IAM permissions to configure standards and controls
To view information about security controls, and to enable and disable security controls in standards, the Amazon Identity and Access Management (IAM) role that you use to access Amazon Security Hub needs permissions to call the following API actions. Without permissions for these actions, you won't be able to call these APIs. To get the necessary permissions, you can use Security Hub managed policies. Alternatively, you can update custom IAM policies to include permissions for these actions. Custom policies should also include permissions for the DescribeStandardsControls and UpdateStandardsControl APIs.
- BatchGetSecurityControls – Returns information about a batch of security controls for the current account and Amazon Web Services Region.
- ListSecurityControlDefinitions – Returns information about security controls that apply to a specified standard.
- ListStandardsControlAssociations – Identifies whether a security control is currently enabled in or disabled from each enabled standard in the account.
- BatchGetStandardsControlAssociations – For a batch of security controls, identifies whether each control is currently enabled in or disabled from a specified standard.
- BatchUpdateStandardsControlAssociations – Used to enable a security control in standards that include the control, or to disable a control in standards. This is a batch substitute for the existing UpdateStandardsControl API if an administrator doesn't want to allow member accounts to enable or disable controls.
In addition to the preceding APIs, you should add permission to call BatchGetControlEvaluations to your IAM role. This permission is necessary to view the enablement and compliance status of a control, the findings count for a control, and the overall security score for controls on the Security Hub console. Because only the console calls BatchGetControlEvaluations, this IAM permission doesn't directly correspond to publicly documented Security Hub APIs or Amazon CLI commands.
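Because the console-only BatchGetControlEvaluations permission is easy to leave out of a custom policy, the following added check (example code, not part of this page or of Security Hub) compares an IAM policy document against the actions listed above. It assumes the `securityhub:` service prefix for these actions, reproduces IAM's case-insensitive wildcard matching with `fnmatch`, and only evaluates Allow statements; the sample policy is constructed for illustration.

```python
import fnmatch

# Actions this page lists; "securityhub:" is the IAM service prefix for Security Hub.
REQUIRED_CONTROL_ACTIONS = [
    "securityhub:BatchGetSecurityControls",
    "securityhub:ListSecurityControlDefinitions",
    "securityhub:ListStandardsControlAssociations",
    "securityhub:BatchGetStandardsControlAssociations",
    "securityhub:BatchUpdateStandardsControlAssociations",
    "securityhub:DescribeStandardsControls",
    "securityhub:UpdateStandardsControl",
    "securityhub:BatchGetControlEvaluations",  # console-only, but still required
]

def allowed_action_patterns(policy: dict) -> list[str]:
    """Collect the Action patterns of every Allow statement (Deny statements are not evaluated)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def missing_control_actions(policy: dict) -> list[str]:
    """Required actions no Allow statement covers (IAM matching: case-insensitive, '*'/'?' wildcards)."""
    patterns = [p.lower() for p in allowed_action_patterns(policy)]
    return [
        action for action in REQUIRED_CONTROL_ACTIONS
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    ]

# Constructed sample: a custom policy that names most of the documented APIs
# but omits the batch update action and the console-only permission.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["securityhub:BatchGetSecurityControls", "securityhub:List*",
                   "securityhub:BatchGetStandardsControlAssociations",
                   "securityhub:DescribeStandardsControls", "securityhub:UpdateStandardsControl"],
        "Resource": "*",
    }],
}
```

Running `missing_control_actions(SAMPLE_POLICY)` reports the two actions the sample policy lacks; an empty list means the role can reach every action this page names.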
For more information about APIs related to controls and standards, see the Amazon Security Hub API Reference.