
Security Hub provides you with a comprehensive view of the security state of your AWS environment and resources. It also provides you with the readiness status of your environment based on controls from supported security standards. Security Hub collects security data from AWS accounts, services, and integrated third-party products and helps you analyze security trends in your environment to identify the highest priority security issues. For more information about Security Hub, see the AWS Security Hub User Guide.

When you use operations in the Security Hub API, the requests are executed only in the AWS Region that is currently active or in the specific AWS Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, run the same command in each Region where you want the change applied.

For example, if your Region is set to us-west-2, when you use CreateMembers to add a member account to Security Hub, the association of the member account with the administrator account is created only in the us-west-2 Region. Security Hub must be enabled for the member account in the same Region that the invitation was sent from.

The following throttling limits apply to using Security Hub API operations.

  • BatchEnableStandards - RateLimit of 1 request per second, BurstLimit of 1 request per second.

  • GetFindings - RateLimit of 3 requests per second, BurstLimit of 6 requests per second.

  • UpdateFindings - RateLimit of 1 request per second, BurstLimit of 5 requests per second.

  • UpdateStandardsControl - RateLimit of 1 request per second, BurstLimit of 5 requests per second.

  • All other operations - RateLimit of 10 requests per second, BurstLimit of 30 requests per second.

If you’re using the service, you’re probably looking for SecurityHubClient and SecurityHub.

Structs

The details of an AWS account.

Provides details about one of the following actions that affects or that was taken on a resource:

  • A remote IP address issued an AWS API call

  • A DNS request was received

  • A remote IP address attempted to connect to an EC2 instance

  • A remote IP address attempted a port probe on an EC2 instance

Provides information about the IP address where the scanned port is located.

For NetworkConnectionAction and PortProbeDetails, LocalPortDetails provides information about the local port that was involved in the action.

For AwsApiAction, NetworkConnectionAction, and PortProbeAction, RemoteIpDetails provides information about the remote IP address that was involved in the action.

Provides information about the remote port that was involved in an attempted network connection.

An ActionTarget object.

Represents a Security Hub administrator account designated by an organization management account.

Information about an Availability Zone.

Provided if ActionType is AWS_API_CALL. It provides details about the API call that was detected.

Provided if CallerType is domain. It provides information about the DNS domain that issued the API call.

Contains information about settings for logging access for the stage.

Contains information about settings for canary deployment in the stage.

Contains information about the endpoints for the API.

Defines settings for a method for the stage.

Contains information about a REST API in version 1 of Amazon API Gateway.

Provides information about a version 1 Amazon API Gateway stage.

Contains information about a version 2 API in Amazon API Gateway.

Contains route settings for a stage.

Contains information about a version 2 stage for Amazon API Gateway.

Provides details about an auto scaling group.

Provides details about an AWS Certificate Manager certificate.

Contains information about one of the following:

  • The initial validation of each domain name that occurs as a result of the RequestCertificate request

  • The validation of each domain name in the certificate, as it pertains to AWS Certificate Manager managed renewal

Contains information about an extended key usage X.509 v3 extension object.

Contains information about a key usage X.509 v3 extension object.

Contains other options for the certificate.

Contains information about the AWS Certificate Manager managed renewal for an AMAZON_ISSUED certificate.

Provides details about the CNAME record that is added to the DNS database for domain validation.

Information about a cache behavior for the distribution.

Provides information about caching for the distribution.

Contains information about the default cache configuration for the distribution.

A distribution configuration.

A complex type that controls whether access logs are written for the distribution.

Information about an origin group for the distribution.

Provides information about when an origin group fails over.

The status codes that cause an origin group to fail over.

Provides information about origin groups that are associated with the distribution.

A complex type that describes the Amazon S3 bucket, HTTP server (for example, a web server), Amazon Elemental MediaStore, or other server from which CloudFront gets your files.

Information about an origin that is an S3 bucket that is not configured with static website hosting.

A complex type that contains information about origins and origin groups for this distribution.

Provides details about a CloudTrail trail.

Information about an AWS CodeBuild project.

Information about the build environment for this build project.

The credentials for access to a private registry.

Information about the build input source code for this build project.

Information about the VPC configuration that AWS CodeBuild accesses.

Contains the cross-origin resource sharing (CORS) configuration for the API. CORS is only supported for HTTP APIs.

Contains a definition of an attribute for the table.

Provides information about the billing for read/write capacity on the table.

Provides details about a DynamoDB table.

Information about a global secondary index for the table.

A component of the key schema for the DynamoDB table, a global secondary index, or a local secondary index.

Information about a local secondary index for a DynamoDB table.

For global and local secondary indexes, identifies the attributes that are copied from the table into the index.

Information about the provisioned throughput for the table or for a global secondary index.

Replica-specific configuration for the provisioned throughput.

Information about a replica of a DynamoDB table.

Information about a global secondary index for a DynamoDB table replica.

Information about the restore for the table.

Information about the server-side encryption for the table.

The current DynamoDB Streams configuration for the table.

Information about an Elastic IP address.

The details of an EC2 instance.

Identifies a network interface for the EC2 instance.

An association between the network ACL and a subnet.

Contains details about an EC2 network access control list (ACL).

A rule for the network ACL. Each rule allows or denies access based on the IP address, traffic direction, port, and protocol.

Information about the network interface attachment.

Details about the network interface.

Provides information about an IPv6 address that is associated with the network interface.

Provides information about a private IPv4 address that is associated with the network interface.

A security group associated with the network interface.

Details about an EC2 security group.

An IP permission for an EC2 security group.

A range of IPv4 addresses.

A range of IPv6 addresses.

A relationship between a security group and a user.

Contains information about a subnet in EC2.

An attachment to an AWS EC2 volume.

Details about an EC2 volume.

Details about an EC2 VPC.

Indicates whether to enable CloudWatch Container Insights for the ECS cluster.

The run command configuration for the cluster.

Contains the run command configuration for the cluster.

The log configuration for the results of the run command actions.

The default capacity provider strategy for the cluster. The default capacity provider strategy is used when services or tasks are run without a specified launch type or capacity provider strategy.

Provides details about an ECS cluster.

A dependency that is defined for container startup and shutdown.

A container definition that describes a container in the task.

An environment variable to pass to the container.

A file that contains environment variables to pass to a container.

A hostname and IP address mapping to append to the /etc/hosts file on the container.

The FireLens configuration for the container. The configuration specifies and configures a log router for container logs.

The container health check command and associated configuration parameters for the container.

The Linux capabilities for the container that are added to or dropped from the default configuration provided by Docker.

Linux-specific modifications that are applied to the container, such as Linux kernel capabilities.

The container path, mount options, and size (in MiB) of a tmpfs mount.

The log configuration specification for the container.

A mount point for the data volumes in the container.

The private repository authentication credentials to use.

A namespaced kernel parameter to set in the container.

A data volume to mount from another container.

Details about a task definition. A task definition describes the container and volume definitions of an Amazon Elastic Container Service task.

An Elastic Inference accelerator to use for the containers in the task.

A placement constraint object to use for tasks.

The configuration details for the App Mesh proxy.

A network configuration parameter to provide to the Container Network Interface (CNI) plugin.

A data volume to mount from another container.

Information about the Amazon Elastic File System file system that is used for task storage.

Information about a bind mount host volume.

Contains details about an Elastic Beanstalk environment.

Contains information about a link to another environment that is in the same group.

A configuration option setting for the environment.

Contains information about the tier of the environment.

Information about an Elasticsearch domain.

Additional options for the domain endpoint, such as whether to require HTTPS for all traffic.

Details about the configuration for encryption at rest.

Configures the CloudWatch Logs to publish for the Elasticsearch domain.

Details about the configuration for node-to-node encryption.

Information about the state of the domain relative to the latest service software.

Information that Amazon ES derives based on VPCOptions for the domain.

Contains information about a stickiness policy that was created using CreateAppCookieStickinessPolicy.

Contains information about a stickiness policy that was created using CreateLBCookieStickinessPolicy.

Contains information about the access log configuration for the load balancer.

Contains attributes for the load balancer.

Provides information about the configuration of an EC2 instance for the load balancer.

Contains information about the connection draining configuration for the load balancer.

Contains connection settings for the load balancer.

Contains cross-zone load balancing settings for the load balancer.

Contains details about a Classic Load Balancer.

Contains information about the health checks that are conducted on the load balancer.

Provides information about an EC2 instance for a load balancer.

Information about a load balancer listener.

Lists the policies that are enabled for a load balancer listener.

Contains information about the policies for a load balancer.

Contains information about the security group for the load balancer.

Information about a load balancer.

IAM access key details related to a finding.

Provides information about the session that the key was used for.

Attributes of the session that the key was used for.

Information about the entity that created the session.

A managed policy that is attached to an IAM principal.

Contains details about an IAM group.

A managed policy that is attached to the IAM group.

Information about an instance profile.

Information about a role associated with an instance profile.

Information about the policy used to set the permissions boundary for an IAM principal.

Represents an IAM permissions policy.

A version of an IAM policy.

Contains information about an IAM role, including all of the role's policies.

An inline policy that is embedded in the role.

Information about an IAM user.

Information about an inline policy that is embedded in the user.

Contains metadata about a customer master key (CMK).

The code for the Lambda function. You can specify either an object in Amazon S3, or upload a deployment package directly.

The dead-letter queue for failed asynchronous invocations.

Details about a function's configuration.

A function's environment variable settings.

Error messages for environment variables that could not be applied.

An AWS Lambda layer.

The function's AWS X-Ray tracing configuration.

The VPC security groups and subnets that are attached to a Lambda function.

Details about a Lambda layer version.

An IAM role that is associated with the Amazon RDS DB cluster.

Information about an Amazon RDS DB cluster.

Information about an instance in the DB cluster.

Information about an option group membership for a DB cluster.

Information about an Amazon RDS DB cluster snapshot.

Information about an Active Directory domain membership record associated with the DB instance.

An AWS Identity and Access Management (IAM) role associated with the DB instance.

Contains the details of an Amazon RDS DB instance.

Specifies the connection endpoint.

A VPC security group that the DB instance belongs to.

An option group membership.

Provides information about a parameter group for a DB instance.

Changes to a DB instance that are currently pending.

A processor feature.

Provides details about an Amazon RDS DB cluster snapshot.

Information about the status of a read replica.

Information about the subnet group for the database instance.

Information about a subnet in a subnet group.

An Availability Zone for a subnet in a subnet group.

Identifies the log types to enable and disable.

A node in an Amazon Redshift cluster.

A cluster parameter group that is associated with an Amazon Redshift cluster.

The status of a parameter in a cluster parameter group for an Amazon Redshift cluster.

A security group that is associated with the cluster.

Information about a cross-Region snapshot copy.

A time window during which maintenance was deferred for an Amazon Redshift cluster.

Details about an Amazon Redshift cluster.

The status of the elastic IP (EIP) address for an Amazon Redshift cluster.

The connection endpoint for an Amazon Redshift cluster.

Information about whether an Amazon Redshift cluster finished applying any hardware security module (HSM) settings changes that were specified in a modify cluster command.

An IAM role that the cluster can use to access other AWS services.

Changes to the Amazon Redshift cluster that are currently pending.

Information about the resize operation for the cluster.

Information about the status of a cluster restore action. It only applies if the cluster was created by restoring a snapshot.

A VPC security group that the cluster belongs to, if the cluster is in a VPC.

Provides information about the Amazon S3 Public Access Block configuration for accounts.

The lifecycle configuration for the objects in the S3 bucket.

Information about what Amazon S3 does when a multipart upload is incomplete.

Configuration for a lifecycle rule.

Identifies the objects that a rule applies to.

A transition rule that describes when noncurrent objects transition to a specified storage class.

A rule for when objects transition to specific storage classes.

The details of an Amazon S3 bucket.

Specifies the default server-side encryption to apply to new objects in the bucket.

The encryption configuration for the S3 bucket.

An encryption rule to apply to the S3 bucket.

Details about an Amazon S3 object.

Details about an AWS Secrets Manager secret.

Defines the rotation schedule for the secret.

Provides a consistent format for the contents of Security Hub-aggregated findings. The AwsSecurityFinding format enables you to share findings between AWS security services, third-party solutions, and security standards checks.

A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and standards checks.

A collection of attributes that are applied to all active Security Hub-aggregated findings and that result in a subset of findings that are included in this insight.

You can filter by up to 10 finding attributes. For each attribute, you can provide up to 20 filter values.

Identifies a finding to update using BatchUpdateFindings.

A wrapper type for the topic's ARN.

A wrapper type for the attributes of an Amazon SNS subscription.

Data about a queue.

Provides the details about the compliance status for a patch.

Provides details about the compliance for a patch.

Provides information about the state of a patch on an instance based on the patch baseline that was used to patch the instance.

Details about a WAF WebACL.

Details for a rule in a WAF WebACL.

A finding from a BatchUpdateFindings request that Security Hub was unable to update.

An occurrence of sensitive data detected in a Microsoft Excel workbook, comma-separated value (CSV) file, or tab-separated value (TSV) file.

An IPv4 CIDR block association.

Information about a city.

Details about the sensitive data that was detected on the resource.

Provides details about the current status of the sensitive data detection.

Contains finding details that are specific to control-based findings. Only returned for findings generated from controls.

Container details related to a finding.

Information about a country.

The list of detected instances of sensitive data.

Contains an instance of sensitive data that was detected by a customer-defined identifier.

CVSS scores from the advisory related to the vulnerability.

Provides details about sensitive data that was detected on a resource.

A date filter for querying findings.

A date range for the date filter.

Provided if ActionType is DNS_REQUEST. It provides details about the DNS request that was detected.

In a BatchImportFindings request, finding providers use FindingProviderFields to provide and update values for confidence, criticality, related findings, severity, and types.

The severity assigned to the finding by the finding provider.

Provides the latitude and longitude coordinates of a location.

An Internet Control Message Protocol (ICMP) type and code.

The list of the findings that cannot be imported. For each finding, the list provides the error.

Contains information about a Security Hub insight.

The insight result values returned by the GetInsightResults operation.

The insight results returned by the GetInsightResults operation.

Details about an invitation.

The IP filter for querying findings.

Provides information about an internet provider.

An IPv6 CIDR block association.

A keyword filter for querying findings.

Information about the state of the load balancer.

A list of malware related to a finding.

A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

The details about a member account.

The details of network-related information about a finding.

Provided if ActionType is NETWORK_CONNECTION. It provides details about the attempted network connection that was detected.

Details about a network path component that occurs before or after the current component.

Information about a network path component.

Information about the destination of the next component in the network path.

A user-defined note added to a finding.

The updated note.

A number filter for querying findings.

The detected occurrences of sensitive data.

An occurrence of sensitive data in an Adobe Portable Document Format (PDF) file.

Provides an overview of the patch compliance status for an instance against a selected compliance standard.

Provided if ActionType is PORT_PROBE. It provides details about the attempted port probe that was detected.

A port scan that was part of the port probe. For each scan, PortProbeDetails provides information about the local IP address and port that were scanned, and the remote IP address that the scan originated from.

A range of ports.

A range of ports.

The details of process-related information about a finding.

Contains details about a product.

Identifies where the sensitive data begins and ends.

A recommendation on how to remediate the issue identified in a finding.

An occurrence of sensitive data in an Apache Avro object container or an Apache Parquet file.

Details about a related finding.

Details about the remediation steps for a finding.

A resource related to a finding.

Additional details about a resource related to a finding.

To provide the details, use the object that corresponds to the resource type. For example, if the resource type is AwsEc2Instance, then you use the AwsEc2Instance object to provide the details.

If the type-specific object does not contain all of the fields you want to populate, then you use the Other object to populate those additional fields.

You also use the Other object to populate the details when the selected type does not have a corresponding object.

A client for the AWS SecurityHub API.

Details about the account that was not processed.

The list of detected instances of sensitive data.

Contains a detected instance of sensitive data that is based on built-in identifiers.

The severity of the finding.

The finding provider can provide the initial severity. The finding provider can only update the severity if it has not been updated using BatchUpdateFindings.

The finding must have either Label or Normalized populated. If only one of these attributes is populated, then Security Hub automatically populates the other one. If neither attribute is populated, then the finding is invalid. Label is the preferred attribute.

Updates to the severity information for a finding.

Information about a software package.

A collection of finding attributes used to sort findings.

Provides information about a specific standard.

Details for an individual security standard control.

A resource that represents your subscription to a supported standard.

The standard that you want to enable.

Provides additional context for the value of Compliance.Status.

A string filter for querying findings.

Details about the threat intelligence related to a finding.

A vulnerability associated with a finding.

A vendor that generates a vulnerability report.

Details about the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.

Details about a rule to exclude from a rule group.

Details about an override action for a rule.

Provides information about the status of the investigation into a finding.

Used to update information about the investigation into the finding.

Enums

Errors returned by AcceptAdministratorInvitation

Errors returned by AcceptInvitation

Errors returned by BatchDisableStandards

Errors returned by BatchEnableStandards

Errors returned by BatchImportFindings

Errors returned by BatchUpdateFindings

Errors returned by CreateActionTarget

Errors returned by CreateInsight

Errors returned by CreateMembers

Errors returned by DeclineInvitations

Errors returned by DeleteActionTarget

Errors returned by DeleteInsight

Errors returned by DeleteInvitations

Errors returned by DeleteMembers

Errors returned by DescribeActionTargets

Errors returned by DescribeHub

Errors returned by DescribeOrganizationConfiguration

Errors returned by DescribeProducts

Errors returned by DescribeStandardsControls

Errors returned by DescribeStandards

Errors returned by DisableImportFindingsForProduct

Errors returned by DisableOrganizationAdminAccount

Errors returned by DisableSecurityHub

Errors returned by DisassociateFromAdministratorAccount

Errors returned by DisassociateFromMasterAccount

Errors returned by DisassociateMembers

Errors returned by EnableImportFindingsForProduct

Errors returned by EnableOrganizationAdminAccount

Errors returned by EnableSecurityHub

Errors returned by GetAdministratorAccount

Errors returned by GetEnabledStandards

Errors returned by GetFindings

Errors returned by GetInsightResults

Errors returned by GetInsights

Errors returned by GetInvitationsCount

Errors returned by GetMasterAccount

Errors returned by GetMembers

Errors returned by InviteMembers

Errors returned by ListEnabledProductsForImport

Errors returned by ListInvitations

Errors returned by ListMembers

Errors returned by ListOrganizationAdminAccounts

Errors returned by ListTagsForResource

Errors returned by TagResource

Errors returned by UntagResource

Errors returned by UpdateActionTarget

Errors returned by UpdateFindings

Errors returned by UpdateInsight

Errors returned by UpdateOrganizationConfiguration

Errors returned by UpdateSecurityHubConfiguration

Errors returned by UpdateStandardsControl

Traits

Trait representing the capabilities of the AWS SecurityHub API. AWS SecurityHub clients implement this trait.