import * as cdk from "../../core"; import * as constructs from "constructs"; import * as cfn_parse from "../../core/lib/helpers-internal"; /** * The `AWS::SecurityHub::AutomationRule` resource specifies an automation rule based on input parameters. * * For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* . * * @cloudformationResource AWS::SecurityHub::AutomationRule * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-automationrule.html */ export declare class CfnAutomationRule extends cdk.CfnResource implements cdk.IInspectable { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnAutomationRule from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnAutomationRule; /** * A timestamp that indicates when the rule was created. * * Uses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` . * * @cloudformationAttribute CreatedAt */ readonly attrCreatedAt: string; /** * The principal that created the rule. For example, `arn:aws:sts::123456789012:assumed-role/Developer-Role/JaneDoe` . * * @cloudformationAttribute CreatedBy */ readonly attrCreatedBy: string; /** * The Amazon Resource Name (ARN) of the automation rule that you create. For example, `arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111` . * * @cloudformationAttribute RuleArn */ readonly attrRuleArn: string; /** * A timestamp that indicates when the rule was most recently updated. * * Uses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` . * * @cloudformationAttribute UpdatedAt */ readonly attrUpdatedAt: string; /** * One or more actions to update finding fields if a finding matches the conditions specified in `Criteria` . */ actions?: Array | cdk.IResolvable; /** * A set of [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub applies the rule action to the finding. */ criteria?: CfnAutomationRule.AutomationRulesFindingFiltersProperty | cdk.IResolvable; /** * A description of the rule. */ description?: string; /** * Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. */ isTerminal?: boolean | cdk.IResolvable; /** * The name of the rule. */ ruleName?: string; /** * An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. */ ruleOrder?: number; /** * Whether the rule is active after it is created. */ ruleStatus?: string; /** * User-defined tags associated with an automation rule. */ tags?: Record; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props?: CfnAutomationRuleProps); protected get cfnProperties(): Record; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record): Record; } export declare namespace CfnAutomationRule { /** * One or more actions to update finding fields if a finding matches the defined criteria of the rule. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesaction.html */ interface AutomationRulesActionProperty { /** * Specifies that the automation rule action is an update to a finding field. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesaction.html#cfn-securityhub-automationrule-automationrulesaction-findingfieldsupdate */ readonly findingFieldsUpdate: CfnAutomationRule.AutomationRulesFindingFieldsUpdateProperty | cdk.IResolvable; /** * Specifies that the rule action should update the `Types` finding field. * * The `Types` finding field classifies findings in the format of namespace/category/classifier. For more information, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesaction.html#cfn-securityhub-automationrule-automationrulesaction-type */ readonly type: string; } /** * Identifies the finding fields that the automation rule action updates when a finding matches the defined criteria. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.html */ interface AutomationRulesFindingFieldsUpdateProperty { /** * The rule action updates the `Confidence` field of a finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.html#cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-confidence */ readonly confidence?: number; /** * The rule action updates the `Criticality` field of a finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.html#cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-criticality */ readonly criticality?: number; /** * The rule action will update the `Note` field of a finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.html#cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-note */ readonly note?: cdk.IResolvable | CfnAutomationRule.NoteUpdateProperty; /** * The rule action will update the `RelatedFindings` field of a finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.html#cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-relatedfindings */ readonly relatedFindings?: Array | cdk.IResolvable; /** * The rule action will update the `Severity` field of a finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.html#cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-severity */ readonly severity?: cdk.IResolvable | CfnAutomationRule.SeverityUpdateProperty; /** * The rule action updates the `Types` field of a finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.html#cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-types */ readonly types?: Array; /** * The rule action updates the `UserDefinedFields` field of a finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.html#cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-userdefinedfields */ readonly userDefinedFields?: cdk.IResolvable | Record; /** * The rule action updates the `VerificationState` field of a finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.html#cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-verificationstate */ readonly verificationState?: string; /** * The rule action will update the `Workflow` field of a finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfieldsupdate.html#cfn-securityhub-automationrule-automationrulesfindingfieldsupdate-workflow */ readonly workflow?: cdk.IResolvable | CfnAutomationRule.WorkflowUpdateProperty; } /** * The updated note. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-noteupdate.html */ interface NoteUpdateProperty { /** * The updated note text. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-noteupdate.html#cfn-securityhub-automationrule-noteupdate-text */ readonly text: string; /** * The principal that updated the note. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-noteupdate.html#cfn-securityhub-automationrule-noteupdate-updatedby */ readonly updatedBy: any | cdk.IResolvable; } /** * Provides details about a list of findings that the current finding relates to. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-relatedfinding.html */ interface RelatedFindingProperty { /** * The product-generated identifier for a related finding. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-relatedfinding.html#cfn-securityhub-automationrule-relatedfinding-id */ readonly id: any | cdk.IResolvable; /** * The Amazon Resource Name (ARN) for the product that generated a related finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-relatedfinding.html#cfn-securityhub-automationrule-relatedfinding-productarn */ readonly productArn: string; } /** * Used to update information about the investigation into the finding. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-workflowupdate.html */ interface WorkflowUpdateProperty { /** * The status of the investigation into the finding. * * The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to `SUPPRESSED` or `RESOLVED` does not prevent a new finding for the same issue. * * The allowed values are the following. * * - `NEW` - The initial state of a finding, before it is reviewed. * * Security Hub also resets `WorkFlowStatus` from `NOTIFIED` or `RESOLVED` to `NEW` in the following cases: * * - The record state changes from `ARCHIVED` to `ACTIVE` . * - The compliance status changes from `PASSED` to either `WARNING` , `FAILED` , or `NOT_AVAILABLE` . * - `NOTIFIED` - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner. * - `RESOLVED` - The finding was reviewed and remediated and is now considered resolved. * - `SUPPRESSED` - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-workflowupdate.html#cfn-securityhub-automationrule-workflowupdate-status */ readonly status: string; } /** * Updates to the severity information for a finding. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-severityupdate.html */ interface SeverityUpdateProperty { /** * The severity value of the finding. The allowed values are the following. * * - `INFORMATIONAL` - No issue was found. * - `LOW` - The issue does not require action on its own. * - `MEDIUM` - The issue must be addressed but not urgently. * - `HIGH` - The issue must be addressed as a priority. * - `CRITICAL` - The issue must be remediated immediately to avoid it escalating. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-severityupdate.html#cfn-securityhub-automationrule-severityupdate-label */ readonly label?: string; /** * The normalized severity for the finding. This attribute is to be deprecated in favor of `Label` . * * If you provide `Normalized` and do not provide `Label` , `Label` is set automatically as follows. * * - 0 - `INFORMATIONAL` * - 1–39 - `LOW` * - 40–69 - `MEDIUM` * - 70–89 - `HIGH` * - 90–100 - `CRITICAL` * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-severityupdate.html#cfn-securityhub-automationrule-severityupdate-normalized */ readonly normalized?: number; /** * The native severity as defined by the AWS service or integrated partner product that generated the finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-severityupdate.html#cfn-securityhub-automationrule-severityupdate-product */ readonly product?: number; } /** * The criteria that determine which findings a rule applies to. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html */ interface AutomationRulesFindingFiltersProperty { /** * The AWS account ID in which a finding was generated. * * Array Members: Minimum number of 1 item. Maximum number of 100 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-awsaccountid */ readonly awsAccountId?: Array | cdk.IResolvable; /** * The name of the company for the product that generated the finding. * * For control-based findings, the company is AWS . * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-companyname */ readonly companyName?: Array | cdk.IResolvable; /** * The unique identifier of a standard in which a control is enabled. * * This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-complianceassociatedstandardsid */ readonly complianceAssociatedStandardsId?: Array | cdk.IResolvable; /** * The security control ID for which a finding was generated. Security control IDs are the same across standards. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-compliancesecuritycontrolid */ readonly complianceSecurityControlId?: Array | cdk.IResolvable; /** * The result of a security check. This field is only used for findings generated from controls. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-compliancestatus */ readonly complianceStatus?: Array | cdk.IResolvable; /** * The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. * * `Confidence` is scored on a 0–100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see [Confidence](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-confidence) in the *AWS Security Hub User Guide* . * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-confidence */ readonly confidence?: Array | cdk.IResolvable; /** * A timestamp that indicates when this finding record was created. * * Uses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` . * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-createdat */ readonly createdAt?: Array | cdk.IResolvable; /** * The level of importance that is assigned to the resources that are associated with a finding. * * `Criticality` is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of `0` means that the underlying resources have no criticality, and a score of `100` is reserved for the most critical resources. For more information, see [Criticality](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-top-level-attributes.html#asff-criticality) in the *AWS Security Hub User Guide* . * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-criticality */ readonly criticality?: Array | cdk.IResolvable; /** * A finding's description. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-description */ readonly description?: Array | cdk.IResolvable; /** * A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product. * * Uses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` . * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-firstobservedat */ readonly firstObservedAt?: Array | cdk.IResolvable; /** * The identifier for the solution-specific component that generated a finding. * * Array Members: Minimum number of 1 item. Maximum number of 100 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-generatorid */ readonly generatorId?: Array | cdk.IResolvable; /** * The product-specific identifier for a finding. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-id */ readonly id?: Array | cdk.IResolvable; /** * A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product. * * Uses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` . * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-lastobservedat */ readonly lastObservedAt?: Array | cdk.IResolvable; /** * The text of a user-defined note that's added to a finding. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-notetext */ readonly noteText?: Array | cdk.IResolvable; /** * The timestamp of when the note was updated. * * Uses the date-time format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` . * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-noteupdatedat */ readonly noteUpdatedAt?: Array | cdk.IResolvable; /** * The principal that created a note. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-noteupdatedby */ readonly noteUpdatedBy?: Array | cdk.IResolvable; /** * The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-productarn */ readonly productArn?: Array | cdk.IResolvable; /** * Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-productname */ readonly productName?: Array | cdk.IResolvable; /** * Provides the current state of a finding. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-recordstate */ readonly recordState?: Array | cdk.IResolvable; /** * The product-generated identifier for a related finding. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-relatedfindingsid */ readonly relatedFindingsId?: Array | cdk.IResolvable; /** * The ARN for the product that generated a related finding. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-relatedfindingsproductarn */ readonly relatedFindingsProductArn?: Array | cdk.IResolvable; /** * Custom fields and values about the resource that a finding pertains to. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcedetailsother */ readonly resourceDetailsOther?: Array | cdk.IResolvable; /** * The identifier for the given resource type. * * For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non- AWS resources, this is a unique identifier that is associated with the resource. * * Array Members: Minimum number of 1 item. Maximum number of 100 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-resourceid */ readonly resourceId?: Array | cdk.IResolvable; /** * The partition in which the resource that the finding pertains to is located. * * A partition is a group of AWS Regions . Each AWS account is scoped to one partition. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcepartition */ readonly resourcePartition?: Array | cdk.IResolvable; /** * The AWS Region where the resource that a finding pertains to is located. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-resourceregion */ readonly resourceRegion?: Array | cdk.IResolvable; /** * A list of AWS tags associated with a resource at the time the finding was processed. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcetags */ readonly resourceTags?: Array | cdk.IResolvable; /** * A finding's title. * * Array Members: Minimum number of 1 item. Maximum number of 100 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-resourcetype */ readonly resourceType?: Array | cdk.IResolvable; /** * The severity value of the finding. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-severitylabel */ readonly severityLabel?: Array | cdk.IResolvable; /** * Provides a URL that links to a page about the current finding in the finding product. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-sourceurl */ readonly sourceUrl?: Array | cdk.IResolvable; /** * A finding's title. * * Array Members: Minimum number of 1 item. Maximum number of 100 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-title */ readonly title?: Array | cdk.IResolvable; /** * One or more finding types in the format of namespace/category/classifier that classify a finding. * * For a list of namespaces, classifiers, and categories, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html) in the *AWS Security Hub User Guide* . * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-type */ readonly type?: Array | cdk.IResolvable; /** * A timestamp that indicates when the finding record was most recently updated. * * Uses the `date-time` format specified in [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc3339#section-5.6) . The value cannot contain spaces. For example, `2020-03-22T13:22:13.933Z` . * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-updatedat */ readonly updatedAt?: Array | cdk.IResolvable; /** * A list of user-defined name and value string pairs added to a finding. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-userdefinedfields */ readonly userDefinedFields?: Array | cdk.IResolvable; /** * Provides the veracity of a finding. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-verificationstate */ readonly verificationState?: Array | cdk.IResolvable; /** * Provides information about the status of the investigation into a finding. * * Array Members: Minimum number of 1 item. Maximum number of 20 items. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-automationrulesfindingfilters.html#cfn-securityhub-automationrule-automationrulesfindingfilters-workflowstatus */ readonly workflowStatus?: Array | cdk.IResolvable; } /** * A string filter for filtering AWS Security Hub findings. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-stringfilter.html */ interface StringFilterProperty { /** * The condition to apply to a string value when filtering Security Hub findings. * * To search for values that have the filter value, use one of the following comparison operators: * * - To search for values that include the filter value, use `CONTAINS` . For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront. * - To search for values that exactly match the filter value, use `EQUALS` . For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012` . * - To search for values that start with the filter value, use `PREFIX` . For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us` . A `ResourceRegion` that starts with a different value, such as `af` , `ap` , or `ca` , doesn't match. * * `CONTAINS` , `EQUALS` , and `PREFIX` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront` , `CloudWatch` , or both strings in the title. * * To search for values that don’t have the filter value, use one of the following comparison operators: * * - To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront. * - To search for values other than the filter value, use `NOT_EQUALS` . For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012` . * - To search for values that don't start with the filter value, use `PREFIX_NOT_EQUALS` . For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us` . * * `NOT_CONTAINS` , `NOT_EQUALS` , and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title. * * You can’t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can't provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters. * * You can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters. * * For example, for the following filters, Security Hub first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2` . It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface` . * * - `ResourceType PREFIX AwsIam` * - `ResourceType PREFIX AwsEc2` * - `ResourceType NOT_EQUALS AwsIamPolicy` * - `ResourceType NOT_EQUALS AwsEc2NetworkInterface` * * `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-stringfilter.html#cfn-securityhub-automationrule-stringfilter-comparison */ readonly comparison: string; /** * The string filter value. * * Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub` . If you provide `security hub` as the filter value, there's no match. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-stringfilter.html#cfn-securityhub-automationrule-stringfilter-value */ readonly value: string; } /** * A map filter for filtering AWS Security Hub findings. * * Each map filter provides the field to check for, the value to check for, and the comparison operator. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-mapfilter.html */ interface MapFilterProperty { /** * The condition to apply to the key value when filtering Security Hub findings with a map filter. * * To search for values that have the filter value, use one of the following comparison operators: * * - To search for values that include the filter value, use `CONTAINS` . For example, for the `ResourceTags` field, the filter `Department CONTAINS Security` matches findings that include the value `Security` for the `Department` tag. In the same example, a finding with a value of `Security team` for the `Department` tag is a match. * - To search for values that exactly match the filter value, use `EQUALS` . For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the `Department` tag. * * `CONTAINS` and `EQUALS` filters on the same field are joined by `OR` . A finding matches if it matches any one of those filters. For example, the filters `Department CONTAINS Security OR Department CONTAINS Finance` match a finding that includes either `Security` , `Finance` , or both values. * * To search for values that don't have the filter value, use one of the following comparison operators: * * - To search for values that exclude the filter value, use `NOT_CONTAINS` . For example, for the `ResourceTags` field, the filter `Department NOT_CONTAINS Finance` matches findings that exclude the value `Finance` for the `Department` tag. * - To search for values other than the filter value, use `NOT_EQUALS` . For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that don’t have the value `Finance` for the `Department` tag. * * `NOT_CONTAINS` and `NOT_EQUALS` filters on the same field are joined by `AND` . A finding matches only if it matches all of those filters. For example, the filters `Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance` match a finding that excludes both the `Security` and `Finance` values. * * `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters. * * You can’t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can’t have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. * * `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-mapfilter.html#cfn-securityhub-automationrule-mapfilter-comparison */ readonly comparison: string; /** * The key of the map filter. * * For example, for `ResourceTags` , `Key` identifies the name of the tag. For `UserDefinedFields` , `Key` is the name of the field. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-mapfilter.html#cfn-securityhub-automationrule-mapfilter-key */ readonly key: string; /** * The value for the key in the map filter. * * Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security` . If you provide `security` as the filter value, then there's no match. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-mapfilter.html#cfn-securityhub-automationrule-mapfilter-value */ readonly value: string; } /** * A date filter for querying findings. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-datefilter.html */ interface DateFilterProperty { /** * A date range for the date filter. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-datefilter.html#cfn-securityhub-automationrule-datefilter-daterange */ readonly dateRange?: CfnAutomationRule.DateRangeProperty | cdk.IResolvable; /** * A timestamp that provides the end date for the date filter. * * A correctly formatted example is `2020-05-21T20:16:34.724Z` . The value cannot contain spaces, and date and time should be separated by `T` . For more information, see [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-datefilter.html#cfn-securityhub-automationrule-datefilter-end */ readonly end?: string; /** * A timestamp that provides the start date for the date filter. * * A correctly formatted example is `2020-05-21T20:16:34.724Z` . The value cannot contain spaces, and date and time should be separated by `T` . For more information, see [RFC 3339 section 5.6, Internet Date/Time Format](https://docs.aws.amazon.com/https://www.rfc-editor.org/rfc/rfc3339#section-5.6) . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-datefilter.html#cfn-securityhub-automationrule-datefilter-start */ readonly start?: string; } /** * A date range for the date filter. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-daterange.html */ interface DateRangeProperty { /** * A date range unit for the date filter. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-daterange.html#cfn-securityhub-automationrule-daterange-unit */ readonly unit: string; /** * A date range value for the date filter. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-daterange.html#cfn-securityhub-automationrule-daterange-value */ readonly value: number; } /** * A number filter for querying findings. * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-numberfilter.html */ interface NumberFilterProperty { /** * The equal-to condition to be applied to a single field when querying for findings. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-numberfilter.html#cfn-securityhub-automationrule-numberfilter-eq */ readonly eq?: number; /** * The greater-than-equal condition to be applied to a single field when querying for findings. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-numberfilter.html#cfn-securityhub-automationrule-numberfilter-gte */ readonly gte?: number; /** * The less-than-equal condition to be applied to a single field when querying for findings. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-automationrule-numberfilter.html#cfn-securityhub-automationrule-numberfilter-lte */ readonly lte?: number; } } /** * Properties for defining a `CfnAutomationRule` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-automationrule.html */ export interface CfnAutomationRuleProps { /** * One or more actions to update finding fields if a finding matches the conditions specified in `Criteria` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-automationrule.html#cfn-securityhub-automationrule-actions */ readonly actions?: Array | cdk.IResolvable; /** * A set of [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub applies the rule action to the finding. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-automationrule.html#cfn-securityhub-automationrule-criteria */ readonly criteria?: CfnAutomationRule.AutomationRulesFindingFiltersProperty | cdk.IResolvable; /** * A description of the rule. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-automationrule.html#cfn-securityhub-automationrule-description */ readonly description?: string; /** * Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. * * This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-automationrule.html#cfn-securityhub-automationrule-isterminal */ readonly isTerminal?: boolean | cdk.IResolvable; /** * The name of the rule. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-automationrule.html#cfn-securityhub-automationrule-rulename */ readonly ruleName?: string; /** * An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. * * Security Hub applies rules with lower values for this parameter first. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-automationrule.html#cfn-securityhub-automationrule-ruleorder */ readonly ruleOrder?: number; /** * Whether the rule is active after it is created. * * If this parameter is equal to `ENABLED` , Security Hub applies the rule to findings and finding updates after the rule is created. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-automationrule.html#cfn-securityhub-automationrule-rulestatus */ readonly ruleStatus?: string; /** * User-defined tags associated with an automation rule. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-automationrule.html#cfn-securityhub-automationrule-tags */ readonly tags?: Record; } /** * The `AWS::SecurityHub::Hub` resource specifies the enablement of the AWS Security Hub service in your AWS account . * * The service is enabled in the current AWS Region or the specified Region. You create a separate `Hub` resource in each Region in which you want to enable Security Hub . * * When you use this resource to enable Security Hub , default security standards are enabled. To disable default standards, set the `EnableDefaultStandards` property to `false` . You can use the [`AWS::SecurityHub::Standard`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html) resource to enable additional standards. * * When you use this resource to enable Security Hub , new controls are automatically enabled for your enabled standards. To disable automatic enablement of new controls, set the `AutoEnableControls` property to `false` . * * You must create an `AWS::SecurityHub::Hub` resource for an account before you can create other types of Security Hub resources for the account through AWS CloudFormation . Use a [DependsOn attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) , such as `"DependsOn": "Hub"` , to ensure that you've created an `AWS::SecurityHub::Hub` resource before creating other Security Hub resources for an account. * * @cloudformationResource AWS::SecurityHub::Hub * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html */ export declare class CfnHub extends cdk.CfnResource implements cdk.IInspectable, cdk.ITaggable { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnHub from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnHub; /** * @cloudformationAttribute Id */ readonly attrId: string; /** * Whether to automatically enable new controls when they are added to standards that are enabled. */ autoEnableControls?: boolean | cdk.IResolvable; /** * Specifies whether an account has consolidated control findings turned on or off. */ controlFindingGenerator?: string; /** * Whether to enable the security standards that Security Hub has designated as automatically enabled. */ enableDefaultStandards?: boolean | cdk.IResolvable; /** * Tag Manager which manages the tags for this resource */ readonly tags: cdk.TagManager; /** * An array of key-value pairs to apply to this resource. */ tagsRaw?: any; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props?: CfnHubProps); protected get cfnProperties(): Record; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record): Record; } /** * Properties for defining a `CfnHub` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html */ export interface CfnHubProps { /** * Whether to automatically enable new controls when they are added to standards that are enabled. * * By default, this is set to `true` , and new controls are enabled automatically. To not automatically enable new controls, set this to `false` . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-autoenablecontrols */ readonly autoEnableControls?: boolean | cdk.IResolvable; /** * Specifies whether an account has consolidated control findings turned on or off. * * If the value for this field is set to `SECURITY_CONTROL` , Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. * * If the value for this field is set to `STANDARD_CONTROL` , Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. * * The value for this field in a member account matches the value in the administrator account. For accounts that aren't part of an organization, the default value of this field is `SECURITY_CONTROL` if you enabled Security Hub on or after February 23, 2023. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-controlfindinggenerator */ readonly controlFindingGenerator?: string; /** * Whether to enable the security standards that Security Hub has designated as automatically enabled. * * If you don't provide a value for `EnableDefaultStandards` , it is set to `true` , and the designated standards are automatically enabled in each AWS Region where you enable Security Hub . If you don't want to enable the designated standards, set `EnableDefaultStandards` to `false` . * * Currently, the automatically enabled standards are the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices (FSBP). * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-enabledefaultstandards */ readonly enableDefaultStandards?: boolean | cdk.IResolvable; /** * An array of key-value pairs to apply to this resource. * * For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) . * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-tags */ readonly tags?: any; } /** * The `AWS::SecurityHub::Standard` resource specifies the enablement of a security standard. * * The standard is identified by the `StandardsArn` property. To view a list of Security Hub standards and their Amazon Resource Names (ARNs), use the [`DescribeStandards`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation. * * You must create a separate `AWS::SecurityHub::Standard` resource for each standard that you want to enable. * * For more information about Security Hub standards, see [Security Hub standards reference](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the *AWS Security Hub User Guide* . * * @cloudformationResource AWS::SecurityHub::Standard * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html */ export declare class CfnStandard extends cdk.CfnResource implements cdk.IInspectable { /** * The CloudFormation resource type name for this resource class. */ static readonly CFN_RESOURCE_TYPE_NAME: string; /** * Build a CfnStandard from CloudFormation properties * * A factory method that creates a new instance of this class from an object * containing the CloudFormation properties of this resource. * Used in the @aws-cdk/cloudformation-include module. * * @internal */ static _fromCloudFormation(scope: constructs.Construct, id: string, resourceAttributes: any, options: cfn_parse.FromCloudFormationOptions): CfnStandard; /** * The ARN of a resource that represents your subscription to a supported standard. * * @cloudformationAttribute StandardsSubscriptionArn */ readonly attrStandardsSubscriptionArn: string; /** * Specifies which controls are to be disabled in a standard. */ disabledStandardsControls?: Array | cdk.IResolvable; /** * The ARN of the standard that you want to enable. */ standardsArn: string; /** * @param scope Scope in which this resource is defined * @param id Construct identifier for this resource (unique in its scope) * @param props Resource properties */ constructor(scope: constructs.Construct, id: string, props: CfnStandardProps); protected get cfnProperties(): Record; /** * Examines the CloudFormation resource and discloses attributes * * @param inspector tree inspector to collect and process attributes */ inspect(inspector: cdk.TreeInspector): void; protected renderProperties(props: Record): Record; } export declare namespace CfnStandard { /** * Provides details about an individual security control. * * For a list of Security Hub controls, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) in the *AWS Security Hub User Guide* . * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-standard-standardscontrol.html */ interface StandardsControlProperty { /** * A user-defined reason for changing a control's enablement status in a specified standard. * * If you are disabling a control, then this property is required. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-standard-standardscontrol.html#cfn-securityhub-standard-standardscontrol-reason */ readonly reason?: string; /** * The Amazon Resource Name (ARN) of the control. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-standard-standardscontrol.html#cfn-securityhub-standard-standardscontrol-standardscontrolarn */ readonly standardsControlArn: string; } } /** * Properties for defining a `CfnStandard` * * @struct * @stability external * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html */ export interface CfnStandardProps { /** * Specifies which controls are to be disabled in a standard. * * *Maximum* : `100` * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html#cfn-securityhub-standard-disabledstandardscontrols */ readonly disabledStandardsControls?: Array | cdk.IResolvable; /** * The ARN of the standard that you want to enable. * * To view a list of available Security Hub standards and their ARNs, use the [`DescribeStandards`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation. * * @see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html#cfn-securityhub-standard-standardsarn */ readonly standardsArn: string; }