aws-cdk-lib 2.144.0__py3-none-any.whl → 2.146.0__py3-none-any.whl

aws_cdk/aws_securityhub/__init__.py

@@ -2927,24 +2927,16 @@ class CfnAutomationRuleProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
-class CfnDelegatedAdmin(
+@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
+class CfnConfigurationPolicy(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
-    jsii_type="aws-cdk-lib.aws_securityhub.CfnDelegatedAdmin",
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnConfigurationPolicy",
 ):
-    '''The ``AWS::SecurityHub::DelegatedAdmin`` resource designates the delegated AWS Security Hub administrator account for an organization.
-
-    You must enable the integration between Security Hub and AWS Organizations before you can designate a delegated Security Hub administrator. Only the management account for an organization can designate the delegated Security Hub administrator account. For more information, see `Designating the delegated Security Hub administrator <https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#designate-admin-instructions>`_ in the *AWS Security Hub User Guide* .
-
-    To change the delegated administrator account, remove the current delegated administrator account, and then designate the new account.
-
-    To designate multiple delegated administrators in different organizations and AWS Regions , we recommend using `AWS CloudFormation mappings <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/mappings-section-structure.html>`_ .
-
-    Tags aren't supported for this resource.
+    '''The AWS::SecurityHub::ConfigurationPolicy resource represents the Central Configuration Policy in your account.
 
-    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-delegatedadmin.html
-    :cloudformationResource: AWS::SecurityHub::DelegatedAdmin
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html
+    :cloudformationResource: AWS::SecurityHub::ConfigurationPolicy
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -2953,8 +2945,44 @@ class CfnDelegatedAdmin(
         # The values are placeholders you should change.
         from aws_cdk import aws_securityhub as securityhub
         
-        cfn_delegated_admin = securityhub.CfnDelegatedAdmin(self, "MyCfnDelegatedAdmin",
-            admin_account_id="adminAccountId"
+        cfn_configuration_policy = securityhub.CfnConfigurationPolicy(self, "MyCfnConfigurationPolicy",
+            configuration_policy=securityhub.CfnConfigurationPolicy.PolicyProperty(
+                security_hub=securityhub.CfnConfigurationPolicy.SecurityHubPolicyProperty(
+                    enabled_standard_identifiers=["enabledStandardIdentifiers"],
+                    security_controls_configuration=securityhub.CfnConfigurationPolicy.SecurityControlsConfigurationProperty(
+                        disabled_security_control_identifiers=["disabledSecurityControlIdentifiers"],
+                        enabled_security_control_identifiers=["enabledSecurityControlIdentifiers"],
+                        security_control_custom_parameters=[securityhub.CfnConfigurationPolicy.SecurityControlCustomParameterProperty(
+                            parameters={
+                                "parameters_key": securityhub.CfnConfigurationPolicy.ParameterConfigurationProperty(
+                                    value_type="valueType",
+        
+                                    # the properties below are optional
+                                    value=securityhub.CfnConfigurationPolicy.ParameterValueProperty(
+                                        boolean=False,
+                                        double=123,
+                                        enum="enum",
+                                        enum_list=["enumList"],
+                                        integer=123,
+                                        integer_list=[123],
+                                        string="string",
+                                        string_list=["stringList"]
+                                    )
+                                )
+                            },
+                            security_control_id="securityControlId"
+                        )]
+                    ),
+                    service_enabled=False
+                )
+            ),
+            name="name",
+        
+            # the properties below are optional
+            description="description",
+            tags={
+                "tags_key": "tags"
+            }
         )
     '''
 
@@ -2963,18 +2991,29 @@ class CfnDelegatedAdmin(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
-        admin_account_id: builtins.str,
+        configuration_policy: typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationPolicy.PolicyProperty", typing.Dict[builtins.str, typing.Any]]],
+        name: builtins.str,
+        description: typing.Optional[builtins.str] = None,
+        tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param admin_account_id: The AWS account identifier of the account to designate as the Security Hub administrator account.
+        :param configuration_policy: An object that defines how Security Hub is configured.
+        :param name: The name of the configuration policy.
+        :param description: The description of the configuration policy.
+        :param tags: A key-value pair to associate with a resource.
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__e27e329e801cb67f6ec71f03a054a574103f5946def22c1bfdcd99ba50827d58)
+            type_hints = typing.get_type_hints(_typecheckingstub__e2cee5cf3fe5ba0b354ff30ea357f97d4a69893bed692305ae2919f0061404d2)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-        props = CfnDelegatedAdminProps(admin_account_id=admin_account_id)
+        props = CfnConfigurationPolicyProps(
+            configuration_policy=configuration_policy,
+            name=name,
+            description=description,
+            tags=tags,
+        )
 
         jsii.create(self.__class__, self, [scope, id, props])
 
@@ -2985,7 +3024,7 @@ class CfnDelegatedAdmin(
         :param inspector: tree inspector to collect and process attributes.
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__baaaa369299b88b2085a28b2af39aa2abf07ab6772dc8c3ce8044a9ef9ea4df7)
+            type_hints = typing.get_type_hints(_typecheckingstub__7db746216d4af7625aa0207d7a7c29b228b046ca193581d4486931471769f9e7)
             check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
         return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
 
@@ -2998,7 +3037,7 @@ class CfnDelegatedAdmin(
         :param props: -
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__2c0e442efc9a3d07aaf74da8d8d9132c602da0b1c240bc4589e6ce7e3e2459a3)
+            type_hints = typing.get_type_hints(_typecheckingstub__66e713d67f1f54ace155bb5c7fe5334bde6b3843a28e97e26e40c575ec7d505e)
             check_type(argname="argument props", value=props, expected_type=type_hints["props"])
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
 
@@ -3009,22 +3048,55 @@ class CfnDelegatedAdmin(
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
     @builtins.property
-    @jsii.member(jsii_name="attrDelegatedAdminIdentifier")
-    def attr_delegated_admin_identifier(self) -> builtins.str:
-        '''The ID of the delegated Security Hub administrator account, in the format of ``accountID/Region`` .
+    @jsii.member(jsii_name="attrArn")
+    def attr_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the configuration policy.
 
-        :cloudformationAttribute: DelegatedAdminIdentifier
+        :cloudformationAttribute: Arn
         '''
-        return typing.cast(builtins.str, jsii.get(self, "attrDelegatedAdminIdentifier"))
+        return typing.cast(builtins.str, jsii.get(self, "attrArn"))
 
     @builtins.property
-    @jsii.member(jsii_name="attrStatus")
-    def attr_status(self) -> builtins.str:
-        '''Whether the delegated Security Hub administrator is set for the organization.
+    @jsii.member(jsii_name="attrCreatedAt")
+    def attr_created_at(self) -> builtins.str:
+        '''The date and time, in UTC and ISO 8601 format.
 
-        :cloudformationAttribute: Status
+        :cloudformationAttribute: CreatedAt
         '''
-        return typing.cast(builtins.str, jsii.get(self, "attrStatus"))
+        return typing.cast(builtins.str, jsii.get(self, "attrCreatedAt"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrId")
+    def attr_id(self) -> builtins.str:
+        '''The universally unique identifier (UUID) of the configuration policy.
+
+        :cloudformationAttribute: Id
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrId"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrServiceEnabled")
+    def attr_service_enabled(self) -> _IResolvable_da3f097b:
+        '''Indicates whether the service that the configuration policy applies to is enabled in the policy.
+
+        :cloudformationAttribute: ServiceEnabled
+        '''
+        return typing.cast(_IResolvable_da3f097b, jsii.get(self, "attrServiceEnabled"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrUpdatedAt")
+    def attr_updated_at(self) -> builtins.str:
+        '''The date and time, in UTC and ISO 8601 format.
+
+        :cloudformationAttribute: UpdatedAt
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrUpdatedAt"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cdkTagManager")
+    def cdk_tag_manager(self) -> _TagManager_0a598cb3:
+        '''Tag Manager which manages the tags for this resource.'''
+        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "cdkTagManager"))
 
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
@@ -3032,374 +3104,859 @@ class CfnDelegatedAdmin(
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
     @builtins.property
-    @jsii.member(jsii_name="adminAccountId")
-    def admin_account_id(self) -> builtins.str:
-        '''The AWS account identifier of the account to designate as the Security Hub administrator account.'''
-        return typing.cast(builtins.str, jsii.get(self, "adminAccountId"))
+    @jsii.member(jsii_name="configurationPolicy")
+    def configuration_policy(
+        self,
+    ) -> typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.PolicyProperty"]:
+        '''An object that defines how Security Hub is configured.'''
+        return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.PolicyProperty"], jsii.get(self, "configurationPolicy"))
 
-    @admin_account_id.setter
-    def admin_account_id(self, value: builtins.str) -> None:
+    @configuration_policy.setter
+    def configuration_policy(
+        self,
+        value: typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.PolicyProperty"],
+    ) -> None:
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__f5fdd5db8baf5624dbb4185acb8020d5499aa459d03967b97375912c3e6844c5)
+            type_hints = typing.get_type_hints(_typecheckingstub__dcfe8504c7335f76a4bad5bb43755a142eab48d80958f837dfc86c94989b8b0b)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "adminAccountId", value)
+        jsii.set(self, "configurationPolicy", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="name")
+    def name(self) -> builtins.str:
+        '''The name of the configuration policy.'''
+        return typing.cast(builtins.str, jsii.get(self, "name"))
 
-@jsii.data_type(
-    jsii_type="aws-cdk-lib.aws_securityhub.CfnDelegatedAdminProps",
-    jsii_struct_bases=[],
-    name_mapping={"admin_account_id": "adminAccountId"},
-)
-class CfnDelegatedAdminProps:
-    def __init__(self, *, admin_account_id: builtins.str) -> None:
-        '''Properties for defining a ``CfnDelegatedAdmin``.
+    @name.setter
+    def name(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__0c731f4e7d50837bdafa92a4f5cb8478dc20fafa27c5a4f08cdf841e2570899f)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "name", value)
 
-        :param admin_account_id: The AWS account identifier of the account to designate as the Security Hub administrator account.
+    @builtins.property
+    @jsii.member(jsii_name="description")
+    def description(self) -> typing.Optional[builtins.str]:
+        '''The description of the configuration policy.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "description"))
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-delegatedadmin.html
-        :exampleMetadata: fixture=_generated
+    @description.setter
+    def description(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__04301850c858bba803007d4d9502ff9c879ed1e1d926fa157899bd92a915c3cd)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "description", value)
 
-        Example::
+    @builtins.property
+    @jsii.member(jsii_name="tags")
+    def tags(self) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''A key-value pair to associate with a resource.'''
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], jsii.get(self, "tags"))
 
-            # The code below shows an example of how to instantiate this type.
-            # The values are placeholders you should change.
-            from aws_cdk import aws_securityhub as securityhub
-            
-            cfn_delegated_admin_props = securityhub.CfnDelegatedAdminProps(
-                admin_account_id="adminAccountId"
-            )
-        '''
+    @tags.setter
+    def tags(
+        self,
+        value: typing.Optional[typing.Mapping[builtins.str, builtins.str]],
+    ) -> None:
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__bccd0acf2d461662eef1addff325ba8fe883439d680f7762ea393681a481c0ca)
-            check_type(argname="argument admin_account_id", value=admin_account_id, expected_type=type_hints["admin_account_id"])
-        self._values: typing.Dict[builtins.str, typing.Any] = {
-            "admin_account_id": admin_account_id,
-        }
+            type_hints = typing.get_type_hints(_typecheckingstub__418f84486ff1ec65f898c97538e438a38d2ee43b4f9ed6260595a25dfa039629)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "tags", value)
 
-    @builtins.property
-    def admin_account_id(self) -> builtins.str:
-        '''The AWS account identifier of the account to designate as the Security Hub administrator account.
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_securityhub.CfnConfigurationPolicy.ParameterConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={"value_type": "valueType", "value": "value"},
+    )
+    class ParameterConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            value_type: builtins.str,
+            value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationPolicy.ParameterValueProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ) -> None:
+            '''An object that provides the current value of a security control parameter and identifies whether it has been customized.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-delegatedadmin.html#cfn-securityhub-delegatedadmin-adminaccountid
-        '''
-        result = self._values.get("admin_account_id")
-        assert result is not None, "Required property 'admin_account_id' is missing"
-        return typing.cast(builtins.str, result)
+            :param value_type: Identifies whether a control parameter uses a custom user-defined value or subscribes to the default AWS Security Hub behavior.
+            :param value: An object that includes the data type of a security control parameter and its current value.
 
-    def __eq__(self, rhs: typing.Any) -> builtins.bool:
-        return isinstance(rhs, self.__class__) and rhs._values == self._values
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parameterconfiguration.html
+            :exampleMetadata: fixture=_generated
 
-    def __ne__(self, rhs: typing.Any) -> builtins.bool:
-        return not (rhs == self)
+            Example::
 
-    def __repr__(self) -> str:
-        return "CfnDelegatedAdminProps(%s)" % ", ".join(
-            k + "=" + repr(v) for k, v in self._values.items()
-        )
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_securityhub as securityhub
+                
+                parameter_configuration_property = securityhub.CfnConfigurationPolicy.ParameterConfigurationProperty(
+                    value_type="valueType",
+                
+                    # the properties below are optional
+                    value=securityhub.CfnConfigurationPolicy.ParameterValueProperty(
+                        boolean=False,
+                        double=123,
+                        enum="enum",
+                        enum_list=["enumList"],
+                        integer=123,
+                        integer_list=[123],
+                        string="string",
+                        string_list=["stringList"]
+                    )
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__bb7172387b04074df24e1743dd558a99d470acadb8c73ad883b45213f409832e)
+                check_type(argname="argument value_type", value=value_type, expected_type=type_hints["value_type"])
+                check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "value_type": value_type,
+            }
+            if value is not None:
+                self._values["value"] = value
 
+        @builtins.property
+        def value_type(self) -> builtins.str:
+            '''Identifies whether a control parameter uses a custom user-defined value or subscribes to the default AWS Security Hub behavior.
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
-class CfnHub(
-    _CfnResource_9df397a6,
-    metaclass=jsii.JSIIMeta,
-    jsii_type="aws-cdk-lib.aws_securityhub.CfnHub",
-):
-    '''The ``AWS::SecurityHub::Hub`` resource specifies the enablement of the AWS Security Hub service in your AWS account .
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parameterconfiguration.html#cfn-securityhub-configurationpolicy-parameterconfiguration-valuetype
+            '''
+            result = self._values.get("value_type")
+            assert result is not None, "Required property 'value_type' is missing"
+            return typing.cast(builtins.str, result)
 
-    The service is enabled in the current AWS Region or the specified Region. You create a separate ``Hub`` resource in each Region in which you want to enable Security Hub .
+        @builtins.property
+        def value(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.ParameterValueProperty"]]:
+            '''An object that includes the data type of a security control parameter and its current value.
 
-    When you use this resource to enable Security Hub , default security standards are enabled. To disable default standards, set the ``EnableDefaultStandards`` property to ``false`` . You can use the ```AWS::SecurityHub::Standard`` <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html>`_ resource to enable additional standards.
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parameterconfiguration.html#cfn-securityhub-configurationpolicy-parameterconfiguration-value
+            '''
+            result = self._values.get("value")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.ParameterValueProperty"]], result)
 
-    When you use this resource to enable Security Hub , new controls are automatically enabled for your enabled standards. To disable automatic enablement of new controls, set the ``AutoEnableControls`` property to ``false`` .
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
 
-    You must create an ``AWS::SecurityHub::Hub`` resource for an account before you can create other types of Security Hub resources for the account through AWS CloudFormation . Use a `DependsOn attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html>`_ , such as ``"DependsOn": "Hub"`` , to ensure that you've created an ``AWS::SecurityHub::Hub`` resource before creating other Security Hub resources for an account.
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
 
-    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html
-    :cloudformationResource: AWS::SecurityHub::Hub
-    :exampleMetadata: fixture=_generated
+        def __repr__(self) -> str:
+            return "ParameterConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
 
-    Example::
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_securityhub.CfnConfigurationPolicy.ParameterValueProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "boolean": "boolean",
+            "double": "double",
+            "enum": "enum",
+            "enum_list": "enumList",
+            "integer": "integer",
+            "integer_list": "integerList",
+            "string": "string",
+            "string_list": "stringList",
+        },
+    )
+    class ParameterValueProperty:
+        def __init__(
+            self,
+            *,
+            boolean: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+            double: typing.Optional[jsii.Number] = None,
+            enum: typing.Optional[builtins.str] = None,
+            enum_list: typing.Optional[typing.Sequence[builtins.str]] = None,
+            integer: typing.Optional[jsii.Number] = None,
+            integer_list: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[jsii.Number]]] = None,
+            string: typing.Optional[builtins.str] = None,
+            string_list: typing.Optional[typing.Sequence[builtins.str]] = None,
+        ) -> None:
+            '''An object that includes the data type of a security control parameter and its current value.
+
+            :param boolean: A control parameter that is a boolean.
+            :param double: A control parameter that is a double.
+            :param enum: A control parameter that is an enum.
+            :param enum_list: A control parameter that is a list of enums.
+            :param integer: A control parameter that is an integer.
+            :param integer_list: A control parameter that is a list of integers.
+            :param string: A control parameter that is a string.
+            :param string_list: A control parameter that is a list of strings.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parametervalue.html
+            :exampleMetadata: fixture=_generated
 
-        # The code below shows an example of how to instantiate this type.
-        # The values are placeholders you should change.
-        from aws_cdk import aws_securityhub as securityhub
-        
-        # tags: Any
-        
-        cfn_hub = securityhub.CfnHub(self, "MyCfnHub",
-            auto_enable_controls=False,
-            control_finding_generator="controlFindingGenerator",
-            enable_default_standards=False,
-            tags=tags
-        )
-    '''
+            Example::
 
-    def __init__(
-        self,
-        scope: _constructs_77d1e7e8.Construct,
-        id: builtins.str,
-        *,
-        auto_enable_controls: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
-        control_finding_generator: typing.Optional[builtins.str] = None,
-        enable_default_standards: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
-        tags: typing.Any = None,
-    ) -> None:
-        '''
-        :param scope: Scope in which this resource is defined.
-        :param id: Construct identifier for this resource (unique in its scope).
-        :param auto_enable_controls: Whether to automatically enable new controls when they are added to standards that are enabled. By default, this is set to ``true`` , and new controls are enabled automatically. To not automatically enable new controls, set this to ``false`` .
-        :param control_finding_generator: Specifies whether an account has consolidated control findings turned on or off. If the value for this field is set to ``SECURITY_CONTROL`` , Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to ``STANDARD_CONTROL`` , Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. The value for this field in a member account matches the value in the administrator account. For accounts that aren't part of an organization, the default value of this field is ``SECURITY_CONTROL`` if you enabled Security Hub on or after February 23, 2023.
-        :param enable_default_standards: Whether to enable the security standards that Security Hub has designated as automatically enabled. If you don't provide a value for ``EnableDefaultStandards`` , it is set to ``true`` , and the designated standards are automatically enabled in each AWS Region where you enable Security Hub . If you don't want to enable the designated standards, set ``EnableDefaultStandards`` to ``false`` . Currently, the automatically enabled standards are the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices (FSBP).
-        :param tags: An array of key-value pairs to apply to this resource. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__b5258d6906cbc8ea3b7ed82ec2c832e2751a0a1255445e6f3e81ea5935e2defb)
-            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
-            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
-        props = CfnHubProps(
-            auto_enable_controls=auto_enable_controls,
-            control_finding_generator=control_finding_generator,
-            enable_default_standards=enable_default_standards,
-            tags=tags,
-        )
-
-        jsii.create(self.__class__, self, [scope, id, props])
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_securityhub as securityhub
+                
+                parameter_value_property = securityhub.CfnConfigurationPolicy.ParameterValueProperty(
+                    boolean=False,
+                    double=123,
+                    enum="enum",
+                    enum_list=["enumList"],
+                    integer=123,
+                    integer_list=[123],
+                    string="string",
+                    string_list=["stringList"]
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__969ca8061fcd5bd0e97fbdd1aa2f0797cdbe22b447375480430ca26de8051846)
+                check_type(argname="argument boolean", value=boolean, expected_type=type_hints["boolean"])
+                check_type(argname="argument double", value=double, expected_type=type_hints["double"])
+                check_type(argname="argument enum", value=enum, expected_type=type_hints["enum"])
+                check_type(argname="argument enum_list", value=enum_list, expected_type=type_hints["enum_list"])
+                check_type(argname="argument integer", value=integer, expected_type=type_hints["integer"])
+                check_type(argname="argument integer_list", value=integer_list, expected_type=type_hints["integer_list"])
+                check_type(argname="argument string", value=string, expected_type=type_hints["string"])
+                check_type(argname="argument string_list", value=string_list, expected_type=type_hints["string_list"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if boolean is not None:
+                self._values["boolean"] = boolean
+            if double is not None:
+                self._values["double"] = double
+            if enum is not None:
+                self._values["enum"] = enum
+            if enum_list is not None:
+                self._values["enum_list"] = enum_list
+            if integer is not None:
+                self._values["integer"] = integer
+            if integer_list is not None:
+                self._values["integer_list"] = integer_list
+            if string is not None:
+                self._values["string"] = string
+            if string_list is not None:
+                self._values["string_list"] = string_list
 
-    @jsii.member(jsii_name="inspect")
-    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
-        '''Examines the CloudFormation resource and discloses attributes.
+        @builtins.property
+        def boolean(
+            self,
+        ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+            '''A control parameter that is a boolean.
 
-        :param inspector: tree inspector to collect and process attributes.
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__afc1b02284691f4fac4c50413d7e6e3c86b4db4f8702643ba4c85dd68b5cb0b4)
-            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
-        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parametervalue.html#cfn-securityhub-configurationpolicy-parametervalue-boolean
+            '''
+            result = self._values.get("boolean")
+            return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
 
-    @jsii.member(jsii_name="renderProperties")
-    def _render_properties(
-        self,
-        props: typing.Mapping[builtins.str, typing.Any],
-    ) -> typing.Mapping[builtins.str, typing.Any]:
-        '''
-        :param props: -
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__db4b61e6830fa5a7557c941ad1ea7690d59d4d1ea7c453b10a17081c25ba2e27)
-            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
-        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+        @builtins.property
+        def double(self) -> typing.Optional[jsii.Number]:
+            '''A control parameter that is a double.
 
-    @jsii.python.classproperty
-    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
-    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
-        '''The CloudFormation resource type name for this resource class.'''
-        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parametervalue.html#cfn-securityhub-configurationpolicy-parametervalue-double
+            '''
+            result = self._values.get("double")
+            return typing.cast(typing.Optional[jsii.Number], result)
 
-    @builtins.property
-    @jsii.member(jsii_name="attrArn")
-    def attr_arn(self) -> builtins.str:
-        '''The Amazon Resource Name (ARN) of the ``Hub`` resource that was retrieved.
+        @builtins.property
+        def enum(self) -> typing.Optional[builtins.str]:
+            '''A control parameter that is an enum.
 
-        :cloudformationAttribute: ARN
-        '''
-        return typing.cast(builtins.str, jsii.get(self, "attrArn"))
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parametervalue.html#cfn-securityhub-configurationpolicy-parametervalue-enum
+            '''
+            result = self._values.get("enum")
+            return typing.cast(typing.Optional[builtins.str], result)
 
-    @builtins.property
-    @jsii.member(jsii_name="attrSubscribedAt")
-    def attr_subscribed_at(self) -> builtins.str:
-        '''The date and time when Security Hub was enabled in your account.
+        @builtins.property
+        def enum_list(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''A control parameter that is a list of enums.
 
-        :cloudformationAttribute: SubscribedAt
-        '''
-        return typing.cast(builtins.str, jsii.get(self, "attrSubscribedAt"))
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parametervalue.html#cfn-securityhub-configurationpolicy-parametervalue-enumlist
+            '''
+            result = self._values.get("enum_list")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
-    @builtins.property
-    @jsii.member(jsii_name="cfnProperties")
-    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
-        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+        @builtins.property
+        def integer(self) -> typing.Optional[jsii.Number]:
+            '''A control parameter that is an integer.
 
-    @builtins.property
-    @jsii.member(jsii_name="tags")
-    def tags(self) -> _TagManager_0a598cb3:
-        '''Tag Manager which manages the tags for this resource.'''
-        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parametervalue.html#cfn-securityhub-configurationpolicy-parametervalue-integer
+            '''
+            result = self._values.get("integer")
+            return typing.cast(typing.Optional[jsii.Number], result)
 
-    @builtins.property
-    @jsii.member(jsii_name="autoEnableControls")
-    def auto_enable_controls(
-        self,
-    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Whether to automatically enable new controls when they are added to standards that are enabled.'''
-        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "autoEnableControls"))
+        @builtins.property
+        def integer_list(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[jsii.Number]]]:
+            '''A control parameter that is a list of integers.
 
-    @auto_enable_controls.setter
-    def auto_enable_controls(
-        self,
-        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
-    ) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__f8111fb2c58ed3e1e0c85928b084d60f2c8b02b604055e3087ce38f249967a54)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "autoEnableControls", value)
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parametervalue.html#cfn-securityhub-configurationpolicy-parametervalue-integerlist
+            '''
+            result = self._values.get("integer_list")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[jsii.Number]]], result)
 
-    @builtins.property
-    @jsii.member(jsii_name="controlFindingGenerator")
-    def control_finding_generator(self) -> typing.Optional[builtins.str]:
-        '''Specifies whether an account has consolidated control findings turned on or off.'''
-        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "controlFindingGenerator"))
+        @builtins.property
+        def string(self) -> typing.Optional[builtins.str]:
+            '''A control parameter that is a string.
 
-    @control_finding_generator.setter
-    def control_finding_generator(self, value: typing.Optional[builtins.str]) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__6647ce06efe713d1b36ec98af92808e5bf616a683fa68b2fb4fe64fafe92bf35)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "controlFindingGenerator", value)
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parametervalue.html#cfn-securityhub-configurationpolicy-parametervalue-string
+            '''
+            result = self._values.get("string")
+            return typing.cast(typing.Optional[builtins.str], result)
 
-    @builtins.property
-    @jsii.member(jsii_name="enableDefaultStandards")
-    def enable_default_standards(
-        self,
-    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Whether to enable the security standards that Security Hub has designated as automatically enabled.'''
-        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "enableDefaultStandards"))
+        @builtins.property
+        def string_list(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''A control parameter that is a list of strings.
 
-    @enable_default_standards.setter
-    def enable_default_standards(
-        self,
-        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
-    ) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__4d118847a7bb58b794458a6afe88e0a8324a3a4e1590aba4f028de455ee8c624)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "enableDefaultStandards", value)
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parametervalue.html#cfn-securityhub-configurationpolicy-parametervalue-stringlist
+            '''
+            result = self._values.get("string_list")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
-    @builtins.property
-    @jsii.member(jsii_name="tagsRaw")
-    def tags_raw(self) -> typing.Any:
-        '''An array of key-value pairs to apply to this resource.'''
-        return typing.cast(typing.Any, jsii.get(self, "tagsRaw"))
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
 
-    @tags_raw.setter
-    def tags_raw(self, value: typing.Any) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__e17fb796b4e0971555823ae1c97a99f19e5677ae303ff0ef984cd00ac919ea87)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "tagsRaw", value)
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
 
+        def __repr__(self) -> str:
+            return "ParameterValueProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
 
-@jsii.data_type(
-    jsii_type="aws-cdk-lib.aws_securityhub.CfnHubProps",
-    jsii_struct_bases=[],
-    name_mapping={
-        "auto_enable_controls": "autoEnableControls",
-        "control_finding_generator": "controlFindingGenerator",
-        "enable_default_standards": "enableDefaultStandards",
-        "tags": "tags",
-    },
-)
-class CfnHubProps:
-    def __init__(
-        self,
-        *,
-        auto_enable_controls: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
-        control_finding_generator: typing.Optional[builtins.str] = None,
-        enable_default_standards: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
-        tags: typing.Any = None,
-    ) -> None:
-        '''Properties for defining a ``CfnHub``.
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_securityhub.CfnConfigurationPolicy.PolicyProperty",
+        jsii_struct_bases=[],
+        name_mapping={"security_hub": "securityHub"},
+    )
+    class PolicyProperty:
+        def __init__(
+            self,
+            *,
+            security_hub: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationPolicy.SecurityHubPolicyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ) -> None:
+            '''An object that defines how Security Hub is configured.
 
-        :param auto_enable_controls: Whether to automatically enable new controls when they are added to standards that are enabled. By default, this is set to ``true`` , and new controls are enabled automatically. To not automatically enable new controls, set this to ``false`` .
-        :param control_finding_generator: Specifies whether an account has consolidated control findings turned on or off. If the value for this field is set to ``SECURITY_CONTROL`` , Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to ``STANDARD_CONTROL`` , Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. The value for this field in a member account matches the value in the administrator account. For accounts that aren't part of an organization, the default value of this field is ``SECURITY_CONTROL`` if you enabled Security Hub on or after February 23, 2023.
-        :param enable_default_standards: Whether to enable the security standards that Security Hub has designated as automatically enabled. If you don't provide a value for ``EnableDefaultStandards`` , it is set to ``true`` , and the designated standards are automatically enabled in each AWS Region where you enable Security Hub . If you don't want to enable the designated standards, set ``EnableDefaultStandards`` to ``false`` . Currently, the automatically enabled standards are the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices (FSBP).
-        :param tags: An array of key-value pairs to apply to this resource. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
+            :param security_hub: An object that defines how AWS Security Hub is configured.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html
-        :exampleMetadata: fixture=_generated
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-policy.html
+            :exampleMetadata: fixture=_generated
 
-        Example::
+            Example::
 
-            # The code below shows an example of how to instantiate this type.
-            # The values are placeholders you should change.
-            from aws_cdk import aws_securityhub as securityhub
-            
-            # tags: Any
-            
-            cfn_hub_props = securityhub.CfnHubProps(
-                auto_enable_controls=False,
-                control_finding_generator="controlFindingGenerator",
-                enable_default_standards=False,
-                tags=tags
-            )
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__9a38c34c1f2742403521eb4af2098475d7afb878d3f9aba37048ae543b43e29c)
-            check_type(argname="argument auto_enable_controls", value=auto_enable_controls, expected_type=type_hints["auto_enable_controls"])
-            check_type(argname="argument control_finding_generator", value=control_finding_generator, expected_type=type_hints["control_finding_generator"])
-            check_type(argname="argument enable_default_standards", value=enable_default_standards, expected_type=type_hints["enable_default_standards"])
-            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
-        self._values: typing.Dict[builtins.str, typing.Any] = {}
-        if auto_enable_controls is not None:
-            self._values["auto_enable_controls"] = auto_enable_controls
-        if control_finding_generator is not None:
-            self._values["control_finding_generator"] = control_finding_generator
-        if enable_default_standards is not None:
-            self._values["enable_default_standards"] = enable_default_standards
-        if tags is not None:
-            self._values["tags"] = tags
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_securityhub as securityhub
+                
+                policy_property = securityhub.CfnConfigurationPolicy.PolicyProperty(
+                    security_hub=securityhub.CfnConfigurationPolicy.SecurityHubPolicyProperty(
+                        enabled_standard_identifiers=["enabledStandardIdentifiers"],
+                        security_controls_configuration=securityhub.CfnConfigurationPolicy.SecurityControlsConfigurationProperty(
+                            disabled_security_control_identifiers=["disabledSecurityControlIdentifiers"],
+                            enabled_security_control_identifiers=["enabledSecurityControlIdentifiers"],
+                            security_control_custom_parameters=[securityhub.CfnConfigurationPolicy.SecurityControlCustomParameterProperty(
+                                parameters={
+                                    "parameters_key": securityhub.CfnConfigurationPolicy.ParameterConfigurationProperty(
+                                        value_type="valueType",
+                
+                                        # the properties below are optional
+                                        value=securityhub.CfnConfigurationPolicy.ParameterValueProperty(
+                                            boolean=False,
+                                            double=123,
+                                            enum="enum",
+                                            enum_list=["enumList"],
+                                            integer=123,
+                                            integer_list=[123],
+                                            string="string",
+                                            string_list=["stringList"]
+                                        )
+                                    )
+                                },
+                                security_control_id="securityControlId"
+                            )]
+                        ),
+                        service_enabled=False
+                    )
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__e1ba9b51d0a7fd087e8cf10fa5291c42d61f90148e1a8a190e3c90fecacd0e7a)
+                check_type(argname="argument security_hub", value=security_hub, expected_type=type_hints["security_hub"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if security_hub is not None:
+                self._values["security_hub"] = security_hub
 
-    @builtins.property
-    def auto_enable_controls(
-        self,
-    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Whether to automatically enable new controls when they are added to standards that are enabled.
+        @builtins.property
+        def security_hub(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.SecurityHubPolicyProperty"]]:
+            '''An object that defines how AWS Security Hub is configured.
 
-        By default, this is set to ``true`` , and new controls are enabled automatically. To not automatically enable new controls, set this to ``false`` .
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-policy.html#cfn-securityhub-configurationpolicy-policy-securityhub
+            '''
+            result = self._values.get("security_hub")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.SecurityHubPolicyProperty"]], result)
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-autoenablecontrols
-        '''
-        result = self._values.get("auto_enable_controls")
-        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
 
-    @builtins.property
-    def control_finding_generator(self) -> typing.Optional[builtins.str]:
-        '''Specifies whether an account has consolidated control findings turned on or off.
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
 
-        If the value for this field is set to ``SECURITY_CONTROL`` , Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards.
+        def __repr__(self) -> str:
+            return "PolicyProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
 
-        If the value for this field is set to ``STANDARD_CONTROL`` , Security Hub generates separate findings for a control check when the check applies to multiple enabled standards.
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_securityhub.CfnConfigurationPolicy.SecurityControlCustomParameterProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "parameters": "parameters",
+            "security_control_id": "securityControlId",
+        },
+    )
+    class SecurityControlCustomParameterProperty:
+        def __init__(
+            self,
+            *,
+            parameters: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationPolicy.ParameterConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            security_control_id: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''An object of security control and control parameter value that are included in a configuration policy.
 
-        The value for this field in a member account matches the value in the administrator account. For accounts that aren't part of an organization, the default value of this field is ``SECURITY_CONTROL`` if you enabled Security Hub on or after February 23, 2023.
+            :param parameters: An object that specifies parameter values for a control in a configuration policy.
+            :param security_control_id: The ID of the security control.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-controlfindinggenerator
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securitycontrolcustomparameter.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_securityhub as securityhub
+                
+                security_control_custom_parameter_property = securityhub.CfnConfigurationPolicy.SecurityControlCustomParameterProperty(
+                    parameters={
+                        "parameters_key": securityhub.CfnConfigurationPolicy.ParameterConfigurationProperty(
+                            value_type="valueType",
+                
+                            # the properties below are optional
+                            value=securityhub.CfnConfigurationPolicy.ParameterValueProperty(
+                                boolean=False,
+                                double=123,
+                                enum="enum",
+                                enum_list=["enumList"],
+                                integer=123,
+                                integer_list=[123],
+                                string="string",
+                                string_list=["stringList"]
+                            )
+                        )
+                    },
+                    security_control_id="securityControlId"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__e2e264804926f4cf652225b9fc8713e91d7c135436850ecde7193ccfd4464014)
+                check_type(argname="argument parameters", value=parameters, expected_type=type_hints["parameters"])
+                check_type(argname="argument security_control_id", value=security_control_id, expected_type=type_hints["security_control_id"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if parameters is not None:
+                self._values["parameters"] = parameters
+            if security_control_id is not None:
+                self._values["security_control_id"] = security_control_id
+
+        @builtins.property
+        def parameters(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.ParameterConfigurationProperty"]]]]:
+            '''An object that specifies parameter values for a control in a configuration policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securitycontrolcustomparameter.html#cfn-securityhub-configurationpolicy-securitycontrolcustomparameter-parameters
+            '''
+            result = self._values.get("parameters")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.ParameterConfigurationProperty"]]]], result)
+
+        @builtins.property
+        def security_control_id(self) -> typing.Optional[builtins.str]:
+            '''The ID of the security control.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securitycontrolcustomparameter.html#cfn-securityhub-configurationpolicy-securitycontrolcustomparameter-securitycontrolid
+            '''
+            result = self._values.get("security_control_id")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "SecurityControlCustomParameterProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_securityhub.CfnConfigurationPolicy.SecurityControlsConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "disabled_security_control_identifiers": "disabledSecurityControlIdentifiers",
+            "enabled_security_control_identifiers": "enabledSecurityControlIdentifiers",
+            "security_control_custom_parameters": "securityControlCustomParameters",
+        },
+    )
+    class SecurityControlsConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            disabled_security_control_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+            enabled_security_control_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+            security_control_custom_parameters: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationPolicy.SecurityControlCustomParameterProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+        ) -> None:
+            '''An object that defines which security controls are enabled in an AWS Security Hub configuration policy.
+
+            :param disabled_security_control_identifiers: A list of security controls that are disabled in the configuration policy.
+            :param enabled_security_control_identifiers: A list of security controls that are enabled in the configuration policy.
+            :param security_control_custom_parameters: A list of security controls and control parameter values that are included in a configuration policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_securityhub as securityhub
+                
+                security_controls_configuration_property = securityhub.CfnConfigurationPolicy.SecurityControlsConfigurationProperty(
+                    disabled_security_control_identifiers=["disabledSecurityControlIdentifiers"],
+                    enabled_security_control_identifiers=["enabledSecurityControlIdentifiers"],
+                    security_control_custom_parameters=[securityhub.CfnConfigurationPolicy.SecurityControlCustomParameterProperty(
+                        parameters={
+                            "parameters_key": securityhub.CfnConfigurationPolicy.ParameterConfigurationProperty(
+                                value_type="valueType",
+                
+                                # the properties below are optional
+                                value=securityhub.CfnConfigurationPolicy.ParameterValueProperty(
+                                    boolean=False,
+                                    double=123,
+                                    enum="enum",
+                                    enum_list=["enumList"],
+                                    integer=123,
+                                    integer_list=[123],
+                                    string="string",
+                                    string_list=["stringList"]
+                                )
+                            )
+                        },
+                        security_control_id="securityControlId"
+                    )]
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__8978e0c4327c8995530e22f049a9b31f96402b88be3e220ea4340c89d3a2e1d2)
+                check_type(argname="argument disabled_security_control_identifiers", value=disabled_security_control_identifiers, expected_type=type_hints["disabled_security_control_identifiers"])
+                check_type(argname="argument enabled_security_control_identifiers", value=enabled_security_control_identifiers, expected_type=type_hints["enabled_security_control_identifiers"])
+                check_type(argname="argument security_control_custom_parameters", value=security_control_custom_parameters, expected_type=type_hints["security_control_custom_parameters"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if disabled_security_control_identifiers is not None:
+                self._values["disabled_security_control_identifiers"] = disabled_security_control_identifiers
+            if enabled_security_control_identifiers is not None:
+                self._values["enabled_security_control_identifiers"] = enabled_security_control_identifiers
+            if security_control_custom_parameters is not None:
+                self._values["security_control_custom_parameters"] = security_control_custom_parameters
+
+        @builtins.property
+        def disabled_security_control_identifiers(
+            self,
+        ) -> typing.Optional[typing.List[builtins.str]]:
+            '''A list of security controls that are disabled in the configuration policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration.html#cfn-securityhub-configurationpolicy-securitycontrolsconfiguration-disabledsecuritycontrolidentifiers
+            '''
+            result = self._values.get("disabled_security_control_identifiers")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+        @builtins.property
+        def enabled_security_control_identifiers(
+            self,
+        ) -> typing.Optional[typing.List[builtins.str]]:
+            '''A list of security controls that are enabled in the configuration policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration.html#cfn-securityhub-configurationpolicy-securitycontrolsconfiguration-enabledsecuritycontrolidentifiers
+            '''
+            result = self._values.get("enabled_security_control_identifiers")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+        @builtins.property
+        def security_control_custom_parameters(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.SecurityControlCustomParameterProperty"]]]]:
+            '''A list of security controls and control parameter values that are included in a configuration policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration.html#cfn-securityhub-configurationpolicy-securitycontrolsconfiguration-securitycontrolcustomparameters
+            '''
+            result = self._values.get("security_control_custom_parameters")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.SecurityControlCustomParameterProperty"]]]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "SecurityControlsConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_securityhub.CfnConfigurationPolicy.SecurityHubPolicyProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "enabled_standard_identifiers": "enabledStandardIdentifiers",
+            "security_controls_configuration": "securityControlsConfiguration",
+            "service_enabled": "serviceEnabled",
+        },
+    )
+    class SecurityHubPolicyProperty:
+        def __init__(
+            self,
+            *,
+            enabled_standard_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+            security_controls_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationPolicy.SecurityControlsConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            service_enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        ) -> None:
+            '''An object that defines how AWS Security Hub is configured.
+
+            :param enabled_standard_identifiers: A list that defines which security standards are enabled in the configuration policy.
+            :param security_controls_configuration: An object that defines which security controls are enabled in an AWS Security Hub configuration policy.
+            :param service_enabled: Indicates whether Security Hub is enabled in the policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securityhubpolicy.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_securityhub as securityhub
+                
+                security_hub_policy_property = securityhub.CfnConfigurationPolicy.SecurityHubPolicyProperty(
+                    enabled_standard_identifiers=["enabledStandardIdentifiers"],
+                    security_controls_configuration=securityhub.CfnConfigurationPolicy.SecurityControlsConfigurationProperty(
+                        disabled_security_control_identifiers=["disabledSecurityControlIdentifiers"],
+                        enabled_security_control_identifiers=["enabledSecurityControlIdentifiers"],
+                        security_control_custom_parameters=[securityhub.CfnConfigurationPolicy.SecurityControlCustomParameterProperty(
+                            parameters={
+                                "parameters_key": securityhub.CfnConfigurationPolicy.ParameterConfigurationProperty(
+                                    value_type="valueType",
+                
+                                    # the properties below are optional
+                                    value=securityhub.CfnConfigurationPolicy.ParameterValueProperty(
+                                        boolean=False,
+                                        double=123,
+                                        enum="enum",
+                                        enum_list=["enumList"],
+                                        integer=123,
+                                        integer_list=[123],
+                                        string="string",
+                                        string_list=["stringList"]
+                                    )
+                                )
+                            },
+                            security_control_id="securityControlId"
+                        )]
+                    ),
+                    service_enabled=False
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__6a1f60581e7a327c6c6d837a42e963fe4a8810a6d9642040c0f78837b8533f0f)
+                check_type(argname="argument enabled_standard_identifiers", value=enabled_standard_identifiers, expected_type=type_hints["enabled_standard_identifiers"])
+                check_type(argname="argument security_controls_configuration", value=security_controls_configuration, expected_type=type_hints["security_controls_configuration"])
+                check_type(argname="argument service_enabled", value=service_enabled, expected_type=type_hints["service_enabled"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if enabled_standard_identifiers is not None:
+                self._values["enabled_standard_identifiers"] = enabled_standard_identifiers
+            if security_controls_configuration is not None:
+                self._values["security_controls_configuration"] = security_controls_configuration
+            if service_enabled is not None:
+                self._values["service_enabled"] = service_enabled
+
+        @builtins.property
+        def enabled_standard_identifiers(
+            self,
+        ) -> typing.Optional[typing.List[builtins.str]]:
+            '''A list that defines which security standards are enabled in the configuration policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securityhubpolicy.html#cfn-securityhub-configurationpolicy-securityhubpolicy-enabledstandardidentifiers
+            '''
+            result = self._values.get("enabled_standard_identifiers")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+        @builtins.property
+        def security_controls_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.SecurityControlsConfigurationProperty"]]:
+            '''An object that defines which security controls are enabled in an AWS Security Hub configuration policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securityhubpolicy.html#cfn-securityhub-configurationpolicy-securityhubpolicy-securitycontrolsconfiguration
+            '''
+            result = self._values.get("security_controls_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.SecurityControlsConfigurationProperty"]], result)
+
+        @builtins.property
+        def service_enabled(
+            self,
+        ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+            '''Indicates whether Security Hub is enabled in the policy.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securityhubpolicy.html#cfn-securityhub-configurationpolicy-securityhubpolicy-serviceenabled
+            '''
+            result = self._values.get("service_enabled")
+            return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "SecurityHubPolicyProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnConfigurationPolicyProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "configuration_policy": "configurationPolicy",
+        "name": "name",
+        "description": "description",
+        "tags": "tags",
+    },
+)
+class CfnConfigurationPolicyProps:
+    def __init__(
+        self,
+        *,
+        configuration_policy: typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationPolicy.PolicyProperty, typing.Dict[builtins.str, typing.Any]]],
+        name: builtins.str,
+        description: typing.Optional[builtins.str] = None,
+        tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    ) -> None:
+        '''Properties for defining a ``CfnConfigurationPolicy``.
+
+        :param configuration_policy: An object that defines how Security Hub is configured.
+        :param name: The name of the configuration policy.
+        :param description: The description of the configuration policy.
+        :param tags: A key-value pair to associate with a resource.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_securityhub as securityhub
+            
+            cfn_configuration_policy_props = securityhub.CfnConfigurationPolicyProps(
+                configuration_policy=securityhub.CfnConfigurationPolicy.PolicyProperty(
+                    security_hub=securityhub.CfnConfigurationPolicy.SecurityHubPolicyProperty(
+                        enabled_standard_identifiers=["enabledStandardIdentifiers"],
+                        security_controls_configuration=securityhub.CfnConfigurationPolicy.SecurityControlsConfigurationProperty(
+                            disabled_security_control_identifiers=["disabledSecurityControlIdentifiers"],
+                            enabled_security_control_identifiers=["enabledSecurityControlIdentifiers"],
+                            security_control_custom_parameters=[securityhub.CfnConfigurationPolicy.SecurityControlCustomParameterProperty(
+                                parameters={
+                                    "parameters_key": securityhub.CfnConfigurationPolicy.ParameterConfigurationProperty(
+                                        value_type="valueType",
+            
+                                        # the properties below are optional
+                                        value=securityhub.CfnConfigurationPolicy.ParameterValueProperty(
+                                            boolean=False,
+                                            double=123,
+                                            enum="enum",
+                                            enum_list=["enumList"],
+                                            integer=123,
+                                            integer_list=[123],
+                                            string="string",
+                                            string_list=["stringList"]
+                                        )
+                                    )
+                                },
+                                security_control_id="securityControlId"
+                            )]
+                        ),
+                        service_enabled=False
+                    )
+                ),
+                name="name",
+            
+                # the properties below are optional
+                description="description",
+                tags={
+                    "tags_key": "tags"
+                }
+            )
         '''
-        result = self._values.get("control_finding_generator")
-        return typing.cast(typing.Optional[builtins.str], result)
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__9df36e470a5cb19a48e0918f07ba5c7fe4f2f6e13983d94bef33b262d3aa6d74)
+            check_type(argname="argument configuration_policy", value=configuration_policy, expected_type=type_hints["configuration_policy"])
+            check_type(argname="argument name", value=name, expected_type=type_hints["name"])
+            check_type(argname="argument description", value=description, expected_type=type_hints["description"])
+            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "configuration_policy": configuration_policy,
+            "name": name,
+        }
+        if description is not None:
+            self._values["description"] = description
+        if tags is not None:
+            self._values["tags"] = tags
 
     @builtins.property
-    def enable_default_standards(
+    def configuration_policy(
         self,
-    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Whether to enable the security standards that Security Hub has designated as automatically enabled.
+    ) -> typing.Union[_IResolvable_da3f097b, CfnConfigurationPolicy.PolicyProperty]:
+        '''An object that defines how Security Hub is configured.
 
-        If you don't provide a value for ``EnableDefaultStandards`` , it is set to ``true`` , and the designated standards are automatically enabled in each AWS Region where you enable Security Hub . If you don't want to enable the designated standards, set ``EnableDefaultStandards`` to ``false`` .
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html#cfn-securityhub-configurationpolicy-configurationpolicy
+        '''
+        result = self._values.get("configuration_policy")
+        assert result is not None, "Required property 'configuration_policy' is missing"
+        return typing.cast(typing.Union[_IResolvable_da3f097b, CfnConfigurationPolicy.PolicyProperty], result)
 
-        Currently, the automatically enabled standards are the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices (FSBP).
+    @builtins.property
+    def name(self) -> builtins.str:
+        '''The name of the configuration policy.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-enabledefaultstandards
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html#cfn-securityhub-configurationpolicy-name
         '''
-        result = self._values.get("enable_default_standards")
-        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+        result = self._values.get("name")
+        assert result is not None, "Required property 'name' is missing"
+        return typing.cast(builtins.str, result)
 
     @builtins.property
-    def tags(self) -> typing.Any:
-        '''An array of key-value pairs to apply to this resource.
+    def description(self) -> typing.Optional[builtins.str]:
+        '''The description of the configuration policy.
 
-        For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html#cfn-securityhub-configurationpolicy-description
+        '''
+        result = self._values.get("description")
+        return typing.cast(typing.Optional[builtins.str], result)
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-tags
+    @builtins.property
+    def tags(self) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''A key-value pair to associate with a resource.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html#cfn-securityhub-configurationpolicy-tags
         '''
         result = self._values.get("tags")
-        return typing.cast(typing.Any, result)
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
@@ -3408,25 +3965,29 @@ class CfnHubProps:
         return not (rhs == self)
 
     def __repr__(self) -> str:
-        return "CfnHubProps(%s)" % ", ".join(
+        return "CfnConfigurationPolicyProps(%s)" % ", ".join(
             k + "=" + repr(v) for k, v in self._values.items()
         )
 
 
 @jsii.implements(_IInspectable_c2943556)
-class CfnInsight(
+class CfnDelegatedAdmin(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
-    jsii_type="aws-cdk-lib.aws_securityhub.CfnInsight",
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnDelegatedAdmin",
 ):
-    '''The ``AWS::SecurityHub::Insight`` resource creates a custom insight in AWS Security Hub .
+    '''The ``AWS::SecurityHub::DelegatedAdmin`` resource designates the delegated AWS Security Hub administrator account for an organization.
 
-    An insight is a collection of findings that relate to a security issue that requires attention or remediation. For more information, see `Insights in AWS Security Hub <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-insights.html>`_ in the *AWS Security Hub User Guide* .
+    You must enable the integration between Security Hub and AWS Organizations before you can designate a delegated Security Hub administrator. Only the management account for an organization can designate the delegated Security Hub administrator account. For more information, see `Designating the delegated Security Hub administrator <https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#designate-admin-instructions>`_ in the *AWS Security Hub User Guide* .
+
+    To change the delegated administrator account, remove the current delegated administrator account, and then designate the new account.
+
+    To designate multiple delegated administrators in different organizations and AWS Regions , we recommend using `AWS CloudFormation mappings <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/mappings-section-structure.html>`_ .
 
     Tags aren't supported for this resource.
 
-    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-insight.html
-    :cloudformationResource: AWS::SecurityHub::Insight
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-delegatedadmin.html
+    :cloudformationResource: AWS::SecurityHub::DelegatedAdmin
     :exampleMetadata: fixture=_generated
 
     Example::
@@ -3435,14 +3996,701 @@ class CfnInsight(
         # The values are placeholders you should change.
         from aws_cdk import aws_securityhub as securityhub
         
-        cfn_insight = securityhub.CfnInsight(self, "MyCfnInsight",
-            filters=securityhub.CfnInsight.AwsSecurityFindingFiltersProperty(
-                aws_account_id=[securityhub.CfnInsight.StringFilterProperty(
-                    comparison="comparison",
-                    value="value"
-                )],
-                aws_account_name=[securityhub.CfnInsight.StringFilterProperty(
-                    comparison="comparison",
+        cfn_delegated_admin = securityhub.CfnDelegatedAdmin(self, "MyCfnDelegatedAdmin",
+            admin_account_id="adminAccountId"
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        admin_account_id: builtins.str,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param admin_account_id: The AWS account identifier of the account to designate as the Security Hub administrator account.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e27e329e801cb67f6ec71f03a054a574103f5946def22c1bfdcd99ba50827d58)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnDelegatedAdminProps(admin_account_id=admin_account_id)
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__baaaa369299b88b2085a28b2af39aa2abf07ab6772dc8c3ce8044a9ef9ea4df7)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__2c0e442efc9a3d07aaf74da8d8d9132c602da0b1c240bc4589e6ce7e3e2459a3)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrDelegatedAdminIdentifier")
+    def attr_delegated_admin_identifier(self) -> builtins.str:
+        '''The ID of the delegated Security Hub administrator account, in the format of ``accountID/Region`` .
+
+        :cloudformationAttribute: DelegatedAdminIdentifier
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrDelegatedAdminIdentifier"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrStatus")
+    def attr_status(self) -> builtins.str:
+        '''Whether the delegated Security Hub administrator is set for the organization.
+
+        :cloudformationAttribute: Status
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrStatus"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="adminAccountId")
+    def admin_account_id(self) -> builtins.str:
+        '''The AWS account identifier of the account to designate as the Security Hub administrator account.'''
+        return typing.cast(builtins.str, jsii.get(self, "adminAccountId"))
+
+    @admin_account_id.setter
+    def admin_account_id(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f5fdd5db8baf5624dbb4185acb8020d5499aa459d03967b97375912c3e6844c5)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "adminAccountId", value)
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnDelegatedAdminProps",
+    jsii_struct_bases=[],
+    name_mapping={"admin_account_id": "adminAccountId"},
+)
+class CfnDelegatedAdminProps:
+    def __init__(self, *, admin_account_id: builtins.str) -> None:
+        '''Properties for defining a ``CfnDelegatedAdmin``.
+
+        :param admin_account_id: The AWS account identifier of the account to designate as the Security Hub administrator account.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-delegatedadmin.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_securityhub as securityhub
+            
+            cfn_delegated_admin_props = securityhub.CfnDelegatedAdminProps(
+                admin_account_id="adminAccountId"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__bccd0acf2d461662eef1addff325ba8fe883439d680f7762ea393681a481c0ca)
+            check_type(argname="argument admin_account_id", value=admin_account_id, expected_type=type_hints["admin_account_id"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "admin_account_id": admin_account_id,
+        }
+
+    @builtins.property
+    def admin_account_id(self) -> builtins.str:
+        '''The AWS account identifier of the account to designate as the Security Hub administrator account.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-delegatedadmin.html#cfn-securityhub-delegatedadmin-adminaccountid
+        '''
+        result = self._values.get("admin_account_id")
+        assert result is not None, "Required property 'admin_account_id' is missing"
+        return typing.cast(builtins.str, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnDelegatedAdminProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.implements(_IInspectable_c2943556)
+class CfnFindingAggregator(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnFindingAggregator",
+):
+    '''The AWS::SecurityHub::FindingAggregator resource represents the AWS Security Hub Finding Aggregator in your account.
+
+    One finding aggregator resource is created for each account in non opt-in region in which you configure region linking mode.
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-findingaggregator.html
+    :cloudformationResource: AWS::SecurityHub::FindingAggregator
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_securityhub as securityhub
+        
+        cfn_finding_aggregator = securityhub.CfnFindingAggregator(self, "MyCfnFindingAggregator",
+            region_linking_mode="regionLinkingMode",
+        
+            # the properties below are optional
+            regions=["regions"]
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        region_linking_mode: builtins.str,
+        regions: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param region_linking_mode: Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions.
+        :param regions: The list of excluded Regions or included Regions.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__def955d28b5fec6358172b72efd12a764fe7f7be8d0ea9076bc99608ed72dd3c)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnFindingAggregatorProps(
+            region_linking_mode=region_linking_mode, regions=regions
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a7329a558d2c83a1557a17b5d0d96aa45bb0f3f54c5f2f90a5cb6c75ff90bf2b)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__eca9c6b033a7a2d97a20e47bd85628a6592ed83b9fa515c784d7e1d8efddecd2)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrFindingAggregationRegion")
+    def attr_finding_aggregation_region(self) -> builtins.str:
+        '''
+        :cloudformationAttribute: FindingAggregationRegion
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrFindingAggregationRegion"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrFindingAggregatorArn")
+    def attr_finding_aggregator_arn(self) -> builtins.str:
+        '''The ARN of the FindingAggregator being created and assigned as the unique identifier.
+
+        :cloudformationAttribute: FindingAggregatorArn
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrFindingAggregatorArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="regionLinkingMode")
+    def region_linking_mode(self) -> builtins.str:
+        '''Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions.'''
+        return typing.cast(builtins.str, jsii.get(self, "regionLinkingMode"))
+
+    @region_linking_mode.setter
+    def region_linking_mode(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__475994d9cd8d46f8f3a69625c313f5aeede3069bc0a97c77f4287886450a34ba)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "regionLinkingMode", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="regions")
+    def regions(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''The list of excluded Regions or included Regions.'''
+        return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "regions"))
+
+    @regions.setter
+    def regions(self, value: typing.Optional[typing.List[builtins.str]]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8df27b51aae55bb4c2c3ab84a0b047bdd2763b4077910af8afa3825bbe83283d)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "regions", value)
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnFindingAggregatorProps",
+    jsii_struct_bases=[],
+    name_mapping={"region_linking_mode": "regionLinkingMode", "regions": "regions"},
+)
+class CfnFindingAggregatorProps:
+    def __init__(
+        self,
+        *,
+        region_linking_mode: builtins.str,
+        regions: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> None:
+        '''Properties for defining a ``CfnFindingAggregator``.
+
+        :param region_linking_mode: Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions.
+        :param regions: The list of excluded Regions or included Regions.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-findingaggregator.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_securityhub as securityhub
+            
+            cfn_finding_aggregator_props = securityhub.CfnFindingAggregatorProps(
+                region_linking_mode="regionLinkingMode",
+            
+                # the properties below are optional
+                regions=["regions"]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__da8ea981397b9b6c6a280597905a46066379d6756790684f43ea4354282836a9)
+            check_type(argname="argument region_linking_mode", value=region_linking_mode, expected_type=type_hints["region_linking_mode"])
+            check_type(argname="argument regions", value=regions, expected_type=type_hints["regions"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "region_linking_mode": region_linking_mode,
+        }
+        if regions is not None:
+            self._values["regions"] = regions
+
+    @builtins.property
+    def region_linking_mode(self) -> builtins.str:
+        '''Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-findingaggregator.html#cfn-securityhub-findingaggregator-regionlinkingmode
+        '''
+        result = self._values.get("region_linking_mode")
+        assert result is not None, "Required property 'region_linking_mode' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def regions(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''The list of excluded Regions or included Regions.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-findingaggregator.html#cfn-securityhub-findingaggregator-regions
+        '''
+        result = self._values.get("regions")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnFindingAggregatorProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+class CfnHub(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnHub",
+):
+    '''The ``AWS::SecurityHub::Hub`` resource specifies the enablement of the AWS Security Hub service in your AWS account .
+
+    The service is enabled in the current AWS Region or the specified Region. You create a separate ``Hub`` resource in each Region in which you want to enable Security Hub .
+
+    When you use this resource to enable Security Hub , default security standards are enabled. To disable default standards, set the ``EnableDefaultStandards`` property to ``false`` . You can use the ```AWS::SecurityHub::Standard`` <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html>`_ resource to enable additional standards.
+
+    When you use this resource to enable Security Hub , new controls are automatically enabled for your enabled standards. To disable automatic enablement of new controls, set the ``AutoEnableControls`` property to ``false`` .
+
+    You must create an ``AWS::SecurityHub::Hub`` resource for an account before you can create other types of Security Hub resources for the account through AWS CloudFormation . Use a `DependsOn attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html>`_ , such as ``"DependsOn": "Hub"`` , to ensure that you've created an ``AWS::SecurityHub::Hub`` resource before creating other Security Hub resources for an account.
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html
+    :cloudformationResource: AWS::SecurityHub::Hub
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_securityhub as securityhub
+        
+        # tags: Any
+        
+        cfn_hub = securityhub.CfnHub(self, "MyCfnHub",
+            auto_enable_controls=False,
+            control_finding_generator="controlFindingGenerator",
+            enable_default_standards=False,
+            tags=tags
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        auto_enable_controls: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        control_finding_generator: typing.Optional[builtins.str] = None,
+        enable_default_standards: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        tags: typing.Any = None,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param auto_enable_controls: Whether to automatically enable new controls when they are added to standards that are enabled. By default, this is set to ``true`` , and new controls are enabled automatically. To not automatically enable new controls, set this to ``false`` .
+        :param control_finding_generator: Specifies whether an account has consolidated control findings turned on or off. If the value for this field is set to ``SECURITY_CONTROL`` , Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to ``STANDARD_CONTROL`` , Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. The value for this field in a member account matches the value in the administrator account. For accounts that aren't part of an organization, the default value of this field is ``SECURITY_CONTROL`` if you enabled Security Hub on or after February 23, 2023.
+        :param enable_default_standards: Whether to enable the security standards that Security Hub has designated as automatically enabled. If you don't provide a value for ``EnableDefaultStandards`` , it is set to ``true`` , and the designated standards are automatically enabled in each AWS Region where you enable Security Hub . If you don't want to enable the designated standards, set ``EnableDefaultStandards`` to ``false`` . Currently, the automatically enabled standards are the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices (FSBP).
+        :param tags: An array of key-value pairs to apply to this resource. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b5258d6906cbc8ea3b7ed82ec2c832e2751a0a1255445e6f3e81ea5935e2defb)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnHubProps(
+            auto_enable_controls=auto_enable_controls,
+            control_finding_generator=control_finding_generator,
+            enable_default_standards=enable_default_standards,
+            tags=tags,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__afc1b02284691f4fac4c50413d7e6e3c86b4db4f8702643ba4c85dd68b5cb0b4)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__db4b61e6830fa5a7557c941ad1ea7690d59d4d1ea7c453b10a17081c25ba2e27)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrArn")
+    def attr_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the ``Hub`` resource that was retrieved.
+
+        :cloudformationAttribute: ARN
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrSubscribedAt")
+    def attr_subscribed_at(self) -> builtins.str:
+        '''The date and time when Security Hub was enabled in your account.
+
+        :cloudformationAttribute: SubscribedAt
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrSubscribedAt"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="tags")
+    def tags(self) -> _TagManager_0a598cb3:
+        '''Tag Manager which manages the tags for this resource.'''
+        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
+
+    @builtins.property
+    @jsii.member(jsii_name="autoEnableControls")
+    def auto_enable_controls(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Whether to automatically enable new controls when they are added to standards that are enabled.'''
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "autoEnableControls"))
+
+    @auto_enable_controls.setter
+    def auto_enable_controls(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f8111fb2c58ed3e1e0c85928b084d60f2c8b02b604055e3087ce38f249967a54)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "autoEnableControls", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="controlFindingGenerator")
+    def control_finding_generator(self) -> typing.Optional[builtins.str]:
+        '''Specifies whether an account has consolidated control findings turned on or off.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "controlFindingGenerator"))
+
+    @control_finding_generator.setter
+    def control_finding_generator(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__6647ce06efe713d1b36ec98af92808e5bf616a683fa68b2fb4fe64fafe92bf35)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "controlFindingGenerator", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="enableDefaultStandards")
+    def enable_default_standards(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Whether to enable the security standards that Security Hub has designated as automatically enabled.'''
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "enableDefaultStandards"))
+
+    @enable_default_standards.setter
+    def enable_default_standards(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__4d118847a7bb58b794458a6afe88e0a8324a3a4e1590aba4f028de455ee8c624)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "enableDefaultStandards", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="tagsRaw")
+    def tags_raw(self) -> typing.Any:
+        '''An array of key-value pairs to apply to this resource.'''
+        return typing.cast(typing.Any, jsii.get(self, "tagsRaw"))
+
+    @tags_raw.setter
+    def tags_raw(self, value: typing.Any) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__e17fb796b4e0971555823ae1c97a99f19e5677ae303ff0ef984cd00ac919ea87)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "tagsRaw", value)
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnHubProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "auto_enable_controls": "autoEnableControls",
+        "control_finding_generator": "controlFindingGenerator",
+        "enable_default_standards": "enableDefaultStandards",
+        "tags": "tags",
+    },
+)
+class CfnHubProps:
+    def __init__(
+        self,
+        *,
+        auto_enable_controls: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        control_finding_generator: typing.Optional[builtins.str] = None,
+        enable_default_standards: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        tags: typing.Any = None,
+    ) -> None:
+        '''Properties for defining a ``CfnHub``.
+
+        :param auto_enable_controls: Whether to automatically enable new controls when they are added to standards that are enabled. By default, this is set to ``true`` , and new controls are enabled automatically. To not automatically enable new controls, set this to ``false`` .
+        :param control_finding_generator: Specifies whether an account has consolidated control findings turned on or off. If the value for this field is set to ``SECURITY_CONTROL`` , Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to ``STANDARD_CONTROL`` , Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. The value for this field in a member account matches the value in the administrator account. For accounts that aren't part of an organization, the default value of this field is ``SECURITY_CONTROL`` if you enabled Security Hub on or after February 23, 2023.
+        :param enable_default_standards: Whether to enable the security standards that Security Hub has designated as automatically enabled. If you don't provide a value for ``EnableDefaultStandards`` , it is set to ``true`` , and the designated standards are automatically enabled in each AWS Region where you enable Security Hub . If you don't want to enable the designated standards, set ``EnableDefaultStandards`` to ``false`` . Currently, the automatically enabled standards are the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices (FSBP).
+        :param tags: An array of key-value pairs to apply to this resource. For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_securityhub as securityhub
+            
+            # tags: Any
+            
+            cfn_hub_props = securityhub.CfnHubProps(
+                auto_enable_controls=False,
+                control_finding_generator="controlFindingGenerator",
+                enable_default_standards=False,
+                tags=tags
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__9a38c34c1f2742403521eb4af2098475d7afb878d3f9aba37048ae543b43e29c)
+            check_type(argname="argument auto_enable_controls", value=auto_enable_controls, expected_type=type_hints["auto_enable_controls"])
+            check_type(argname="argument control_finding_generator", value=control_finding_generator, expected_type=type_hints["control_finding_generator"])
+            check_type(argname="argument enable_default_standards", value=enable_default_standards, expected_type=type_hints["enable_default_standards"])
+            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if auto_enable_controls is not None:
+            self._values["auto_enable_controls"] = auto_enable_controls
+        if control_finding_generator is not None:
+            self._values["control_finding_generator"] = control_finding_generator
+        if enable_default_standards is not None:
+            self._values["enable_default_standards"] = enable_default_standards
+        if tags is not None:
+            self._values["tags"] = tags
+
+    @builtins.property
+    def auto_enable_controls(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Whether to automatically enable new controls when they are added to standards that are enabled.
+
+        By default, this is set to ``true`` , and new controls are enabled automatically. To not automatically enable new controls, set this to ``false`` .
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-autoenablecontrols
+        '''
+        result = self._values.get("auto_enable_controls")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
+    @builtins.property
+    def control_finding_generator(self) -> typing.Optional[builtins.str]:
+        '''Specifies whether an account has consolidated control findings turned on or off.
+
+        If the value for this field is set to ``SECURITY_CONTROL`` , Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards.
+
+        If the value for this field is set to ``STANDARD_CONTROL`` , Security Hub generates separate findings for a control check when the check applies to multiple enabled standards.
+
+        The value for this field in a member account matches the value in the administrator account. For accounts that aren't part of an organization, the default value of this field is ``SECURITY_CONTROL`` if you enabled Security Hub on or after February 23, 2023.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-controlfindinggenerator
+        '''
+        result = self._values.get("control_finding_generator")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def enable_default_standards(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Whether to enable the security standards that Security Hub has designated as automatically enabled.
+
+        If you don't provide a value for ``EnableDefaultStandards`` , it is set to ``true`` , and the designated standards are automatically enabled in each AWS Region where you enable Security Hub . If you don't want to enable the designated standards, set ``EnableDefaultStandards`` to ``false`` .
+
+        Currently, the automatically enabled standards are the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and AWS Foundational Security Best Practices (FSBP).
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-enabledefaultstandards
+        '''
+        result = self._values.get("enable_default_standards")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
+    @builtins.property
+    def tags(self) -> typing.Any:
+        '''An array of key-value pairs to apply to this resource.
+
+        For more information, see `Tag <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html>`_ .
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-hub.html#cfn-securityhub-hub-tags
+        '''
+        result = self._values.get("tags")
+        return typing.cast(typing.Any, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnHubProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.implements(_IInspectable_c2943556)
+class CfnInsight(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnInsight",
+):
+    '''The ``AWS::SecurityHub::Insight`` resource creates a custom insight in AWS Security Hub .
+
+    An insight is a collection of findings that relate to a security issue that requires attention or remediation. For more information, see `Insights in AWS Security Hub <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-insights.html>`_ in the *AWS Security Hub User Guide* .
+
+    Tags aren't supported for this resource.
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-insight.html
+    :cloudformationResource: AWS::SecurityHub::Insight
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_securityhub as securityhub
+        
+        cfn_insight = securityhub.CfnInsight(self, "MyCfnInsight",
+            filters=securityhub.CfnInsight.AwsSecurityFindingFiltersProperty(
+                aws_account_id=[securityhub.CfnInsight.StringFilterProperty(
+                    comparison="comparison",
+                    value="value"
+                )],
+                aws_account_name=[securityhub.CfnInsight.StringFilterProperty(
+                    comparison="comparison",
                     value="value"
                 )],
                 company_name=[securityhub.CfnInsight.StringFilterProperty(
@@ -7566,50 +8814,580 @@ class CfnInsightProps:
             )
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__592cb12c63690d3f829ab7f245b3d227f77eaa3657e0fd4c8452bc7d2a8ed3f8)
-            check_type(argname="argument filters", value=filters, expected_type=type_hints["filters"])
-            check_type(argname="argument group_by_attribute", value=group_by_attribute, expected_type=type_hints["group_by_attribute"])
-            check_type(argname="argument name", value=name, expected_type=type_hints["name"])
+            type_hints = typing.get_type_hints(_typecheckingstub__592cb12c63690d3f829ab7f245b3d227f77eaa3657e0fd4c8452bc7d2a8ed3f8)
+            check_type(argname="argument filters", value=filters, expected_type=type_hints["filters"])
+            check_type(argname="argument group_by_attribute", value=group_by_attribute, expected_type=type_hints["group_by_attribute"])
+            check_type(argname="argument name", value=name, expected_type=type_hints["name"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "filters": filters,
+            "group_by_attribute": group_by_attribute,
+            "name": name,
+        }
+
+    @builtins.property
+    def filters(
+        self,
+    ) -> typing.Union[_IResolvable_da3f097b, CfnInsight.AwsSecurityFindingFiltersProperty]:
+        '''One or more attributes used to filter the findings included in the insight.
+
+        The insight only includes findings that match the criteria defined in the filters. You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-insight.html#cfn-securityhub-insight-filters
+        '''
+        result = self._values.get("filters")
+        assert result is not None, "Required property 'filters' is missing"
+        return typing.cast(typing.Union[_IResolvable_da3f097b, CfnInsight.AwsSecurityFindingFiltersProperty], result)
+
+    @builtins.property
+    def group_by_attribute(self) -> builtins.str:
+        '''The grouping attribute for the insight's findings.
+
+        Indicates how to group the matching findings, and identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-insight.html#cfn-securityhub-insight-groupbyattribute
+        '''
+        result = self._values.get("group_by_attribute")
+        assert result is not None, "Required property 'group_by_attribute' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def name(self) -> builtins.str:
+        '''The name of a Security Hub insight.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-insight.html#cfn-securityhub-insight-name
+        '''
+        result = self._values.get("name")
+        assert result is not None, "Required property 'name' is missing"
+        return typing.cast(builtins.str, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnInsightProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.implements(_IInspectable_c2943556)
+class CfnOrganizationConfiguration(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnOrganizationConfiguration",
+):
+    '''The AWS::SecurityHub::OrganizationConfiguration resource represents the configuration of your organization in Security Hub.
+
+    Only the Security Hub administrator account can create Organization Configuration resource in each region and can opt-in to Central Configuration only in the aggregation region of FindingAggregator.
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-organizationconfiguration.html
+    :cloudformationResource: AWS::SecurityHub::OrganizationConfiguration
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_securityhub as securityhub
+        
+        cfn_organization_configuration = securityhub.CfnOrganizationConfiguration(self, "MyCfnOrganizationConfiguration",
+            auto_enable=False,
+        
+            # the properties below are optional
+            auto_enable_standards="autoEnableStandards",
+            configuration_type="configurationType"
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        auto_enable: typing.Union[builtins.bool, _IResolvable_da3f097b],
+        auto_enable_standards: typing.Optional[builtins.str] = None,
+        configuration_type: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param auto_enable: Whether to automatically enable Security Hub in new member accounts when they join the organization.
+        :param auto_enable_standards: Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.
+        :param configuration_type: Indicates whether the organization uses local or central configuration.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__186515c514aa6c3a2fef9e692700a118bb6ae2548e12249056898382ffeb0d85)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnOrganizationConfigurationProps(
+            auto_enable=auto_enable,
+            auto_enable_standards=auto_enable_standards,
+            configuration_type=configuration_type,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8f961b20a9d500d9e5ab10dd27f9cb6ffa585dc6e18e6edd2dee650fe9889f32)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__61ea6b4977e8136acf137cb187f5d9389836485016c3f34ee676ac35063b0566)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrMemberAccountLimitReached")
+    def attr_member_account_limit_reached(self) -> _IResolvable_da3f097b:
+        '''Whether the maximum number of allowed member accounts are already associated with the Security Hub administrator account.
+
+        :cloudformationAttribute: MemberAccountLimitReached
+        '''
+        return typing.cast(_IResolvable_da3f097b, jsii.get(self, "attrMemberAccountLimitReached"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrOrganizationConfigurationIdentifier")
+    def attr_organization_configuration_identifier(self) -> builtins.str:
+        '''The identifier of the OrganizationConfiguration being created and assigned as the unique identifier.
+
+        :cloudformationAttribute: OrganizationConfigurationIdentifier
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrOrganizationConfigurationIdentifier"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrStatus")
+    def attr_status(self) -> builtins.str:
+        '''Describes whether central configuration could be enabled as the ConfigurationType for the organization.
+
+        :cloudformationAttribute: Status
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrStatus"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrStatusMessage")
+    def attr_status_message(self) -> builtins.str:
+        '''Provides an explanation if the value of Status is equal to FAILED when ConfigurationType is equal to CENTRAL.
+
+        :cloudformationAttribute: StatusMessage
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrStatusMessage"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="autoEnable")
+    def auto_enable(self) -> typing.Union[builtins.bool, _IResolvable_da3f097b]:
+        '''Whether to automatically enable Security Hub in new member accounts when they join the organization.'''
+        return typing.cast(typing.Union[builtins.bool, _IResolvable_da3f097b], jsii.get(self, "autoEnable"))
+
+    @auto_enable.setter
+    def auto_enable(
+        self,
+        value: typing.Union[builtins.bool, _IResolvable_da3f097b],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__c9c68b5ed857f20db52a9ddd608779c26714ad57f3e5ec020cd2ec205b0b4686)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "autoEnable", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="autoEnableStandards")
+    def auto_enable_standards(self) -> typing.Optional[builtins.str]:
+        '''Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "autoEnableStandards"))
+
+    @auto_enable_standards.setter
+    def auto_enable_standards(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a91a9e8125723c3bbf2b823016143a56e3921498aeef3bea3e38ab2507456375)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "autoEnableStandards", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="configurationType")
+    def configuration_type(self) -> typing.Optional[builtins.str]:
+        '''Indicates whether the organization uses local or central configuration.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "configurationType"))
+
+    @configuration_type.setter
+    def configuration_type(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a9716e72aa1123497cebad00869227a883554f1d22c3001478ca2aa367e4480e)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "configurationType", value)
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnOrganizationConfigurationProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "auto_enable": "autoEnable",
+        "auto_enable_standards": "autoEnableStandards",
+        "configuration_type": "configurationType",
+    },
+)
+class CfnOrganizationConfigurationProps:
+    def __init__(
+        self,
+        *,
+        auto_enable: typing.Union[builtins.bool, _IResolvable_da3f097b],
+        auto_enable_standards: typing.Optional[builtins.str] = None,
+        configuration_type: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Properties for defining a ``CfnOrganizationConfiguration``.
+
+        :param auto_enable: Whether to automatically enable Security Hub in new member accounts when they join the organization.
+        :param auto_enable_standards: Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.
+        :param configuration_type: Indicates whether the organization uses local or central configuration.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-organizationconfiguration.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_securityhub as securityhub
+            
+            cfn_organization_configuration_props = securityhub.CfnOrganizationConfigurationProps(
+                auto_enable=False,
+            
+                # the properties below are optional
+                auto_enable_standards="autoEnableStandards",
+                configuration_type="configurationType"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__5ecf45ca90d45aaa80bedc86eb8694d0887c6098fd444f073808d0642111f565)
+            check_type(argname="argument auto_enable", value=auto_enable, expected_type=type_hints["auto_enable"])
+            check_type(argname="argument auto_enable_standards", value=auto_enable_standards, expected_type=type_hints["auto_enable_standards"])
+            check_type(argname="argument configuration_type", value=configuration_type, expected_type=type_hints["configuration_type"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "auto_enable": auto_enable,
+        }
+        if auto_enable_standards is not None:
+            self._values["auto_enable_standards"] = auto_enable_standards
+        if configuration_type is not None:
+            self._values["configuration_type"] = configuration_type
+
+    @builtins.property
+    def auto_enable(self) -> typing.Union[builtins.bool, _IResolvable_da3f097b]:
+        '''Whether to automatically enable Security Hub in new member accounts when they join the organization.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-organizationconfiguration.html#cfn-securityhub-organizationconfiguration-autoenable
+        '''
+        result = self._values.get("auto_enable")
+        assert result is not None, "Required property 'auto_enable' is missing"
+        return typing.cast(typing.Union[builtins.bool, _IResolvable_da3f097b], result)
+
+    @builtins.property
+    def auto_enable_standards(self) -> typing.Optional[builtins.str]:
+        '''Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-organizationconfiguration.html#cfn-securityhub-organizationconfiguration-autoenablestandards
+        '''
+        result = self._values.get("auto_enable_standards")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def configuration_type(self) -> typing.Optional[builtins.str]:
+        '''Indicates whether the organization uses local or central configuration.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-organizationconfiguration.html#cfn-securityhub-organizationconfiguration-configurationtype
+        '''
+        result = self._values.get("configuration_type")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnOrganizationConfigurationProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.implements(_IInspectable_c2943556)
+class CfnPolicyAssociation(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnPolicyAssociation",
+):
+    '''The AWS::SecurityHub::PolicyAssociation resource represents the AWS Security Hub Central Configuration Policy associations in your Target.
+
+    Only the AWS Security Hub delegated administrator can create the resouce from the home region.
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-policyassociation.html
+    :cloudformationResource: AWS::SecurityHub::PolicyAssociation
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_securityhub as securityhub
+        
+        cfn_policy_association = securityhub.CfnPolicyAssociation(self, "MyCfnPolicyAssociation",
+            configuration_policy_id="configurationPolicyId",
+            target_id="targetId",
+            target_type="targetType"
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        configuration_policy_id: builtins.str,
+        target_id: builtins.str,
+        target_type: builtins.str,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param configuration_policy_id: The universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration.
+        :param target_id: The identifier of the target account, organizational unit, or the root.
+        :param target_type: Indicates whether the target is an AWS account, organizational unit, or the organization root.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__692795b18a46bd27d463b04c85753cc984649b4661bf3ac69e7b6db22ea687f8)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnPolicyAssociationProps(
+            configuration_policy_id=configuration_policy_id,
+            target_id=target_id,
+            target_type=target_type,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__5584bafcc86f50800ea4518660b55277dffdf5f5ee8e121384b85ad191c00bfc)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__df1c70255e827fd04e301f8328ff1e4b5740bd4582c8218af83b96f51a2cdd46)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrAssociationIdentifier")
+    def attr_association_identifier(self) -> builtins.str:
+        '''A unique identifier to indicates if the target has an association.
+
+        :cloudformationAttribute: AssociationIdentifier
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrAssociationIdentifier"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrAssociationStatus")
+    def attr_association_status(self) -> builtins.str:
+        '''The current status of the association between the specified target and the configuration.
+
+        :cloudformationAttribute: AssociationStatus
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrAssociationStatus"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrAssociationStatusMessage")
+    def attr_association_status_message(self) -> builtins.str:
+        '''An explanation for a FAILED value for AssociationStatus.
+
+        :cloudformationAttribute: AssociationStatusMessage
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrAssociationStatusMessage"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrAssociationType")
+    def attr_association_type(self) -> builtins.str:
+        '''Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
+
+        :cloudformationAttribute: AssociationType
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrAssociationType"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrUpdatedAt")
+    def attr_updated_at(self) -> builtins.str:
+        '''The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
+
+        :cloudformationAttribute: UpdatedAt
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrUpdatedAt"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="configurationPolicyId")
+    def configuration_policy_id(self) -> builtins.str:
+        '''The universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration.'''
+        return typing.cast(builtins.str, jsii.get(self, "configurationPolicyId"))
+
+    @configuration_policy_id.setter
+    def configuration_policy_id(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__099694d0e3019ff95f4caf646c1f0281841f787418a0d3d41abadbc38cec77cb)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "configurationPolicyId", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="targetId")
+    def target_id(self) -> builtins.str:
+        '''The identifier of the target account, organizational unit, or the root.'''
+        return typing.cast(builtins.str, jsii.get(self, "targetId"))
+
+    @target_id.setter
+    def target_id(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__af8804051f98d2fff348049fe6c76b9cb9a5e095f2b7216509e1bbc6c1557271)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "targetId", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="targetType")
+    def target_type(self) -> builtins.str:
+        '''Indicates whether the target is an AWS account, organizational unit, or the organization root.'''
+        return typing.cast(builtins.str, jsii.get(self, "targetType"))
+
+    @target_type.setter
+    def target_type(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ecc5d3f7535d58c2be7c9d763790a7e3c9fe6b64d4feea0c9122267c1bb09e15)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "targetType", value)
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_securityhub.CfnPolicyAssociationProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "configuration_policy_id": "configurationPolicyId",
+        "target_id": "targetId",
+        "target_type": "targetType",
+    },
+)
+class CfnPolicyAssociationProps:
+    def __init__(
+        self,
+        *,
+        configuration_policy_id: builtins.str,
+        target_id: builtins.str,
+        target_type: builtins.str,
+    ) -> None:
+        '''Properties for defining a ``CfnPolicyAssociation``.
+
+        :param configuration_policy_id: The universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration.
+        :param target_id: The identifier of the target account, organizational unit, or the root.
+        :param target_type: Indicates whether the target is an AWS account, organizational unit, or the organization root.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-policyassociation.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_securityhub as securityhub
+            
+            cfn_policy_association_props = securityhub.CfnPolicyAssociationProps(
+                configuration_policy_id="configurationPolicyId",
+                target_id="targetId",
+                target_type="targetType"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a3aaebd41d827b42b51371d194682a0933ab2ac5e1a75e6cbbd1e269c3a37afc)
+            check_type(argname="argument configuration_policy_id", value=configuration_policy_id, expected_type=type_hints["configuration_policy_id"])
+            check_type(argname="argument target_id", value=target_id, expected_type=type_hints["target_id"])
+            check_type(argname="argument target_type", value=target_type, expected_type=type_hints["target_type"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
-            "filters": filters,
-            "group_by_attribute": group_by_attribute,
-            "name": name,
+            "configuration_policy_id": configuration_policy_id,
+            "target_id": target_id,
+            "target_type": target_type,
         }
 
     @builtins.property
-    def filters(
-        self,
-    ) -> typing.Union[_IResolvable_da3f097b, CfnInsight.AwsSecurityFindingFiltersProperty]:
-        '''One or more attributes used to filter the findings included in the insight.
+    def configuration_policy_id(self) -> builtins.str:
+        '''The universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration.
 
-        The insight only includes findings that match the criteria defined in the filters. You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-insight.html#cfn-securityhub-insight-filters
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-policyassociation.html#cfn-securityhub-policyassociation-configurationpolicyid
         '''
-        result = self._values.get("filters")
-        assert result is not None, "Required property 'filters' is missing"
-        return typing.cast(typing.Union[_IResolvable_da3f097b, CfnInsight.AwsSecurityFindingFiltersProperty], result)
+        result = self._values.get("configuration_policy_id")
+        assert result is not None, "Required property 'configuration_policy_id' is missing"
+        return typing.cast(builtins.str, result)
 
     @builtins.property
-    def group_by_attribute(self) -> builtins.str:
-        '''The grouping attribute for the insight's findings.
-
-        Indicates how to group the matching findings, and identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers.
+    def target_id(self) -> builtins.str:
+        '''The identifier of the target account, organizational unit, or the root.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-insight.html#cfn-securityhub-insight-groupbyattribute
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-policyassociation.html#cfn-securityhub-policyassociation-targetid
         '''
-        result = self._values.get("group_by_attribute")
-        assert result is not None, "Required property 'group_by_attribute' is missing"
+        result = self._values.get("target_id")
+        assert result is not None, "Required property 'target_id' is missing"
         return typing.cast(builtins.str, result)
 
     @builtins.property
-    def name(self) -> builtins.str:
-        '''The name of a Security Hub insight.
+    def target_type(self) -> builtins.str:
+        '''Indicates whether the target is an AWS account, organizational unit, or the organization root.
 
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-insight.html#cfn-securityhub-insight-name
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-policyassociation.html#cfn-securityhub-policyassociation-targettype
         '''
-        result = self._values.get("name")
-        assert result is not None, "Required property 'name' is missing"
+        result = self._values.get("target_type")
+        assert result is not None, "Required property 'target_type' is missing"
         return typing.cast(builtins.str, result)
 
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
@@ -7619,7 +9397,7 @@ class CfnInsightProps:
         return not (rhs == self)
 
     def __repr__(self) -> str:
-        return "CfnInsightProps(%s)" % ", ".join(
+        return "CfnPolicyAssociationProps(%s)" % ", ".join(
             k + "=" + repr(v) for k, v in self._values.items()
         )
 
@@ -8410,12 +10188,20 @@ class CfnStandardProps:
 __all__ = [
     "CfnAutomationRule",
     "CfnAutomationRuleProps",
+    "CfnConfigurationPolicy",
+    "CfnConfigurationPolicyProps",
     "CfnDelegatedAdmin",
     "CfnDelegatedAdminProps",
+    "CfnFindingAggregator",
+    "CfnFindingAggregatorProps",
     "CfnHub",
     "CfnHubProps",
     "CfnInsight",
     "CfnInsightProps",
+    "CfnOrganizationConfiguration",
+    "CfnOrganizationConfigurationProps",
+    "CfnPolicyAssociation",
+    "CfnPolicyAssociationProps",
     "CfnProductSubscription",
     "CfnProductSubscriptionProps",
     "CfnSecurityControl",
@@ -8655,6 +10441,119 @@ def _typecheckingstub__221241b44c93ea569fcf69aaaade0ce7cf31b7343bc3d072d74ccd168
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__e2cee5cf3fe5ba0b354ff30ea357f97d4a69893bed692305ae2919f0061404d2(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    configuration_policy: typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationPolicy.PolicyProperty, typing.Dict[builtins.str, typing.Any]]],
+    name: builtins.str,
+    description: typing.Optional[builtins.str] = None,
+    tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__7db746216d4af7625aa0207d7a7c29b228b046ca193581d4486931471769f9e7(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__66e713d67f1f54ace155bb5c7fe5334bde6b3843a28e97e26e40c575ec7d505e(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__dcfe8504c7335f76a4bad5bb43755a142eab48d80958f837dfc86c94989b8b0b(
+    value: typing.Union[_IResolvable_da3f097b, CfnConfigurationPolicy.PolicyProperty],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__0c731f4e7d50837bdafa92a4f5cb8478dc20fafa27c5a4f08cdf841e2570899f(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__04301850c858bba803007d4d9502ff9c879ed1e1d926fa157899bd92a915c3cd(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__418f84486ff1ec65f898c97538e438a38d2ee43b4f9ed6260595a25dfa039629(
+    value: typing.Optional[typing.Mapping[builtins.str, builtins.str]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__bb7172387b04074df24e1743dd558a99d470acadb8c73ad883b45213f409832e(
+    *,
+    value_type: builtins.str,
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationPolicy.ParameterValueProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__969ca8061fcd5bd0e97fbdd1aa2f0797cdbe22b447375480430ca26de8051846(
+    *,
+    boolean: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    double: typing.Optional[jsii.Number] = None,
+    enum: typing.Optional[builtins.str] = None,
+    enum_list: typing.Optional[typing.Sequence[builtins.str]] = None,
+    integer: typing.Optional[jsii.Number] = None,
+    integer_list: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[jsii.Number]]] = None,
+    string: typing.Optional[builtins.str] = None,
+    string_list: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__e1ba9b51d0a7fd087e8cf10fa5291c42d61f90148e1a8a190e3c90fecacd0e7a(
+    *,
+    security_hub: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationPolicy.SecurityHubPolicyProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__e2e264804926f4cf652225b9fc8713e91d7c135436850ecde7193ccfd4464014(
+    *,
+    parameters: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationPolicy.ParameterConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    security_control_id: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__8978e0c4327c8995530e22f049a9b31f96402b88be3e220ea4340c89d3a2e1d2(
+    *,
+    disabled_security_control_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    enabled_security_control_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    security_control_custom_parameters: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationPolicy.SecurityControlCustomParameterProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__6a1f60581e7a327c6c6d837a42e963fe4a8810a6d9642040c0f78837b8533f0f(
+    *,
+    enabled_standard_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    security_controls_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationPolicy.SecurityControlsConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    service_enabled: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__9df36e470a5cb19a48e0918f07ba5c7fe4f2f6e13983d94bef33b262d3aa6d74(
+    *,
+    configuration_policy: typing.Union[_IResolvable_da3f097b, typing.Union[CfnConfigurationPolicy.PolicyProperty, typing.Dict[builtins.str, typing.Any]]],
+    name: builtins.str,
+    description: typing.Optional[builtins.str] = None,
+    tags: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__e27e329e801cb67f6ec71f03a054a574103f5946def22c1bfdcd99ba50827d58(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -8689,6 +10588,48 @@ def _typecheckingstub__bccd0acf2d461662eef1addff325ba8fe883439d680f7762ea393681a
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__def955d28b5fec6358172b72efd12a764fe7f7be8d0ea9076bc99608ed72dd3c(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    region_linking_mode: builtins.str,
+    regions: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a7329a558d2c83a1557a17b5d0d96aa45bb0f3f54c5f2f90a5cb6c75ff90bf2b(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__eca9c6b033a7a2d97a20e47bd85628a6592ed83b9fa515c784d7e1d8efddecd2(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__475994d9cd8d46f8f3a69625c313f5aeede3069bc0a97c77f4287886450a34ba(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__8df27b51aae55bb4c2c3ab84a0b047bdd2763b4077910af8afa3825bbe83283d(
+    value: typing.Optional[typing.List[builtins.str]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__da8ea981397b9b6c6a280597905a46066379d6756790684f43ea4354282836a9(
+    *,
+    region_linking_mode: builtins.str,
+    regions: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b5258d6906cbc8ea3b7ed82ec2c832e2751a0a1255445e6f3e81ea5935e2defb(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -8971,6 +10912,106 @@ def _typecheckingstub__592cb12c63690d3f829ab7f245b3d227f77eaa3657e0fd4c8452bc7d2
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__186515c514aa6c3a2fef9e692700a118bb6ae2548e12249056898382ffeb0d85(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    auto_enable: typing.Union[builtins.bool, _IResolvable_da3f097b],
+    auto_enable_standards: typing.Optional[builtins.str] = None,
+    configuration_type: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__8f961b20a9d500d9e5ab10dd27f9cb6ffa585dc6e18e6edd2dee650fe9889f32(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__61ea6b4977e8136acf137cb187f5d9389836485016c3f34ee676ac35063b0566(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__c9c68b5ed857f20db52a9ddd608779c26714ad57f3e5ec020cd2ec205b0b4686(
+    value: typing.Union[builtins.bool, _IResolvable_da3f097b],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a91a9e8125723c3bbf2b823016143a56e3921498aeef3bea3e38ab2507456375(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a9716e72aa1123497cebad00869227a883554f1d22c3001478ca2aa367e4480e(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__5ecf45ca90d45aaa80bedc86eb8694d0887c6098fd444f073808d0642111f565(
+    *,
+    auto_enable: typing.Union[builtins.bool, _IResolvable_da3f097b],
+    auto_enable_standards: typing.Optional[builtins.str] = None,
+    configuration_type: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__692795b18a46bd27d463b04c85753cc984649b4661bf3ac69e7b6db22ea687f8(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    configuration_policy_id: builtins.str,
+    target_id: builtins.str,
+    target_type: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__5584bafcc86f50800ea4518660b55277dffdf5f5ee8e121384b85ad191c00bfc(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__df1c70255e827fd04e301f8328ff1e4b5740bd4582c8218af83b96f51a2cdd46(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__099694d0e3019ff95f4caf646c1f0281841f787418a0d3d41abadbc38cec77cb(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__af8804051f98d2fff348049fe6c76b9cb9a5e095f2b7216509e1bbc6c1557271(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__ecc5d3f7535d58c2be7c9d763790a7e3c9fe6b64d4feea0c9122267c1bb09e15(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a3aaebd41d827b42b51371d194682a0933ab2ac5e1a75e6cbbd1e269c3a37afc(
+    *,
+    configuration_policy_id: builtins.str,
+    target_id: builtins.str,
+    target_type: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__45ff00dc1d7d1ca799678f5a142f5b951b1d37a1f101efd45167c0d18d8a8593(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,