SecurityHubClient
Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps you assess your Amazon Web Services environment against security industry standards and best practices.
Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.
To help you manage the security state of your organization, Security Hub supports multiple security standards. These include the Amazon Web Services Foundational Security Best Practices (FSBP) standard developed by Amazon Web Services, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub runs checks against security controls and generates control findings to help you assess your compliance against security best practices.
In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services services, such as Amazon GuardDuty and Amazon Inspector, and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub findings to other Amazon Web Services services and supported third-party products.
Security Hub offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.
This guide, the Security Hub API Reference, provides information about the Security Hub API. This includes supported resources, HTTP methods, parameters, and schemas. If you're new to Security Hub, you might find it helpful to also review the Security Hub User Guide. The user guide explains key concepts and provides procedures that demonstrate how to use Security Hub features. It also provides information about topics such as integrating Security Hub with other Amazon Web Services services.
In addition to interacting with Security Hub by making calls to the Security Hub API, you can use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to Security Hub and other Amazon Web Services services . They also handle tasks such as signing requests, managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services tools and SDKs, see Tools to Build on Amazon Web Services.
With the exception of operations that are related to central configuration, Security Hub API requests are executed only in the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, call the same API operation in each Region in which you want to apply the change. When you use central configuration, API requests for enabling Security Hub, standards, and controls are executed in the home Region and all linked Regions. For a list of central configuration operations, see the Central configuration terms and concepts section of the Security Hub User Guide.
The following throttling limits apply to Security Hub API operations.
BatchEnableStandards-RateLimitof 1 request per second.BurstLimitof 1 request per second.GetFindings-RateLimitof 3 requests per second.BurstLimitof 6 requests per second.BatchImportFindings-RateLimitof 10 requests per second.BurstLimitof 30 requests per second.BatchUpdateFindings-RateLimitof 10 requests per second.BurstLimitof 30 requests per second.UpdateStandardsControl-RateLimitof 1 request per second.BurstLimitof 5 requests per second.All other operations -
RateLimitof 10 requests per second.BurstLimitof 30 requests per second.
Functions
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
This method is deprecated. Instead, use AcceptAdministratorInvitation.
Deletes one or more automation rules.
Disables the standards specified by the provided StandardsSubscriptionArns.
Enables the standards specified by the provided StandardsArn. To obtain the ARN for a standard, use the DescribeStandards operation.
Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs).
Returns associations between an Security Hub configuration and a batch of target accounts, organizational units, or the root. Only the Security Hub delegated administrator can invoke this operation from the home Region. A configuration can refer to a configuration policy or to a self-managed configuration.
Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.
For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard.
Imports security findings generated by a finding provider into Security Hub. This action is requested by the finding provider to import its findings into Security Hub.
Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters.
Used by Security Hub customers to update information about their investigation into one or more findings. Requested by administrator accounts or member accounts. Administrator accounts can update findings for their account and their member accounts. A member account can update findings only for their own account. Administrator and member accounts can use this operation to update the following fields and objects for one or more findings:
Used by customers to update information about their investigation into a finding. Requested by delegated administrator accounts or member accounts. Delegated administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their account. BatchUpdateFindings and BatchUpdateFindingV2 both use securityhub:BatchUpdateFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:BatchUpdateFindings action. Updates from BatchUpdateFindingsV2 don't affect the value of finding_info.modified_time, finding_info.modified_time_dt, time, time_dt for a finding. This API is in private preview and subject to change.
For a batch of security controls and standards, this operation updates the enablement status of a control in a standard.
Grants permission to complete the authorization based on input parameters. This API is in preview release and subject to change.
Creates a custom action target in Security Hub.
Enables aggregation across Amazon Web Services Regions. This API is in private preview and subject to change.
Creates an automation rule based on input parameters.
Creates a V2 automation rule. This API is in private preview and subject to change.
Creates a configuration policy with the defined configuration. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Grants permission to create a connectorV2 based on input parameters. This API is in preview release and subject to change.
The aggregation Region is now called the home Region.
Creates a custom insight in Security Hub. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation.
Creates a member association in Security Hub between the specified accounts and the account used to make the request, which is the administrator account. If you are integrated with Organizations, then the administrator account is designated by the organization management account.
Grants permission to create a ticket in the chosen ITSM based on finding information for the provided finding metadata UID. This API is in preview release and subject to change.
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
Deletes a custom action target from Security Hub.
Deletes the Aggregator V2. This API is in private preview and subject to change.
Deletes a V2 automation rule. This API is in private preview and subject to change.
Deletes a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region. For the deletion to succeed, you must first disassociate a configuration policy from target accounts, organizational units, or the root by invoking the StartConfigurationPolicyDisassociation operation.
Grants permission to delete a connectorV2. This API is in preview release and subject to change.
The aggregation Region is now called the home Region.
Deletes the insight specified by the InsightArn.
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
Deletes the specified member accounts from Security Hub.
Returns a list of the custom action targets in Security Hub in your account.
Returns details about the Hub resource in your account, including the HubArn and the time when you enabled Security Hub.
Returns information about the way your organization is configured in Security Hub. Only the Security Hub administrator account can invoke this operation.
Returns information about product integrations in Security Hub.
Gets information about the product integration. This API is in private preview and subject to change.
Returns details about the service resource in your account. This API is in private preview and subject to change.
Returns a list of the available standards in Security Hub.
Returns a list of security standards controls.
Disables the integration of the specified product with Security Hub. After the integration is disabled, findings from that product are no longer sent to Security Hub.
Disables a Security Hub administrator account. Can only be called by the organization management account.
Disables Security Hub in your account only in the current Amazon Web Services Region. To disable Security Hub in all Regions, you must submit one request per Region where you have enabled Security Hub.
Disable the service for the current Amazon Web Services Region or specified Amazon Web Services Region. This API is in private preview and subject to change.
Disassociates the current Security Hub member account from the associated administrator account.
This method is deprecated. Instead, use DisassociateFromAdministratorAccount.
Disassociates the specified member accounts from the associated administrator account.
Enables the integration of a partner product with Security Hub. Integrated products send findings to Security Hub.
Designates the Security Hub administrator account for an organization. Can only be called by the organization management account.
Enables Security Hub for your account in the current Region or the Region you specify in the request.
Enables the service in account for the current Amazon Web Services Region or specified Amazon Web Services Region. This API is in private preview and subject to change.
Provides the details for the Security Hub administrator account for the current member account.
Returns the configuration of the specified Aggregator V2. This API is in private preview and subject to change.
Returns an automation rule for the V2 service. This API is in private preview and subject to change.
Provides information about a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Returns the association between a configuration and a target account, organizational unit, or the root. The configuration can be a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Grants permission to retrieve details for a connectorV2 based on connector id. This API is in preview release and subject to change.
Returns a list of the standards that are currently enabled.
The aggregation Region is now called the home Region.
Returns the history of a Security Hub finding for the past 90 days. The history includes changes made to any fields in the Amazon Web Services Security Finding Format (ASFF) except top-level timestamp fields, such as the CreatedAt and UpdatedAt fields.
Returns a list of findings that match the specified criteria.
Returns aggregated statistical data about findings. GetFindingStatisticsV2 use securityhub:GetAdhocInsightResults in the Action element of an IAM policy statement. You must have permission to perform the s action. This API is in private preview and subject to change.
Return a list of findings that match the specified criteria. GetFindings and GetFindingsV2 both use securityhub:GetFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:GetFindings action. This API is in private preview and subject to change.
Lists the results of the Security Hub insight specified by the insight ARN.
Lists and describes insights for the specified insight ARNs.
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
This method is deprecated. Instead, use GetAdministratorAccount.
Returns the details for the Security Hub member accounts for the specified account IDs.
Retrieves statistical information about Amazon Web Services resources and their associated security findings. This API is in private preview and subject to change.
Returns a list of resources. This API is in private preview and subject to change.
Retrieves the definition of a security control. The definition includes the control title, description, Region availability, parameter definitions, and other details.
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
Retrieves a list of V2 aggregators. This API is in private preview and subject to change.
A list of automation rules and their metadata for the calling account.
Returns a list of automation rules and metadata for the calling account. This API is in private preview and subject to change.
Lists the configuration policies that the Security Hub delegated administrator has created for your organization. Only the delegated administrator can invoke this operation from the home Region.
Provides information about the associations for your configuration policies and self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Grants permission to retrieve a list of connectorsV2 and their metadata for the calling account. This API is in preview release and subject to change.
Lists all findings-generating solutions (products) that you are subscribed to receive findings from in Security Hub.
If cross-Region aggregation is enabled, then ListFindingAggregators returns the Amazon Resource Name (ARN) of the finding aggregator. You can run this operation from any Amazon Web Services Region.
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
Lists details about all member accounts for the current Security Hub administrator account.
Lists the Security Hub administrator accounts. Can only be called by the organization management account.
Lists all of the security controls that apply to a specified standard.
Specifies whether a control is currently enabled or disabled in each enabled standard in the calling account.
Returns a list of tags associated with a resource.
Associates a target account, organizational unit, or the root with a specified configuration. The target can be associated with a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Disassociates a target account, organizational unit, or the root from a specified configuration. When you disassociate a configuration from its target, the target inherits the configuration of the closest parent. If there’s no configuration to inherit, the target retains its settings but becomes a self-managed account. A target can be disassociated from a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Adds one or more tags to a resource.
Removes one or more tags from a resource.
Updates the name and description of a custom action target in Security Hub.
Udpates the configuration for the Aggregator V2. This API is in private preview and subject to change.
Updates a V2 automation rule. This API is in private preview and subject to change.
Updates a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Grants permission to update a connectorV2 based on its id and input parameters. This API is in preview release and subject to change.
The aggregation Region is now called the home Region.
UpdateFindings is a deprecated operation. Instead of UpdateFindings, use the BatchUpdateFindings operation.
Updates the Security Hub insight identified by the specified insight ARN.
Updates the configuration of your organization in Security Hub. Only the Security Hub administrator account can invoke this operation.
Updates the properties of a security control.
Updates configuration options for Security Hub.
Used to control whether an individual security standard control is enabled or disabled.
Inherited functions
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
This method is deprecated. Instead, use AcceptAdministratorInvitation.
Deletes one or more automation rules.
Disables the standards specified by the provided StandardsSubscriptionArns.
Enables the standards specified by the provided StandardsArn. To obtain the ARN for a standard, use the DescribeStandards operation.
Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs).
Returns associations between an Security Hub configuration and a batch of target accounts, organizational units, or the root. Only the Security Hub delegated administrator can invoke this operation from the home Region. A configuration can refer to a configuration policy or to a self-managed configuration.
Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.
For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard.
Imports security findings generated by a finding provider into Security Hub. This action is requested by the finding provider to import its findings into Security Hub.
Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters.
Used by Security Hub customers to update information about their investigation into one or more findings. Requested by administrator accounts or member accounts. Administrator accounts can update findings for their account and their member accounts. A member account can update findings only for their own account. Administrator and member accounts can use this operation to update the following fields and objects for one or more findings:
Used by customers to update information about their investigation into a finding. Requested by delegated administrator accounts or member accounts. Delegated administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their account. BatchUpdateFindings and BatchUpdateFindingV2 both use securityhub:BatchUpdateFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:BatchUpdateFindings action. Updates from BatchUpdateFindingsV2 don't affect the value of finding_info.modified_time, finding_info.modified_time_dt, time, time_dt for a finding. This API is in private preview and subject to change.
For a batch of security controls and standards, this operation updates the enablement status of a control in a standard.
Grants permission to complete the authorization based on input parameters. This API is in preview release and subject to change.
Creates a custom action target in Security Hub.
Enables aggregation across Amazon Web Services Regions. This API is in private preview and subject to change.
Creates an automation rule based on input parameters.
Creates a V2 automation rule. This API is in private preview and subject to change.
Creates a configuration policy with the defined configuration. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Grants permission to create a connectorV2 based on input parameters. This API is in preview release and subject to change.
The aggregation Region is now called the home Region.
Creates a custom insight in Security Hub. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation.
Creates a member association in Security Hub between the specified accounts and the account used to make the request, which is the administrator account. If you are integrated with Organizations, then the administrator account is designated by the organization management account.
Grants permission to create a ticket in the chosen ITSM based on finding information for the provided finding metadata UID. This API is in preview release and subject to change.
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
Deletes a custom action target from Security Hub.
Deletes the Aggregator V2. This API is in private preview and subject to change.
Deletes a V2 automation rule. This API is in private preview and subject to change.
Deletes a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region. For the deletion to succeed, you must first disassociate a configuration policy from target accounts, organizational units, or the root by invoking the StartConfigurationPolicyDisassociation operation.
Grants permission to delete a connectorV2. This API is in preview release and subject to change.
The aggregation Region is now called the home Region.
Deletes the insight specified by the InsightArn.
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
Deletes the specified member accounts from Security Hub.
Returns a list of the custom action targets in Security Hub in your account.
Paginate over DescribeActionTargetsResponse results.
Returns details about the Hub resource in your account, including the HubArn and the time when you enabled Security Hub.
Returns information about the way your organization is configured in Security Hub. Only the Security Hub administrator account can invoke this operation.
Returns information about product integrations in Security Hub.
Paginate over DescribeProductsResponse results.
Gets information about the product integration. This API is in private preview and subject to change.
Paginate over DescribeProductsV2Response results.
Returns details about the service resource in your account. This API is in private preview and subject to change.
Returns a list of the available standards in Security Hub.
Returns a list of security standards controls.
Paginate over DescribeStandardsControlsResponse results.
Paginate over DescribeStandardsResponse results.
Disables the integration of the specified product with Security Hub. After the integration is disabled, findings from that product are no longer sent to Security Hub.
Disables a Security Hub administrator account. Can only be called by the organization management account.
Disables Security Hub in your account only in the current Amazon Web Services Region. To disable Security Hub in all Regions, you must submit one request per Region where you have enabled Security Hub.
Disable the service for the current Amazon Web Services Region or specified Amazon Web Services Region. This API is in private preview and subject to change.
Disassociates the current Security Hub member account from the associated administrator account.
This method is deprecated. Instead, use DisassociateFromAdministratorAccount.
Disassociates the specified member accounts from the associated administrator account.
Enables the integration of a partner product with Security Hub. Integrated products send findings to Security Hub.
Designates the Security Hub administrator account for an organization. Can only be called by the organization management account.
Enables Security Hub for your account in the current Region or the Region you specify in the request.
Enables the service in account for the current Amazon Web Services Region or specified Amazon Web Services Region. This API is in private preview and subject to change.
Provides the details for the Security Hub administrator account for the current member account.
Returns the configuration of the specified Aggregator V2. This API is in private preview and subject to change.
Returns an automation rule for the V2 service. This API is in private preview and subject to change.
Provides information about a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Returns the association between a configuration and a target account, organizational unit, or the root. The configuration can be a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Grants permission to retrieve details for a connectorV2 based on connector id. This API is in preview release and subject to change.
Returns a list of the standards that are currently enabled.
Paginate over GetEnabledStandardsResponse results.
The aggregation Region is now called the home Region.
Returns the history of a Security Hub finding for the past 90 days. The history includes changes made to any fields in the Amazon Web Services Security Finding Format (ASFF) except top-level timestamp fields, such as the CreatedAt and UpdatedAt fields.
Paginate over GetFindingHistoryResponse results.
Returns a list of findings that match the specified criteria.
Paginate over GetFindingsResponse results.
Returns aggregated statistical data about findings. GetFindingStatisticsV2 use securityhub:GetAdhocInsightResults in the Action element of an IAM policy statement. You must have permission to perform the s action. This API is in private preview and subject to change.
Return a list of findings that match the specified criteria. GetFindings and GetFindingsV2 both use securityhub:GetFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:GetFindings action. This API is in private preview and subject to change.
Paginate over GetFindingsV2Response results.
Lists the results of the Security Hub insight specified by the insight ARN.
Lists and describes insights for the specified insight ARNs.
Paginate over GetInsightsResponse results.
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
This method is deprecated. Instead, use GetAdministratorAccount.
Returns the details for the Security Hub member accounts for the specified account IDs.
Retrieves statistical information about Amazon Web Services resources and their associated security findings. This API is in private preview and subject to change.
Returns a list of resources. This API is in private preview and subject to change.
Paginate over GetResourcesV2Response results.
Retrieves the definition of a security control. The definition includes the control title, description, Region availability, parameter definitions, and other details.
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
Retrieves a list of V2 aggregators. This API is in private preview and subject to change.
Paginate over ListAggregatorsV2Response results.
A list of automation rules and their metadata for the calling account.
Returns a list of automation rules and metadata for the calling account. This API is in private preview and subject to change.
Lists the configuration policies that the Security Hub delegated administrator has created for your organization. Only the delegated administrator can invoke this operation from the home Region.
Paginate over ListConfigurationPoliciesResponse results.
Provides information about the associations for your configuration policies and self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Paginate over ListConfigurationPolicyAssociationsResponse results.
Grants permission to retrieve a list of connectorsV2 and their metadata for the calling account. This API is in preview release and subject to change.
Lists all findings-generating solutions (products) that you are subscribed to receive findings from in Security Hub.
Paginate over ListEnabledProductsForImportResponse results.
If cross-Region aggregation is enabled, then ListFindingAggregators returns the Amazon Resource Name (ARN) of the finding aggregator. You can run this operation from any Amazon Web Services Region.
Paginate over ListFindingAggregatorsResponse results.
We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.
Paginate over ListInvitationsResponse results.
Lists details about all member accounts for the current Security Hub administrator account.
Paginate over ListMembersResponse results.
Lists the Security Hub administrator accounts. Can only be called by the organization management account.
Paginate over ListOrganizationAdminAccountsResponse results.
Lists all of the security controls that apply to a specified standard.
Paginate over ListSecurityControlDefinitionsResponse results.
Specifies whether a control is currently enabled or disabled in each enabled standard in the calling account.
Paginate over ListStandardsControlAssociationsResponse results.
Returns a list of tags associated with a resource.
Associates a target account, organizational unit, or the root with a specified configuration. The target can be associated with a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Disassociates a target account, organizational unit, or the root from a specified configuration. When you disassociate a configuration from its target, the target inherits the configuration of the closest parent. If there’s no configuration to inherit, the target retains its settings but becomes a self-managed account. A target can be disassociated from a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Adds one or more tags to a resource.
Removes one or more tags from a resource.
Updates the name and description of a custom action target in Security Hub.
Udpates the configuration for the Aggregator V2. This API is in private preview and subject to change.
Updates a V2 automation rule. This API is in private preview and subject to change.
Updates a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.
Grants permission to update a connectorV2 based on its id and input parameters. This API is in preview release and subject to change.
The aggregation Region is now called the home Region.
UpdateFindings is a deprecated operation. Instead of UpdateFindings, use the BatchUpdateFindings operation.
Updates the Security Hub insight identified by the specified insight ARN.
Updates the configuration of your organization in Security Hub. Only the Security Hub administrator account can invoke this operation.
Updates the properties of a security control.
Updates configuration options for Security Hub.
Used to control whether an individual security standard control is enabled or disabled.
Create a copy of the client with one or more configuration values overridden. This method allows the caller to perform scoped config overrides for one or more client operations.