The aws:securityhub/configurationPolicy:ConfigurationPolicy resource, part of the Pulumi AWS provider, defines Security Hub configuration policies that control service enablement, security standards, and control settings across AWS Organizations. This guide focuses on three capabilities: enabling Security Hub with default standards, disabling Security Hub for specific accounts, and customizing control parameters and selective enablement.
Configuration policies require Security Hub OrganizationConfiguration with CENTRAL type and a FindingAggregator for cross-region findings. The examples are intentionally small. Combine them with your own organizational unit associations and account targeting.
Enable Security Hub with default standards
Organizations using central configuration start by defining a policy that enables Security Hub and activates foundational security standards across member accounts.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.securityhub.FindingAggregator("example", {linkingMode: "ALL_REGIONS"});
const exampleOrganizationConfiguration = new aws.securityhub.OrganizationConfiguration("example", {
autoEnable: false,
autoEnableStandards: "NONE",
organizationConfiguration: {
configurationType: "CENTRAL",
},
}, {
dependsOn: [example],
});
const exampleConfigurationPolicy = new aws.securityhub.ConfigurationPolicy("example", {
name: "Example",
description: "This is an example configuration policy",
configurationPolicy: {
serviceEnabled: true,
enabledStandardArns: [
"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
],
securityControlsConfiguration: {
disabledControlIdentifiers: [],
},
},
}, {
dependsOn: [exampleOrganizationConfiguration],
});
import pulumi
import pulumi_aws as aws
example = aws.securityhub.FindingAggregator("example", linking_mode="ALL_REGIONS")
example_organization_configuration = aws.securityhub.OrganizationConfiguration("example",
auto_enable=False,
auto_enable_standards="NONE",
organization_configuration={
"configuration_type": "CENTRAL",
},
opts = pulumi.ResourceOptions(depends_on=[example]))
example_configuration_policy = aws.securityhub.ConfigurationPolicy("example",
name="Example",
description="This is an example configuration policy",
configuration_policy={
"service_enabled": True,
"enabled_standard_arns": [
"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
],
"security_controls_configuration": {
"disabled_control_identifiers": [],
},
},
opts = pulumi.ResourceOptions(depends_on=[example_organization_configuration]))
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/securityhub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := securityhub.NewFindingAggregator(ctx, "example", &securityhub.FindingAggregatorArgs{
LinkingMode: pulumi.String("ALL_REGIONS"),
})
if err != nil {
return err
}
exampleOrganizationConfiguration, err := securityhub.NewOrganizationConfiguration(ctx, "example", &securityhub.OrganizationConfigurationArgs{
AutoEnable: pulumi.Bool(false),
AutoEnableStandards: pulumi.String("NONE"),
OrganizationConfiguration: &securityhub.OrganizationConfigurationOrganizationConfigurationArgs{
ConfigurationType: pulumi.String("CENTRAL"),
},
}, pulumi.DependsOn([]pulumi.Resource{
example,
}))
if err != nil {
return err
}
_, err = securityhub.NewConfigurationPolicy(ctx, "example", &securityhub.ConfigurationPolicyArgs{
Name: pulumi.String("Example"),
Description: pulumi.String("This is an example configuration policy"),
ConfigurationPolicy: &securityhub.ConfigurationPolicyConfigurationPolicyArgs{
ServiceEnabled: pulumi.Bool(true),
EnabledStandardArns: pulumi.StringArray{
pulumi.String("arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"),
pulumi.String("arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"),
},
SecurityControlsConfiguration: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs{
DisabledControlIdentifiers: pulumi.StringArray{},
},
},
}, pulumi.DependsOn([]pulumi.Resource{
exampleOrganizationConfiguration,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.SecurityHub.FindingAggregator("example", new()
{
LinkingMode = "ALL_REGIONS",
});
var exampleOrganizationConfiguration = new Aws.SecurityHub.OrganizationConfiguration("example", new()
{
AutoEnable = false,
AutoEnableStandards = "NONE",
OrganizationConfigurationDetails = new Aws.SecurityHub.Inputs.OrganizationConfigurationOrganizationConfigurationArgs
{
ConfigurationType = "CENTRAL",
},
}, new CustomResourceOptions
{
DependsOn =
{
example,
},
});
var exampleConfigurationPolicy = new Aws.SecurityHub.ConfigurationPolicy("example", new()
{
Name = "Example",
Description = "This is an example configuration policy",
ConfigurationPolicyDetails = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicyArgs
{
ServiceEnabled = true,
EnabledStandardArns = new[]
{
"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
},
SecurityControlsConfiguration = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs
{
DisabledControlIdentifiers = new() { },
},
},
}, new CustomResourceOptions
{
DependsOn =
{
exampleOrganizationConfiguration,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.securityhub.FindingAggregator;
import com.pulumi.aws.securityhub.FindingAggregatorArgs;
import com.pulumi.aws.securityhub.OrganizationConfiguration;
import com.pulumi.aws.securityhub.OrganizationConfigurationArgs;
import com.pulumi.aws.securityhub.inputs.OrganizationConfigurationOrganizationConfigurationArgs;
import com.pulumi.aws.securityhub.ConfigurationPolicy;
import com.pulumi.aws.securityhub.ConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new FindingAggregator("example", FindingAggregatorArgs.builder()
.linkingMode("ALL_REGIONS")
.build());
var exampleOrganizationConfiguration = new OrganizationConfiguration("exampleOrganizationConfiguration", OrganizationConfigurationArgs.builder()
.autoEnable(false)
.autoEnableStandards("NONE")
.organizationConfiguration(OrganizationConfigurationOrganizationConfigurationArgs.builder()
.configurationType("CENTRAL")
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(example)
.build());
var exampleConfigurationPolicy = new ConfigurationPolicy("exampleConfigurationPolicy", ConfigurationPolicyArgs.builder()
.name("Example")
.description("This is an example configuration policy")
.configurationPolicy(ConfigurationPolicyConfigurationPolicyArgs.builder()
.serviceEnabled(true)
.enabledStandardArns(
"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0")
.securityControlsConfiguration(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs.builder()
.disabledControlIdentifiers()
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(exampleOrganizationConfiguration)
.build());
}
}
resources:
example:
type: aws:securityhub:FindingAggregator
properties:
linkingMode: ALL_REGIONS
exampleOrganizationConfiguration:
type: aws:securityhub:OrganizationConfiguration
name: example
properties:
autoEnable: false
autoEnableStandards: NONE
organizationConfiguration:
configurationType: CENTRAL
options:
dependsOn:
- ${example}
exampleConfigurationPolicy:
type: aws:securityhub:ConfigurationPolicy
name: example
properties:
name: Example
description: This is an example configuration policy
configurationPolicy:
serviceEnabled: true
enabledStandardArns:
- arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0
- arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0
securityControlsConfiguration:
disabledControlIdentifiers: []
options:
dependsOn:
- ${exampleOrganizationConfiguration}
When serviceEnabled is true, Security Hub runs in accounts where this policy applies. The enabledStandardArns property activates specific compliance frameworks like AWS Foundational Security Best Practices and CIS Benchmarks. The securityControlsConfiguration block controls which checks run; an empty disabledControlIdentifiers list means all controls in the enabled standards are active.
Disable Security Hub for specific accounts
Some accounts need Security Hub disabled, such as sandbox environments or accounts with conflicting security tooling.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const disabled = new aws.securityhub.ConfigurationPolicy("disabled", {
name: "Disabled",
description: "This is an example of disabled configuration policy",
configurationPolicy: {
serviceEnabled: false,
},
}, {
dependsOn: [example],
});
import pulumi
import pulumi_aws as aws
disabled = aws.securityhub.ConfigurationPolicy("disabled",
name="Disabled",
description="This is an example of disabled configuration policy",
configuration_policy={
"service_enabled": False,
},
opts = pulumi.ResourceOptions(depends_on=[example]))
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/securityhub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityhub.NewConfigurationPolicy(ctx, "disabled", &securityhub.ConfigurationPolicyArgs{
Name: pulumi.String("Disabled"),
Description: pulumi.String("This is an example of disabled configuration policy"),
ConfigurationPolicy: &securityhub.ConfigurationPolicyConfigurationPolicyArgs{
ServiceEnabled: pulumi.Bool(false),
},
}, pulumi.DependsOn([]pulumi.Resource{
example,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var disabled = new Aws.SecurityHub.ConfigurationPolicy("disabled", new()
{
Name = "Disabled",
Description = "This is an example of disabled configuration policy",
ConfigurationPolicyDetails = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicyArgs
{
ServiceEnabled = false,
},
}, new CustomResourceOptions
{
DependsOn =
{
example,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.securityhub.ConfigurationPolicy;
import com.pulumi.aws.securityhub.ConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicyArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var disabled = new ConfigurationPolicy("disabled", ConfigurationPolicyArgs.builder()
.name("Disabled")
.description("This is an example of disabled configuration policy")
.configurationPolicy(ConfigurationPolicyConfigurationPolicyArgs.builder()
.serviceEnabled(false)
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(example)
.build());
}
}
resources:
disabled:
type: aws:securityhub:ConfigurationPolicy
properties:
name: Disabled
description: This is an example of disabled configuration policy
configurationPolicy:
serviceEnabled: false
options:
dependsOn:
- ${example}
Setting serviceEnabled to false turns off Security Hub entirely. No standards run, no findings are generated. This policy can be associated with specific organizational units or accounts that should not participate in centralized security monitoring.
Customize control parameters and selective enablement
Organizations often need to tune Security Hub controls to match their compliance requirements, adjusting thresholds or enabling only specific controls.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const disabled = new aws.securityhub.ConfigurationPolicy("disabled", {
name: "Custom Controls",
description: "This is an example of configuration policy with custom control settings",
configurationPolicy: {
serviceEnabled: true,
enabledStandardArns: [
"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
],
securityControlsConfiguration: {
enabledControlIdentifiers: [
"APIGateway.1",
"IAM.7",
],
securityControlCustomParameters: [
{
securityControlId: "APIGateway.1",
parameters: [{
name: "loggingLevel",
valueType: "CUSTOM",
"enum": {
value: "INFO",
},
}],
},
{
securityControlId: "IAM.7",
parameters: [
{
name: "RequireLowercaseCharacters",
valueType: "CUSTOM",
bool: {
value: false,
},
},
{
name: "MaxPasswordAge",
valueType: "CUSTOM",
int: {
value: 60,
},
},
],
},
],
},
},
}, {
dependsOn: [example],
});
import pulumi
import pulumi_aws as aws
disabled = aws.securityhub.ConfigurationPolicy("disabled",
name="Custom Controls",
description="This is an example of configuration policy with custom control settings",
configuration_policy={
"service_enabled": True,
"enabled_standard_arns": [
"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
],
"security_controls_configuration": {
"enabled_control_identifiers": [
"APIGateway.1",
"IAM.7",
],
"security_control_custom_parameters": [
{
"security_control_id": "APIGateway.1",
"parameters": [{
"name": "loggingLevel",
"value_type": "CUSTOM",
"enum": {
"value": "INFO",
},
}],
},
{
"security_control_id": "IAM.7",
"parameters": [
{
"name": "RequireLowercaseCharacters",
"value_type": "CUSTOM",
"bool": {
"value": False,
},
},
{
"name": "MaxPasswordAge",
"value_type": "CUSTOM",
"int": {
"value": 60,
},
},
],
},
],
},
},
opts = pulumi.ResourceOptions(depends_on=[example]))
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/securityhub"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityhub.NewConfigurationPolicy(ctx, "disabled", &securityhub.ConfigurationPolicyArgs{
Name: pulumi.String("Custom Controls"),
Description: pulumi.String("This is an example of configuration policy with custom control settings"),
ConfigurationPolicy: &securityhub.ConfigurationPolicyConfigurationPolicyArgs{
ServiceEnabled: pulumi.Bool(true),
EnabledStandardArns: pulumi.StringArray{
pulumi.String("arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"),
pulumi.String("arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"),
},
SecurityControlsConfiguration: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs{
EnabledControlIdentifiers: pulumi.StringArray{
pulumi.String("APIGateway.1"),
pulumi.String("IAM.7"),
},
SecurityControlCustomParameters: securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArray{
&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs{
SecurityControlId: pulumi.String("APIGateway.1"),
Parameters: securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArray{
&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs{
Name: pulumi.String("loggingLevel"),
ValueType: pulumi.String("CUSTOM"),
Enum: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumArgs{
Value: pulumi.String("INFO"),
},
},
},
},
&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs{
SecurityControlId: pulumi.String("IAM.7"),
Parameters: securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArray{
&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs{
Name: pulumi.String("RequireLowercaseCharacters"),
ValueType: pulumi.String("CUSTOM"),
Bool: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBoolArgs{
Value: pulumi.Bool(false),
},
},
&securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs{
Name: pulumi.String("MaxPasswordAge"),
ValueType: pulumi.String("CUSTOM"),
Int: &securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntArgs{
Value: pulumi.Int(60),
},
},
},
},
},
},
},
}, pulumi.DependsOn([]pulumi.Resource{
example,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var disabled = new Aws.SecurityHub.ConfigurationPolicy("disabled", new()
{
Name = "Custom Controls",
Description = "This is an example of configuration policy with custom control settings",
ConfigurationPolicyDetails = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicyArgs
{
ServiceEnabled = true,
EnabledStandardArns = new[]
{
"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
},
SecurityControlsConfiguration = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs
{
EnabledControlIdentifiers = new[]
{
"APIGateway.1",
"IAM.7",
},
SecurityControlCustomParameters = new[]
{
new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs
{
SecurityControlId = "APIGateway.1",
Parameters = new[]
{
new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs
{
Name = "loggingLevel",
ValueType = "CUSTOM",
Enum = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumArgs
{
Value = "INFO",
},
},
},
},
new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs
{
SecurityControlId = "IAM.7",
Parameters = new[]
{
new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs
{
Name = "RequireLowercaseCharacters",
ValueType = "CUSTOM",
Bool = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBoolArgs
{
Value = false,
},
},
new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs
{
Name = "MaxPasswordAge",
ValueType = "CUSTOM",
Int = new Aws.SecurityHub.Inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntArgs
{
Value = 60,
},
},
},
},
},
},
},
}, new CustomResourceOptions
{
DependsOn =
{
example,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.securityhub.ConfigurationPolicy;
import com.pulumi.aws.securityhub.ConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicyArgs;
import com.pulumi.aws.securityhub.inputs.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var disabled = new ConfigurationPolicy("disabled", ConfigurationPolicyArgs.builder()
.name("Custom Controls")
.description("This is an example of configuration policy with custom control settings")
.configurationPolicy(ConfigurationPolicyConfigurationPolicyArgs.builder()
.serviceEnabled(true)
.enabledStandardArns(
"arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0")
.securityControlsConfiguration(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationArgs.builder()
.enabledControlIdentifiers(
"APIGateway.1",
"IAM.7")
.securityControlCustomParameters(
ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs.builder()
.securityControlId("APIGateway.1")
.parameters(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs.builder()
.name("loggingLevel")
.valueType("CUSTOM")
.enum_(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumArgs.builder()
.value("INFO")
.build())
.build())
.build(),
ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterArgs.builder()
.securityControlId("IAM.7")
.parameters(
ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs.builder()
.name("RequireLowercaseCharacters")
.valueType("CUSTOM")
.bool(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBoolArgs.builder()
.value(false)
.build())
.build(),
ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterArgs.builder()
.name("MaxPasswordAge")
.valueType("CUSTOM")
.int_(ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntArgs.builder()
.value(60)
.build())
.build())
.build())
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(example)
.build());
}
}
resources:
disabled:
type: aws:securityhub:ConfigurationPolicy
properties:
name: Custom Controls
description: This is an example of configuration policy with custom control settings
configurationPolicy:
serviceEnabled: true
enabledStandardArns:
- arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0
- arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0
securityControlsConfiguration:
enabledControlIdentifiers:
- APIGateway.1
- IAM.7
securityControlCustomParameters:
- securityControlId: APIGateway.1
parameters:
- name: loggingLevel
valueType: CUSTOM
enum:
value: INFO
- securityControlId: IAM.7
parameters:
- name: RequireLowercaseCharacters
valueType: CUSTOM
bool:
value: false
- name: MaxPasswordAge
valueType: CUSTOM
int:
value: 60
options:
dependsOn:
- ${example}
The enabledControlIdentifiers property activates only the listed controls, overriding the default behavior of running all controls in enabled standards. The securityControlCustomParameters array adjusts control behavior: you can set logging levels (enum), toggle requirements (bool), or adjust thresholds (int). Each parameter’s valueType must be CUSTOM when overriding defaults.
Beyond these examples
These snippets focus on specific configuration policy features: service enablement and standard activation, and control-level customization. They’re intentionally minimal rather than full organizational security deployments.
The examples require pre-existing infrastructure such as Security Hub OrganizationConfiguration with CENTRAL type, and FindingAggregator for cross-region findings. They focus on defining the policy rather than associating it with organizational units or accounts.
To keep things focused, common policy patterns are omitted, including:
- Policy association with organizational units or accounts
- Disabled control identifiers (disabledControlIdentifiers)
- Control parameter types beyond enum, bool, and int
- Policy updates and versioning
These omissions are intentional: the goal is to illustrate how each policy feature is wired, not provide drop-in security governance modules. See the Security Hub ConfigurationPolicy resource reference for all available configuration options.
Let's configure AWS Security Hub Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Prerequisites & Setup
What do I need to configure before creating a configuration policy?
You must first create an
aws.securityhub.OrganizationConfiguration resource with configurationType set to CENTRAL. Use dependsOn to ensure the OrganizationConfiguration is created before the ConfigurationPolicy.Policy Configuration
How do I enable or disable Security Hub through a configuration policy?
Set
serviceEnabled to true or false within the configurationPolicy block. When set to false, Security Hub is disabled for accounts using this policy.How do I enable specific security standards in my policy?
Use the
enabledStandardArns array with the ARNs of standards you want to enable, such as arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0 or CIS benchmark ARNs.How do I import an existing configuration policy?
Use
pulumi import with the policy’s UUID: pulumi import aws:securityhub/configurationPolicy:ConfigurationPolicy example "00000000-1111-2222-3333-444444444444"Controls Configuration
What's the difference between enabledControlIdentifiers and disabledControlIdentifiers?
enabledControlIdentifiers explicitly enables specific controls (opt-in approach), while disabledControlIdentifiers disables specific controls (opt-out approach). Choose based on whether you want to enable only certain controls or disable specific ones from a broader set.How do I customize parameters for specific security controls?
Use
securityControlCustomParameters within securityControlsConfiguration. Specify the securityControlId, parameter name, valueType as CUSTOM, and the value using the appropriate format (enum, bool, or int).What value types can I use for custom control parameters?
Custom control parameters support three value types:
enum (for string values like INFO), bool (for true/false values), and int (for numeric values like 60). Set valueType to CUSTOM and use the corresponding value format.