Security Hub provides you with a comprehensive view of the security state of your AWS environment and resources. It also provides you with the readiness status of your environment based on controls from supported security standards. Security Hub collects security data from AWS accounts, services, and integrated third-party products and helps you analyze security trends in your environment to identify the highest priority security issues. For more information about Security Hub, see the AWS Security Hub User Guide.
When you use operations in the Security Hub API, the requests are executed only in the AWS Region that is currently active or in the specific AWS Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, execute the same command for each Region to apply the change to.
For example, if your Region is set to us-west-2, when you use CreateMembers to add a member account to Security Hub, the association of the member account with the master account is created only in the us-west-2 Region. Security Hub must be enabled for the member account in the same Region that the invitation was sent from.
The following throttling limits apply to using Security Hub API operations.
- GetFindings - RateLimit of 3 requests per second. BurstLimit of 6 requests per second.
- UpdateFindings - RateLimit of 1 request per second. BurstLimit of 5 requests per second.
- All other operations - RateLimit of 10 requests per second. BurstLimit of 30 requests per second.
If you’re using the service, you’re probably looking for SecurityHubClient and SecurityHub.
Structs
- AcceptInvitationRequest
- AcceptInvitationResponse
- AccountDetails: The details of an AWS account.
- ActionTarget: An ActionTarget object.
- AvailabilityZone: Information about an Availability Zone.
- AwsAutoScalingAutoScalingGroupDetails: Provides details about an auto scaling group.
- AwsCloudFrontDistributionDetails: A distribution configuration.
- AwsCloudFrontDistributionLogging: A complex type that controls whether access logs are written for the distribution.
- AwsCloudFrontDistributionOriginItem: A complex type that describes the Amazon S3 bucket, HTTP server (for example, a web server), Amazon Elemental MediaStore, or other server from which CloudFront gets your files.
- AwsCloudFrontDistributionOrigins: A complex type that contains information about origins and origin groups for this distribution.
- AwsCodeBuildProjectDetails: Information about an AWS CodeBuild project.
- AwsCodeBuildProjectEnvironment: Information about the build environment for this build project.
- AwsCodeBuildProjectEnvironmentRegistryCredential: The credentials for access to a private registry.
- AwsCodeBuildProjectSource: Information about the build input source code for this build project.
- AwsCodeBuildProjectVpcConfig: Information about the VPC configuration that AWS CodeBuild accesses.
- AwsEc2InstanceDetails: The details of an Amazon EC2 instance.
- AwsEc2NetworkInterfaceAttachment: Information about the network interface attachment.
- AwsEc2NetworkInterfaceDetails: Details about the network interface.
- AwsEc2NetworkInterfaceSecurityGroup: A security group associated with the network interface.
- AwsEc2SecurityGroupDetails: Details about an EC2 security group.
- AwsEc2SecurityGroupIpPermission: An IP permission for an EC2 security group.
- AwsEc2SecurityGroupIpRange: A range of IPv4 addresses.
- AwsEc2SecurityGroupIpv6Range: A range of IPv6 addresses.
- AwsEc2SecurityGroupPrefixListId: A prefix list ID.
- AwsEc2SecurityGroupUserIdGroupPair: A relationship between a security group and a user.
- AwsEc2VolumeAttachment: An attachment to an AWS EC2 volume.
- AwsEc2VolumeDetails: Details about an EC2 volume.
- AwsEc2VpcDetails: Details about an EC2 VPC.
- AwsElasticsearchDomainDetails: Information about an Elasticsearch domain.
- AwsElasticsearchDomainDomainEndpointOptions: Additional options for the domain endpoint, such as whether to require HTTPS for all traffic.
- AwsElasticsearchDomainEncryptionAtRestOptions: Details about the configuration for encryption at rest.
- AwsElasticsearchDomainNodeToNodeEncryptionOptions: Details about the configuration for node-to-node encryption.
- AwsElasticsearchDomainVPCOptions: Information that Amazon ES derives based on VPCOptions for the domain.
- AwsElbv2LoadBalancerDetails: Information about a load balancer.
- AwsIamAccessKeyDetails: IAM access key details related to a finding.
- AwsIamRoleDetails: Contains information about an IAM role, including all of the role's policies.
- AwsKmsKeyDetails: Contains metadata about a customer master key (CMK).
- AwsLambdaFunctionCode: The code for the Lambda function. You can specify either an object in Amazon S3, or upload a deployment package directly.
- AwsLambdaFunctionDeadLetterConfig: The dead-letter queue for failed asynchronous invocations.
- AwsLambdaFunctionDetails: Details about a function's configuration.
- AwsLambdaFunctionEnvironment: A function's environment variable settings.
- AwsLambdaFunctionEnvironmentError: Error messages for environment variables that couldn't be applied.
- AwsLambdaFunctionLayer: An AWS Lambda layer.
- AwsLambdaFunctionTracingConfig: The function's AWS X-Ray tracing configuration.
- AwsLambdaFunctionVpcConfig: The VPC security groups and subnets that are attached to a Lambda function. For more information, see VPC Settings.
- AwsLambdaLayerVersionDetails: Details about a Lambda layer version.
- AwsRdsDbInstanceAssociatedRole: An AWS Identity and Access Management (IAM) role associated with the DB instance.
- AwsRdsDbInstanceDetails: Contains the details of an Amazon RDS DB instance.
- AwsRdsDbInstanceEndpoint: Specifies the connection endpoint.
- AwsRdsDbInstanceVpcSecurityGroup: A VPC security group that the DB instance belongs to.
- AwsS3BucketDetails: The details of an Amazon S3 bucket.
- AwsS3BucketServerSideEncryptionByDefault: Specifies the default server-side encryption to apply to new objects in the bucket.
- AwsS3BucketServerSideEncryptionConfiguration: The encryption configuration for the S3 bucket.
- AwsS3BucketServerSideEncryptionRule: An encryption rule to apply to the S3 bucket.
- AwsS3ObjectDetails: Details about an Amazon S3 object.
- AwsSecurityFinding: Provides consistent format for the contents of the Security Hub-aggregated findings. AwsSecurityFinding format enables you to share findings between AWS security services and third-party solutions, and security standards checks. A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and standards checks.
- AwsSecurityFindingFilters: A collection of attributes that are applied to all active Security Hub-aggregated findings and that result in a subset of findings that are included in this insight.
- AwsSecurityFindingIdentifier: Identifies a finding to update using BatchUpdateFindings.
- AwsSnsTopicDetails: A wrapper type for the topic's Amazon Resource Name (ARN).
- AwsSnsTopicSubscription: A wrapper type for the attributes of an Amazon SNS subscription.
- AwsSqsQueueDetails: Data about a queue.
- AwsWafWebAclDetails: Details about a WAF WebACL.
- AwsWafWebAclRule: Details for a rule in a WAF WebACL.
- BatchDisableStandardsRequest
- BatchDisableStandardsResponse
- BatchEnableStandardsRequest
- BatchEnableStandardsResponse
- BatchImportFindingsRequest
- BatchImportFindingsResponse
- BatchUpdateFindingsRequest
- BatchUpdateFindingsResponse
- BatchUpdateFindingsUnprocessedFinding: A finding from a BatchUpdateFindings request that Security Hub was unable to update.
- CidrBlockAssociation: An IPv4 CIDR block association.
- Compliance: Contains finding details that are specific to control-based findings. Only returned for findings generated from controls.
- ContainerDetails: Container details related to a finding.
- CreateActionTargetRequest
- CreateActionTargetResponse
- CreateInsightRequest
- CreateInsightResponse
- CreateMembersRequest
- CreateMembersResponse
- Cvss: CVSS scores from the advisory related to the vulnerability.
- DateFilter: A date filter for querying findings.
- DateRange: A date range for the date filter.
- DeclineInvitationsRequest
- DeclineInvitationsResponse
- DeleteActionTargetRequest
- DeleteActionTargetResponse
- DeleteInsightRequest
- DeleteInsightResponse
- DeleteInvitationsRequest
- DeleteInvitationsResponse
- DeleteMembersRequest
- DeleteMembersResponse
- DescribeActionTargetsRequest
- DescribeActionTargetsResponse
- DescribeHubRequest
- DescribeHubResponse
- DescribeProductsRequest
- DescribeProductsResponse
- DescribeStandardsControlsRequest
- DescribeStandardsControlsResponse
- DescribeStandardsRequest
- DescribeStandardsResponse
- DisableImportFindingsForProductRequest
- DisableImportFindingsForProductResponse
- DisableSecurityHubRequest
- DisableSecurityHubResponse
- DisassociateFromMasterAccountRequest
- DisassociateFromMasterAccountResponse
- DisassociateMembersRequest
- DisassociateMembersResponse
- EnableImportFindingsForProductRequest
- EnableImportFindingsForProductResponse
- EnableSecurityHubRequest
- EnableSecurityHubResponse
- GetEnabledStandardsRequest
- GetEnabledStandardsResponse
- GetFindingsRequest
- GetFindingsResponse
- GetInsightResultsRequest
- GetInsightResultsResponse
- GetInsightsRequest
- GetInsightsResponse
- GetInvitationsCountRequest
- GetInvitationsCountResponse
- GetMasterAccountRequest
- GetMasterAccountResponse
- GetMembersRequest
- GetMembersResponse
- ImportFindingsError: The list of the findings that cannot be imported. For each finding, the list provides the error.
- Insight: Contains information about a Security Hub insight.
- InsightResultValue: The insight result values returned by the GetInsightResults operation.
- InsightResults: The insight results returned by the GetInsightResults operation.
- Invitation: Details about an invitation.
- InviteMembersRequest
- InviteMembersResponse
- IpFilter: The IP filter for querying findings.
- Ipv6CidrBlockAssociation: An IPV6 CIDR block association.
- KeywordFilter: A keyword filter for querying findings.
- ListEnabledProductsForImportRequest
- ListEnabledProductsForImportResponse
- ListInvitationsRequest
- ListInvitationsResponse
- ListMembersRequest
- ListMembersResponse
- ListTagsForResourceRequest
- ListTagsForResourceResponse
- LoadBalancerState: Information about the state of the load balancer.
- Malware: A list of malware related to a finding.
- MapFilter: The map filter for querying findings.
- Member: The details about a member account.
- Network: The details of network-related information about a finding.
- NetworkHeader: Details about a network path component that occurs before or after the current component.
- NetworkPathComponent: Information about a network path component.
- NetworkPathComponentDetails: Information about the destination of the next component in the network path.
- Note: A user-defined note added to a finding.
- NoteUpdate: The updated note.
- NumberFilter: A number filter for querying findings.
- PortRange: A range of ports.
- ProcessDetails: The details of process-related information about a finding.
- Product: Contains details about a product.
- Recommendation: A recommendation on how to remediate the issue identified in a finding.
- RelatedFinding: Details about a related finding.
- Remediation: Details about the remediation steps for a finding.
- Resource: A resource related to a finding.
- ResourceDetails: Additional details about a resource related to a finding. To provide the details, use the object that corresponds to the resource type. For example, if the resource type is AwsEc2Instance, then you use the AwsEc2Instance object to provide the details. If the type-specific object does not contain all of the fields you want to populate, then you use the Other object to populate those additional fields. You also use the Other object to populate the details when the selected type does not have a corresponding object.
- SecurityHubClient: A client for the AWS SecurityHub API.
- SecurityHubResult: Details about the account that was not processed.
- Severity: The severity of the finding.
- SeverityUpdate: Updates to the severity information for a finding.
- SoftwarePackage: Information about a software package.
- SortCriterion: A collection of finding attributes used to sort findings.
- Standard: Provides information about a specific standard.
- StandardsControl: Details for an individual security standard control.
- StandardsSubscription: A resource that represents your subscription to a supported standard.
- StandardsSubscriptionRequest: The standard that you want to enable.
- StatusReason: Provides additional context for the value of Compliance.Status.
- StringFilter: A string filter for querying findings.
- TagResourceRequest
- TagResourceResponse
- ThreatIntelIndicator: Details about the threat intelligence related to a finding.
- UntagResourceRequest
- UntagResourceResponse
- UpdateActionTargetRequest
- UpdateActionTargetResponse
- UpdateFindingsRequest
- UpdateFindingsResponse
- UpdateInsightRequest
- UpdateInsightResponse
- UpdateStandardsControlRequest
- UpdateStandardsControlResponse
- Vulnerability: A vulnerability associated with a finding.
- VulnerabilityVendor: A vendor that generates a vulnerability report.
- WafAction: Details about the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.
- WafExcludedRule: Details about a rule to exclude from a rule group.
- WafOverrideAction: Details about an override action for a rule.
- Workflow: Provides information about the status of the investigation into a finding.
- WorkflowUpdate: Used to update information about the investigation into the finding.
Enums
- AcceptInvitationError: Errors returned by AcceptInvitation
- BatchDisableStandardsError: Errors returned by BatchDisableStandards
- BatchEnableStandardsError: Errors returned by BatchEnableStandards
- BatchImportFindingsError: Errors returned by BatchImportFindings
- BatchUpdateFindingsError: Errors returned by BatchUpdateFindings
- CreateActionTargetError: Errors returned by CreateActionTarget
- CreateInsightError: Errors returned by CreateInsight
- CreateMembersError: Errors returned by CreateMembers
- DeclineInvitationsError: Errors returned by DeclineInvitations
- DeleteActionTargetError: Errors returned by DeleteActionTarget
- DeleteInsightError: Errors returned by DeleteInsight
- DeleteInvitationsError: Errors returned by DeleteInvitations
- DeleteMembersError: Errors returned by DeleteMembers
- DescribeActionTargetsError: Errors returned by DescribeActionTargets
- DescribeHubError: Errors returned by DescribeHub
- DescribeProductsError: Errors returned by DescribeProducts
- DescribeStandardsControlsError: Errors returned by DescribeStandardsControls
- DescribeStandardsError: Errors returned by DescribeStandards
- DisableImportFindingsForProductError: Errors returned by DisableImportFindingsForProduct
- DisableSecurityHubError: Errors returned by DisableSecurityHub
- DisassociateFromMasterAccountError: Errors returned by DisassociateFromMasterAccount
- DisassociateMembersError: Errors returned by DisassociateMembers
- EnableImportFindingsForProductError: Errors returned by EnableImportFindingsForProduct
- EnableSecurityHubError: Errors returned by EnableSecurityHub
- GetEnabledStandardsError: Errors returned by GetEnabledStandards
- GetFindingsError: Errors returned by GetFindings
- GetInsightResultsError: Errors returned by GetInsightResults
- GetInsightsError: Errors returned by GetInsights
- GetInvitationsCountError: Errors returned by GetInvitationsCount
- GetMasterAccountError: Errors returned by GetMasterAccount
- GetMembersError: Errors returned by GetMembers
- InviteMembersError: Errors returned by InviteMembers
- ListEnabledProductsForImportError: Errors returned by ListEnabledProductsForImport
- ListInvitationsError: Errors returned by ListInvitations
- ListMembersError: Errors returned by ListMembers
- ListTagsForResourceError: Errors returned by ListTagsForResource
- TagResourceError: Errors returned by TagResource
- UntagResourceError: Errors returned by UntagResource
- UpdateActionTargetError: Errors returned by UpdateActionTarget
- UpdateFindingsError: Errors returned by UpdateFindings
- UpdateInsightError: Errors returned by UpdateInsight
- UpdateStandardsControlError: Errors returned by UpdateStandardsControl
Traits
- SecurityHub: Trait representing the capabilities of the AWS SecurityHub API. AWS SecurityHub clients implement this trait.