SecurityHub / Client / create_configuration_policy

create_configuration_policy#

SecurityHub.Client.create_configuration_policy(**kwargs)#

Creates a configuration policy with the defined configuration. Only the Security Hub delegated administrator can invoke this operation from the home Region.

See also: AWS API Documentation

Request Syntax

response = client.create_configuration_policy(
    Name='string',
    Description='string',
    ConfigurationPolicy={
        'SecurityHub': {
            'ServiceEnabled': True|False,
            'EnabledStandardIdentifiers': [
                'string',
            ],
            'SecurityControlsConfiguration': {
                'EnabledSecurityControlIdentifiers': [
                    'string',
                ],
                'DisabledSecurityControlIdentifiers': [
                    'string',
                ],
                'SecurityControlCustomParameters': [
                    {
                        'SecurityControlId': 'string',
                        'Parameters': {
                            'string': {
                                'ValueType': 'DEFAULT'|'CUSTOM',
                                'Value': {
                                    'Integer': 123,
                                    'IntegerList': [
                                        123,
                                    ],
                                    'Double': 123.0,
                                    'String': 'string',
                                    'StringList': [
                                        'string',
                                    ],
                                    'Boolean': True|False,
                                    'Enum': 'string',
                                    'EnumList': [
                                        'string',
                                    ]
                                }
                            }
                        }
                    },
                ]
            }
        }
    },
    Tags={
        'string': 'string'
    }
)
Parameters:
  • Name (string) –

    [REQUIRED]

    The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: -, ., !, *, /.

  • Description (string) – The description of the configuration policy.

  • ConfigurationPolicy (dict) –

    [REQUIRED]

    An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).

    Note

    This is a Tagged Union structure. Only one of the following top level keys can be set: SecurityHub.

    • SecurityHub (dict) –

      The Amazon Web Services service that the configuration policy applies to.

      • ServiceEnabled (boolean) –

        Indicates whether Security Hub is enabled in the policy.

      • EnabledStandardIdentifiers (list) –

        A list that defines which security standards are enabled in the configuration policy.

        • (string) –

      • SecurityControlsConfiguration (dict) –

        An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.

        • EnabledSecurityControlIdentifiers (list) –

          A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls.

          • (string) –

        • DisabledSecurityControlIdentifiers (list) –

          A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls.

          • (string) –

        • SecurityControlCustomParameters (list) –

          A list of security controls and control parameter values that are included in a configuration policy.

          • (dict) –

            A list of security controls and control parameter values that are included in a configuration policy.

            • SecurityControlId (string) –

              The ID of the security control.

            • Parameters (dict) –

              An object that specifies parameter values for a control in a configuration policy.

              • (string) –

                • (dict) –

                  An object that provides the current value of a security control parameter and identifies whether it has been customized.

                  • ValueType (string) – [REQUIRED]

                    Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior.

                    When ValueType is set equal to DEFAULT, the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When ValueType is set equal to DEFAULT, Security Hub ignores user-provided input for the Value field.

                    When ValueType is set equal to CUSTOM, the Value field can’t be empty.

                  • Value (dict) –

                    The current value of a control parameter.

                    Note

                    This is a Tagged Union structure. Only one of the following top level keys can be set: Integer, IntegerList, Double, String, StringList, Boolean, Enum, EnumList.

                    • Integer (integer) –

                      A control parameter that is an integer.

                    • IntegerList (list) –

                      A control parameter that is a list of integers.

                      • (integer) –

                    • Double (float) –

                      A control parameter that is a double.

                    • String (string) –

                      A control parameter that is a string.

                    • StringList (list) –

                      A control parameter that is a list of strings.

                      • (string) –

                    • Boolean (boolean) –

                      A control parameter that is a boolean.

                    • Enum (string) –

                      A control parameter that is an enum.

                    • EnumList (list) –

                      A control parameter that is a list of enums.

                      • (string) –

  • Tags (dict) –

    User-defined tags associated with a configuration policy. For more information, see Tagging Security Hub resources in the Security Hub user guide.

    • (string) –

      • (string) –

Return type:

dict

Returns:

Response Syntax

{
    'Arn': 'string',
    'Id': 'string',
    'Name': 'string',
    'Description': 'string',
    'UpdatedAt': datetime(2015, 1, 1),
    'CreatedAt': datetime(2015, 1, 1),
    'ConfigurationPolicy': {
        'SecurityHub': {
            'ServiceEnabled': True|False,
            'EnabledStandardIdentifiers': [
                'string',
            ],
            'SecurityControlsConfiguration': {
                'EnabledSecurityControlIdentifiers': [
                    'string',
                ],
                'DisabledSecurityControlIdentifiers': [
                    'string',
                ],
                'SecurityControlCustomParameters': [
                    {
                        'SecurityControlId': 'string',
                        'Parameters': {
                            'string': {
                                'ValueType': 'DEFAULT'|'CUSTOM',
                                'Value': {
                                    'Integer': 123,
                                    'IntegerList': [
                                        123,
                                    ],
                                    'Double': 123.0,
                                    'String': 'string',
                                    'StringList': [
                                        'string',
                                    ],
                                    'Boolean': True|False,
                                    'Enum': 'string',
                                    'EnumList': [
                                        'string',
                                    ]
                                }
                            }
                        }
                    },
                ]
            }
        }
    }
}

Response Structure

  • (dict) –

    • Arn (string) –

      The Amazon Resource Name (ARN) of the configuration policy.

    • Id (string) –

      The universally unique identifier (UUID) of the configuration policy.

    • Name (string) –

      The name of the configuration policy.

    • Description (string) –

      The description of the configuration policy.

    • UpdatedAt (datetime) –

      The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.

    • CreatedAt (datetime) –

      The date and time, in UTC and ISO 8601 format, that the configuration policy was created.

    • ConfigurationPolicy (dict) –

      An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If the request included a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If the request included a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).

      Note

      This is a Tagged Union structure. Only one of the following top level keys will be set: SecurityHub. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

      'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
      
      • SecurityHub (dict) –

        The Amazon Web Services service that the configuration policy applies to.

        • ServiceEnabled (boolean) –

          Indicates whether Security Hub is enabled in the policy.

        • EnabledStandardIdentifiers (list) –

          A list that defines which security standards are enabled in the configuration policy.

          • (string) –

        • SecurityControlsConfiguration (dict) –

          An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.

          • EnabledSecurityControlIdentifiers (list) –

            A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls.

            • (string) –

          • DisabledSecurityControlIdentifiers (list) –

            A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls.

            • (string) –

          • SecurityControlCustomParameters (list) –

            A list of security controls and control parameter values that are included in a configuration policy.

            • (dict) –

              A list of security controls and control parameter values that are included in a configuration policy.

              • SecurityControlId (string) –

                The ID of the security control.

              • Parameters (dict) –

                An object that specifies parameter values for a control in a configuration policy.

                • (string) –

                  • (dict) –

                    An object that provides the current value of a security control parameter and identifies whether it has been customized.

                    • ValueType (string) –

                      Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior.

                      When ValueType is set equal to DEFAULT, the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When ValueType is set equal to DEFAULT, Security Hub ignores user-provided input for the Value field.

                      When ValueType is set equal to CUSTOM, the Value field can’t be empty.

                    • Value (dict) –

                      The current value of a control parameter.

                      Note

                      This is a Tagged Union structure. Only one of the following top level keys will be set: Integer, IntegerList, Double, String, StringList, Boolean, Enum, EnumList. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

                      'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
                      
                      • Integer (integer) –

                        A control parameter that is an integer.

                      • IntegerList (list) –

                        A control parameter that is a list of integers.

                        • (integer) –

                      • Double (float) –

                        A control parameter that is a double.

                      • String (string) –

                        A control parameter that is a string.

                      • StringList (list) –

                        A control parameter that is a list of strings.

                        • (string) –

                      • Boolean (boolean) –

                        A control parameter that is a boolean.

                      • Enum (string) –

                        A control parameter that is an enum.

                      • EnumList (list) –

                        A control parameter that is a list of enums.

                        • (string) –

Exceptions

  • SecurityHub.Client.exceptions.InternalException

  • SecurityHub.Client.exceptions.InvalidAccessException

  • SecurityHub.Client.exceptions.InvalidInputException

  • SecurityHub.Client.exceptions.LimitExceededException

  • SecurityHub.Client.exceptions.AccessDeniedException

  • SecurityHub.Client.exceptions.ResourceConflictException