hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Support custom parameters for security hub controls #35447

Open RanganMahesh opened 7 months ago

RanganMahesh commented 7 months ago

Description

AWS has recently released a feature that allows users to modify certain parameters that are used to evaluate a control: Custom control parameters

List of controls which allow customer parameters: Allowed list

The requirement is to update the TF resource aws_securityhub_standards_control to support custom control parameters where they are allowed.

Affected Resource(s) and/or Data Source(s)

aws_securityhub_standards_control https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_control

Potential Terraform Configuration

resource "aws_securityhub_standards_control" "enable_acm_and_set_parameter" {
  standards_control_arn = "arn:aws:securityhub:us-east-1:111111111111:control/aws-foundational-security-best-practices/v/1.0.0/ACM.1"
  control_status        = "ENABLED"

  # Proposed new attribute (not present in the provider today)
  parameters = [{
    name       = "daysToExpiration"
    value_type = "CUSTOM"
    type       = "INTEGER"
    value      = 15
  }]

  depends_on = [aws_securityhub_standards_subscription.aws-foundational-security-best-practices]
}

References

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html
https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_control

acwwat commented 4 months ago

Adding more info to this ticket.

Security Hub distinguishes between a standards control and a security control. The former denotes the association of a control in the context of a standard, while the latter is the "global" control that can be included in multiple standards.

Since custom parameters are applied globally at the security control level (using the UpdateSecurityControl API), what we need is a new aws_securityhub_security_control resource.

Also note that you can already configure custom control parameters using SHCPs in both local and central configuration - see aws_securityhub_configuration_policy and aws_securityhub_configuration_policy.
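The comment above points at two things: custom parameters live on the security control (UpdateSecurityControl), and configuration policies already carry them. The following is an added example, not code from this issue or from the provider's documentation, showing how the ACM.1 daysToExpiration value from the original proposal can be set today through a central configuration policy. It assumes the account running it is the Security Hub delegated administrator, that the `configuration_policy` / `security_controls_configuration` / `security_control_custom_parameter` / `parameter` / `int` / `enum` block names match the provider version in use, and that the region, account ID, policy name and target OU ID are placeholders; verify the block names against the registry docs for your provider version before applying.

```hcl
# Added example: set custom control parameters with a Security Hub
# configuration policy instead of the (not yet existing) parameters
# attribute on aws_securityhub_standards_control.
# Placeholders: region, account ID (111111111111), OU ID (ou-xxxx-xxxxxxxx).

# Central configuration is a prerequisite for configuration policies.
# auto_enable is turned off because the policy below decides what is on.
resource "aws_securityhub_organization_configuration" "central" {
  auto_enable           = false
  auto_enable_standards = "NONE"

  organization_configuration {
    configuration_type = "CENTRAL"
  }
}

resource "aws_securityhub_configuration_policy" "fsbp_custom_params" {
  name        = "fsbp-custom-params"
  description = "FSBP with custom parameters on ACM.1 and APIGateway.1"

  configuration_policy {
    service_enabled = true

    # Standard ARNs carry no account ID.
    enabled_standard_arns = [
      "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
    ]

    security_controls_configuration {
      # Controls are enabled by default; list only the ones to disable.
      disabled_control_identifiers = []

      # Same value the issue proposes on the standards control, but set on
      # the security control ID (global), as the comment above describes.
      security_control_custom_parameter {
        security_control_id = "ACM.1"

        parameter {
          name       = "daysToExpiration"
          value_type = "CUSTOM"
          int {
            value = 15
          }
        }
      }

      # A second kind of parameter value (enum) to show the typed
      # sub-block pattern generalizes beyond integers.
      security_control_custom_parameter {
        security_control_id = "APIGateway.1"

        parameter {
          name       = "loggingLevel"
          value_type = "CUSTOM"
          enum {
            value = "ERROR"
          }
        }
      }
    }
  }

  depends_on = [aws_securityhub_organization_configuration.central]
}

# A policy does nothing until it is associated with an account, OU or root.
resource "aws_securityhub_configuration_policy_association" "prod_ou" {
  target_id = "ou-xxxx-xxxxxxxx"
  policy_id = aws_securityhub_configuration_policy.fsbp_custom_params.id
}
```

Two points worth checking after `terraform apply`: a parameter with `value_type = "DEFAULT"` resets the control to AWS's default rather than removing the block, and because the value is attached to the security control ID it applies to every standard that includes that control, which is exactly why a per-standard `aws_securityhub_standards_control` attribute would not map cleanly onto the API.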