Skip to main content
← back to extensions

Aws/securityhub

@swamp/aws/securityhubv2026.05.27.1· 4d agoMODELS
01README

AWS SECURITYHUB infrastructure models

02Release Notes
  • Updated: connector_v2
03Models15
@swamp/aws/securityhub/aggregator-v2v2026.04.23.2aggregator_v2.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
RegionLinkingModeenumIndicates to link a list of included Regions
LinkedRegionsarrayThe list of included Regions
Tags?recordA key-value pair to associate with the Security Hub V2 resource.
fn create()
Create a SecurityHub AggregatorV2
fn get(identifier: string)
Get a SecurityHub AggregatorV2
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub AggregatorV2
fn update()
Update a SecurityHub AggregatorV2
fn delete(identifier: string)
Delete a SecurityHub AggregatorV2
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub AggregatorV2
fn sync()
Sync SecurityHub AggregatorV2 state from AWS

Resources

state(infinite)— SecurityHub AggregatorV2 resource state
@swamp/aws/securityhub/automation-rulev2026.05.15.1automation_rule.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
RuleStatus?enumWhether the rule is active after it is created. If this parameter is equal to ENABLED, ASH applies the rule to findings and finding updates after the rule is created.
RuleOrdernumberAn integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub CSPM applies rules with lower values for this parameter first.
DescriptionstringA description of the rule.
RuleNamestringThe name of the rule.
IsTerminal?booleanSpecifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub CSPM applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
ActionsarrayOne or more actions to update finding fields if a finding matches the conditions specified in Criteria.
CriteriaobjectA set of [Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that ASH uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, ASH applies the rule action to the finding.
Tags?recordUser-defined tags associated with an automation rule.
fn create()
Create a SecurityHub AutomationRule
fn get(identifier: string)
Get a SecurityHub AutomationRule
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub AutomationRule
fn update()
Update a SecurityHub AutomationRule
fn delete(identifier: string)
Delete a SecurityHub AutomationRule
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub AutomationRule
fn sync()
Sync SecurityHub AutomationRule state from AWS

Resources

state(infinite)— SecurityHub AutomationRule resource state
@swamp/aws/securityhub/automation-rule-v2v2026.04.23.2automation_rule_v2.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
RuleNamestringThe name of the automation rule
RuleStatus?enumThe status of the automation rule
DescriptionstringA description of the automation rule
RuleOrdernumberThe value for the rule priority
CriteriaobjectDefines the parameters and conditions used to evaluate and filter security findings
ActionsarrayA list of actions to be performed when the rule criteria is met
Tags?recordA key-value pair to associate with a resource.
fn create()
Create a SecurityHub AutomationRuleV2
fn get(identifier: string)
Get a SecurityHub AutomationRuleV2
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub AutomationRuleV2
fn update()
Update a SecurityHub AutomationRuleV2
fn delete(identifier: string)
Delete a SecurityHub AutomationRuleV2
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub AutomationRuleV2
fn sync()
Sync SecurityHub AutomationRuleV2 state from AWS

Resources

state(infinite)— SecurityHub AutomationRuleV2 resource state
@swamp/aws/securityhub/configuration-policyv2026.04.23.2configuration_policy.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
NamestringThe name of the configuration policy.
Description?stringThe description of the configuration policy.
ConfigurationPolicyobjectAn object that defines how Security Hub is configured.
Tags?recordA key-value pair to associate with a resource.
fn create()
Create a SecurityHub ConfigurationPolicy
fn get(identifier: string)
Get a SecurityHub ConfigurationPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub ConfigurationPolicy
fn update()
Update a SecurityHub ConfigurationPolicy
fn delete(identifier: string)
Delete a SecurityHub ConfigurationPolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub ConfigurationPolicy
fn sync()
Sync SecurityHub ConfigurationPolicy state from AWS

Resources

state(infinite)— SecurityHub ConfigurationPolicy resource state
@swamp/aws/securityhub/connector-v2v2026.05.27.1connector_v2.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
NamestringThe name of the connector
Description?stringA description of the connector
KmsKeyArn?stringThe ARN of KMS key used for the connector
ProviderrecordThe third-party provider configuration for the connector
Tags?recordA key-value pair to associate with a resource.
fn create()
Create a SecurityHub ConnectorV2
fn get(identifier: string)
Get a SecurityHub ConnectorV2
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub ConnectorV2
fn update()
Update a SecurityHub ConnectorV2
fn delete(identifier: string)
Delete a SecurityHub ConnectorV2
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub ConnectorV2
fn sync()
Sync SecurityHub ConnectorV2 state from AWS

Resources

state(infinite)— SecurityHub ConnectorV2 resource state
@swamp/aws/securityhub/delegated-adminv2026.04.23.2delegated_admin.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
AdminAccountIdstringThe AWS-account identifier of the account to designate as the Security Hub CSPM administrator account.
fn create()
Create a SecurityHub DelegatedAdmin
fn get(identifier: string)
Get a SecurityHub DelegatedAdmin
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub DelegatedAdmin
fn delete(identifier: string)
Delete a SecurityHub DelegatedAdmin
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub DelegatedAdmin
fn sync()
Sync SecurityHub DelegatedAdmin state from AWS

Resources

state(infinite)— SecurityHub DelegatedAdmin resource state
@swamp/aws/securityhub/finding-aggregatorv2026.04.23.2finding_aggregator.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
RegionLinkingModeenumIndicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them. The selected option also determines how to use the Regions provided in the Regions list. In CFN, the options for this property are as follows: ALL_REGIONS - Indicates to aggregate findings from all of the Regions where Security Hub is enabled. When you choose this optio
Regions?arrayIf RegionLinkingMode is ALL_REGIONS_EXCEPT_SPECIFIED, then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region. If RegionLinkingMode is SPECIFIED_REGIONS, then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.
fn create()
Create a SecurityHub FindingAggregator
fn get(identifier: string)
Get a SecurityHub FindingAggregator
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub FindingAggregator
fn update()
Update a SecurityHub FindingAggregator
fn delete(identifier: string)
Delete a SecurityHub FindingAggregator
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub FindingAggregator
fn sync()
Sync SecurityHub FindingAggregator state from AWS

Resources

state(infinite)— SecurityHub FindingAggregator resource state
@swamp/aws/securityhub/hubv2026.04.23.2hub.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
EnableDefaultStandards?booleanWhether to enable the security standards that Security Hub has designated as automatically enabled.
ControlFindingGenerator?stringThis field, used when enabling Security Hub, specifies whether the calling account has consolidated control findings turned on. If the value for this field is set to SECURITY_CONTROL, Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to STANDARD_CONTROL, Security Hub generates separate findings for a control check when the check applies to multiple enabled standards.
AutoEnableControls?booleanWhether to automatically enable new controls when they are added to standards that are enabled
Tags?recordA key-value pair to associate with a resource.
fn create()
Create a SecurityHub Hub
fn get(identifier: string)
Get a SecurityHub Hub
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub Hub
fn update()
Update a SecurityHub Hub
fn delete(identifier: string)
Delete a SecurityHub Hub
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub Hub
fn sync()
Sync SecurityHub Hub state from AWS

Resources

state(infinite)— SecurityHub Hub resource state
@swamp/aws/securityhub/hub-v2v2026.04.23.2hub_v2.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
Tags?recordA key-value pair to associate with the Security Hub V2 resource. You can specify a key that is 1 to 128 Unicode characters in length and cannot be prefixed with aws:. You can use any of the following characters: the set of Unicode letters, digits, whitespace, _,., /, =, +, and -.
fn create()
Create a SecurityHub HubV2
fn get(identifier: string)
Get a SecurityHub HubV2
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub HubV2
fn update()
Update a SecurityHub HubV2
fn delete(identifier: string)
Delete a SecurityHub HubV2
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub HubV2
fn sync()
Sync SecurityHub HubV2 state from AWS

Resources

state(infinite)— SecurityHub HubV2 resource state
@swamp/aws/securityhub/insightv2026.04.23.2insight.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
NamestringThe name of a Security Hub insight
FiltersobjectOne or more attributes used to filter the findings included in the insight
GroupByAttributestringThe grouping attribute for the insight's findings
fn create()
Create a SecurityHub Insight
fn get(identifier: string)
Get a SecurityHub Insight
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub Insight
fn update()
Update a SecurityHub Insight
fn delete(identifier: string)
Delete a SecurityHub Insight
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub Insight
fn sync()
Sync SecurityHub Insight state from AWS

Resources

state(infinite)— SecurityHub Insight resource state
@swamp/aws/securityhub/organization-configurationv2026.04.23.2organization_configuration.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
AutoEnablebooleanWhether to automatically enable Security Hub in new member accounts when they join the organization.
AutoEnableStandards?enumWhether to automatically enable Security Hub default standards in new member accounts when they join the organization.
ConfigurationType?enumIndicates whether the organization uses local or central configuration.
fn create()
Create a SecurityHub OrganizationConfiguration
fn get(identifier: string)
Get a SecurityHub OrganizationConfiguration
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub OrganizationConfiguration
fn update()
Update a SecurityHub OrganizationConfiguration
fn delete(identifier: string)
Delete a SecurityHub OrganizationConfiguration
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub OrganizationConfiguration
fn sync()
Sync SecurityHub OrganizationConfiguration state from AWS

Resources

state(infinite)— SecurityHub OrganizationConfiguration resource state
@swamp/aws/securityhub/policy-associationv2026.04.23.2policy_association.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
ConfigurationPolicyIdstringThe universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration
TargetIdstringThe identifier of the target account, organizational unit, or the root
TargetTypeenumIndicates whether the target is an AWS account, organizational unit, or the organization root
fn create()
Create a SecurityHub PolicyAssociation
fn get(identifier: string)
Get a SecurityHub PolicyAssociation
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub PolicyAssociation
fn update()
Update a SecurityHub PolicyAssociation
fn delete(identifier: string)
Delete a SecurityHub PolicyAssociation
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub PolicyAssociation
fn sync()
Sync SecurityHub PolicyAssociation state from AWS

Resources

state(infinite)— SecurityHub PolicyAssociation resource state
@swamp/aws/securityhub/product-subscriptionv2026.04.23.2product_subscription.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
ProductArnstringThe generic ARN of the product being subscribed to
fn create()
Create a SecurityHub ProductSubscription
fn get(identifier: string)
Get a SecurityHub ProductSubscription
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub ProductSubscription
fn delete(identifier: string)
Delete a SecurityHub ProductSubscription
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub ProductSubscription
fn sync()
Sync SecurityHub ProductSubscription state from AWS

Resources

state(infinite)— SecurityHub ProductSubscription resource state
@swamp/aws/securityhub/security-controlv2026.04.23.2security_control.ts

Global Arguments

ArgumentTypeDescription
SecurityControlId?stringThe unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.
SecurityControlArn?stringThe Amazon Resource Name (ARN) for a security control across standards, such as `arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1`. This parameter doesn't mention a specific standard.
LastUpdateReason?stringThe most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
ParametersrecordAn object that identifies the name of a control parameter, its current value, and whether it has been customized.
fn create()
Create a SecurityHub SecurityControl
fn get(identifier: string)
Get a SecurityHub SecurityControl
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub SecurityControl
fn update()
Update a SecurityHub SecurityControl
fn delete(identifier: string)
Delete a SecurityHub SecurityControl
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub SecurityControl
fn sync()
Sync SecurityHub SecurityControl state from AWS

Resources

state(infinite)— SecurityHub SecurityControl resource state
@swamp/aws/securityhub/standardv2026.04.23.2standard.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
StandardsArnstringThe ARN of the standard that you want to enable. To view a list of available ASH standards and their ARNs, use the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation.
DisabledStandardsControls?arraySpecifies which controls are to be disabled in a standard. *Maximum*: 100
fn create()
Create a SecurityHub Standard
fn get(identifier: string)
Get a SecurityHub Standard
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub Standard
fn update()
Update a SecurityHub Standard
fn delete(identifier: string)
Delete a SecurityHub Standard
ArgumentTypeDescription
identifierstringThe primary identifier of the SecurityHub Standard
fn sync()
Sync SecurityHub Standard state from AWS

Resources

state(infinite)— SecurityHub Standard resource state
04Previous Versions7
2026.05.15.1May 15, 2026
  • Updated: automation_rule
2026.04.23.3Apr 23, 2026
2026.04.23.2Apr 23, 2026
  • Updated: aggregator_v2, automation_rule, automation_rule_v2, configuration_policy, connector_v2, delegated_admin, finding_aggregator, hub, hub_v2, insight, organization_configuration, policy_association, product_subscription, security_control, standard
2026.04.03.2Apr 3, 2026
  • Updated: aggregator_v2, automation_rule, automation_rule_v2, configuration_policy, connector_v2, delegated_admin, finding_aggregator, hub, hub_v2, insight, organization_configuration, policy_association, product_subscription, security_control, standard
2026.03.19.1Mar 19, 2026
  • Updated: aggregator_v2, automation_rule, automation_rule_v2, configuration_policy, connector_v2, delegated_admin, finding_aggregator, hub, hub_v2, insight, organization_configuration, policy_association, product_subscription, security_control, standard
2026.03.16.1Mar 16, 2026
  • Updated: aggregator_v2, automation_rule, automation_rule_v2, configuration_policy, connector_v2, delegated_admin, finding_aggregator, hub, hub_v2, insight, organization_configuration, policy_association, product_subscription, security_control, standard
2026.03.10.5Mar 10, 2026
05Stats
B
85 / 100
Downloads
3
Archive size
3.6 MB
Verified by Swamp
  • Has README or module doc2/2earned
  • README has a code example1/1earned
  • README is substantive1/1earned
  • Most symbols documented1/1earned
  • No slow types1/1earned
  • Dependencies pass trust audit0/2missing
  • Has description1/1earned
  • Platform support declared (or universal)2/2earned
  • License declared1/1earned
  • Verified public repository2/2earned
Repository
https://github.com/systeminit/swamp-extensions
06Platforms
07Labels
#aws#securityhub#cloud#infrastructure