Security Hub provides you with a comprehensive view of the security state of your AWS environment and resources. It also provides you with the readiness status of your environment based on controls from supported security standards. Security Hub collects security data from AWS accounts, services, and integrated third-party products and helps you analyze security trends in your environment to identify the highest priority security issues. For more information about Security Hub, see the AWS Security Hub User Guide.
When you use operations in the Security Hub API, the requests are executed only in the AWS Region that is currently active or in the specific AWS Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, execute the same command in each Region where the change should apply.
For example, if your Region is set to us-west-2, when you use CreateMembers to add a member account to Security Hub, the association of the member account with the master account is created only in the us-west-2 Region. Security Hub must be enabled for the member account in the same Region that the invitation was sent from.
The following throttling limits apply to using Security Hub API operations.
RateLimit of 3 requests per second.
BurstLimit of 6 requests per second.
RateLimit of 1 request per second.
BurstLimit of 5 requests per second.
All other operations -
RateLimit of 10 requests per second.
BurstLimit of 30 requests per second.
The details of an AWS account.
Information about an Availability Zone.
Provides details about an auto scaling group.
A distribution configuration.
A complex type that controls whether access logs are written for the distribution.
A complex type that describes the Amazon S3 bucket, HTTP server (for example, a web server), Amazon Elemental MediaStore, or other server from which CloudFront gets your files.
A complex type that contains information about origins and origin groups for this distribution.
Information about an AWS CodeBuild project.
Information about the build environment for this build project.
The credentials for access to a private registry.
Information about the build input source code for this build project.
Information about the VPC configuration that AWS CodeBuild accesses.
The details of an Amazon EC2 instance.
Information about the network interface attachment.
Details about the network interface.
A security group associated with the network interface.
Details about an EC2 security group.
An IP permission for an EC2 security group.
A range of IPv4 addresses.
A range of IPv6 addresses.
A prefix list ID.
A relationship between a security group and a user.
An attachment to an AWS EC2 volume.
Details about an EC2 volume.
Details about an EC2 VPC.
Information about an Elasticsearch domain.
Additional options for the domain endpoint, such as whether to require HTTPS for all traffic.
Details about the configuration for encryption at rest.
Details about the configuration for node-to-node encryption.
Information that Amazon ES derives based on
Information about a load balancer.
IAM access key details related to a finding.
Contains information about an IAM role, including all of the role's policies.
Contains metadata about a customer master key (CMK).
The code for the Lambda function. You can specify either an object in Amazon S3, or upload a deployment package directly.
The dead-letter queue for failed asynchronous invocations.
Details about a function's configuration.
A function's environment variable settings.
Error messages for environment variables that couldn't be applied.
An AWS Lambda layer.
The function's AWS X-Ray tracing configuration.
The VPC security groups and subnets that are attached to a Lambda function. For more information, see VPC Settings.
Details about a Lambda layer version.
An AWS Identity and Access Management (IAM) role associated with the DB instance.
Contains the details of an Amazon RDS DB instance.
Specifies the connection endpoint.
A VPC security group that the DB instance belongs to.
The details of an Amazon S3 bucket.
Specifies the default server-side encryption to apply to new objects in the bucket.
The encryption configuration for the S3 bucket.
An encryption rule to apply to the S3 bucket.
Details about an Amazon S3 object.
Provides consistent format for the contents of the Security Hub-aggregated findings.
A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and standards checks.
A collection of attributes that are applied to all active Security Hub-aggregated findings and that result in a subset of findings that are included in this insight.
Identifies a finding to update using
A wrapper type for the topic's Amazon Resource Name (ARN).
A wrapper type for the attributes of an Amazon SNS subscription.
Data about a queue.
Details about a WAF WebACL.
Details for a rule in a WAF WebACL.
A finding from a
An IPv4 CIDR block association.
Contains finding details that are specific to control-based findings. Only returned for findings generated from controls.
Container details related to a finding.
CVSS scores from the advisory related to the vulnerability.
A date filter for querying findings.
A date range for the date filter.
The list of the findings that cannot be imported. For each finding, the list provides the error.
Contains information about a Security Hub insight.
The insight result values returned by the
The insight results returned by the
Details about an invitation.
The IP filter for querying findings.
An IPv6 CIDR block association.
A keyword filter for querying findings.
Information about the state of the load balancer.
A list of malware related to a finding.
The map filter for querying findings.
The details about a member account.
The details of network-related information about a finding.
Details about a network path component that occurs before or after the current component.
Information about a network path component.
Information about the destination of the next component in the network path.
A user-defined note added to a finding.
The updated note.
A number filter for querying findings.
A range of ports.
The details of process-related information about a finding.
Contains details about a product.
A recommendation on how to remediate the issue identified in a finding.
Details about a related finding.
Details about the remediation steps for a finding.
A resource related to a finding.
Additional details about a resource related to a finding.
To provide the details, use the object that corresponds to the resource type. For example, if the resource type is
If the type-specific object does not contain all of the fields you want to populate, then you use the
You also use the
A client for the AWS SecurityHub API.
Details about the account that was not processed.
The severity of the finding.
Updates to the severity information for a finding.
Information about a software package.
A collection of finding attributes used to sort findings.
Provides information about a specific standard.
Details for an individual security standard control.
A resource that represents your subscription to a supported standard.
The standard that you want to enable.
Provides additional context for the value of
A string filter for querying findings.
Details about the threat intelligence related to a finding.
A vulnerability associated with a finding.
A vendor that generates a vulnerability report.
Details about the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.
Details about a rule to exclude from a rule group.
Details about an override action for a rule.
Provides information about the status of the investigation into a finding.
Used to update information about the investigation into the finding.
Errors returned by AcceptInvitation
Errors returned by BatchDisableStandards
Errors returned by BatchEnableStandards
Errors returned by BatchImportFindings
Errors returned by BatchUpdateFindings
Errors returned by CreateActionTarget
Errors returned by CreateInsight
Errors returned by CreateMembers
Errors returned by DeclineInvitations
Errors returned by DeleteActionTarget
Errors returned by DeleteInsight
Errors returned by DeleteInvitations
Errors returned by DeleteMembers
Errors returned by DescribeActionTargets
Errors returned by DescribeHub
Errors returned by DescribeProducts
Errors returned by DescribeStandardsControls
Errors returned by DescribeStandards
Errors returned by DisableImportFindingsForProduct
Errors returned by DisableSecurityHub
Errors returned by DisassociateFromMasterAccount
Errors returned by DisassociateMembers
Errors returned by EnableImportFindingsForProduct
Errors returned by EnableSecurityHub
Errors returned by GetEnabledStandards
Errors returned by GetFindings
Errors returned by GetInsightResults
Errors returned by GetInsights
Errors returned by GetInvitationsCount
Errors returned by GetMasterAccount
Errors returned by GetMembers
Errors returned by InviteMembers
Errors returned by ListEnabledProductsForImport
Errors returned by ListInvitations
Errors returned by ListMembers
Errors returned by ListTagsForResource
Errors returned by TagResource
Errors returned by UntagResource
Errors returned by UpdateActionTarget
Errors returned by UpdateFindings
Errors returned by UpdateInsight
Errors returned by UpdateStandardsControl
Trait representing the capabilities of the AWS SecurityHub API. AWS SecurityHub clients implement this trait.