@swamp/aws/securityhub

v2026.04.23.3

AWS SECURITYHUB infrastructure models

Repository

https://github.com/systeminit/swamp-extensions

Labels

aws, securityhub, cloud, infrastructure

Contents

Quality score

Verified by Swamp

How well-documented and verifiable this extension is.

100%

Grade A

  • Has README or module doc: 2/2 earned
  • README has a code example: 1/1 earned
  • README is substantive: 1/1 earned
  • Most symbols documented: 1/1 earned
  • No slow types: 1/1 earned
  • Has description: 1/1 earned
  • At least one platform tag (or universal): 1/1 earned
  • Two or more platform tags (or universal): 1/1 earned
  • License declared: 1/1 earned
  • Verified public repository: 2/2 earned

Install

$ swamp extension pull @swamp/aws/securityhub

@swamp/aws/securityhub/aggregator-v2 v2026.04.23.2 aggregator_v2.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| RegionLinkingMode | enum | Indicates to link a list of included Regions |
| LinkedRegions | array | The list of included Regions |
| Tags? | record | A key-value pair to associate with the Security Hub V2 resource. |

create: Create a SecurityHub AggregatorV2

get: Get a SecurityHub AggregatorV2

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub AggregatorV2 |

update: Update a SecurityHub AggregatorV2

delete: Delete a SecurityHub AggregatorV2

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub AggregatorV2 |

sync: Sync SecurityHub AggregatorV2 state from AWS

Resources

state (infinite) — SecurityHub AggregatorV2 resource state

@swamp/aws/securityhub/automation-rule v2026.04.23.2 automation_rule.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| RuleStatus? | enum | Whether the rule is active after it is created. If this parameter is equal to ENABLED, ASH applies the rule to findings and finding updates after the rule is created. |
| RuleOrder | number | An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub CSPM applies rules with lower values for this parameter first. |
| Description | string | A description of the rule. |
| RuleName | string | The name of the rule. |
| IsTerminal? | boolean | Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub CSPM applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal. |
| Actions | array | One or more actions to update finding fields if a finding matches the conditions specified in Criteria. |
| Criteria | object | A set of [Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that ASH uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, ASH applies the rule action to the finding. |
| Tags? | record | User-defined tags associated with an automation rule. |

create: Create a SecurityHub AutomationRule

get: Get a SecurityHub AutomationRule

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub AutomationRule |

update: Update a SecurityHub AutomationRule

delete: Delete a SecurityHub AutomationRule

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub AutomationRule |

sync: Sync SecurityHub AutomationRule state from AWS

Resources

state (infinite) — SecurityHub AutomationRule resource state

@swamp/aws/securityhub/automation-rule-v2 v2026.04.23.2 automation_rule_v2.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| RuleName | string | The name of the automation rule |
| RuleStatus? | enum | The status of the automation rule |
| Description | string | A description of the automation rule |
| RuleOrder | number | The value for the rule priority |
| Criteria | object | Defines the parameters and conditions used to evaluate and filter security findings |
| Actions | array | A list of actions to be performed when the rule criteria is met |
| Tags? | record | A key-value pair to associate with a resource. |

create: Create a SecurityHub AutomationRuleV2

get: Get a SecurityHub AutomationRuleV2

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub AutomationRuleV2 |

update: Update a SecurityHub AutomationRuleV2

delete: Delete a SecurityHub AutomationRuleV2

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub AutomationRuleV2 |

sync: Sync SecurityHub AutomationRuleV2 state from AWS

Resources

state (infinite) — SecurityHub AutomationRuleV2 resource state

@swamp/aws/securityhub/configuration-policy v2026.04.23.2 configuration_policy.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Name | string | The name of the configuration policy. |
| Description? | string | The description of the configuration policy. |
| ConfigurationPolicy | object | An object that defines how Security Hub is configured. |
| Tags? | record | A key-value pair to associate with a resource. |

create: Create a SecurityHub ConfigurationPolicy

get: Get a SecurityHub ConfigurationPolicy

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub ConfigurationPolicy |

update: Update a SecurityHub ConfigurationPolicy

delete: Delete a SecurityHub ConfigurationPolicy

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub ConfigurationPolicy |

sync: Sync SecurityHub ConfigurationPolicy state from AWS

Resources

state (infinite) — SecurityHub ConfigurationPolicy resource state

@swamp/aws/securityhub/connector-v2 v2026.04.23.2 connector_v2.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Name | string | The name of the connector |
| Description? | string | A description of the connector |
| KmsKeyArn? | string | The ARN of KMS key used for the connector |
| Provider | string | The third-party provider configuration for the connector |
| Tags? | record | A key-value pair to associate with a resource. |

create: Create a SecurityHub ConnectorV2

get: Get a SecurityHub ConnectorV2

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub ConnectorV2 |

update: Update a SecurityHub ConnectorV2

delete: Delete a SecurityHub ConnectorV2

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub ConnectorV2 |

sync: Sync SecurityHub ConnectorV2 state from AWS

Resources

state (infinite) — SecurityHub ConnectorV2 resource state

@swamp/aws/securityhub/delegated-admin v2026.04.23.2 delegated_admin.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| AdminAccountId | string | The AWS-account identifier of the account to designate as the Security Hub CSPM administrator account. |

create: Create a SecurityHub DelegatedAdmin

get: Get a SecurityHub DelegatedAdmin

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub DelegatedAdmin |

delete: Delete a SecurityHub DelegatedAdmin

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub DelegatedAdmin |

sync: Sync SecurityHub DelegatedAdmin state from AWS

Resources

state (infinite) — SecurityHub DelegatedAdmin resource state

@swamp/aws/securityhub/finding-aggregator v2026.04.23.2 finding_aggregator.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| RegionLinkingMode | enum | Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them. The selected option also determines how to use the Regions provided in the Regions list. In CFN, the options for this property are as follows: ALL_REGIONS - Indicates to aggregate findings from all of the Regions where Security Hub is enabled. When you choose this optio |
| Regions? | array | If RegionLinkingMode is ALL_REGIONS_EXCEPT_SPECIFIED, then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region. If RegionLinkingMode is SPECIFIED_REGIONS, then this is a space-separated list of Regions that do aggregate findings to the aggregation Region. |

create: Create a SecurityHub FindingAggregator

get: Get a SecurityHub FindingAggregator

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub FindingAggregator |

update: Update a SecurityHub FindingAggregator

delete: Delete a SecurityHub FindingAggregator

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub FindingAggregator |

sync: Sync SecurityHub FindingAggregator state from AWS

Resources

state (infinite) — SecurityHub FindingAggregator resource state

@swamp/aws/securityhub/hub v2026.04.23.2 hub.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| EnableDefaultStandards? | boolean | Whether to enable the security standards that Security Hub has designated as automatically enabled. |
| ControlFindingGenerator? | string | This field, used when enabling Security Hub, specifies whether the calling account has consolidated control findings turned on. If the value for this field is set to SECURITY_CONTROL, Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to STANDARD_CONTROL, Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. |
| AutoEnableControls? | boolean | Whether to automatically enable new controls when they are added to standards that are enabled |
| Tags? | record | A key-value pair to associate with a resource. |

create: Create a SecurityHub Hub

get: Get a SecurityHub Hub

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub Hub |

update: Update a SecurityHub Hub

delete: Delete a SecurityHub Hub

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub Hub |

sync: Sync SecurityHub Hub state from AWS

Resources

state (infinite) — SecurityHub Hub resource state

@swamp/aws/securityhub/hub-v2 v2026.04.23.2 hub_v2.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Tags? | record | A key-value pair to associate with the Security Hub V2 resource. You can specify a key that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. |

create: Create a SecurityHub HubV2

get: Get a SecurityHub HubV2

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub HubV2 |

update: Update a SecurityHub HubV2

delete: Delete a SecurityHub HubV2

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub HubV2 |

sync: Sync SecurityHub HubV2 state from AWS

Resources

state (infinite) — SecurityHub HubV2 resource state

@swamp/aws/securityhub/insight v2026.04.23.2 insight.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Name | string | The name of a Security Hub insight |
| Filters | object | One or more attributes used to filter the findings included in the insight |
| GroupByAttribute | string | The grouping attribute for the insight's findings |

create: Create a SecurityHub Insight

get: Get a SecurityHub Insight

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub Insight |

update: Update a SecurityHub Insight

delete: Delete a SecurityHub Insight

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub Insight |

sync: Sync SecurityHub Insight state from AWS

Resources

state (infinite) — SecurityHub Insight resource state

@swamp/aws/securityhub/organization-configuration v2026.04.23.2 organization_configuration.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| AutoEnable | boolean | Whether to automatically enable Security Hub in new member accounts when they join the organization. |
| AutoEnableStandards? | enum | Whether to automatically enable Security Hub default standards in new member accounts when they join the organization. |
| ConfigurationType? | enum | Indicates whether the organization uses local or central configuration. |

create: Create a SecurityHub OrganizationConfiguration

get: Get a SecurityHub OrganizationConfiguration

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub OrganizationConfiguration |

update: Update a SecurityHub OrganizationConfiguration

delete: Delete a SecurityHub OrganizationConfiguration

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub OrganizationConfiguration |

sync: Sync SecurityHub OrganizationConfiguration state from AWS

Resources

state (infinite) — SecurityHub OrganizationConfiguration resource state

@swamp/aws/securityhub/policy-association v2026.04.23.2 policy_association.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| ConfigurationPolicyId | string | The universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration |
| TargetId | string | The identifier of the target account, organizational unit, or the root |
| TargetType | enum | Indicates whether the target is an AWS account, organizational unit, or the organization root |

create: Create a SecurityHub PolicyAssociation

get: Get a SecurityHub PolicyAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub PolicyAssociation |

update: Update a SecurityHub PolicyAssociation

delete: Delete a SecurityHub PolicyAssociation

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub PolicyAssociation |

sync: Sync SecurityHub PolicyAssociation state from AWS

Resources

state (infinite) — SecurityHub PolicyAssociation resource state

@swamp/aws/securityhub/product-subscription v2026.04.23.2 product_subscription.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| ProductArn | string | The generic ARN of the product being subscribed to |

create: Create a SecurityHub ProductSubscription

get: Get a SecurityHub ProductSubscription

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub ProductSubscription |

delete: Delete a SecurityHub ProductSubscription

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub ProductSubscription |

sync: Sync SecurityHub ProductSubscription state from AWS

Resources

state (infinite) — SecurityHub ProductSubscription resource state

@swamp/aws/securityhub/security-control v2026.04.23.2 security_control.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| SecurityControlId? | string | The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3. |
| SecurityControlArn? | string | The Amazon Resource Name (ARN) for a security control across standards, such as `arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1`. This parameter doesn't mention a specific standard. |
| LastUpdateReason? | string | The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores. |
| Parameters | record | An object that identifies the name of a control parameter, its current value, and whether it has been customized. |

create: Create a SecurityHub SecurityControl

get: Get a SecurityHub SecurityControl

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub SecurityControl |

update: Update a SecurityHub SecurityControl

delete: Delete a SecurityHub SecurityControl

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub SecurityControl |

sync: Sync SecurityHub SecurityControl state from AWS

Resources

state (infinite) — SecurityHub SecurityControl resource state

@swamp/aws/securityhub/standard v2026.04.23.2 standard.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| StandardsArn | string | The ARN of the standard that you want to enable. To view a list of available ASH standards and their ARNs, use the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation. |
| DisabledStandardsControls? | array | Specifies which controls are to be disabled in a standard. *Maximum*: 100 |

create: Create a SecurityHub Standard

get: Get a SecurityHub Standard

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub Standard |

update: Update a SecurityHub Standard

delete: Delete a SecurityHub Standard

| Argument | Type | Description |
| --- | --- | --- |
| identifier | string | The primary identifier of the SecurityHub Standard |

sync: Sync SecurityHub Standard state from AWS

Resources

state (infinite) — SecurityHub Standard resource state