For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
AcceptInvitation
This method is deprecated. Instead, use AcceptAdministratorInvitation.
The Security Hub console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation.
Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from.
This operation is only used by member accounts that are not added through Organizations.
When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account.
Request Syntax
POST /master HTTP/1.1
Content-type: application/json

{
   "InvitationId": "string",
   "MasterId": "string"
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
InvitationId (p. 6)
The identifier of the invitation sent from the Security Hub administrator account.
Type: String
Pattern: .*\S.*
Required: Yes
MasterId (p. 6)
The account ID of the Security Hub administrator account that sent the invitation.
Type: String
Pattern: .*\S.*
Required: Yes
Response Syntax
HTTP/1.1 200
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors
For information about the errors that are common to all actions, see Common Errors (p. 911).
InternalException
Internal server error.
HTTP Status Code: 500
InvalidAccessException
There is an issue with the account used to make the request. Either Security Hub is not enabled for the account, or the account does not have permission to perform this action.
HTTP Status Code: 401
InvalidInputException
The request was rejected because you supplied an invalid or out-of-range value for an input parameter.
HTTP Status Code: 400
LimitExceededException
The request was rejected because it attempted to create resources beyond the current AWS account or throttling limits. The error code describes the limit exceeded.
HTTP Status Code: 429
ResourceNotFoundException
The request was rejected because we can't find the specified resource.
HTTP Status Code: 404
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
BatchDisableStandards
Disables the standards specified by the provided StandardsSubscriptionArns.
For more information, see the Security Standards section of the AWS Security Hub User Guide.
Request Syntax
POST /standards/deregister HTTP/1.1
Content-type: application/json

{
   "StandardsSubscriptionArns": [ "string" ]
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
StandardsSubscriptionArns (p. 9)
The ARNs of the standards subscriptions to disable.
Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 25 items.
Pattern: .*\S.*
Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json

{
   "StandardsSubscriptions": [
      {
         "StandardsArn": "string",
         "StandardsInput": {
            "string" : "string"
         },
         "StandardsStatus": "string",
         "StandardsStatusReason": {
            "StatusReasonCode": "string"
         },
         "StandardsSubscriptionArn": "string"
      }
   ]
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
StandardsSubscriptions (p. 9)
The details of the standards subscriptions that were disabled.
Type: Array of StandardsSubscription (p. 889) objects
Errors
For information about the errors that are common to all actions, see Common Errors (p. 911).
InternalException
Internal server error.
HTTP Status Code: 500
InvalidAccessException
There is an issue with the account used to make the request. Either Security Hub is not enabled for the account, or the account does not have permission to perform this action.
HTTP Status Code: 401
InvalidInputException
The request was rejected because you supplied an invalid or out-of-range value for an input parameter.
HTTP Status Code: 400
LimitExceededException
The request was rejected because it attempted to create resources beyond the current AWS account or throttling limits. The error code describes the limit exceeded.
HTTP Status Code: 429
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
BatchEnableStandards
Enables the standards specified by the provided StandardsArn. To obtain the ARN for a standard, use the DescribeStandards operation.
For more information, see the Security Standards section of the AWS Security Hub User Guide.
Request Syntax
POST /standards/register HTTP/1.1
Content-type: application/json

{
   "StandardsSubscriptionRequests": [
      {
         "StandardsArn": "string",
         "StandardsInput": {
            "string" : "string"
         }
      }
   ]
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
StandardsSubscriptionRequests (p. 12)
The list of standards checks to enable.
Type: Array of StandardsSubscriptionRequest (p. 891) objects
Array Members: Minimum number of 1 item. Maximum number of 25 items.
Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json

{
   "StandardsSubscriptions": [
      {
         "StandardsArn": "string",
         "StandardsInput": {
            "string" : "string"
         },
         "StandardsStatus": "string",
         "StandardsStatusReason": {
            "StatusReasonCode": "string"
         },
         "StandardsSubscriptionArn": "string"
      }
   ]
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
StandardsSubscriptions (p. 12)
The details of the standards subscriptions that were enabled.
Type: Array of StandardsSubscription (p. 889) objects
Errors
For information about the errors that are common to all actions, see Common Errors (p. 911).
InternalException
Internal server error.
HTTP Status Code: 500
InvalidAccessException
There is an issue with the account used to make the request. Either Security Hub is not enabled for the account, or the account does not have permission to perform this action.
HTTP Status Code: 401
InvalidInputException
The request was rejected because you supplied an invalid or out-of-range value for an input parameter.
HTTP Status Code: 400
LimitExceededException
The request was rejected because it attempted to create resources beyond the current AWS account or throttling limits. The error code describes the limit exceeded.
HTTP Status Code: 429
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
BatchImportFindings
Imports security findings generated by a finding provider into Security Hub. This action is requested by the finding provider to import its findings into Security Hub.
BatchImportFindings must be called by one of the following:
• The account that is associated with the findings. The identifier of the associated account is the value of the AwsAccountId attribute for the finding.
• An account that is allow-listed for an official Security Hub partner integration.
The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb.
After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.
• Note
• UserDefinedFields
• VerificationState
• Workflow
Finding providers also should not use BatchImportFindings to update the following attributes.
• Confidence
• Criticality
• RelatedFindings
• Severity
• Types
Instead, finding providers use FindingProviderFields to provide values for these attributes.
Request Syntax
POST /findings/import HTTP/1.1
Content-type: application/json

{
   "Findings": [
{
"Action": {
"ActionType": "string", "AwsApiCallAction": { "AffectedResources": { "string" : "string"
},
"Api": "string",
"CallerType": "string", "DomainDetails": { "Domain": "string"
},
"FirstSeen": "string", "LastSeen": "string", "RemoteIpDetails": {
"City": {
"LocalPortDetails": {
"Path": "string",
}
"ColumnName": "string",
],
"DeploymentId": "string",
"DetailedMetricsEnabled": boolean,
"VolumeSize": number,
"NotAfter": "string",
"Items": [
"RegistryCredential": {
"ReadCapacityUnits": number,
"SseType": "string",
"IsDefault": boolean,
"VpcId": "string",
"DeleteOnTermination": boolean,
"PreSharedKey": "string",
"S3EncryptionEnabled": boolean,
],
"Timeout": number
{
"TaskRoleArn": "string",
],
"AutomatedUpdateDate": "string",
"Enabled": boolean
"SessionIssuer": {
"AssumeRolePolicyDocument": "string",
"Environment": {
"ActionDefinition": {
},
"InstanceCount": number,
"Status": "string"
"DbClusterIdentifier": "string",
"IamRoleName": "string",
{
"CustSubscriptionId": "string",
"ElasticResizeNumberOfNodeOptions": "string",
"BlockPublicAcls": boolean,
"S3KeyFilter": {
"SSEKMSKeyId": "string",
"RateKey": "string",
"Sample": boolean,
"Status": "string"
},
"WorkflowState": "string"
} ]}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
Findings (p. 15)
A list of findings to import. To successfully import a finding, it must follow the AWS Security Finding Format. Maximum of 100 findings per request.
Type: Array of AwsSecurityFinding (p. 731) objects
Array Members: Minimum number of 1 item. Maximum number of 100 items.
Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json

{
   "FailedCount": number,
   "FailedFindings": [
      {
         "ErrorCode": "string",
         "ErrorMessage": "string",
         "Id": "string"
      }
   ],
   "SuccessCount": number
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
FailedCount (p. 59)
The number of findings that failed to import.
Type: Integer
FailedFindings (p. 59)
The list of findings that failed to import.
Type: Array of ImportFindingsError (p. 801) objects
SuccessCount (p. 59)
The number of findings that were successfully imported.
Type: Integer
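The following is an added example, not part of the AWS reference or any AWS SDK: a provider-side pre-flight for BatchImportFindings that applies the limits above (240 Kb per finding, 100 findings per request), flags changes the operation cannot or should not carry, and reads per-finding failures out of a 200 response. The function names, the sample findings, the sample ErrorCode value, and the reading of "240 Kb" as 240 KiB of serialized JSON are assumptions.

```python
import json

MAX_FINDING_BYTES = 240 * 1024  # assumption: "240 Kb" read as 240 KiB of serialized JSON
MAX_PER_REQUEST = 100           # "Maximum of 100 findings per request"
# Fields BatchImportFindings cannot update after the finding is created.
CUSTOMER_OWNED = ("Note", "UserDefinedFields", "VerificationState", "Workflow")
# Attributes a provider should change through FindingProviderFields instead.
VIA_PROVIDER_FIELDS = ("Confidence", "Criticality", "RelatedFindings", "Severity", "Types")


def reimport_warnings(previous, updated):
    """Compare an imported finding with its proposed re-import; list misplaced changes."""
    warnings = []
    for field in CUSTOMER_OWNED:
        if field in updated and updated[field] != previous.get(field):
            warnings.append(f"{field}: customer-managed, BatchImportFindings cannot update it")
    for field in VIA_PROVIDER_FIELDS:
        if field in updated and updated[field] != previous.get(field):
            warnings.append(f"{field}: set FindingProviderFields.{field} instead")
    return warnings


def finding_size(finding):
    """Size in bytes of the finding as compact UTF-8 JSON."""
    return len(json.dumps(finding, separators=(",", ":")).encode("utf-8"))


def build_batches(findings):
    """Return (batches of at most 100 findings, Ids of findings over the size limit)."""
    accepted, oversized = [], []
    for finding in findings:
        if finding_size(finding) > MAX_FINDING_BYTES:
            oversized.append(finding.get("Id"))
        else:
            accepted.append(finding)
    batches = [accepted[i:i + MAX_PER_REQUEST]
               for i in range(0, len(accepted), MAX_PER_REQUEST)]
    return batches, oversized


def failed_ids(response):
    """Map Id -> ErrorCode for findings the service rejected despite the HTTP 200."""
    return {e["Id"]: e["ErrorCode"] for e in response.get("FailedFindings", [])}


if __name__ == "__main__":
    # Constructed sample data, not real findings.
    old = {"Id": "f-1", "Severity": {"Label": "LOW"}, "Workflow": {"Status": "NEW"}}
    new = {"Id": "f-1", "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "RESOLVED"}}
    print(reimport_warnings(old, new))
    sample = [{"Id": f"f-{n}", "Title": "constructed"} for n in range(250)]
    sample.append({"Id": "big", "Description": "x" * (241 * 1024)})
    batches, oversized = build_batches(sample)
    print([len(b) for b in batches], oversized)
    print(failed_ids({"FailedCount": 1, "SuccessCount": 99, "FailedFindings": [
        {"Id": "f-7", "ErrorCode": "InvalidInput", "ErrorMessage": "constructed"}]}))
```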
Errors
For information about the errors that are common to all actions, see Common Errors (p. 911).
InternalException
Internal server error.
HTTP Status Code: 500
InvalidAccessException
There is an issue with the account used to make the request. Either Security Hub is not enabled for the account, or the account does not have permission to perform this action.
HTTP Status Code: 401
InvalidInputException
The request was rejected because you supplied an invalid or out-of-range value for an input parameter.
HTTP Status Code: 400
LimitExceededException
The request was rejected because it attempted to create resources beyond the current AWS account or throttling limits. The error code describes the limit exceeded.
HTTP Status Code: 429
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
BatchUpdateFindings
Used by Security Hub customers to update information about their investigation into a finding.
Requested by administrator accounts or member accounts. Administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their account.
Updates from BatchUpdateFindings do not affect the value of UpdatedAt for a finding.
Administrator and member accounts can use BatchUpdateFindings to update the following finding fields and objects.
• Confidence
• Criticality
• Note
• RelatedFindings
• Severity
• Types
• UserDefinedFields
• VerificationState
• Workflow
You can configure IAM policies to restrict access to fields and field values. For example, you might not want member accounts to be able to suppress findings or change the finding severity. See Configuring access to BatchUpdateFindings in the AWS Security Hub User Guide.
Request Syntax
PATCH /findings/batchupdate HTTP/1.1
Content-type: application/json

{
   "Confidence": number,
   "Criticality": number,
   "FindingIdentifiers": [
      {
         "Id": "string",
         "ProductArn": "string"
      }
   ],
   "Note": {
      "Text": "string",
      "UpdatedBy": "string"
   },
   "RelatedFindings": [
      {
         "Id": "string",
         "ProductArn": "string"
      }
   ],
   "Severity": {
      "Label": "string",
      "Normalized": number,
      "Product": number
   },
   "Types": [ "string" ],
   "UserDefinedFields": {
      "string" : "string"
   },
   "VerificationState": "string",
   "Workflow": {
      "Status": "string"
   }
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
Confidence (p. 61)
The updated value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
Type: Integer
Valid Range: Minimum value of 0. Maximum value of 100.
Required: No
Criticality (p. 61)
The updated value for the level of importance assigned to the resources associated with the findings.
A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
Type: Integer
Valid Range: Minimum value of 0. Maximum value of 100.
Required: No
FindingIdentifiers (p. 61)
The list of findings to update. BatchUpdateFindings can be used to update up to 100 findings at a time.
For each finding, the list provides the finding identifier and the ARN of the finding provider.
Type: Array of AwsSecurityFindingIdentifier (p. 752) objects
Required: Yes
Note (p. 61)
The updated note.
Type: NoteUpdate (p. 825) object
Required: No
RelatedFindings (p. 61)
A list of findings that are related to the updated findings.
Type: Array of RelatedFinding (p. 842) objects
Required: No
Severity (p. 61)
Used to update the finding severity.
Type: SeverityUpdate (p. 880) object
Required: No
Types (p. 61)
One or more finding types in the format of namespace/category/classifier that classify a finding.
Valid namespace values are as follows.
• Software and Configuration Checks
• TTPs
• Effects
• Unusual Behaviors
• Sensitive Data Identifications
Type: Array of strings
Pattern: .*\S.*
Required: No
UserDefinedFields (p. 61)
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
Type: String to string map
Key Pattern: .*\S.*
Value Pattern: .*\S.*
Required: No
VerificationState (p. 61)
Indicates the veracity of a finding.
The available values for VerificationState are as follows.
• UNKNOWN – The default disposition of a security finding
• TRUE_POSITIVE – The security finding is confirmed
• FALSE_POSITIVE – The security finding was determined to be a false alarm
• BENIGN_POSITIVE – A special case of TRUE_POSITIVE where the finding doesn't pose any threat, is expected, or both
Type: String
Valid Values: UNKNOWN | TRUE_POSITIVE | FALSE_POSITIVE | BENIGN_POSITIVE
Required: No
Workflow (p. 61)
Used to update the workflow status of a finding.
The workflow status indicates the progress of the investigation into the finding.
Type: WorkflowUpdate (p. 908) object
Required: No
Response Syntax
HTTP/1.1 200
Content-type: application/json

{
   "ProcessedFindings": [
      {
         "Id": "string",
         "ProductArn": "string"
      }
   ],
   "UnprocessedFindings": [
      {
         "ErrorCode": "string",
         "ErrorMessage": "string",
         "FindingIdentifier": {
            "Id": "string",
            "ProductArn": "string"
         }
      }
   ]
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
ProcessedFindings (p. 64)
The list of findings that were updated successfully.
Type: Array of AwsSecurityFindingIdentifier (p. 752) objects
UnprocessedFindings (p. 64)
The list of findings that were not updated.
Type: Array of BatchUpdateFindingsUnprocessedFinding (p. 771) objects
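The following is an added example, not part of the AWS reference or any AWS SDK: a client-side check of a BatchUpdateFindings request body against the constraints listed under Request Body, plus a helper that reads UnprocessedFindings so that a 200 response is not taken as full success. The function names, the sample ARN and the sample ErrorCode value are constructed, and the lower bound of one finding identifier is assumed from the parameter being required.

```python
import re

VERIFICATION_STATES = {"UNKNOWN", "TRUE_POSITIVE", "FALSE_POSITIVE", "BENIGN_POSITIVE"}
TYPE_NAMESPACES = {
    "Software and Configuration Checks", "TTPs", "Effects",
    "Unusual Behaviors", "Sensitive Data Identifications",
}
NON_BLANK = re.compile(r"\S")  # the reference pattern .*\S.* means "not all whitespace"


def validate_update(req):
    """Return a list of problems in a BatchUpdateFindings request body (empty if none)."""
    problems = []
    ids = req.get("FindingIdentifiers")
    if not isinstance(ids, list) or not 1 <= len(ids) <= 100:
        problems.append("FindingIdentifiers: required, 1 to 100 entries")
    else:
        for i, ident in enumerate(ids):
            for key in ("Id", "ProductArn"):
                if not NON_BLANK.search(str(ident.get(key, ""))):
                    problems.append(f"FindingIdentifiers[{i}].{key}: missing or blank")
    for field in ("Confidence", "Criticality"):
        if field in req:
            v = req[field]
            if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= 100:
                problems.append(f"{field}: must be an integer from 0 to 100")
    if "VerificationState" in req and req["VerificationState"] not in VERIFICATION_STATES:
        problems.append("VerificationState: not a valid value")
    for t in req.get("Types", []):
        if t.split("/")[0] not in TYPE_NAMESPACES:
            problems.append(f"Types: unknown namespace in {t!r}")
    for k, v in req.get("UserDefinedFields", {}).items():
        if not (isinstance(v, str) and NON_BLANK.search(k) and NON_BLANK.search(v)):
            problems.append(f"UserDefinedFields: blank key or value at {k!r}")
    return problems


def unprocessed(response):
    """List (Id, ErrorCode) for findings that were not updated despite the HTTP 200."""
    return [(u["FindingIdentifier"]["Id"], u["ErrorCode"])
            for u in response.get("UnprocessedFindings", [])]


if __name__ == "__main__":
    # Constructed request and response; the ARN and ErrorCode are sample values.
    arn = "arn:aws:securityhub:us-east-1:111122223333:product/111122223333/default"
    bad = {"FindingIdentifiers": [{"Id": "finding-1", "ProductArn": " "}],
           "Confidence": 120, "VerificationState": "CONFIRMED",
           "Types": ["TTPs/Discovery", "Malware/Trojan"],
           "UserDefinedFields": {"ticket": ""}}
    for problem in validate_update(bad):
        print(problem)
    print(unprocessed({"ProcessedFindings": [], "UnprocessedFindings": [
        {"ErrorCode": "FindingNotFound", "ErrorMessage": "constructed",
         "FindingIdentifier": {"Id": "finding-1", "ProductArn": arn}}]}))
```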
Errors
For information about the errors that are common to all actions, see Common Errors (p. 911).
InternalException
Internal server error.
HTTP Status Code: 500
InvalidAccessException
There is an issue with the account used to make the request. Either Security Hub is not enabled for the account, or the account does not have permission to perform this action.
HTTP Status Code: 401
InvalidInputException
The request was rejected because you supplied an invalid or out-of-range value for an input parameter.
HTTP Status Code: 400
LimitExceededException
The request was rejected because it attempted to create resources beyond the current AWS account or throttling limits. The error code describes the limit exceeded.
HTTP Status Code: 429
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
CreateActionTarget
Creates a custom action target in Security Hub.
You can use custom actions on findings and insights in Security Hub to trigger target actions in Amazon CloudWatch Events.
Request Syntax
POST /actionTargets HTTP/1.1
Content-type: application/json

{
   "Description": "string",
   "Id": "string",
   "Name": "string"
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
Description (p. 66)
The description for the custom action target.
Type: String
Pattern: .*\S.*
Required: Yes
Id (p. 66)
The ID for the custom action target. Can contain up to 20 alphanumeric characters.
Type: String
Pattern: .*\S.*
Required: Yes
Name (p. 66)
The name of the custom action target. Can contain up to 20 characters.
Type: String
Pattern: .*\S.*
Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json

{
   "ActionTargetArn": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
ActionTargetArn (p. 66)
The ARN for the custom action target.
Type: String
Pattern: .*\S.*
Errors
For information about the errors that are common to all actions, see Common Errors (p. 911).
InternalException
Internal server error.
HTTP Status Code: 500
InvalidAccessException
There is an issue with the account used to make the request. Either Security Hub is not enabled for the account, or the account does not have permission to perform this action.
HTTP Status Code: 401
InvalidInputException
The request was rejected because you supplied an invalid or out-of-range value for an input parameter.
HTTP Status Code: 400
LimitExceededException
The request was rejected because it attempted to create resources beyond the current AWS account or throttling limits. The error code describes the limit exceeded.
HTTP Status Code: 429
ResourceConflictException
The resource specified in the request conflicts with an existing resource.
HTTP Status Code: 409
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
CreateFindingAggregator
Used to enable finding aggregation. Must be called from the aggregation Region.
For more details about cross-Region replication, see Configuring finding aggregation in the AWS Security Hub User Guide.
Request Syntax
POST /findingAggregator/create HTTP/1.1
Content-type: application/json

{
   "RegionLinkingMode": "string",
   "Regions": [ "string" ]
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
RegionLinkingMode (p. 69)
Indicates whether to aggregate findings from all of the available Regions in the current partition.
Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them.
The selected option also determines how to use the Regions provided in the Regions list.
The options are as follows:
• ALL_REGIONS - Indicates to aggregate findings from all of the Regions where Security Hub is enabled. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them.
• ALL_REGIONS_EXCEPT_SPECIFIED - Indicates to aggregate findings from all of the Regions where Security Hub is enabled, except for the Regions listed in the Regions parameter. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them.
• SPECIFIED_REGIONS - Indicates to aggregate findings only from the Regions listed in the Regions parameter. Security Hub does not automatically aggregate findings from new Regions.
Type: String
Pattern: .*\S.*
Required: Yes
Regions (p. 69)
If RegionLinkingMode is ALL_REGIONS_EXCEPT_SPECIFIED, then this is a comma-separated list of Regions that do not aggregate findings to the aggregation Region.
If RegionLinkingMode is SPECIFIED_REGIONS, then this is a comma-separated list of Regions that do aggregate findings to the aggregation Region.
Type: Array of strings
Pattern: .*\S.*
Required: No
Response Syntax
HTTP/1.1 200
Content-type: application/json

{
   "FindingAggregationRegion": "string",
   "FindingAggregatorArn": "string",
   "RegionLinkingMode": "string",
   "Regions": [ "string" ]
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.