security_profiles
Creates, updates, deletes or gets a security_profile resource or lists security_profiles in a region
Overview
Name | security_profiles |
Type | Resource |
Description | A security profile defines a set of expected behaviors for devices in your account. |
Id | aws.iot.security_profiles |
Fields
Name | Datatype | Description |
---|---|---|
security_profile_name | string | A unique identifier for the security profile. |
security_profile_description | string | A description of the security profile. |
behaviors | array | Specifies the behaviors that, when violated by a device (thing), cause an alert. |
alert_targets | object | Specifies the destinations to which alerts are sent. |
additional_metrics_to_retain_v2 | array | A list of metrics whose data is retained (stored). By default, data is retained for any metric used in the profile's behaviors, but it is also retained for any metric specified here. |
metrics_export_config | object | A structure containing the MQTT topic (and the role used to publish to it) for metrics export. |
tags | array | Metadata that can be used to manage the security profile. |
target_arns | array | A set of target ARNs that the security profile is attached to. |
security_profile_arn | string | The ARN (Amazon resource name) of the created security profile. |
region | string | AWS region. |
Methods
Name | Accessible by | Required Params |
---|---|---|
create_resource | INSERT | region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all security_profiles in a region.
SELECT
region,
security_profile_name,
security_profile_description,
behaviors,
alert_targets,
additional_metrics_to_retain_v2,
metrics_export_config,
tags,
target_arns,
security_profile_arn
FROM aws.iot.security_profiles
WHERE region = 'us-east-1';
Gets all properties from an individual security_profile.
SELECT
region,
security_profile_name,
security_profile_description,
behaviors,
alert_targets,
additional_metrics_to_retain_v2,
metrics_export_config,
tags,
target_arns,
security_profile_arn
FROM aws.iot.security_profiles
WHERE region = 'us-east-1' AND data__Identifier = '<SecurityProfileName>';
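The two queries above list profiles and fetch one profile's properties. The following query is an added example, not part of the StackQL documentation, that turns the same columns into a coverage check: a profile whose target_arns array is empty is not attached to any thing or thing group and therefore monitors nothing, and a profile whose alert_targets object is empty records violations that reach no one. It assumes the StackQL SQLite backend, where array and object columns arrive as JSON text and SQLite's json_array_length() function is available; the finding labels are constructed for this example.

```sql
-- Added example (not from the StackQL docs): audit which security profiles
-- in a region actually monitor something and can alert someone.
-- Assumes the SQLite backend: target_arns, behaviors and alert_targets are
-- JSON text, so json_array_length() applies to the array columns.
SELECT
  security_profile_name,
  json_array_length(behaviors)   AS behavior_count,
  json_array_length(target_arns) AS attached_targets,
  CASE
    -- no targets: the profile is defined but evaluates no device
    WHEN target_arns IS NULL OR json_array_length(target_arns) = 0
      THEN 'NOT_ATTACHED'
    -- no alert targets: violations are stored but never delivered
    WHEN alert_targets IS NULL OR alert_targets = '{}'
      THEN 'NO_ALERT_TARGET'
    -- no behaviors: nothing can ever be violated
    WHEN behaviors IS NULL OR json_array_length(behaviors) = 0
      THEN 'NO_BEHAVIORS'
    ELSE 'OK'
  END AS finding
FROM aws.iot.security_profiles
WHERE region = 'us-east-1'
ORDER BY finding, security_profile_name;
```

Run it per region of interest; rows labelled anything other than OK are the profiles whose definition in the Fields table above does not add up to working detection, and the permissions needed are only those listed under Read and List.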
INSERT example
Use the following StackQL query and manifest file to create a new security_profile resource, using stack-deploy.
Required Properties:
/*+ create */
INSERT INTO aws.iot.security_profiles (
region
)
SELECT
'{{ region }}';
All Properties:
/*+ create */
INSERT INTO aws.iot.security_profiles (
SecurityProfileName,
SecurityProfileDescription,
Behaviors,
AlertTargets,
AdditionalMetricsToRetainV2,
MetricsExportConfig,
Tags,
TargetArns,
region
)
SELECT
'{{ SecurityProfileName }}',
'{{ SecurityProfileDescription }}',
'{{ Behaviors }}',
'{{ AlertTargets }}',
'{{ AdditionalMetricsToRetainV2 }}',
'{{ MetricsExportConfig }}',
'{{ Tags }}',
'{{ TargetArns }}',
'{{ region }}';
Manifest:
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: security_profile
    props:
      - name: SecurityProfileName
        value: '{{ SecurityProfileName }}'
      - name: SecurityProfileDescription
        value: '{{ SecurityProfileDescription }}'
      - name: Behaviors
        value:
          - Name: '{{ Name }}'
            Metric: '{{ Metric }}'
            MetricDimension:
              DimensionName: '{{ DimensionName }}'
              Operator: '{{ Operator }}'
            Criteria:
              ComparisonOperator: '{{ ComparisonOperator }}'
              Value:
                Count: '{{ Count }}'
                Cidrs:
                  - '{{ Cidrs[0] }}'
                Ports:
                  - '{{ Ports[0] }}'
                Number: null
                Numbers:
                  - null
                Strings:
                  - '{{ Strings[0] }}'
              DurationSeconds: '{{ DurationSeconds }}'
              ConsecutiveDatapointsToAlarm: '{{ ConsecutiveDatapointsToAlarm }}'
              ConsecutiveDatapointsToClear: '{{ ConsecutiveDatapointsToClear }}'
              StatisticalThreshold:
                Statistic: '{{ Statistic }}'
              MlDetectionConfig:
                ConfidenceLevel: '{{ ConfidenceLevel }}'
            SuppressAlerts: '{{ SuppressAlerts }}'
            ExportMetric: '{{ ExportMetric }}'
      - name: AlertTargets
        value: {}
      - name: AdditionalMetricsToRetainV2
        value:
          - Metric: '{{ Metric }}'
            MetricDimension: null
            ExportMetric: null
      - name: MetricsExportConfig
        value:
          MqttTopic: '{{ MqttTopic }}'
          RoleArn: '{{ RoleArn }}'
      - name: Tags
        value:
          - Key: '{{ Key }}'
            Value: '{{ Value }}'
      - name: TargetArns
        value:
          - '{{ TargetArns[0] }}'
DELETE example
/*+ delete */
DELETE FROM aws.iot.security_profiles
WHERE data__Identifier = '<SecurityProfileName>'
AND region = 'us-east-1';
Permissions
To operate on the security_profiles resource, the following permissions are required:
Create
iot:CreateSecurityProfile,
iot:AttachSecurityProfile,
iot:DescribeSecurityProfile,
iot:TagResource,
iam:PassRole
Read
iot:DescribeSecurityProfile,
iot:ListTagsForResource,
iot:ListTargetsForSecurityProfile
Update
iot:UpdateSecurityProfile,
iot:ListTargetsForSecurityProfile,
iot:AttachSecurityProfile,
iot:DetachSecurityProfile,
iot:ListTagsForResource,
iot:UntagResource,
iot:TagResource,
iam:PassRole
Delete
iot:DescribeSecurityProfile,
iot:DeleteSecurityProfile
List
iot:ListSecurityProfiles