Security Hub examples using Amazon CLI
The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Security Hub.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios and cross-service examples.
Scenarios are code examples that show you how to accomplish a specific task by calling multiple functions within the same service.
Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.
Topics
Actions
The following code example shows how to use accept-administrator-invitation.
- Amazon CLI
-
To accept an invitation from an administrator account
The following
accept-administrator-invitationexample accepts the specified invitation from the specified administrator account.aws securityhub accept-invitation \ --administrator-id123456789012\ --invitation-id7ab938c5d52d7904ad09f9e7c20cc4ebThis command produces no output.
For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see AcceptAdministratorInvitation
in Amazon CLI Command Reference.
-
The following code example shows how to use accept-invitation.
- Amazon CLI
-
To accept an invitation from an administrator account
The following
accept-invitationexample accepts the specified invitation from the specified administrator account.aws securityhub accept-invitation \ --master-id123456789012\ --invitation-id7ab938c5d52d7904ad09f9e7c20cc4ebThis command produces no output.
For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see AcceptInvitation
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-delete-automation-rules.
- Amazon CLI
-
To delete automation rules
The following
batch-delete-automation-rulesexample deletes the specified automation rule. You can delete one or more rules with a single command. Only the Security Hub administrator account can run this command.aws securityhub batch-delete-automation-rules \ --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'Output:
{ "ProcessedAutomationRules": [ "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" ], "UnprocessedAutomationRules": [] }For more information, see Deleting automation rules
in the Amazon Security Hub User Guide. -
For API details, see BatchDeleteAutomationRules
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-disable-standards.
- Amazon CLI
-
To disable a standard
The following
batch-disable-standardsexample disables the standard associated with the specified subscription ARN.aws securityhub batch-disable-standards \ --standards-subscription-arns"arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"Output:
{ "StandardsSubscriptions": [ { "StandardsArn": "arn:aws:securityhub:eu-central-1::standards/pci-dss/v/3.2.1", "StandardsInput": { }, "StandardsStatus": "DELETING", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" } ] }For more information, see Disabling or enabling a security standard
in the Amazon Security Hub User Guide. -
For API details, see BatchDisableStandards
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-enable-standards.
- Amazon CLI
-
To enable a standard
The following
batch-enable-standardsexample enables the PCI DSS standard for the requesting account.aws securityhub batch-enable-standards \ --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1"}'Output:
{ "StandardsSubscriptions": [ { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", "StandardsInput": { }, "StandardsStatus": "PENDING", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" } ] }For more information, see Disabling or enabling a security standard
in the Amazon Security Hub User Guide. -
For API details, see BatchEnableStandards
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-get-automation-rules.
- Amazon CLI
-
To get details for automation rules
The following
batch-get-automation-rulesexample gets details for the specified automation rule. You can get details for one or more automation rules with a single command.aws securityhub batch-get-automation-rules \ --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]'Output:
{ "Rules": [ { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "Suppress informational findings", "Description": "Suppress GuardDuty findings with Informational severity", "IsTerminal": false, "Criteria": { "ProductName": [ { "Value": "GuardDuty", "Comparison": "EQUALS" } ], "SeverityLabel": [ { "Value": "INFORMATIONAL", "Comparison": "EQUALS" } ], "WorkflowStatus": [ { "Value": "NEW", "Comparison": "EQUALS" } ], "RecordState": [ { "Value": "ACTIVE", "Comparison": "EQUALS" } ] }, "Actions": [ { "Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": { "Note": { "Text": "Automatically suppress GuardDuty findings with Informational severity", "UpdatedBy": "sechub-automation" }, "Workflow": { "Status": "SUPPRESSED" } } } ], "CreatedAt": "2023-05-31T17:56:14.837000+00:00", "UpdatedAt": "2023-05-31T17:59:38.466000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" } ], "UnprocessedAutomationRules": [] }For more information, see Viewing automation rules
in the Amazon Security Hub User Guide. -
For API details, see BatchGetAutomationRules
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-get-configuration-policy-associations.
- Amazon CLI
-
To get configuration association details for a batch of targets
The following
batch-get-configuration-policy-associationsexample retrieves association details for the specified targets. You can provide account IDs, organizational unit IDs, or the root ID for the target.aws securityhub batch-get-configuration-policy-associations \ --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'Output:
{ "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:13:01.816000+00:00", "AssociationStatus": "SUCCESS", "AssociationStatusMessage": "Association applied successfully on this target." }For more information, see Viewing Security Hub configuration policies
in the Amazon Security Hub User Guide. -
For API details, see BatchGetConfigurationPolicyAssociations
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-get-security-controls.
- Amazon CLI
-
To get security control details
The following
batch-get-security-controlsexample gets details for the security controls ACM.1 and IAM.1 in the current Amazon account and Amazon Region.aws securityhub batch-get-security-controls \ --security-control-ids '["ACM.1", "IAM.1"]'Output:
{ "SecurityControls": [ { "SecurityControlId": "ACM.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/ACM.1", "Title": "Imported and ACM-issued certificates should be renewed after a specified time period", "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation", "SeverityRating": "MEDIUM", "SecurityControlStatus": "ENABLED" "UpdateStatus": "READY", "Parameters": { "daysToExpiration": { "ValueType": CUSTOM, "Value": { "Integer": 15 } } }, "LastUpdateReason": "Updated control parameter" }, { "SecurityControlId": "IAM.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/IAM.1", "Title": "IAM policies should not allow full \"*\" administrative privileges", "Description": "This AWS control checks whether the default version of AWS Identity and Access Management (IAM) policies (also known as customer managed policies) do not have administrator access with a statement that has \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\". It only checks for the Customer Managed Policies that you created, but not inline and AWS Managed Policies.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/IAM.1/remediation", "SeverityRating": "HIGH", "SecurityControlStatus": "ENABLED" "UpdateStatus": "READY", "Parameters": {} } ] }For more information, see Viewing details for a control
in the Amazon Security Hub User Guide. -
For API details, see BatchGetSecurityControls
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-get-standards-control-associations.
- Amazon CLI
-
To get the enablement status of a control
The following
batch-get-standards-control-associationsexample identifies whether the specified controls are enabled in the specified standards.aws securityhub batch-get-standards-control-associations \ --standards-control-association-ids '[{"SecurityControlId": "Config.1","StandardsArn": "arn:aws:securityhub:us-east-1:123456789012:ruleset/cis-aws-foundations-benchmark/v/1.2.0"}, {"SecurityControlId": "IAM.6","StandardsArn": "arn:aws:securityhub:us-east-1:123456789012:standards/aws-foundational-security-best-practices/v/1.0.0"}]'Output:
{ "StandardsControlAssociationDetails": [ { "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "SecurityControlId": "Config.1", "SecurityControlArn": "arn:aws:securityhub:us-east-1:068873283051:security-control/Config.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "CIS AWS Foundations 2.5" ], "UpdatedAt": "2022-10-27T16:07:12.960000+00:00", "StandardsControlTitle": "Ensure AWS Config is enabled", "StandardsControlDescription": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), and any configuration changes between resources. It is recommended to enable AWS Config in all regions.", "StandardsControlArns": [ "arn:aws:securityhub:us-east-1:068873283051:control/cis-aws-foundations-benchmark/v/1.2.0/2.5" ] }, { "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "SecurityControlId": "IAM.6", "SecurityControlArn": "arn:aws:securityhub:us-east-1:068873283051:security-control/IAM.6", "AssociationStatus": "DISABLED", "RelatedRequirements": [], "UpdatedAt": "2022-11-22T21:30:35.080000+00:00", "UpdatedReason": "test", "StandardsControlTitle": "Hardware MFA should be enabled for the root user", "StandardsControlDescription": "This AWS control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials.", "StandardsControlArns": [ "arn:aws:securityhub:us-east-1:068873283051:control/aws-foundational-security-best-practices/v/1.0.0/IAM.6" ] } ] }For more information, see Enabling and disabling controls in specific standards
in the Amazon Security Hub User Guide. -
For API details, see BatchGetStandardsControlAssociations
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-import-findings.
- Amazon CLI
-
To update a finding
The following
batch-import-findingsexample updates a finding.aws securityhub batch-import-findings \ --findings '[{ "AwsAccountId": "123456789012", "CreatedAt": "2020-05-27T17:05:54.832Z", "Description": "Vulnerability in a CloudTrail trail", "FindingProviderFields": { "Severity": { "Label": "LOW", "Original": "10" }, "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ] }, "GeneratorId": "TestGeneratorId", "Id": "Id1", "ProductArn": "arn:aws:securityhub:us-west-1:123456789012:product/123456789012/default", "Resources": [ { "Id": "arn:aws:cloudtrail:us-west-1:123456789012:trail/TrailName", "Partition": "aws", "Region": "us-west-1", "Type": "AwsCloudTrailTrail" } ], "SchemaVersion": "2018-10-08", "Title": "CloudTrail trail vulnerability", "UpdatedAt": "2020-06-02T16:05:54.832Z" }]'Output:
{ "FailedCount": 0, "SuccessCount": 1, "FailedFindings": [] }For more information, see Using BatchImportFindings to create and update findings
in the Amazon Security Hub User Guide. -
For API details, see BatchImportFindings
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-update-automation-rules.
- Amazon CLI
-
To update automation rules
The following
batch-update-automation-rulesexample updates the specified automation rule. You can update one or more rules with a single command. Only the Security Hub administrator account can run this command.aws securityhub batch-update-automation-rules \ --update-automation-rules-request-items '[ \ { \ "Actions": [{ \ "Type": "FINDING_FIELDS_UPDATE", \ "FindingFieldsUpdate": { \ "Note": { \ "Text": "Known issue that is a risk", \ "UpdatedBy": "sechub-automation" \ }, \ "Workflow": { \ "Status": "NEW" \ } \ } \ }], \ "Criteria": { \ "SeverityLabel": [{ \ "Value": "LOW", \ "Comparison": "EQUALS" \ }] \ }, \ "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", \ "RuleOrder": 1, \ "RuleStatus": "DISABLED" \ } \ ]'Output:
{ "ProcessedAutomationRules": [ "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" ], "UnprocessedAutomationRules": [] }For more information, see Editing automation rules
in the Amazon Security Hub User Guide. -
For API details, see BatchUpdateAutomationRules
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-update-findings.
- Amazon CLI
-
Example 1: To update a finding
The following
batch-update-findingsexample updates two findings to add a note, change the severity label, and resolve it.aws securityhub batch-update-findings \ --finding-identifiers '[{"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}, {"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub"}]' \ --note '{"Text": "Known issue that is not a risk.", "UpdatedBy": "user1"}' \ --severity '{"Label": "LOW"}' \ --workflow '{"Status": "RESOLVED"}'Output:
{ "ProcessedFindings": [ { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" }, { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" } ], "UnprocessedFindings": [] }For more information, see Using BatchUpdateFindings to update a finding
in the Amazon Security Hub User Guide. Example 2: To update a finding using shorthand syntax
The following
batch-update-findingsexample updates two findings to add a note, change the severity label, and resolve it using shorthand syntax.aws securityhub batch-update-findings \ --finding-identifiers Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" Id="arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",ProductArn="arn:aws:securityhub:us-west-1::product/aws/securityhub" \ --note Text="Known issue that is not a risk.",UpdatedBy="user1" \ --severity Label="LOW" \ --workflow Status="RESOLVED"Output:
{ "ProcessedFindings": [ { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" }, { "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub" } ], "UnprocessedFindings": [] }For more information, see Using BatchUpdateFindings to update a finding
in the Amazon Security Hub User Guide. -
For API details, see BatchUpdateFindings
in Amazon CLI Command Reference.
-
The following code example shows how to use batch-update-standards-control-associations.
- Amazon CLI
-
To update the enablement status of a control in enabled standards
The following
batch-update-standards-control-associationsexample disables CloudTrail.1 in the specified standards.aws securityhub batch-update-standards-control-associations \ --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'This command produces no output when successful.
For more information, see Enabling and disabling controls in specific standards
and Enabling and disabling controls in all standards in the Amazon Security Hub User Guide. -
For API details, see BatchUpdateStandardsControlAssociations
in Amazon CLI Command Reference.
-
The following code example shows how to use create-action-target.
- Amazon CLI
-
To create a custom action
The following
create-action-targetexample creates a custom action. It provides the name, description, and identifier for the action.aws securityhub create-action-target \ --name"Send to remediation"\ --description"Action to send the finding for remediation tracking"\ --id"Remediation"Output:
{ "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" }For more information, see Creating a custom action and associating it with a CloudWatch Events rule
in the Amazon Security Hub User Guide. -
For API details, see CreateActionTarget
in Amazon CLI Command Reference.
-
The following code example shows how to use create-automation-rule.
- Amazon CLI
-
To create an automation rule
The following
create-automation-ruleexample creates an automation rule in the current Amazon account and Amazon Region. Security Hub filters your findings based on the specified criteria and applies the actions to matching findings. Only the Security Hub administrator account can run this command.aws securityhub create-automation-rule \ --actions '[{ \ "Type": "FINDING_FIELDS_UPDATE", \ "FindingFieldsUpdate": { \ "Severity": { \ "Label": "HIGH" \ }, \ "Note": { \ "Text": "Known issue that is a risk. Updated by automation rules", \ "UpdatedBy": "sechub-automation" \ } \ } \ }]' \ --criteria '{ \ "SeverityLabel": [{ \ "Value": "INFORMATIONAL", \ "Comparison": "EQUALS" \ }] \ }' \ --description"A sample rule"\ --no-is-terminal \ --rule-name"sample rule"\ --rule-order1\ --rule-status"ENABLED"Output:
{ "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }For more information, see Creating automation rules
in the Amazon Security Hub User Guide. -
For API details, see CreateAutomationRule
in Amazon CLI Command Reference.
-
The following code example shows how to use create-configuration-policy.
- Amazon CLI
-
To create a configuration policy
The following
create-configuration-policyexample creates a configuration policy with the specified settings.aws securityhub create-configuration-policy \ --name"SampleConfigurationPolicy"\ --description"SampleDescription"\ --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}' \ --tags '{"Environment": "Prod"}'Output:
{ "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "SampleConfigurationPolicy", "Description": "SampleDescription", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "CreatedAt": "2023-11-28T20:28:04.494000+00:00", "ConfigurationPolicy": { "SecurityHub": { "ServiceEnabled": true, "EnabledStandardIdentifiers": [ "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" ], "SecurityControlsConfiguration": { "DisabledSecurityControlIdentifiers": [ "CloudTrail.2" ], "SecurityControlCustomParameters": [ { "SecurityControlId": "ACM.1", "Parameters": { "daysToExpiration": { "ValueType": "CUSTOM", "Value": { "Integer": 15 } } } } ] } } } }For more information, see Creating and associating Security Hub configuration policies
in the Amazon Security Hub User Guide. -
For API details, see CreateConfigurationPolicy
in Amazon CLI Command Reference.
-
The following code example shows how to use create-finding-aggregator.
- Amazon CLI
-
To enable finding aggregation
The following
create-finding-aggregatorexample configures finding aggregation. It is run from US East (Virginia), which designates US East (Virginia) as the aggregation Region. It indicates to only link specified Regions, and to not automatically link new Regions. It selects US West (N. California) and US West (Oregon) as the linked Regions.aws securityhub create-finding-aggregator \ --regionus-east-1\ --region-linking-modeSPECIFIED_REGIONS\ --regionsus-west-1,us-west-2Output:
{ "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000", "FindingAggregationRegion": "us-east-1", "RegionLinkingMode": "SPECIFIED_REGIONS", "Regions": "us-west-1,us-west-2" }For more information, see Enabling finding aggregation
in the Amazon Security Hub User Guide. -
For API details, see CreateFindingAggregator
in Amazon CLI Command Reference.
-
The following code example shows how to use create-insight.
- Amazon CLI
-
To create a custom insight
The following
create-insightexample creates a custom insight named Critical role findings that returns critical findings that are related to Amazon roles.aws securityhub create-insight \ --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' \ --group-by-attribute"ResourceId"\ --name"Critical role findings"Output:
{ "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }For more information, see Managing custom insights
in the Amazon Security Hub User Guide. -
For API details, see CreateInsight
in Amazon CLI Command Reference.
-
The following code example shows how to use create-members.
- Amazon CLI
-
To add accounts as member accounts
The following
create-membersexample adds two accounts as member accounts to the requesting administrator account.aws securityhub create-members \ --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'Output:
{ "UnprocessedAccounts": [] }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see CreateMembers
in Amazon CLI Command Reference.
-
The following code example shows how to use decline-invitations.
- Amazon CLI
-
To decline an invitation to be a member account
The following
decline-invitationsexample declines an invitation to be a member account of the specified administrator account. The member account is the requesting account.aws securityhub decline-invitations \ --account-ids"123456789012"Output:
{ "UnprocessedAccounts": [] }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see DeclineInvitations
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-action-target.
- Amazon CLI
-
To delete a custom action
The following
delete-action-targetexample deletes the custom action identified by the specified ARN.aws securityhub delete-action-target \ --action-target-arn"arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"Output:
{ "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation" }For more information, see Creating a custom action and associating it with a CloudWatch Events rule
in the Amazon Security Hub User Guide. -
For API details, see DeleteActionTarget
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-configuration-policy.
- Amazon CLI
-
To delete a configuration policy
The following
delete-configuration-policyexample deletes the specified configuration policy.aws securityhub delete-configuration-policy \ --identifier"arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"This command produces no output.
For more information, see Deleting and disassociating Security Hub configuration policies
in the Amazon Security Hub User Guide. -
For API details, see DeleteConfigurationPolicy
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-finding-aggregator.
- Amazon CLI
-
To stop finding aggregation
The following
delete-finding-aggregatorexample stops finding aggregation. It is run from US East (Virginia), which is the aggregation Region.aws securityhub delete-finding-aggregator \ --regionus-east-1\ --finding-aggregator-arnarn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000This command produces no output.
For more information, see Stopping finding aggregation
in the Amazon Security Hub User Guide. -
For API details, see DeleteFindingAggregator
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-insight.
- Amazon CLI
-
To delete a custom insight
The following
delete-insightexample deletes the custom insight with the specified ARN.aws securityhub delete-insight \ --insight-arn"arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"Output:
{ "InsightArn": "arn:aws:securityhub:eu-central-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }For more information, see Managing custom insights
in the Amazon Security Hub User Guide. -
For API details, see DeleteInsight
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-invitations.
- Amazon CLI
-
To delete an invitation to be a member account
The following
delete-invitationsexample deletes an invitation to be a member account for the specified administrator account. The member account is the requesting account.aws securityhub delete-invitations \ --account-ids"123456789012"Output:
{ "UnprocessedAccounts": [] }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see DeleteInvitations
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-members.
- Amazon CLI
-
To delete member accounts
The following
delete-membersexample deletes the specified member accounts from the requesting administrator account.aws securityhub delete-members \ --account-ids"123456789111""123456789222"Output:
{ "UnprocessedAccounts": [] }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see DeleteMembers
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-action-targets.
- Amazon CLI
-
To retrieve details about custom actions
The following
describe-action-targetsexample retrieves information about the custom action identified by the specified ARN.aws securityhub describe-action-targets \ --action-target-arns"arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"Output:
{ "ActionTargets": [ { "ActionTargetArn": "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation", "Description": "Action to send the finding for remediation tracking", "Name": "Send to remediation" } ] }For more information, see Creating a custom action and associating it with a CloudWatch Events rule
in the Amazon Security Hub User Guide. -
For API details, see DescribeActionTargets
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-hub.
- Amazon CLI
-
To get information about a hub resource
The following
describe-hubexample returns the subscription date for the specified hub resource. The hub resource is identified by its ARN.aws securityhub describe-hub \ --hub-arn"arn:aws:securityhub:us-west-1:123456789012:hub/default"Output:
{ "HubArn": "arn:aws:securityhub:us-west-1:123456789012:hub/default", "SubscribedAt": "2019-11-19T23:15:10.046Z" }For more information, see Amazon::SecurityHub::Hub
in the Amazon CloudFormation User Guide. -
For API details, see DescribeHub
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-organization-configuration.
- Amazon CLI
-
To view how Security Hub is configured for an organization
The following
describe-organization-configurationexample returns information about the way an organization is configured in Security Hub. In this example, the organization uses central configuration. Only the Security Hub administrator account can run this command.aws securityhub describe-organization-configurationOutput:
{ "AutoEnable": false, "MemberAccountLimitReached": false, "AutoEnableStandards": "NONE", "OrganizationConfiguration": { "ConfigurationType": "LOCAL", "Status": "ENABLED", "StatusMessage": "Central configuration has been enabled successfully" } }For more information, see Managing accounts with Amazon Organizations
in the Amazon Security Hub User Guide. -
For API details, see DescribeOrganizationConfiguration
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-products.
- Amazon CLI
-
To return information about available product integrations
The following
describe-productsexample returns the available product integrations one at a time.aws securityhub describe-products \ --max-results1Output:
{ "NextToken": "U2FsdGVkX18vvPlOqb7RDrWRWVFBJI46MOIAb+nZmRJmR15NoRi2gm13sdQEn3O/pq/78dGs+bKpgA+7HMPHO0qX33/zoRI+uIG/F9yLNhcOrOWzFUdy36JcXLQji3Rpnn/cD1SVkGA98qI3zPOSDg==", "Products": [ { "ProductArn": "arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon", "ProductName": "CrowdStrike Falcon", "CompanyName": "CrowdStrike", "Description": "CrowdStrike Falcon's single lightweight sensor unifies next-gen antivirus, endpoint detection and response, and 24/7 managed hunting, via the cloud.", "Categories": [ "Endpoint Detection and Response (EDR)", "AV Scanning and Sandboxing", "Threat Intelligence Feeds and Reports", "Endpoint Forensics", "Network Forensics" ], "IntegrationTypes": [ "SEND_FINDINGS_TO_SECURITY_HUB" ], "MarketplaceUrl": "https://aws.amazon.com/marketplace/seller-profile?id=a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ActivationUrl": "https://falcon.crowdstrike.com/support/documentation", "ProductSubscriptionResourcePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789333\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}},{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789012\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}}]}" } ] }For more information, see Managing product integrations
in the Amazon Security Hub User Guide. -
For API details, see DescribeProducts
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-standards-controls.
- Amazon CLI
-
To request the list of controls in an enabled standard
The following
describe-standards-controlsexample requests the list of controls in the requestor account's subscription to the PCI DSS standard. The request returns two controls at a time.aws securityhub describe-standards-controls \ --standards-subscription-arn"arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"\ --max-results2Output:
{ "Controls": [ { "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1", "ControlStatus": "ENABLED", "ControlStatusUpdatedAt": "2020-05-15T18:49:04.473000+00:00", "ControlId": "PCI.AutoScaling.1", "Title": "Auto scaling groups associated with a load balancer should use health checks", "Description": "This AWS control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.AutoScaling.1/remediation", "SeverityRating": "LOW", "RelatedRequirements": [ "PCI DSS 2.2" ] }, { "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.CW.1", "ControlStatus": "ENABLED", "ControlStatusUpdatedAt": "2020-05-15T18:49:04.498000+00:00", "ControlId": "PCI.CW.1", "Title": "A log metric filter and alarm should exist for usage of the \"root\" user", "Description": "This control checks for the CloudWatch metric filters using the following pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } It checks that the log group name is configured for use with active multi-region CloudTrail, that there is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All, and that there is at least one active subscriber to an SNS topic associated with the alarm.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.CW.1/remediation", "SeverityRating": "MEDIUM", "RelatedRequirements": [ "PCI DSS 7.2.1" ] } ], "NextToken": "U2FsdGVkX1+eNkPoZHVl11ip5HUYQPWSWZGmftcmJiHL8JoKEsCDuaKayiPDyLK+LiTkShveoOdvfxXCkOBaGhohIXhsIedN+LSjQV/l7kfCfJcq4PziNC1N9xe9aq2pjlLVZnznTfSImrodT5bRNHe4fELCQq/z+5ka+5Lzmc11axcwTd5lKgQyQqmUVoeriHZhyIiBgWKf7oNYdBVG8OEortVWvSkoUTt+B2ThcnC7l43kI0UNxlkZ6sc64AsW" }For more information, see Viewing details for controls
in the Amazon Security Hub User Guide. -
For API details, see DescribeStandardsControls
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-standards.
- Amazon CLI
-
To return a list of available standards
The following
describe-standardsexample returns the list of available standards.aws securityhub describe-standardsOutput:
{ "Standards": [ { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0", "Name": "AWS Foundational Security Best Practices v1.0.0", "Description": "The AWS Foundational Security Best Practices standard is a set of automated security checks that detect when AWS accounts and deployed resources do not align to security best practices. The standard is defined by AWS security experts. This curated set of controls helps improve your security posture in AWS, and cover AWS's most popular and foundational services.", "EnabledByDefault": true }, { "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "Name": "CIS AWS Foundations Benchmark v1.2.0", "Description": "The Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 is a set of security configuration best practices for AWS. This Security Hub standard automatically checks for your compliance readiness against a subset of CIS requirements.", "EnabledByDefault": true }, { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", "Name": "PCI DSS v3.2.1", "Description": "The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data. This Security Hub standard automatically checks for your compliance readiness against a subset of PCI DSS requirements.", "EnabledByDefault": false } ] }For more information, see Security standards in Amazon Security Hub
in the Amazon Security Hub User Guide. -
For API details, see DescribeStandards
in Amazon CLI Command Reference.
-
The following code example shows how to use disable-import-findings-for-product.
- Amazon CLI
-
To stop receiving findings from a product integration
The following
disable-import-findings-for-productexample disables the flow of findings for the specified subscription to a product integration.aws securityhub disable-import-findings-for-product \ --product-subscription-arn"arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"This command produces no output.
For more information, see Managing product integrations
in the Amazon Security Hub User Guide. -
For API details, see DisableImportFindingsForProduct
in Amazon CLI Command Reference.
-
The following code example shows how to use disable-organization-admin-account.
- Amazon CLI
-
To remove a Security Hub administrator account
The following
disable-organization-admin-accountexample revokes the specified account's assignment as a Security Hub administrator account for Amazon Organizations.aws securityhub disable-organization-admin-account \ --admin-account-id777788889999This command produces no output.
For more information, see Designating a Security Hub administrator account
in the Amazon Security Hub User Guide. -
For API details, see DisableOrganizationAdminAccount
in Amazon CLI Command Reference.
-
The following code example shows how to use disable-security-hub.
- Amazon CLI
-
To disable Amazon Security Hub
The following
disable-security-hubexample disables Amazon Security Hub for the requesting account.aws securityhub disable-security-hubThis command produces no output.
For more information, see Disabling Amazon Security Hub
in the Amazon Security Hub User Guide. -
For API details, see DisableSecurityHub
in Amazon CLI Command Reference.
-
The following code example shows how to use disassociate-from-administrator-account.
- Amazon CLI
-
To disassociate from an administrator account
The following
disassociate-from-administrator-accountexample disassociates the requesting account from its current administrator account.aws securityhub disassociate-from-administrator-accountThis command produces no output.
For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see DisassociateFromAdministratorAccount
in Amazon CLI Command Reference.
-
The following code example shows how to use disassociate-from-master-account.
- Amazon CLI
-
To disassociate from an administrator account
The following
disassociate-from-master-accountexample disassociates the requesting account from its current administrator account.aws securityhub disassociate-from-master-accountThis command produces no output.
For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see DisassociateFromMasterAccount
in Amazon CLI Command Reference.
-
The following code example shows how to use disassociate-members.
- Amazon CLI
-
To disassociate member accounts
The following
disassociate-membersexample disassociates the specified member accounts from the requesting administrator account.aws securityhub disassociate-members \ --account-ids"123456789111""123456789222"This command produces no output.
For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see DisassociateMembers
in Amazon CLI Command Reference.
-
The following code example shows how to use enable-import-findings-for-product.
- Amazon CLI
-
To start receiving findings from a product integration
The following
enable-import-findings-for-productexample enables the flow of findings from the specified product integration.aws securityhub enable-import-findings-for-product \ --product-arn"arn:aws:securityhub:us-east-1:123456789333:product/crowdstrike/crowdstrike-falcon"Output:
{ "ProductSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon" }For more information, see Managing product integrations
in the Amazon Security Hub User Guide. -
For API details, see EnableImportFindingsForProduct
in Amazon CLI Command Reference.
-
The following code example shows how to use enable-organization-admin-account.
- Amazon CLI
-
To designate an organization account as a Security Hub administrator account
The following
enable-organization-admin-accountexample designates the specified account as a Security Hub administrator account.aws securityhub enable-organization-admin-account \ --admin-account-id777788889999This command produces no output.
For more information, see Designating a Security Hub administrator account
in the Amazon Security Hub User Guide. -
For API details, see EnableOrganizationAdminAccount
in Amazon CLI Command Reference.
-
The following code example shows how to use enable-security-hub.
- Amazon CLI
-
To enable Amazon Security Hub
The following
enable-security-hubexample enables Amazon Security Hub for the requesting account. It configures Security Hub to enable the default standards. For the hub resource, it assigns the valueSecurityto the tagDepartment.aws securityhub enable-security-hub \ --enable-default-standards \ --tags '{"Department": "Security"}'This command produces no output.
For more information, see Enabling Security Hub
in the Amazon Security Hub User Guide. -
For API details, see EnableSecurityHub
in Amazon CLI Command Reference.
-
The following code example shows how to use get-administrator-account.
- Amazon CLI
-
To retrieve information about an administrator account
The following
get-administrator-accountexample retrieves information about the administrator account for the requesting account.aws securityhub get-administrator-accountOutput:
{ "Master": { "AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb", "InvitedAt": 2020-06-01T20:21:18.042000+00:00, "MemberStatus": "ASSOCIATED" } }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see GetAdministratorAccount
in Amazon CLI Command Reference.
-
The following code example shows how to use get-configuration-policy-association.
- Amazon CLI
-
To get configuration association details for a target
The following
get-configuration-policy-associationexample retrieves association details for the specified target. You can provide an account ID, organizational unit ID, or the root ID for the target.aws securityhub get-configuration-policy-association \ --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'Output:
{ "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:13:01.816000+00:00", "AssociationStatus": "SUCCESS", "AssociationStatusMessage": "Association applied successfully on this target." }For more information, see Viewing Security Hub configuration policies
in the Amazon Security Hub User Guide. -
For API details, see GetConfigurationPolicyAssociation
in Amazon CLI Command Reference.
-
The following code example shows how to use get-configuration-policy.
- Amazon CLI
-
To view configuration policy details
The following
get-configuration-policyexample retrieves details about the specified configuration policy.aws securityhub get-configuration-policy \ --identifier"arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"Output:
{ "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "ce5ed1e7-9639-4e2f-9313-fa87fcef944b", "Name": "SampleConfigurationPolicy", "Description": "SampleDescription", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "CreatedAt": "2023-11-28T20:28:04.494000+00:00", "ConfigurationPolicy": { "SecurityHub": { "ServiceEnabled": true, "EnabledStandardIdentifiers": [ "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" ], "SecurityControlsConfiguration": { "DisabledSecurityControlIdentifiers": [ "CloudTrail.2" ], "SecurityControlCustomParameters": [ { "SecurityControlId": "ACM.1", "Parameters": { "daysToExpiration": { "ValueType": "CUSTOM", "Value": { "Integer": 15 } } } } ] } } } }For more information, see Viewing Security Hub configuration policies
in the Amazon Security Hub User Guide. -
For API details, see GetConfigurationPolicy
in Amazon CLI Command Reference.
-
The following code example shows how to use get-enabled-standards.
- Amazon CLI
-
To retrieve information about an enabled standard
The following
get-enabled-standardsexample retrieves information about the PCI DSS standard.aws securityhub get-enabled-standards \ --standards-subscription-arn"arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1"Output:
{ "StandardsSubscriptions": [ { "StandardsArn": "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", "StandardsInput": { }, "StandardsStatus": "READY", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1" } ] }For more information, see Security standards in Amazon Security Hub
in the Amazon Security Hub User Guide. -
For API details, see GetEnabledStandards
in Amazon CLI Command Reference.
-
The following code example shows how to use get-finding-aggregator.
- Amazon CLI
-
To retrieve the current finding aggregation configuration
The following
get-finding-aggregatorexample retrieves the current finding aggregation configuration.aws securityhub get-finding-aggregator \ --finding-aggregator-arnarn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000Output:
{ "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000", "FindingAggregationRegion": "us-east-1", "RegionLinkingMode": "SPECIFIED_REGIONS", "Regions": "us-west-1,us-west-2" }For more information, see Viewing the current finding aggregation configuration
in the Amazon Security Hub User Guide. -
For API details, see GetFindingAggregator
in Amazon CLI Command Reference.
-
The following code example shows how to use get-finding-history.
- Amazon CLI
-
To get finding history
The following
get-finding-historyexample gets up to the last 90 days of history for the specified finding. In this example, the results are limited to two records of finding history.aws securityhub get-finding-history \ --finding-identifier Id="arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws:securityhub:us-east-1::product/aws/securityhub"Output:
{ "Records": [ { "FindingIdentifier": { "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "UpdateTime": "2023-06-02T03:15:25.685000+00:00", "FindingCreated": false, "UpdateSource": { "Type": "BATCH_IMPORT_FINDINGS", "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "Updates": [ { "UpdatedField": "Compliance.RelatedRequirements", "OldValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 SC-12(3)\",\"NIST.800-53.r5 SC-12(6)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\"]", "NewValue": "[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 SI-7(6)\",\"NIST.800-53.r5 AU-9\"]" }, { "UpdatedField": "LastObservedAt", "OldValue": "2023-06-01T09:15:38.587Z", "NewValue": "2023-06-02T03:15:22.946Z" }, { "UpdatedField": "UpdatedAt", "OldValue": "2023-06-01T09:15:31.049Z", "NewValue": "2023-06-02T03:15:14.861Z" }, { "UpdatedField": "ProcessedAt", "OldValue": "2023-06-01T09:15:41.058Z", "NewValue": "2023-06-02T03:15:25.685Z" } ] }, { "FindingIdentifier": { "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.17/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "UpdateTime": "2023-05-23T02:06:51.518000+00:00", "FindingCreated": "true", "UpdateSource": { "Type": "BATCH_IMPORT_FINDINGS", "Identity": "arn:aws:securityhub:us-east-1::product/aws/securityhub" }, "Updates": [] } ] }For more information, see Finding history
in the Amazon Security Hub User Guide. -
For API details, see GetFindingHistory
in Amazon CLI Command Reference.
-
The following code example shows how to use get-findings.
- Amazon CLI
-
Example 1: To return findings generated for a specific standard
The following
get-findingsexample returns findings for the PCI DSS standard.aws securityhub get-findings \ --filters '{"GeneratorId":[{"Value": "pci-dss","Comparison":"PREFIX"}]}' \ --max-items1Output:
{ "Findings": [ { "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub", "GeneratorId": "pci-dss/v/3.2.1/PCI.Lambda.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ], "FindingProviderFields": { "Severity": { "Original": 0, "Label": "INFORMATIONAL" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ] }, "FirstObservedAt": "2020-06-02T14:02:49.159Z", "LastObservedAt": "2020-06-02T14:02:52.397Z", "CreatedAt": "2020-06-02T14:02:49.159Z", "UpdatedAt": "2020-06-02T14:02:52.397Z", "Severity": { "Original": 0, "Label": "INFORMATIONAL", "Normalized": 0 }, "Title": "PCI.Lambda.2 Lambda functions should be in a VPC", "Description": "This AWS control checks whether a Lambda function is in a VPC.", "Remediation": { "Recommendation": { "Text": "For directions on how to fix this issue, please consult the AWS Security Hub PCI DSS documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1", "ControlId": "PCI.Lambda.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.2/remediation", "RelatedAWSResources:0/name": "securityhub-lambda-inside-vpc-0e904a3b", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.Lambda.2", "aws/securityhub/SeverityLabel": "INFORMATIONAL", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-west-1" } ], "Compliance": { "Status": "PASSED", "RelatedRequirements": [ "PCI DSS 1.2.1", "PCI DSS 1.3.1", "PCI DSS 1.3.2", "PCI DSS 1.3.4" ] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ARCHIVED" } ], "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAxfQ==" }Example 2: To return critical-severity findings that have a workflow status of NOTIFIED
The following
get-findingsexample returns findings that have a severity label value of CRITICAL and a workflow status of NOTIFIED. The results are sorted in descending order by the value of Confidence.aws securityhub get-findings \ --filters '{"SeverityLabel":[{"Value": "CRITICAL","Comparison":"EQUALS"}],"WorkflowStatus": [{"Value":"NOTIFIED","Comparison":"EQUALS"}]}' \ --sort-criteria '{ "Field": "Confidence", "SortOrder": "desc"}' \ --max-items1Output:
{ "Findings": [ { "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-west-1: 123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/securityhub", "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "FindingProviderFields" { "Severity": { "Original": 90, "Label": "CRITICAL" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ] }, "FirstObservedAt": "2020-05-21T20:16:34.752Z", "LastObservedAt": "2020-06-09T08:16:37.171Z", "CreatedAt": "2020-05-21T20:16:34.752Z", "UpdatedAt": "2020-06-09T08:16:36.430Z", "Severity": { "Original": 90, "Label": "CRITICAL", "Normalized": 90 }, "Title": "1.13 Ensure MFA is enabled for the \"root\" account", "Description": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device.", "Remediation": { "Recommendation": { "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation" } }, "ProductFields": { "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0", "RuleId": "1.13", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/standards-cis-1.13/remediation", "RelatedAWSResources:0/name": "securityhub-root-account-mfa-enabled-5pftha", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/1.13", "aws/securityhub/SeverityLabel": "CRITICAL", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-1::product/aws/securityhub/arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.13/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-west-1" } ], "Compliance": { "Status": "FAILED" }, "WorkflowState": "NEW", "Workflow": { "Status": "NOTIFIED" }, "RecordState": "ACTIVE" } ] }For more information, see Filtering and grouping findings
in the Amazon Security Hub User Guide. -
For API details, see GetFindings
in Amazon CLI Command Reference.
-
The following code example shows how to use get-insight-results.
- Amazon CLI
-
To retrieve the results for an insight
The following
get-insight-resultsexample returns the list of insight results for the insight with the specified ARN.aws securityhub get-insight-results \ --insight-arn"arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"Output:
{ "InsightResults": { "GroupByAttribute": "ResourceId", "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ResultValues": [ { "Count": 10, "GroupByAttributeValue": "AWS::::Account:123456789111" }, { "Count": 3, "GroupByAttributeValue": "AWS::::Account:123456789222" } ] } }For more information, see Viewing and taking action on insight results and findings
in the Amazon Security Hub User Guide. -
For API details, see GetInsightResults
in Amazon CLI Command Reference.
-
The following code example shows how to use get-insights.
- Amazon CLI
-
To retrieve details about an insight
The following
get-insightsexample retrieves the configuration details for the insight with the specified ARN.aws securityhub get-insights \ --insight-arns"arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"Output:
{ "Insights": [ { "Filters": { "ResourceType": [ { "Comparison": "EQUALS", "Value": "AwsIamRole" } ], "SeverityLabel": [ { "Comparison": "EQUALS", "Value": "CRITICAL" } ], }, "GroupByAttribute": "ResourceId", "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "Critical role findings" } ] }For more information, see Insights in Amazon Security Hub
in the Amazon Security Hub User Guide. -
For API details, see GetInsights
in Amazon CLI Command Reference.
-
The following code example shows how to use get-invitations-count.
- Amazon CLI
-
To retrieve the number of invitations that were not accepted
The following
get-invitations-countexample retrieves the number of invitations that the requesting account declined or did not respond to.aws securityhub get-invitations-countOutput:
{ "InvitationsCount": 3 }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see GetInvitationsCount
in Amazon CLI Command Reference.
-
The following code example shows how to use get-master-account.
- Amazon CLI
-
To retrieve information about an administrator account
The following
get-master-accountexample retrieves information about the administrator account for the requesting account.aws securityhub get-master-accountOutput:
{ "Master": { "AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb", "InvitedAt": 2020-06-01T20:21:18.042000+00:00, "MemberStatus": "ASSOCIATED" } }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see GetMasterAccount
in Amazon CLI Command Reference.
-
The following code example shows how to use get-members.
- Amazon CLI
-
To retrieve information about selected member accounts
The following
get-membersexample retrieves information about the specified member accounts.aws securityhub get-members \ --account-ids"444455556666""777788889999"Output:
{ "Members": [ { "AccountId": "123456789111", "AdministratorId": "123456789012", "InvitedAt": 2020-06-01T20:15:15.289000+00:00, "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": 2020-06-01T20:15:15.289000+00:00 }, { "AccountId": "123456789222", "AdministratorId": "123456789012", "InvitedAt": 2020-06-01T20:15:15.289000+00:00, "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": 2020-06-01T20:15:15.289000+00:00 } ], "UnprocessedAccounts": [ ] }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see GetMembers
in Amazon CLI Command Reference.
-
The following code example shows how to use get-security-control-definition.
- Amazon CLI
-
To get security control definition details
The following
get-security-control-definitionexample retrieves definition details for a Security Hub security control. Details include the control title, description, Region availability, parameters, and other information.aws securityhub get-security-control-definition \ --security-control-idACM.1Output:
{ "SecurityControlDefinition": { "SecurityControlId": "ACM.1", "Title": "Imported and ACM-issued certificates should be renewed after a specified time period", "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "ParameterDefinitions": { "daysToExpiration": { "Description": "Number of days within which the ACM certificate must be renewed", "ConfigurationOptions": { "Integer": { "DefaultValue": 30, "Min": 14, "Max": 365 } } } } } }For more information, see Custom control parameters
in the Amazon Security Hub User Guide. -
For API details, see GetSecurityControlDefinition
in Amazon CLI Command Reference.
-
The following code example shows how to use invite-members.
- Amazon CLI
-
To send invitations to member accounts
The following
invite-membersexample sends invitations to the specified member accounts.aws securityhub invite-members \ --account-ids"123456789111""123456789222"Output:
{ "UnprocessedAccounts": [] }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see InviteMembers
in Amazon CLI Command Reference.
-
The following code example shows how to use list-automation-rules.
- Amazon CLI
-
To view a list of automation rules
The following
list-automation-rulesexample lists the automation rules for an Amazon account. Only the Security Hub administrator account can run this command.aws securityhub list-automation-rules \ --max-results3\ --next-tokenNULLOutput:
{ "AutomationRulesMetadata": [ { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "Suppress informational findings", "Description": "Suppress GuardDuty findings with Informational severity", "IsTerminal": false, "CreatedAt": "2023-05-31T17:56:14.837000+00:00", "UpdatedAt": "2023-05-31T17:59:38.466000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" }, { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "sample rule", "Description": "A sample rule", "IsTerminal": false, "CreatedAt": "2023-07-15T23:37:20.223000+00:00", "UpdatedAt": "2023-07-15T23:37:20.223000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" }, { "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "RuleStatus": "ENABLED", "RuleOrder": 1, "RuleName": "sample rule", "Description": "A sample rule", "IsTerminal": false, "CreatedAt": "2023-07-15T23:45:25.126000+00:00", "UpdatedAt": "2023-07-15T23:45:25.126000+00:00", "CreatedBy": "arn:aws:iam::123456789012:role/Admin" } ] }For more information, see Viewing automation rules
in the Amazon Security Hub User Guide. -
For API details, see ListAutomationRules
in Amazon CLI Command Reference.
-
The following code example shows how to use list-configuration-policies.
- Amazon CLI
-
To list configuration policy summaries
The following
list-configuration-policiesexample lists a summary of configuration policies for the organization.aws securityhub list-configuration-policies \ --max-items3Output:
{ "ConfigurationPolicySummaries": [ { "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "SampleConfigurationPolicy1", "Description": "SampleDescription1", "UpdatedAt": "2023-09-26T21:08:36.214000+00:00", "ServiceEnabled": true }, { "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "Name": "SampleConfigurationPolicy2", "Description": "SampleDescription2" "UpdatedAt": "2023-11-28T19:26:25.207000+00:00", "ServiceEnabled": true }, { "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "Name": "SampleConfigurationPolicy3", "Description": "SampleDescription3", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "ServiceEnabled": true } }For more information, see Viewing Security Hub configuration policies
in the Amazon Security Hub User Guide. -
For API details, see ListConfigurationPolicies
in Amazon CLI Command Reference.
-
The following code example shows how to use list-configuration-policy-associations.
- Amazon CLI
-
To list configuration associations
The following
list-configuration-policy-associationsexample lists a summary of configuration associations for the organization. The response include associations with configuration policies and self-managed behavior.aws securityhub list-configuration-policy-associations \ --association-type"APPLIED"\ --max-items4Output:
{ "ConfigurationPolicyAssociationSummaries": [ { "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "TargetId": "r-1ab2", "TargetType": "ROOT", "AssociationType": "APPLIED", "UpdatedAt": "2023-11-28T19:26:49.417000+00:00", "AssociationStatus": "FAILED", "AssociationStatusMessage": "Policy association failed because 2 organizational units or accounts under this root failed." }, { "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "TargetId": "ou-1ab2-c3de4f5g", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:14:05.283000+00:00", "AssociationStatus": "FAILED", "AssociationStatusMessage": "One or more children under this target failed association." }, { "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-09-26T21:13:01.816000+00:00", "AssociationStatus": "SUCCESS", "AssociationStatusMessage": "Association applied successfully on this target." }, { "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB", "TargetId": "111122223333", "TargetType": "ACCOUNT", "AssociationType": "APPLIED", "UpdatedAt": "2023-11-28T22:01:26.409000+00:00", "AssociationStatus": "SUCCESS" } }For more information, see Viewing Security Hub configuration policies
in the Amazon Security Hub User Guide. -
For API details, see ListConfigurationPolicyAssociations
in Amazon CLI Command Reference.
-
The following code example shows how to use list-enabled-products-for-import.
- Amazon CLI
-
To return the list of enabled product integrations
The following
list-enabled-products-for-importexample returns the list of subscription ARNS for the currently enabled product integrations.aws securityhub list-enabled-products-for-importOutput:
{ "ProductSubscriptions": [ "arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon", "arn:aws:securityhub:us-west-1:123456789012:product-subscription/aws/securityhub" ] }For more information, see Managing product integrations
in the Amazon Security Hub User Guide. -
For API details, see ListEnabledProductsForImport
in Amazon CLI Command Reference.
-
The following code example shows how to use list-finding-aggregators.
- Amazon CLI
-
To list the available widgets
The following
list-finding-aggregatorsexample returns the ARN of the finding aggregation configuration.aws securityhub list-finding-aggregatorsOutput:
{ "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000" }For more information, see Viewing the current finding aggregation configuration
in the Amazon Security Hub User Guide. -
For API details, see ListFindingAggregators
in Amazon CLI Command Reference.
-
The following code example shows how to use list-invitations.
- Amazon CLI
-
To display a list of invitations
The following
list-invitationsexample retrieves the list of invitations sent to the requesting account.aws securityhub list-invitationsOutput:
{ "Invitations": [ { "AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb", "InvitedAt": 2020-06-01T20:21:18.042000+00:00, "MemberStatus": "ASSOCIATED" } ], }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see ListInvitations
in Amazon CLI Command Reference.
-
The following code example shows how to use list-members.
- Amazon CLI
-
To retrieve a list of member accounts
The following
list-membersexample returns the list of member accounts for the requesting administrator account.aws securityhub list-membersOutput:
{ "Members": [ { "AccountId": "123456789111", "AdministratorId": "123456789012", "InvitedAt": 2020-06-01T20:15:15.289000+00:00, "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": 2020-06-01T20:15:15.289000+00:00 }, { "AccountId": "123456789222", "AdministratorId": "123456789012", "InvitedAt": 2020-06-01T20:15:15.289000+00:00, "MasterId": "123456789012", "MemberStatus": "ASSOCIATED", "UpdatedAt": 2020-06-01T20:15:15.289000+00:00 } ], }For more information, see Managing administrator and member accounts
in the Amazon Security Hub User Guide. -
For API details, see ListMembers
in Amazon CLI Command Reference.
-
The following code example shows how to use list-organization-admin-accounts.
- Amazon CLI
-
To list the designated Security Hub administrator accounts
The following
list-organization-admin-accountsexample lists the Security Hub administrator accounts for an organization.aws securityhub list-organization-admin-accountsOutput:
{ AdminAccounts": [ { "AccountId": "777788889999" }, { "Status": "ENABLED" } ] }For more information, see Designating a Security Hub administrator account
in the Amazon Security Hub User Guide. -
For API details, see ListOrganizationAdminAccounts
in Amazon CLI Command Reference.
-
The following code example shows how to use list-security-control-definitions.
- Amazon CLI
-
Example 1: To list all available security controls
The following
list-security-control-definitionsexample lists the available security controls across all Security Hub standards. This example limits the results to three controls.aws securityhub list-security-control-definitions \ --max-items3Output:
{ "SecurityControlDefinitions": [ { "SecurityControlId": "ACM.1", "Title": "Imported and ACM-issued certificates should be renewed after a specified time period", "Description": "This control checks whether an AWS Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub uses a default value of 30 days.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [ "Parameters" ] }, { "SecurityControlId": "ACM.2", "Title": "RSA certificates managed by ACM should use a key length of at least 2,048 bits", "Description": "This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/ACM.2/remediation", "SeverityRating": "HIGH", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] }, { "SecurityControlId": "APIGateway.1", "Title": "API Gateway REST and WebSocket API execution logging should be enabled", "Description": "This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if the 'loggingLevel' isn't 'ERROR' or 'INFO' for all stages of the API. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the logging level is either 'ERROR' or 'INFO'.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/APIGateway.1/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [ "Parameters" ] } ], "NextToken": "U2FsdGVkX1/UprCPzxVbkDeHikDXbDxfgJZ1w2RG1XWsFPTMTIQPVE0m/FduIGxS7ObRtAbaUt/8/RCQcg2PU0YXI20hH/GrhoOTgv+TSm0qvQVFhkJepWmqh+NYawjocVBeos6xzn/8qnbF9IuwGg==" }For more information, see Viewing details for a standard
in the Amazon Security Hub User Guide. Example 2: To list available security controls for a specific standard
The following
list-security-control-definitionsexample lists the available security controls for the CIS Amazon Foundations Benchmark v1.4.0. This example limits the results to three controls.aws securityhub list-security-control-definitions \ --standards-arn"arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"\ --max-items3Output:
{ "SecurityControlDefinitions": [ { "SecurityControlId": "CloudTrail.1", "Title": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "Description": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.1/remediation", "SeverityRating": "HIGH", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] }, { "SecurityControlId": "CloudTrail.2", "Title": "CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] }, { "SecurityControlId": "CloudTrail.4", "Title": "CloudTrail log file validation should be enabled", "Description": "This AWS control checks whether CloudTrail log file validation is enabled.", "RemediationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.4/remediation", "SeverityRating": "MEDIUM", "CurrentRegionAvailability": "AVAILABLE", "CustomizableProperties": [] } ], "NextToken": "eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiAzfQ==" }For more information, see Viewing details for a standard
in the Amazon Security Hub User Guide. -
For API details, see ListSecurityControlDefinitions
in Amazon CLI Command Reference.
-
The following code example shows how to use list-standards-control-associations.
- Amazon CLI
-
To get the enablement status of a control in each enabled standard
The following
list-standards-control-associationsexample lists the enablement status of CloudTrail.1 in each enabled standard.aws securityhub list-standards-control-associations \ --security-control-idCloudTrail.1Output:
{ "StandardsControlAssociationSummaries": [ { "StandardsArn": "arn:aws:securityhub:us-east-2::standards/nist-800-53/v/5.0.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "NIST.800-53.r5 AC-2(4)", "NIST.800-53.r5 AC-4(26)", "NIST.800-53.r5 AC-6(9)", "NIST.800-53.r5 AU-10", "NIST.800-53.r5 AU-12", "NIST.800-53.r5 AU-2", "NIST.800-53.r5 AU-3", "NIST.800-53.r5 AU-6(3)", "NIST.800-53.r5 AU-6(4)", "NIST.800-53.r5 AU-14(1)", "NIST.800-53.r5 CA-7", "NIST.800-53.r5 SC-7(9)", "NIST.800-53.r5 SI-3(8)", "NIST.800-53.r5 SI-4(20)", "NIST.800-53.r5 SI-7(8)", "NIST.800-53.r5 SA-8(22)" ], "UpdatedAt": "2023-05-15T17:52:21.304000+00:00", "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events." }, { "StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "CIS AWS Foundations 2.1" ], "UpdatedAt": "2020-02-10T21:22:53.998000+00:00", "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions", "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service." }, { "StandardsArn": "arn:aws:securityhub:us-east-2::standards/aws-foundational-security-best-practices/v/1.0.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "DISABLED", "RelatedRequirements": [], "UpdatedAt": "2023-05-15T19:31:52.671000+00:00", "UpdatedReason": "Alternative compensating controls are in place", "StandardsControlTitle": "CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events", "StandardsControlDescription": "This AWS control checks that there is at least one multi-region AWS CloudTrail trail includes read and write management events." }, { "StandardsArn": "arn:aws:securityhub:us-east-2::standards/cis-aws-foundations-benchmark/v/1.4.0", "SecurityControlId": "CloudTrail.1", "SecurityControlArn": "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.1", "AssociationStatus": "ENABLED", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v1.4.0/3.1" ], "UpdatedAt": "2022-11-10T15:40:36.021000+00:00", "StandardsControlTitle": "Ensure CloudTrail is enabled in all regions", "StandardsControlDescription": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)." } ] }For more information, see Enabling and disabling controls in specific standards
in the Amazon Security Hub User Guide. -
For API details, see ListStandardsControlAssociations
in Amazon CLI Command Reference.
-
The following code example shows how to use list-tags-for-resource.
- Amazon CLI
-
To retrieve the tags assigned to a resource
The following
list-tags-for-resourceexample returns the tags assigned to the specified hub resource.aws securityhub list-tags-for-resource \ --resource-arn"arn:aws:securityhub:us-west-1:123456789012:hub/default"Output:
{ "Tags": { "Department" : "Operations", "Area" : "USMidwest" } }For more information, see Amazon::SecurityHub::Hub
in the Amazon CloudFormation User Guide. -
For API details, see ListTagsForResource
in Amazon CLI Command Reference.
-
The following code example shows how to use start-configuration-policy-association.
- Amazon CLI
-
Example 1: To associate a configuration policy
The following
start-configuration-policy-associationexample associates the specified configuration policy with the specified organizational unit. A configuration may be associated with a target account, organizational unit, or the root.aws securityhub start-configuration-policy-association \ --configuration-policy-identifier"arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"\ --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'Output:
{ "ConfigurationPolicyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", "TargetId": "ou-6hi7-8j91kl2m", "TargetType": "ORGANIZATIONAL_UNIT", "AssociationType": "APPLIED", "UpdatedAt": "2023-11-29T17:40:52.468000+00:00", "AssociationStatus": "PENDING" }For more information, see Creating and associating Security Hub configuration policies
in the Amazon Security Hub User Guide. Example 2: To associate a self-managed configuration
The following
start-configuration-policy-associationexample associates a self-managed configuration with the specified account.aws securityhub start-configuration-policy-association \ --configuration-policy-identifier"SELF_MANAGED_SECURITY_HUB"\ --target '{"OrganizationalUnitId": "123456789012"}'Output:
{ "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB", "TargetId": "123456789012", "TargetType": "ACCOUNT", "AssociationType": "APPLIED", "UpdatedAt": "2023-11-29T17:40:52.468000+00:00", "AssociationStatus": "PENDING" }For more information, see Creating and associating Security Hub configuration policies
in the Amazon Security Hub User Guide. -
For API details, see StartConfigurationPolicyAssociation
in Amazon CLI Command Reference.
-
The following code example shows how to use start-configuration-policy-disassociation.
- Amazon CLI
-
Example 1: To disassociate a configuration policy
The following
start-configuration-policy-disassociationexample disassociates a configuration policy from the specified organizational unit. A configuration may be disassociated from a target account, organizational unit, or the root.aws securityhub start-configuration-policy-disassociation \ --configuration-policy-identifier"arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"\ --target '{"OrganizationalUnitId": "ou-6hi7-8j91kl2m"}'This command produces no output.
For more information, see Disassociating a configuration from accounts and OUs
in the Amazon Security Hub User Guide. Example 2: To disassociate a self-managed configuration
The following
start-configuration-policy-disassociationexample disassociates a self-managed configuration from the specified account.aws securityhub start-configuration-policy-disassociation \ --configuration-policy-identifier"SELF_MANAGED_SECURITY_HUB"\ --target '{"AccountId": "123456789012"}'This command produces no output.
For more information, see Disassociating a configuration from accounts and OUs
in the Amazon Security Hub User Guide. -
For API details, see StartConfigurationPolicyDisassociation
in Amazon CLI Command Reference.
-
The following code example shows how to use tag-resource.
- Amazon CLI
-
To assign a tag to a resource
The following
tag-resourceexample assigns values for the Department and Area tags to the specified hub resource.aws securityhub tag-resource \ --resource-arn"arn:aws:securityhub:us-west-1:123456789012:hub/default"\ --tags '{"Department":"Operations", "Area":"USMidwest"}'This command produces no output.
For more information, see Amazon::SecurityHub::Hub
in the Amazon CloudFormation User Guide. -
For API details, see TagResource
in Amazon CLI Command Reference.
-
The following code example shows how to use untag-resource.
- Amazon CLI
-
To remove a tag value from a resource
The following
untag-resourceexample removes the Department tag from the specified hub resource.aws securityhub untag-resource \ --resource-arn"arn:aws:securityhub:us-west-1:123456789012:hub/default"\ --tag-keys"Department"This command produces no output.
For more information, see Amazon::SecurityHub::Hub
in the Amazon CloudFormation User Guide. -
For API details, see UntagResource
in Amazon CLI Command Reference.
-
The following code example shows how to use update-action-target.
- Amazon CLI
-
To update a custom action
The following
update-action-targetexample updates the name of the custom action identified by the specified ARN.aws securityhub update-action-target \ --action-target-arn"arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation"\ --name"Send to remediation"This command produces no output.
For more information, see Creating a custom action and associating it with a CloudWatch Events rule
in the Amazon Security Hub User Guide. -
For API details, see UpdateActionTarget
in Amazon CLI Command Reference.
-
The following code example shows how to use update-configuration-policy.
- Amazon CLI
-
To update a configuration policy
The following
update-configuration-policyexample updates an existing configuration policy to use the specified settings.aws securityhub update-configuration-policy \ --identifier"arn:aws:securityhub:eu-central-1:508236694226:configuration-policy/09f37766-57d8-4ede-9d33-5d8b0fecf70e"\ --name"SampleConfigurationPolicyUpdated"\ --description"SampleDescriptionUpdated"\ --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudWatch.1"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 21}}}}]}}}' \ --updated-reason"Disabling CloudWatch.1 and changing parameter value"Output:
{ "Arn": "arn:aws:securityhub:eu-central-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "SampleConfigurationPolicyUpdated", "Description": "SampleDescriptionUpdated", "UpdatedAt": "2023-11-28T20:28:04.494000+00:00", "CreatedAt": "2023-11-28T20:28:04.494000+00:00", "ConfigurationPolicy": { "SecurityHub": { "ServiceEnabled": true, "EnabledStandardIdentifiers": [ "arn:aws:securityhub:eu-central-1::standards/aws-foundational-security-best-practices/v/1.0.0", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" ], "SecurityControlsConfiguration": { "DisabledSecurityControlIdentifiers": [ "CloudWatch.1" ], "SecurityControlCustomParameters": [ { "SecurityControlId": "ACM.1", "Parameters": { "daysToExpiration": { "ValueType": "CUSTOM", "Value": { "Integer": 21 } } } } ] } } } }For more information, see Updating Security Hub configuration policies
in the Amazon Security Hub User Guide. -
For API details, see UpdateConfigurationPolicy
in Amazon CLI Command Reference.
-
The following code example shows how to use update-finding-aggregator.
- Amazon CLI
-
To update the current finding aggregation configuration
The following
update-finding-aggregatorexample changes the finding aggregation configuration to link from selected Regions. It is run from US East (Virginia), which is the aggregation Region. It selects US West (N. California) and US West (Oregon) as the linked Regions.aws securityhub update-finding-aggregator \ --regionus-east-1\ --finding-aggregator-arnarn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000\ --region-linking-modeSPECIFIED_REGIONS\ --regionsus-west-1,us-west-2This command produces no output.
For more information, see Updating the finding aggregation configuration
in the Amazon Security Hub User Guide. -
For API details, see UpdateFindingAggregator
in Amazon CLI Command Reference.
-
The following code example shows how to use update-insight.
- Amazon CLI
-
Example 1: To change the filter for a custom insight
The following
update-insightexample changes the filters for a custom insight. The updated insight looks for findings with a high severity that are related to Amazon roles.aws securityhub update-insight \ --insight-arn"arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"\ --filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' \ --name"High severity role findings"Example 2: To change the grouping attribute for a custom insight
The following
update-insightexample changes the grouping attribute for the custom insight with the specified ARN. The new grouping attribute is the resource ID.aws securityhub update-insight \ --insight-arn"arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"\ --group-by-attribute"ResourceId"\ --name"Critical role findings"Output:
{ "Insights": [ { "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "Critical role findings", "Filters": { "SeverityLabel": [ { "Value": "CRITICAL", "Comparison": "EQUALS" } ], "ResourceType": [ { "Value": "AwsIamRole", "Comparison": "EQUALS" } ] }, "GroupByAttribute": "ResourceId" } ] }For more information, see Managing custom insights
in the Amazon Security Hub User Guide. -
For API details, see UpdateInsight
in Amazon CLI Command Reference.
-
The following code example shows how to use update-organization-configuration.
- Amazon CLI
-
To update how Security Hub is configured for an organization
The following
update-organization-configurationexample specifies that Security Hub should use central configuration to configure an organization. After running this command, the delegated Security Hub administrator can create and manage configuration policies to configure the organization. The delegated administrator can also use this command to switch from central to local configuration. If local configuration is the configuration type, the delegated administrator can choose whether to automatically enable Security Hub and default security standards in new organization accounts.aws securityhub update-organization-configuration \ --no-auto-enable \ --organization-configuration '{"ConfigurationType": "CENTRAL"}'This command produces no output.
For more information, see Managing accounts with Amazon Organizations
in the Amazon Security Hub User Guide. -
For API details, see UpdateOrganizationConfiguration
in Amazon CLI Command Reference.
-
The following code example shows how to use update-security-control.
- Amazon CLI
-
To update security control properties
The following
update-security-controlexample specifies custom values for a Security Hub security control parameter.aws securityhub update-security-control \ --security-control-idACM.1\ --parameters '{"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}' \ --last-update-reason"Internal compliance requirement"This command produces no output.
For more information, see Custom control parameters
in the Amazon Security Hub User Guide. -
For API details, see UpdateSecurityControl
in Amazon CLI Command Reference.
-
The following code example shows how to use update-security-hub-configuration.
- Amazon CLI
-
To update Security Hub configuration
The following
update-security-hub-configurationexample configures Security Hub to automatically enable new controls for enabled standards.aws securityhub update-security-hub-configuration \ --auto-enable-controlsThis command produces no output.
For more information, see Enabling new controls automatically
in the Amazon Security Hub User Guide. -
For API details, see UpdateSecurityHubConfiguration
in Amazon CLI Command Reference.
-
The following code example shows how to use update-standards-control.
- Amazon CLI
-
Example 1: To disable a control
The following
update-standards-controlexample disables the PCI.AutoScaling.1 control.aws securityhub update-standards-control \ --standards-control-arn"arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1"\ --control-status"DISABLED"\ --disabled-reason"Not applicable for my service"This command produces no output.
Example 2: To enable a control
The following
update-standards-controlexample enables the PCI.AutoScaling.1 control.aws securityhub update-standards-control \ --standards-control-arn"arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1"\ --control-status"ENABLED"This command produces no output.
For more information, see Disabling and enabling individual controls
in the Amazon Security Hub User Guide. -
For API details, see UpdateStandardsControl
in Amazon CLI Command Reference.
-