arazzo: 1.0.1
info:
  title: Amazon Security Hub Enable Hub and Review Standards
  summary: Enable Security Hub for the account and review which security standards are now available.
  description: >-
    Bootstraps Security Hub posture management by enabling the service for the
    current account and Region, then immediately enumerating the catalog of
    available security standards so the operator can confirm which standards
    were turned on by default and which remain available to subscribe to. Each
    step spells out its request inline so the flow can be read and executed
    without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: securityHubApi
  url: ../openapi/amazon-security-hub-openapi.yml
  type: openapi
workflows:
- workflowId: enable-hub-and-review-standards
  summary: Enable Security Hub and list the available security standards.
  description: >-
    Enables Security Hub with the default standards turned on, then lists the
    available standards catalog to verify which standards are enabled by
    default in the account.
  inputs:
    type: object
    properties:
      enableDefaultStandards:
        type: boolean
        description: Whether to enable the standards Security Hub designates as automatically enabled.
        default: true
      controlFindingGenerator:
        type: string
        description: How control findings are generated.
        enum:
        - STANDARD_CONTROL
        - SECURITY_CONTROL
        default: SECURITY_CONTROL
      tags:
        type: object
        description: Optional tags to associate with the Security Hub resource.
        additionalProperties:
          type: string
      maxResults:
        type: integer
        description: The maximum number of standards to return in the catalog listing.
        default: 100
  steps:
  - stepId: enableHub
    description: >-
      Enable Security Hub for the account in the current Region, opting in to the
      default standards so baseline best-practice checks begin running.
    operationId: EnableSecurityHub
    requestBody:
      contentType: application/json
      payload:
        EnableDefaultStandards: $inputs.enableDefaultStandards
        ControlFindingGenerator: $inputs.controlFindingGenerator
        Tags: $inputs.tags
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      enableStatus: $statusCode
  - stepId: reviewStandards
    description: >-
      List the available security standards so the operator can confirm which
      standards are enabled by default after the hub was turned on.
    operationId: DescribeStandards
    parameters:
    - name: MaxResults
      in: query
      value: $inputs.maxResults
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      standards: $response.body#/Standards
      nextToken: $response.body#/NextToken
  outputs:
    enableStatus: $steps.enableHub.outputs.enableStatus
    standards: $steps.reviewStandards.outputs.standards