AWS Security Hub

(1)

AWS Security Hub

API Reference

API Version 2018-10-26

(2)

AWS Security Hub: API Reference

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be aﬃliated with, connected to, or sponsored by Amazon.

(3)

See Also ... 593 AwsKmsKeyDetails ... 594 Contents ... 594 See Also ... 595 AwsLambdaFunctionCode ... 596 Contents ... 596 See Also ... 596 AwsLambdaFunctionDeadLetterConfig ... 597 Contents ... 597 See Also ... 597 AwsLambdaFunctionDetails ... 598 Contents ... 598 See Also ... 600 AwsLambdaFunctionEnvironment ... 601 Contents ... 601 See Also ... 601 AwsLambdaFunctionEnvironmentError ... 602 Contents ... 602 See Also ... 602 AwsLambdaFunctionLayer ... 603 Contents ... 603 See Also ... 603 AwsLambdaFunctionTracingConfig ... 604 Contents ... 604 See Also ... 604 AwsLambdaFunctionVpcConfig ... 605 Contents ... 605 See Also ... 605 AwsLambdaLayerVersionDetails ... 606 Contents ... 606 See Also ... 606 AwsNetworkFirewallFirewallDetails ... 607 Contents ... 607 See Also ... 608 AwsNetworkFirewallFirewallPolicyDetails ... 609 Contents ... 609 See Also ... 609 AwsNetworkFirewallFirewallSubnetMappingsDetails ... 611 Contents ... 611 See Also ... 611 AwsNetworkFirewallRuleGroupDetails ... 612 Contents ... 612 See Also ... 613 AwsOpenSearchServiceDomainClusterConfigDetails ... 614 Contents ... 614 See Also ... 615 AwsOpenSearchServiceDomainClusterConfigZoneAwarenessConfigDetails ... 616 Contents ... 616 See Also ... 616 AwsOpenSearchServiceDomainDetails ... 617 Contents ... 617 See Also ... 619 AwsOpenSearchServiceDomainDomainEndpointOptionsDetails ... 620 Contents ... 620 See Also ... 620 AwsOpenSearchServiceDomainEncryptionAtRestOptionsDetails ... 622 Contents ... 622

(23)

See Also ... 622 AwsOpenSearchServiceDomainLogPublishingOption ... 623 Contents ... 623 See Also ... 623 AwsOpenSearchServiceDomainLogPublishingOptionsDetails ... 624 Contents ... 624 See Also ... 624 AwsOpenSearchServiceDomainNodeToNodeEncryptionOptionsDetails ... 625 Contents ... 625 See Also ... 625 AwsOpenSearchServiceDomainServiceSoftwareOptionsDetails ... 626 Contents ... 626 See Also ... 627 AwsOpenSearchServiceDomainVpcOptionsDetails ... 628 Contents ... 628 See Also ... 628 AwsRdsDbClusterAssociatedRole ... 629 Contents ... 629 See Also ... 629 AwsRdsDbClusterDetails ... 630 Contents ... 630 See Also ... 635 AwsRdsDbClusterMember ... 636 Contents ... 636 See Also ... 636 AwsRdsDbClusterOptionGroupMembership ... 637 Contents ... 637 See Also ... 637 AwsRdsDbClusterSnapshotDetails ... 638 Contents ... 638 See Also ... 640 AwsRdsDbDomainMembership ... 641 Contents ... 641 See Also ... 641 AwsRdsDbInstanceAssociatedRole ... 642 Contents ... 642 See Also ... 642 AwsRdsDbInstanceDetails ... 643 Contents ... 643 See Also ... 651 AwsRdsDbInstanceEndpoint ... 652 Contents ... 652 See Also ... 652 AwsRdsDbInstanceVpcSecurityGroup ... 653 Contents ... 653 See Also ... 653 AwsRdsDbOptionGroupMembership ... 654 Contents ... 654 See Also ... 654 AwsRdsDbParameterGroup ... 655 Contents ... 655 See Also ... 655 AwsRdsDbPendingModiﬁedValues ... 656 Contents ... 656 See Also ... 658 AwsRdsDbProcessorFeature ... 659 Contents ... 659

(24)

See Also ... 659 AwsRdsDbSnapshotDetails ... 660 Contents ... 660 See Also ... 664 AwsRdsDbStatusInfo ... 665 Contents ... 665 See Also ... 665 AwsRdsDbSubnetGroup ... 666 Contents ... 666 See Also ... 667 AwsRdsDbSubnetGroupSubnet ... 668 Contents ... 668 See Also ... 668 AwsRdsDbSubnetGroupSubnetAvailabilityZone ... 669 Contents ... 669 See Also ... 669 AwsRdsEventSubscriptionDetails ... 670 Contents ... 670 See Also ... 671 AwsRdsPendingCloudWatchLogsExports ... 672 Contents ... 672 See Also ... 672 AwsRedshiftClusterClusterNode ... 673 Contents ... 673 See Also ... 673 AwsRedshiftClusterClusterParameterGroup ... 674 Contents ... 674 See Also ... 674 AwsRedshiftClusterClusterParameterStatus ... 675 Contents ... 675 See Also ... 675 AwsRedshiftClusterClusterSecurityGroup ... 676 Contents ... 676 See Also ... 676 AwsRedshiftClusterClusterSnapshotCopyStatus ... 677 Contents ... 677 See Also ... 677 AwsRedshiftClusterDeferredMaintenanceWindow ... 678 Contents ... 678 See Also ... 678 AwsRedshiftClusterDetails ... 679 Contents ... 679 See Also ... 685 AwsRedshiftClusterElasticIpStatus ... 686 Contents ... 686 See Also ... 686 AwsRedshiftClusterEndpoint ... 687 Contents ... 687 See Also ... 687 AwsRedshiftClusterHsmStatus ... 688 Contents ... 688 See Also ... 688 AwsRedshiftClusterIamRole ... 689 Contents ... 689 See Also ... 689 AwsRedshiftClusterPendingModiﬁedValues ... 690 Contents ... 690

(25)

See Also ... 691 AwsRedshiftClusterResizeInfo ... 692 Contents ... 692 See Also ... 692 AwsRedshiftClusterRestoreStatus ... 693 Contents ... 693 See Also ... 694 AwsRedshiftClusterVpcSecurityGroup ... 695 Contents ... 695 See Also ... 695 AwsS3AccountPublicAccessBlockDetails ... 696 Contents ... 696 See Also ... 696 AwsS3BucketBucketLifecycleConfigurationDetails ... 697 Contents ... 697 See Also ... 697 AwsS3BucketBucketLifecycleConfigurationRulesAbortIncompleteMultipartUploadDetails ... 698 Contents ... 698 See Also ... 698 AwsS3BucketBucketLifecycleConfigurationRulesDetails ... 699 Contents ... 699 See Also ... 700 AwsS3BucketBucketLifecycleConfigurationRulesFilterDetails ... 701 Contents ... 701 See Also ... 701 AwsS3BucketBucketLifecycleConfigurationRulesFilterPredicateDetails ... 702 Contents ... 702 See Also ... 702 AwsS3BucketBucketLifecycleConfigurationRulesFilterPredicateOperandsDetails ... 703 Contents ... 703 See Also ... 703 AwsS3BucketBucketLifecycleConfigurationRulesFilterPredicateOperandsTagDetails ... 704 Contents ... 704 See Also ... 704 AwsS3BucketBucketLifecycleConfigurationRulesFilterPredicateTagDetails ... 705 Contents ... 705 See Also ... 705 AwsS3BucketBucketLifecycleConfigurationRulesNoncurrentVersionTransitionsDetails ... 706 Contents ... 706 See Also ... 706 AwsS3BucketBucketLifecycleConfigurationRulesTransitionsDetails ... 707 Contents ... 707 See Also ... 707 AwsS3BucketBucketVersioningConfiguration ... 708 Contents ... 708 See Also ... 708 AwsS3BucketDetails ... 709 Contents ... 709 See Also ... 710 AwsS3BucketLoggingConfiguration ... 711 Contents ... 711 See Also ... 711 AwsS3BucketNotificationConfiguration ... 712 Contents ... 712 See Also ... 712 AwsS3BucketNotificationConfigurationDetail ... 713 Contents ... 713

(26)

See Also ... 713 AwsS3BucketNotificationConfigurationFilter ... 714 Contents ... 714 See Also ... 714 AwsS3BucketNotificationConfigurationS3KeyFilter ... 715 Contents ... 715 See Also ... 715 AwsS3BucketNotificationConfigurationS3KeyFilterRule ... 716 Contents ... 716 See Also ... 716 AwsS3BucketServerSideEncryptionByDefault ... 717 Contents ... 717 See Also ... 717 AwsS3BucketServerSideEncryptionConfiguration ... 718 Contents ... 718 See Also ... 718 AwsS3BucketServerSideEncryptionRule ... 719 Contents ... 719 See Also ... 719 AwsS3BucketWebsiteConfiguration ... 720 Contents ... 720 See Also ... 720 AwsS3BucketWebsiteConfigurationRedirectTo ... 721 Contents ... 721 See Also ... 721 AwsS3BucketWebsiteConfigurationRoutingRule ... 722 Contents ... 722 See Also ... 722 AwsS3BucketWebsiteConfigurationRoutingRuleCondition ... 723 Contents ... 723 See Also ... 723 AwsS3BucketWebsiteConfigurationRoutingRuleRedirect ... 724 Contents ... 724 See Also ... 724 AwsS3ObjectDetails ... 726 Contents ... 726 See Also ... 727 AwsSecretsManagerSecretDetails ... 728 Contents ... 728 See Also ... 729 AwsSecretsManagerSecretRotationRules ... 730 Contents ... 730 See Also ... 730 AwsSecurityFinding ... 731 Contents ... 731 See Also ... 737 AwsSecurityFindingFilters ... 739 Contents ... 739 See Also ... 751 AwsSecurityFindingIdentifier ... 752 Contents ... 752 See Also ... 752 AwsSnsTopicDetails ... 753 Contents ... 753 See Also ... 753 AwsSnsTopicSubscription ... 754 Contents ... 754

(27)

See Also ... 754 AwsSqsQueueDetails ... 755 Contents ... 755 See Also ... 755 AwsSsmComplianceSummary ... 756 Contents ... 756 See Also ... 758 AwsSsmPatch ... 759 Contents ... 759 See Also ... 759 AwsSsmPatchComplianceDetails ... 760 Contents ... 760 See Also ... 760 AwsWafRateBasedRuleDetails ... 761 Contents ... 761 See Also ... 762 AwsWafRateBasedRuleMatchPredicate ... 763 Contents ... 763 See Also ... 763 AwsWafRegionalRateBasedRuleDetails ... 764 Contents ... 764 See Also ... 765 AwsWafRegionalRateBasedRuleMatchPredicate ... 766 Contents ... 766 See Also ... 766 AwsWafWebAclDetails ... 767 Contents ... 767 See Also ... 767 AwsWafWebAclRule ... 768 Contents ... 768 See Also ... 769 AwsXrayEncryptionConfigDetails ... 770 Contents ... 770 See Also ... 770 BatchUpdateFindingsUnprocessedFinding ... 771 Contents ... 771 See Also ... 771 BooleanFilter ... 772 Contents ... 772 See Also ... 772 Cell ... 773 Contents ... 773 See Also ... 773 CidrBlockAssociation ... 774 Contents ... 774 See Also ... 774 City ... 775 Contents ... 775 See Also ... 775 ClassificationResult ... 776 Contents ... 776 See Also ... 776 ClassificationStatus ... 778 Contents ... 778 See Also ... 778 Compliance ... 779 Contents ... 779

(28)

See Also ... 779 ContainerDetails ... 780 Contents ... 780 See Also ... 780 Country ... 781 Contents ... 781 See Also ... 781 CustomDataIdentifiersDetections ... 782 Contents ... 782 See Also ... 782 CustomDataIdentifiersResult ... 783 Contents ... 783 See Also ... 783 Cvss ... 784 Contents ... 784 See Also ... 784 DataClassificationDetails ... 786 Contents ... 786 See Also ... 786 DateFilter ... 787 Contents ... 787 See Also ... 787 DateRange ... 788 Contents ... 788 See Also ... 788 DnsRequestAction ... 789 Contents ... 789 See Also ... 789 FindingAggregator ... 790 Contents ... 790 See Also ... 790 FindingProviderFields ... 791 Contents ... 791 See Also ... 792 FindingProviderSeverity ... 793 Contents ... 793 See Also ... 793 FirewallPolicyDetails ... 794 Contents ... 794 See Also ... 794 FirewallPolicyStatefulRuleGroupReferencesDetails ... 796 Contents ... 796 See Also ... 796 FirewallPolicyStatelessCustomActionsDetails ... 797 Contents ... 797 See Also ... 797 FirewallPolicyStatelessRuleGroupReferencesDetails ... 798 Contents ... 798 See Also ... 798 GeoLocation ... 799 Contents ... 799 See Also ... 799 IcmpTypeCode ... 800 Contents ... 800 See Also ... 800 ImportFindingsError ... 801 Contents ... 801

(29)

See Also ... 801 Insight ... 802 Contents ... 802 See Also ... 802 InsightResults ... 803 Contents ... 803 See Also ... 803 InsightResultValue ... 804 Contents ... 804 See Also ... 804 Invitation ... 805 Contents ... 805 See Also ... 805 IpFilter ... 806 Contents ... 806 See Also ... 806 IpOrganizationDetails ... 807 Contents ... 807 See Also ... 807 Ipv6CidrBlockAssociation ... 808 Contents ... 808 See Also ... 808 KeywordFilter ... 809 Contents ... 809 See Also ... 809 LoadBalancerState ... 810 Contents ... 810 See Also ... 810 Malware ... 811 Contents ... 811 See Also ... 811 MapFilter ... 812 Contents ... 812 See Also ... 812 Member ... 814 Contents ... 814 See Also ... 815 Network ... 816 Contents ... 816 See Also ... 817 NetworkConnectionAction ... 819 Contents ... 819 See Also ... 819 NetworkHeader ... 821 Contents ... 821 See Also ... 821 NetworkPathComponent ... 822 Contents ... 822 See Also ... 822 NetworkPathComponentDetails ... 823 Contents ... 823 See Also ... 823 Note ... 824 Contents ... 824 See Also ... 824 NoteUpdate ... 825 Contents ... 825

(30)

See Also ... 825 NumberFilter ... 826 Contents ... 826 See Also ... 826 Occurrences ... 827 Contents ... 827 See Also ... 827 Page ... 828 Contents ... 828 See Also ... 828 PatchSummary ... 829 Contents ... 829 See Also ... 830 PortProbeAction ... 831 Contents ... 831 See Also ... 831 PortProbeDetail ... 832 Contents ... 832 See Also ... 832 PortRange ... 833 Contents ... 833 See Also ... 833 PortRangeFromTo ... 834 Contents ... 834 See Also ... 834 ProcessDetails ... 835 Contents ... 835 See Also ... 836 Product ... 837 Contents ... 837 See Also ... 838 Range ... 839 Contents ... 839 See Also ... 839 Recommendation ... 840 Contents ... 840 See Also ... 840 Record ... 841 Contents ... 841 See Also ... 841 RelatedFinding ... 842 Contents ... 842 See Also ... 842 Remediation ... 843 Contents ... 843 See Also ... 843 Resource ... 844 Contents ... 844 See Also ... 845 ResourceDetails ... 846 Contents ... 846 See Also ... 853 Result ... 854 Contents ... 854 See Also ... 854 RuleGroupDetails ... 855 Contents ... 855

(31)

See Also ... 855 RuleGroupSource ... 856 Contents ... 856 See Also ... 856 RuleGroupSourceCustomActionsDetails ... 857 Contents ... 857 See Also ... 857 RuleGroupSourceListDetails ... 858 Contents ... 858 See Also ... 858 RuleGroupSourceStatefulRulesDetails ... 859 Contents ... 859 See Also ... 859 RuleGroupSourceStatefulRulesHeaderDetails ... 860 Contents ... 860 See Also ... 861 RuleGroupSourceStatefulRulesOptionsDetails ... 862 Contents ... 862 See Also ... 862 RuleGroupSourceStatelessRuleDeﬁnition ... 863 Contents ... 863 See Also ... 863 RuleGroupSourceStatelessRuleMatchAttributes ... 864 Contents ... 864 See Also ... 864 RuleGroupSourceStatelessRuleMatchAttributesDestinationPorts ... 866 Contents ... 866 See Also ... 866 RuleGroupSourceStatelessRuleMatchAttributesDestinations ... 867 Contents ... 867 See Also ... 867 RuleGroupSourceStatelessRuleMatchAttributesSourcePorts ... 868 Contents ... 868 See Also ... 868 RuleGroupSourceStatelessRuleMatchAttributesSources ... 869 Contents ... 869 See Also ... 869 RuleGroupSourceStatelessRuleMatchAttributesTcpFlags ... 870 Contents ... 870 See Also ... 870 RuleGroupSourceStatelessRulesAndCustomActionsDetails ... 871 Contents ... 871 See Also ... 871 RuleGroupSourceStatelessRulesDetails ... 872 Contents ... 872 See Also ... 872 RuleGroupVariables ... 873 Contents ... 873 See Also ... 873 RuleGroupVariablesIpSetsDetails ... 874 Contents ... 874 See Also ... 874 RuleGroupVariablesPortSetsDetails ... 875 Contents ... 875 See Also ... 875 SensitiveDataDetections ... 876 Contents ... 876

(32)

See Also ... 876 SensitiveDataResult ... 877 Contents ... 877 See Also ... 877 Severity ... 878 Contents ... 878 See Also ... 879 SeverityUpdate ... 880 Contents ... 880 See Also ... 880 SoftwarePackage ... 882 Contents ... 882 See Also ... 883 SortCriterion ... 884 Contents ... 884 See Also ... 884 Standard ... 885 Contents ... 885 See Also ... 885 StandardsControl ... 886 Contents ... 886 See Also ... 887 StandardsStatusReason ... 888 Contents ... 888 See Also ... 888 StandardsSubscription ... 889 Contents ... 889 See Also ... 890 StandardsSubscriptionRequest ... 891 Contents ... 891 See Also ... 891 StatelessCustomActionDeﬁnition ... 892 Contents ... 892 See Also ... 892 StatelessCustomPublishMetricAction ... 893 Contents ... 893 See Also ... 893 StatelessCustomPublishMetricActionDimension ... 894 Contents ... 894 See Also ... 894 StatusReason ... 895 Contents ... 895 See Also ... 895 StringFilter ... 896 Contents ... 896 See Also ... 897 ThreatIntelIndicator ... 898 Contents ... 898 See Also ... 899 Vulnerability ... 900 Contents ... 900 See Also ... 900 VulnerabilityVendor ... 902 Contents ... 902 See Also ... 903 WafAction ... 904 Contents ... 904

(33)

See Also ... 904 WafExcludedRule ... 905 Contents ... 905 See Also ... 905 WafOverrideAction ... 906 Contents ... 906 See Also ... 906 Workﬂow ... 907 Contents ... 907 See Also ... 907 WorkﬂowUpdate ... 908 Contents ... 908 See Also ... 908 Common Parameters ... 909 Common Errors ... 911

(34)

Welcome

Security Hub provides you with a comprehensive view of the security state of your AWS environment and resources. It also provides you with the readiness status of your environment based on controls from supported security standards. Security Hub collects security data from AWS accounts, services, and integrated third-party products and helps you analyze security trends in your environment to identify the highest priority security issues. For more information about Security Hub, see the AWS Security Hub User Guide .

When you use operations in the Security Hub API, the requests are executed only in the AWS Region that is currently active or in the speciﬁc AWS Region that you specify in your request. Any conﬁguration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, execute the same command for each Region to apply the change to.

For example, if your Region is set to us-west-2, when you use CreateMembers to add a member account to Security Hub, the association of the member account with the administrator account is created only in the us-west-2 Region. Security Hub must be enabled for the member account in the same Region that the invitation was sent from.

The following throttling limits apply to using Security Hub API operations.

• BatchEnableStandards - RateLimit of 1 request per second, BurstLimit of 1 request per second.

• GetFindings - RateLimit of 3 requests per second. BurstLimit of 6 requests per second.

• UpdateFindings - RateLimit of 1 request per second. BurstLimit of 5 requests per second.

• UpdateStandardsControl - RateLimit of 1 request per second, BurstLimit of 5 requests per second.

• All other operations - RateLimit of 10 requests per second. BurstLimit of 30 requests per second.

This document was last published on March 6, 2022.

(35)

Actions

The following actions are supported:

• AcceptAdministratorInvitation (p. 4)

• AcceptInvitation (p. 6)

• BatchDisableStandards (p. 9)

• BatchEnableStandards (p. 12)

• BatchImportFindings (p. 15)

• BatchUpdateFindings (p. 61)

• CreateActionTarget (p. 66)

• CreateFindingAggregator (p. 69)

• CreateInsight (p. 72)

• CreateMembers (p. 84)

• DeclineInvitations (p. 87)

• DeleteActionTarget (p. 89)

• DeleteFindingAggregator (p. 91)

• DeleteInsight (p. 93)

• DeleteInvitations (p. 95)

• DeleteMembers (p. 98)

• DescribeActionTargets (p. 101)

• DescribeHub (p. 104)

• DescribeOrganizationConﬁguration (p. 107)

• DescribeProducts (p. 109)

• DescribeStandards (p. 112)

• DescribeStandardsControls (p. 114)

• DisableImportFindingsForProduct (p. 117)

• DisableOrganizationAdminAccount (p. 119)

• DisableSecurityHub (p. 121)

• DisassociateFromAdministratorAccount (p. 123)

• DisassociateFromMasterAccount (p. 125)

• DisassociateMembers (p. 127)

• EnableImportFindingsForProduct (p. 129)

• EnableOrganizationAdminAccount (p. 131)

• EnableSecurityHub (p. 133)

• GetAdministratorAccount (p. 136)

• GetEnabledStandards (p. 138)

• GetFindingAggregator (p. 141)

• GetFindings (p. 144)

• GetInsightResults (p. 200)

• GetInsights (p. 202)

• GetInvitationsCount (p. 214)

• GetMasterAccount (p. 216)

• GetMembers (p. 218)

(36)

• InviteMembers (p. 221)

• ListEnabledProductsForImport (p. 224)

• ListFindingAggregators (p. 226)

• ListInvitations (p. 228)

• ListMembers (p. 231)

• ListOrganizationAdminAccounts (p. 234)

• ListTagsForResource (p. 236)

• TagResource (p. 238)

• UntagResource (p. 240)

• UpdateActionTarget (p. 242)

• UpdateFindingAggregator (p. 244)

• UpdateFindings (p. 248)

• UpdateInsight (p. 260)

• UpdateOrganizationConﬁguration (p. 272)

• UpdateSecurityHubConﬁguration (p. 274)

• UpdateStandardsControl (p. 276)

(37)

AcceptAdministratorInvitation

Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from.

This operation is only used by member accounts that are not added through Organizations.

When the member account accepts the invitation, permission is granted to the administrator account to view ﬁndings generated in the member account.

Request Syntax

POST /administrator HTTP/1.1 Content-type: application/json {

"AdministratorId": "string", "InvitationId": "string"

}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

AdministratorId (p. 4)

The account ID of the Security Hub administrator account that sent the invitation.

Type: String Pattern: .*\S.*

Required: Yes InvitationId (p. 4)

The identiﬁer of the invitation sent from the Security Hub administrator account.

Required: Yes

Response Syntax

HTTP/1.1 200

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

(38)

Errors

For information about the errors that are common to all actions, see Common Errors (p. 911).

InternalException Internal server error.

HTTP Status Code: 500 InvalidAccessException

There is an issue with the account used to make the request. Either Security Hub is not enabled for the account, or the account does not have permission to perform this action.

HTTP Status Code: 401 InvalidInputException

The request was rejected because you supplied an invalid or out-of-range value for an input parameter.

HTTP Status Code: 400 LimitExceededException

The request was rejected because it attempted to create resources beyond the current AWS account or throttling limits. The error code describes the limit exceeded.

HTTP Status Code: 429 ResourceNotFoundException

The request was rejected because we can't ﬁnd the speciﬁed resource.

HTTP Status Code: 404

AcceptInvitation

This method is deprecated. Instead, use AcceptAdministratorInvitation.

The Security Hub console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that speciﬁcally control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation.

Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from.

This operation is only used by member accounts that are not added through Organizations.

When the member account accepts the invitation, permission is granted to the administrator account to view ﬁndings generated in the member account.

Request Syntax

POST /master HTTP/1.1

Content-type: application/json { "InvitationId": "string", "MasterId": "string"

}

URI Request Parameters

Request Body

InvitationId (p. 6)

The identiﬁer of the invitation sent from the Security Hub administrator account.

Required: Yes MasterId (p. 6)

The account ID of the Security Hub administrator account that sent the invitation.

Required: Yes

(40)

Response Syntax

HTTP/1.1 200

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

HTTP Status Code: 429 ResourceNotFoundException

The request was rejected because we can't ﬁnd the speciﬁed resource.

BatchDisableStandards

Disables the standards speciﬁed by the provided StandardsSubscriptionArns.

For more information, see Security Standards section of the AWS Security Hub User Guide.

Request Syntax

POST /standards/deregister HTTP/1.1 Content-type: application/json {

"StandardsSubscriptionArns": [ "string" ] }

URI Request Parameters

Request Body

StandardsSubscriptionArns (p. 9)

The ARNs of the standards subscriptions to disable.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 25 items.

Pattern: .*\S.*

Required: Yes

Response Syntax

HTTP/1.1 200

Content-type: application/json { "StandardsSubscriptions": [ {

"StandardsArn": "string", "StandardsInput": { "string" : "string"

},

"StandardsStatus": "string", "StandardsStatusReason": { "StatusReasonCode": "string"

},

"StandardsSubscriptionArn": "string"

} ]}

(43)

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

StandardsSubscriptions (p. 9)

The details of the standards subscriptions that were disabled.

Type: Array of StandardsSubscription (p. 889) objects

Errors

BatchEnableStandards

Enables the standards speciﬁed by the provided StandardsArn. To obtain the ARN for a standard, use the DescribeStandards operation.

For more information, see the Security Standards section of the AWS Security Hub User Guide.

Request Syntax

POST /standards/register HTTP/1.1 Content-type: application/json {

"StandardsSubscriptionRequests": [ {

"StandardsArn": "string", "StandardsInput": { "string" : "string"

} } ]}

URI Request Parameters

Request Body

StandardsSubscriptionRequests (p. 12) The list of standards checks to enable.

Type: Array of StandardsSubscriptionRequest (p. 891) objects

Array Members: Minimum number of 1 item. Maximum number of 25 items.

Required: Yes

Response Syntax

HTTP/1.1 200

Content-type: application/json { "StandardsSubscriptions": [ {

"StandardsArn": "string", "StandardsInput": { "string" : "string"

},

"StandardsStatus": "string", "StandardsStatusReason": { "StatusReasonCode": "string"

(46)

},

"StandardsSubscriptionArn": "string"

} ] }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

StandardsSubscriptions (p. 12)

The details of the standards subscriptions that were enabled.

Type: Array of StandardsSubscription (p. 889) objects

Errors

BatchImportFindings

Imports security findings generated by a finding provider into Security Hub. This action is requested by the finding provider to import its findings into Security Hub.

BatchImportFindings must be called by one of the following:

• The account that is associated with the findings. The identifier of the associated account is the value of the AwsAccountId attribute for the finding.

• An account that is allow-listed for an oﬃcial Security Hub partner integration.

The maximum allowed size for a ﬁnding is 240 Kb. An error is returned for any ﬁnding larger than 240 Kb.

After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.

• Note

• UserDefinedFields

• VerificationState

• Workflow

Finding providers also should not use BatchImportFindings to update the following attributes.

• Confidence

• Criticality

• RelatedFindings

• Severity

• Types

Instead, ﬁnding providers use FindingProviderFields to provide values for these attributes.

Request Syntax

POST /findings/import HTTP/1.1 Content-type: application/json { "Findings": [

{

"Action": {

"ActionType": "string", "AwsApiCallAction": { "AffectedResources": { "string" : "string"

},

"Api": "string",

"CallerType": "string", "DomainDetails": { "Domain": "string"

},

"FirstSeen": "string", "LastSeen": "string", "RemoteIpDetails": {

(49)

"City": {

"CityName": "string"

},

"Country": {

"CountryCode": "string", "CountryName": "string"

},

"GeoLocation": { "Lat": number, "Lon": number },

"IpAddressV4": "string", "Organization": { "Asn": number, "AsnOrg": "string", "Isp": "string", "Org": "string"

} },

"ServiceName": "string"

},

"DnsRequestAction": { "Blocked": boolean, "Domain": "string", "Protocol": "string"

},

"NetworkConnectionAction": { "Blocked": boolean,

"ConnectionDirection": "string", "LocalPortDetails": {

"Port": number, "PortName": "string"

},

"Protocol": "string", "RemoteIpDetails": { "City": {

"CityName": "string"

},

"Country": {

"CountryCode": "string", "CountryName": "string"

},

"GeoLocation": { "Lat": number, "Lon": number },

"IpAddressV4": "string", "Organization": { "Asn": number, "AsnOrg": "string", "Isp": "string", "Org": "string"

} },

"RemotePortDetails": { "Port": number, "PortName": "string"

} },

"PortProbeAction": { "Blocked": boolean, "PortProbeDetails": [ {

"LocalIpDetails": { "IpAddressV4": "string"

},

AWS Security Hub

AWS Security Hub

API Reference

API Version 2018-10-26

AWS Security Hub: API Reference

Table of Contents

Welcome

Actions

AcceptAdministratorInvitation

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

AcceptInvitation

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

BatchDisableStandards

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

BatchEnableStandards

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

BatchImportFindings

Request Syntax