Skip to content

/AWS1/CL_SHBSECURITYCONTROL

A security control in Security Hub CSPM describes a security best practice related to a specific resource.

CONSTRUCTOR

IMPORTING

Required arguments:

iv_securitycontrolid TYPE /AWS1/SHBNONEMPTYSTRING /AWS1/SHBNONEMPTYSTRING

The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number, such as APIGateway.3.

iv_securitycontrolarn TYPE /AWS1/SHBNONEMPTYSTRING /AWS1/SHBNONEMPTYSTRING

The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

iv_title TYPE /AWS1/SHBNONEMPTYSTRING /AWS1/SHBNONEMPTYSTRING

The title of a security control.

iv_description TYPE /AWS1/SHBNONEMPTYSTRING /AWS1/SHBNONEMPTYSTRING

The description of a security control across standards. This typically summarizes how Security Hub CSPM evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard.

iv_remediationurl TYPE /AWS1/SHBNONEMPTYSTRING /AWS1/SHBNONEMPTYSTRING

A link to Security Hub CSPM documentation that explains how to remediate a failed finding for a security control.

iv_severityrating TYPE /AWS1/SHBSEVERITYRATING /AWS1/SHBSEVERITYRATING

The severity of a security control. For more information about how Security Hub CSPM determines control severity, see Assigning severity to control findings in the Security Hub CSPM User Guide.

iv_securitycontrolstatus TYPE /AWS1/SHBCONTROLSTATUS /AWS1/SHBCONTROLSTATUS

The enablement status of a security control in a specific standard.

Optional arguments:

iv_updatestatus TYPE /AWS1/SHBUPDATESTATUS /AWS1/SHBUPDATESTATUS

Identifies whether customizable properties of a security control are reflected in Security Hub CSPM findings. A status of READY indicates that Security Hub CSPM uses the current control parameter values when running security checks of the control. A status of UPDATING indicates that all security checks might not use the current parameter values.

it_parameters TYPE /AWS1/CL_SHBPARAMETERCONF=>TT_PARAMETERS TT_PARAMETERS

An object that identifies the name of a control parameter, its current value, and whether it has been customized.

iv_lastupdatereason TYPE /AWS1/SHBALPHANUMERICNONEMPT00 /AWS1/SHBALPHANUMERICNONEMPT00

The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.

Queryable Attributes

SecurityControlId

The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number, such as APIGateway.3.

Accessible with the following methods

Method Description
GET_SECURITYCONTROLID() Getter for SECURITYCONTROLID, with configurable default
ASK_SECURITYCONTROLID() Getter for SECURITYCONTROLID w/ exceptions if field has no v
HAS_SECURITYCONTROLID() Determine if SECURITYCONTROLID has a value

SecurityControlArn

The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

Accessible with the following methods

Method Description
GET_SECURITYCONTROLARN() Getter for SECURITYCONTROLARN, with configurable default
ASK_SECURITYCONTROLARN() Getter for SECURITYCONTROLARN w/ exceptions if field has no
HAS_SECURITYCONTROLARN() Determine if SECURITYCONTROLARN has a value

Title

The title of a security control.

Accessible with the following methods

Method Description
GET_TITLE() Getter for TITLE, with configurable default
ASK_TITLE() Getter for TITLE w/ exceptions if field has no value
HAS_TITLE() Determine if TITLE has a value

Description

The description of a security control across standards. This typically summarizes how Security Hub CSPM evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard.

Accessible with the following methods

Method Description
GET_DESCRIPTION() Getter for DESCRIPTION, with configurable default
ASK_DESCRIPTION() Getter for DESCRIPTION w/ exceptions if field has no value
HAS_DESCRIPTION() Determine if DESCRIPTION has a value

RemediationUrl

A link to Security Hub CSPM documentation that explains how to remediate a failed finding for a security control.

Accessible with the following methods

Method Description
GET_REMEDIATIONURL() Getter for REMEDIATIONURL, with configurable default
ASK_REMEDIATIONURL() Getter for REMEDIATIONURL w/ exceptions if field has no valu
HAS_REMEDIATIONURL() Determine if REMEDIATIONURL has a value

SeverityRating

The severity of a security control. For more information about how Security Hub CSPM determines control severity, see Assigning severity to control findings in the Security Hub CSPM User Guide.

Accessible with the following methods

Method Description
GET_SEVERITYRATING() Getter for SEVERITYRATING, with configurable default
ASK_SEVERITYRATING() Getter for SEVERITYRATING w/ exceptions if field has no valu
HAS_SEVERITYRATING() Determine if SEVERITYRATING has a value

SecurityControlStatus

The enablement status of a security control in a specific standard.

Accessible with the following methods

Method Description
GET_SECURITYCONTROLSTATUS() Getter for SECURITYCONTROLSTATUS, with configurable default
ASK_SECURITYCONTROLSTATUS() Getter for SECURITYCONTROLSTATUS w/ exceptions if field has
HAS_SECURITYCONTROLSTATUS() Determine if SECURITYCONTROLSTATUS has a value

UpdateStatus

Identifies whether customizable properties of a security control are reflected in Security Hub CSPM findings. A status of READY indicates that Security Hub CSPM uses the current control parameter values when running security checks of the control. A status of UPDATING indicates that all security checks might not use the current parameter values.

Accessible with the following methods

Method Description
GET_UPDATESTATUS() Getter for UPDATESTATUS, with configurable default
ASK_UPDATESTATUS() Getter for UPDATESTATUS w/ exceptions if field has no value
HAS_UPDATESTATUS() Determine if UPDATESTATUS has a value

Parameters

An object that identifies the name of a control parameter, its current value, and whether it has been customized.

Accessible with the following methods

Method Description
GET_PARAMETERS() Getter for PARAMETERS, with configurable default
ASK_PARAMETERS() Getter for PARAMETERS w/ exceptions if field has no value
HAS_PARAMETERS() Determine if PARAMETERS has a value

LastUpdateReason

The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.

Accessible with the following methods

Method Description
GET_LASTUPDATEREASON() Getter for LASTUPDATEREASON, with configurable default
ASK_LASTUPDATEREASON() Getter for LASTUPDATEREASON w/ exceptions if field has no va
HAS_LASTUPDATEREASON() Determine if LASTUPDATEREASON has a value

Public Local Types In This Class

Internal table types, representing arrays and maps of this class, are defined as local types:

TT_SECURITYCONTROLS

TYPES TT_SECURITYCONTROLS TYPE STANDARD TABLE OF REF TO /AWS1/CL_SHBSECURITYCONTROL WITH DEFAULT KEY
.