enabledControlIdentifiers or disabledControlIdentifiers to specify which controls to enable or disable by their control IDs (e.g., APIGateway.1, IAM.7). Use securityControlsConfiguration.securityControlCustomParameters with the control ID and parameter configuration. The examples above use three value types: enum (for string values), bool (for boolean values), and int (for integer values); the list of parameter types in the previous section covers the full set.