aws-native.securityhub.getSecurityControl

AWS Cloud Control v1.57.0, Mar 9 26

We recommend new projects start with resources from the AWS provider.

Viewing docs for AWS Cloud Control v1.57.0
published on Monday, Mar 9, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-aws-native

We recommend new projects start with resources from the AWS provider.

Viewing docs for AWS Cloud Control v1.57.0
published on Monday, Mar 9, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-aws-native

Using getSecurityControl

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getSecurityControl(args: GetSecurityControlArgs, opts?: InvokeOptions): Promise<GetSecurityControlResult>
function getSecurityControlOutput(args: GetSecurityControlOutputArgs, opts?: InvokeOptions): Output<GetSecurityControlResult>

def get_security_control(security_control_id: Optional[str] = None,
                         opts: Optional[InvokeOptions] = None) -> GetSecurityControlResult
def get_security_control_output(security_control_id: Optional[pulumi.Input[str]] = None,
                         opts: Optional[InvokeOptions] = None) -> Output[GetSecurityControlResult]

func LookupSecurityControl(ctx *Context, args *LookupSecurityControlArgs, opts ...InvokeOption) (*LookupSecurityControlResult, error)
func LookupSecurityControlOutput(ctx *Context, args *LookupSecurityControlOutputArgs, opts ...InvokeOption) LookupSecurityControlResultOutput

> Note: This function is named LookupSecurityControl in the Go SDK.

public static class GetSecurityControl 
{
    public static Task<GetSecurityControlResult> InvokeAsync(GetSecurityControlArgs args, InvokeOptions? opts = null)
    public static Output<GetSecurityControlResult> Invoke(GetSecurityControlInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetSecurityControlResult> getSecurityControl(GetSecurityControlArgs args, InvokeOptions options)
public static Output<GetSecurityControlResult> getSecurityControl(GetSecurityControlArgs args, InvokeOptions options)

fn::invoke:
  function: aws-native:securityhub:getSecurityControl
  arguments:
    # arguments dictionary

The following arguments are supported:

SecurityControlId string: The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.

SecurityControlId string: The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.

securityControlId String: The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.

securityControlId string: The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.

security_control_id str: The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.

securityControlId String: The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.

getSecurityControl Result

The following output properties are available:

LastUpdateReason string: The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
Parameters Dictionary<string, Pulumi.AwsNative.SecurityHub.Outputs.SecurityControlParameterConfiguration>: An object that identifies the name of a control parameter, its current value, and whether it has been customized.
SecurityControlArn string: The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

LastUpdateReason string: The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
Parameters map[string]SecurityControlParameterConfiguration: An object that identifies the name of a control parameter, its current value, and whether it has been customized.
SecurityControlArn string: The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

lastUpdateReason String: The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
parameters Map<String,SecurityControlParameterConfiguration>: An object that identifies the name of a control parameter, its current value, and whether it has been customized.
securityControlArn String: The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

lastUpdateReason string: The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
parameters {[key: string]: SecurityControlParameterConfiguration}: An object that identifies the name of a control parameter, its current value, and whether it has been customized.
securityControlArn string: The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

last_update_reason str: The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
parameters Mapping[str, SecurityControlParameterConfiguration]: An object that identifies the name of a control parameter, its current value, and whether it has been customized.
security_control_arn str: The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

lastUpdateReason String: The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
parameters Map<Property Map>: An object that identifies the name of a control parameter, its current value, and whether it has been customized.
securityControlArn String: The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

Supporting Types

SecurityControlParameterConfiguration

ValueType Pulumi.AwsNative.SecurityHub.SecurityControlParameterConfigurationValueType

Identifies whether a control parameter uses a custom user-defined value or subscribes to the default AWS Security Hub CSPM behavior.

When ValueType is set equal to DEFAULT , the default behavior can be a specific Security Hub CSPM default value, or the default behavior can be to ignore a specific parameter. When ValueType is set equal to DEFAULT , Security Hub CSPM ignores user-provided input for the Value field.

When ValueType is set equal to CUSTOM , the Value field can't be empty.

Value Pulumi.AwsNative.SecurityHub.Inputs.SecurityControlParameterValue