View a markdown version of this page

Actions, resources, and condition keys for Amazon Security Hub - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Security Hub

Amazon Security Hub (service prefix: securityhub) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Security Hub

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AcceptAdministratorInvitation

securityhub:AcceptAdministratorInvitation

Write

AcceptInvitation

securityhub:AcceptInvitation

Write

BatchDeleteAutomationRules

securityhub:BatchDeleteAutomationRules

Write

BatchDisableStandards

securityhub:BatchDisableStandards

Write

BatchEnableStandards

securityhub:BatchEnableStandards

Write

BatchGetAutomationRules

securityhub:BatchGetAutomationRules

Read

BatchGetConfigurationPolicyAssociations

securityhub:BatchGetConfigurationPolicyAssociations

Read

BatchGetSecurityControls

securityhub:BatchGetSecurityControls

Read

securityhub:DescribeStandardsControls

Read

BatchGetStandardsControlAssociations

securityhub:BatchGetStandardsControlAssociations

Read

securityhub:DescribeStandardsControls

Read

BatchImportFindings

securityhub:BatchImportFindings

Write

BatchUpdateAutomationRules

securityhub:BatchUpdateAutomationRules

Write

BatchUpdateFindings

securityhub:BatchUpdateFindings

Write

BatchUpdateFindingsV2

securityhub:BatchUpdateFindings

Write

BatchUpdateStandardsControlAssociations

securityhub:BatchUpdateStandardsControlAssociations

Write

securityhub:UpdateStandardsControl

Write

CreateActionTarget

securityhub:CreateActionTarget

Write

CreateAggregatorV2

securityhub:CreateAggregatorV2

Write

securityhub:TagResource

Tagging, Write

CreateAutomationRule

securityhub:CreateAutomationRule

Write

securityhub:TagResource

Tagging, Write

CreateAutomationRuleV2

securityhub:CreateAutomationRuleV2

Write

securityhub:TagResource

Tagging, Write

CreateConfigurationPolicy

securityhub:CreateConfigurationPolicy

Write

securityhub:TagResource

Tagging, Write

CreateConnector

securityhub:CreateConnector

Write

securityhub:TagResource

Tagging, Write

CreateConnectorV2

securityhub:CreateConnectorV2

Write

securityhub:TagResource

Tagging, Write

CreateFindingAggregator

securityhub:CreateFindingAggregator

Write

CreateInsight

securityhub:CreateInsight

Write

CreateMembers

securityhub:CreateMembers

Write

CreateTicketV2

securityhub:CreateTicketV2

Write

DeclineInvitations

securityhub:DeclineInvitations

Write

DeleteActionTarget

securityhub:DeleteActionTarget

Write

DeleteAggregatorV2

securityhub:DeleteAggregatorV2

Write

DeleteAutomationRuleV2

securityhub:DeleteAutomationRuleV2

Write

DeleteConfigurationPolicy

securityhub:DeleteConfigurationPolicy

Write

DeleteConnector

securityhub:DeleteConnector

Write

DeleteConnectorV2

securityhub:DeleteConnectorV2

Write

DeleteFindingAggregator

securityhub:DeleteFindingAggregator

Write

DeleteInsight

securityhub:DeleteInsight

Write

DeleteInvitations

securityhub:DeleteInvitations

Write

DeleteMembers

securityhub:DeleteMembers

Write

DescribeActionTargets

securityhub:DescribeActionTargets

Read

DescribeHub

securityhub:DescribeHub

Read

DescribeOrganizationConfiguration

securityhub:DescribeOrganizationConfiguration

Read

DescribeProducts

securityhub:DescribeProducts

Read

DescribeProductsV2

securityhub:DescribeProductsV2

Read

DescribeSecurityHubV2

securityhub:DescribeSecurityHubV2

Read

DescribeStandards

securityhub:DescribeStandards

Read

DescribeStandardsControls

securityhub:DescribeStandardsControls

Read

DisableImportFindingsForProduct

securityhub:DisableImportFindingsForProduct

Write

DisableOrganizationAdminAccount

securityhub:DisableOrganizationAdminAccount

Write

DisableSecurityHub

securityhub:DisableSecurityHub

Write

DisableSecurityHubFeatureV2

securityhub:DisableSecurityHubFeatureV2

Write

DisableSecurityHubV2

securityhub:DisableSecurityHubV2

Write

DisassociateFromAdministratorAccount

securityhub:DisassociateFromAdministratorAccount

Write

DisassociateFromMasterAccount

securityhub:DisassociateFromMasterAccount

Write

DisassociateMembers

securityhub:DisassociateMembers

Write

EnableImportFindingsForProduct

securityhub:EnableImportFindingsForProduct

Write

EnableOrganizationAdminAccount

securityhub:EnableOrganizationAdminAccount

Write

EnableSecurityHub

securityhub:EnableSecurityHub

Write

securityhub:TagResource

Tagging, Write

EnableSecurityHubFeatureV2

securityhub:EnableSecurityHubFeatureV2

Write

EnableSecurityHubV2

securityhub:EnableSecurityHubV2

Write

securityhub:TagResource

Tagging, Write

GenerateRecommendedPolicyV2

securityhub:GenerateRecommendedPolicyV2

Write

GetAdministratorAccount

securityhub:GetAdministratorAccount

Read

GetAggregatorV2

securityhub:GetAggregatorV2

Read

GetAutomationRuleV2

securityhub:GetAutomationRuleV2

Read

GetConfigurationPolicy

securityhub:GetConfigurationPolicy

Read

GetConfigurationPolicyAssociation

securityhub:GetConfigurationPolicyAssociation

Read

GetConnector

securityhub:GetConnector

Read

GetConnectorV2

securityhub:GetConnectorV2

Read

GetEnabledStandards

securityhub:GetEnabledStandards

List

GetFindingAggregator

securityhub:GetFindingAggregator

Read

GetFindingHistory

securityhub:GetFindingHistory

Read

GetFindingStatisticsV2

securityhub:GetAdhocInsightResults

Read

GetFindings

securityhub:GetFindings

Read

GetFindingsTrendsV2

securityhub:GetFindingsTrendsV2

Read

GetFindingsV2

securityhub:GetFindings

Read

GetInsightResults

securityhub:GetInsightResults

Read

GetInsights

securityhub:GetInsights

List

GetInvitationsCount

securityhub:GetInvitationsCount

Read

GetMasterAccount

securityhub:GetMasterAccount

Read

GetMembers

securityhub:GetMembers

Read

GetRecommendedPolicyV2

securityhub:GetRecommendedPolicyV2

Read

GetResourcesStatisticsV2

securityhub:GetResourcesStatisticsV2

Read

GetResourcesTrendsV2

securityhub:GetResourcesTrendsV2

Read

GetResourcesV2

securityhub:GetResourcesV2

Read

GetSecurityControlDefinition

securityhub:GetSecurityControlDefinition

Read

InviteMembers

securityhub:InviteMembers

Write

ListAggregatorsV2

securityhub:ListAggregatorsV2

List

ListAutomationRules

securityhub:ListAutomationRules

List

ListAutomationRulesV2

securityhub:ListAutomationRulesV2

List

ListConfigurationPolicies

securityhub:ListConfigurationPolicies

List

ListConfigurationPolicyAssociations

securityhub:ListConfigurationPolicyAssociations

List

ListConnectors

securityhub:ListConnectors

List

ListConnectorsV2

securityhub:ListConnectorsV2

List

ListEnabledProductsForImport

securityhub:ListEnabledProductsForImport

List

ListFindingAggregators

securityhub:ListFindingAggregators

List

ListInvitations

securityhub:ListInvitations

List

ListMembers

securityhub:ListMembers

List

ListOrganizationAdminAccounts

securityhub:ListOrganizationAdminAccounts

List

ListSecurityControlDefinitions

securityhub:ListSecurityControlDefinitions

List

ListStandardsControlAssociations

securityhub:DescribeStandardsControls

Read

securityhub:ListStandardsControlAssociations

List

ListTagsForResource

securityhub:ListTagsForResource

Read

StartConfigurationPolicyAssociation

securityhub:StartConfigurationPolicyAssociation

Write

StartConfigurationPolicyDisassociation

securityhub:StartConfigurationPolicyDisassociation

Write

TagResource

securityhub:TagResource

Tagging, Write

UntagResource

securityhub:UntagResource

Tagging, Write

UpdateActionTarget

securityhub:UpdateActionTarget

Write

UpdateAggregatorV2

securityhub:UpdateAggregatorV2

Write

UpdateAutomationRuleV2

securityhub:UpdateAutomationRuleV2

Write

UpdateConfigurationPolicy

securityhub:UpdateConfigurationPolicy

Write

UpdateConnector

securityhub:UpdateConnector

Write

UpdateConnectorV2

securityhub:UpdateConnectorV2

Write

UpdateFindingAggregator

securityhub:UpdateFindingAggregator

Write

UpdateFindings

securityhub:UpdateFindings

Write

UpdateInsight

securityhub:UpdateInsight

Write

UpdateOrganizationConfiguration

securityhub:UpdateOrganizationConfiguration

Write

UpdateSecurityControl

securityhub:UpdateSecurityControl

Write

securityhub:UpdateStandardsControl

Write

UpdateSecurityHubConfiguration

securityhub:UpdateSecurityHubConfiguration

Write

UpdateStandardsControl

securityhub:UpdateStandardsControl

Write

Actions defined by Amazon Security Hub

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AcceptAdministratorInvitation

Grants permission to accept Security Hub invitations to become a member account

hub

aws:ResourceTag/${TagKey}

Write

AcceptInvitation

Grants permission to accept Security Hub invitations to become a member account

hub

aws:ResourceTag/${TagKey}

Write

BatchDeleteAutomationRules

Grants permission to delete one or more automation rules in Security Hub

automation-rule*

aws:ResourceTag/${TagKey}

Write

BatchDisableStandards

Grants permission to disable standards in Security Hub

hub

aws:ResourceTag/${TagKey}

Write

BatchEnableStandards

Grants permission to enable standards in Security Hub

hub

aws:ResourceTag/${TagKey}

Write

BatchGetAutomationRules

Grants permission to retrieve a list of details for automation rules from Security Hub based on rule Amazon Resource Names (ARNs)

automation-rule*

aws:ResourceTag/${TagKey}

Read

BatchGetConfigurationPolicyAssociations

Grants permission to retrieve information about configuration policies associated with a specific list of member accounts and organizational units of the calling account's organization

Read

BatchGetSecurityControls

Grants permission to get details about specific security controls identified by ID or ARN

Read

BatchGetStandardsControlAssociations

Grants permission to get the enablement status of a batch of security controls in standards

Read

BatchImportFindings

Grants permission to import findings into Security Hub from an integrated product

product*

securityhub:TargetAccount

Write

BatchUpdateAutomationRules

Grants permission to update one or more automation rules from Security Hub based on rule Amazon Resource Names (ARNs) and input parameters

automation-rule*

aws:ResourceTag/${TagKey}

Write

BatchUpdateFindings

Grants permission to update customer-controlled fields for a selected set of Security Hub findings

hub

aws:ResourceTag/${TagKey}

securityhub:ASFFSyntaxPath/${ASFFSyntaxPath}

securityhub:OCSFSyntaxPath/${OCSFSyntaxPath}

Write

hubv2

aws:ResourceTag/${TagKey}

securityhub:ASFFSyntaxPath/${ASFFSyntaxPath}

securityhub:OCSFSyntaxPath/${OCSFSyntaxPath}

BatchUpdateStandardsControlAssociations

Grants permission to update the enablement status of a batch of security controls in standards

Write

ConnectorRegistrationsV2

Grants permission to complete the OAuth 2.0 authorization code flow based on input parameters

Write

CreateActionTarget

Grants permission to create custom actions in Security Hub

hub

aws:ResourceTag/${TagKey}

Write

CreateAggregatorV2

Grants permission to create an aggregatorV2, which configures data aggregation across Regions

Write

CreateAutomationRule

Grants permission to create an automation rule based on input parameters

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateAutomationRuleV2

Grants permission to create an automation rule V2 based on input parameters

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateConfigurationPolicy

Grants permission to create a configuration policy to manage organization member settings in Security Hub

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateConnector

Grants permission to create a connector based on input parameters

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateConnectorV2

Grants permission to create a connector V2 based on input parameters

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateFindingAggregator

Grants permission to create a finding aggregator, which contains the cross-Region finding aggregation configuration

Write

CreateInsight

Grants permission to create insights in Security Hub. Insights are collections of related findings

hub

aws:ResourceTag/${TagKey}

Write

CreateMembers

Grants permission to create member accounts in Security Hub

hub

aws:ResourceTag/${TagKey}

Write

CreateTicketV2

Grants permission to create ticket for a selected OCSF finding

connectorv2

aws:ResourceTag/${TagKey}

Write

DeclineInvitations

Grants permission to decline Security Hub invitations to become a member account

hub

aws:ResourceTag/${TagKey}

Write

DeleteActionTarget

Grants permission to delete custom actions in Security Hub

hub

aws:ResourceTag/${TagKey}

Write

DeleteAggregatorV2

Grants permission to delete an aggregatorV2, which configures data aggregation across Regions

aggregatorv2*

aws:ResourceTag/${TagKey}

Write

DeleteAutomationRuleV2

Grants permission to delete an automation rule V2 in Security Hub

automation-rulev2*

aws:ResourceTag/${TagKey}

Write

DeleteConfigurationPolicy

Grants permission to delete an existing configuration policy

configuration-policy*

aws:ResourceTag/${TagKey}

Write

DeleteConnector

Grants permission to delete a connector in Security Hub CSPM

connector*

aws:ResourceTag/${TagKey}

Write

DeleteConnectorV2

Grants permission to delete a connector V2 in Security Hub

connectorv2*

aws:ResourceTag/${TagKey}

Write

DeleteFindingAggregator

Grants permission to delete a finding aggregator, which disables finding aggregation across Regions

finding-aggregator*

Write

DeleteInsight

Grants permission to delete insights from Security Hub

hub

aws:ResourceTag/${TagKey}

Write

DeleteInvitations

Grants permission to delete Security Hub invitations to become a member account

hub

aws:ResourceTag/${TagKey}

Write

DeleteMembers

Grants permission to delete Security Hub member accounts

hub

aws:ResourceTag/${TagKey}

Write

DescribeActionTargets

Grants permission to retrieve a list of custom actions using the API

hub

aws:ResourceTag/${TagKey}

Read

DescribeHub

Grants permission to retrieve information about the hub resource in your account

hub

aws:ResourceTag/${TagKey}

Read

DescribeOrganizationConfiguration

Grants permission to describe the organization configuration for Security Hub

hub

aws:ResourceTag/${TagKey}

Read

DescribeProducts

Grants permission to retrieve information about the available Security Hub product integrations

hub

aws:ResourceTag/${TagKey}

Read

DescribeProductsV2

Grants permission to retrieve information about the available Security Hub V2 product integrations

hubv2

aws:ResourceTag/${TagKey}

Read

DescribeSecurityHubV2

Grants permission to retrieve information about the hub V2 resource in your account

Read

DescribeStandards

Grants permission to retrieve information about Security Hub standards

hub

aws:ResourceTag/${TagKey}

Read

DescribeStandardsControls

Grants permission to retrieve information about Security Hub standards controls

hub

aws:ResourceTag/${TagKey}

Read

DisableImportFindingsForProduct

Grants permission to disable the findings importing for a Security Hub integrated product

hub

aws:ResourceTag/${TagKey}

Write

DisableOrganizationAdminAccount

Grants permission to remove the Security Hub administrator account for your organization

hub

aws:ResourceTag/${TagKey}

Write

DisableSecurityHub

Grants permission to disable Security Hub

hub

aws:ResourceTag/${TagKey}

Write

DisableSecurityHubFeatureV2

Grants permission to disable a Security Hub V2 feature

hubv2*

aws:ResourceTag/${TagKey}

Write

DisableSecurityHubV2

Grants permission to disable Security Hub V2

Write

DisassociateFromAdministratorAccount

Grants permission to a Security Hub member account to disassociate from the associated administrator account

hub

aws:ResourceTag/${TagKey}

Write

DisassociateFromMasterAccount

Grants permission to a Security Hub member account to disassociate from the associated master account

hub

aws:ResourceTag/${TagKey}

Write

DisassociateMembers

Grants permission to disassociate Security Hub member accounts from the associated administrator account

hub

aws:ResourceTag/${TagKey}

Write

EnableImportFindingsForProduct

Grants permission to enable the findings importing for a Security Hub integrated product

hub

aws:ResourceTag/${TagKey}

Write

EnableOrganizationAdminAccount

Grants permission to designate a Security Hub administrator account for your organization

hub

aws:ResourceTag/${TagKey}

Write

EnableSecurityHub

Grants permission to enable Security Hub

hub

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

EnableSecurityHubFeatureV2

Grants permission to enable a Security Hub V2 feature

hubv2*

aws:ResourceTag/${TagKey}

Write

EnableSecurityHubV2

Grants permission to enable Security Hub V2

aws:RequestTag/${TagKey}

aws:TagKeys

Write

GenerateRecommendedPolicyV2

Grants permission to generate policy recommendations for an OCSF finding

hubv2*

aws:ResourceTag/${TagKey}

Write

GetAdministratorAccount

Grants permission to retrieve details about the Security Hub administrator account

hub

aws:ResourceTag/${TagKey}

Read

GetAggregatorV2

Grants permission to retrieve details for an aggregatorV2, which configures data aggregation across Regions

aggregatorv2*

aws:ResourceTag/${TagKey}

Read

GetAutomationRuleV2

Grants permission to retrieve details for an automation rule V2 from Security Hub based on rule Amazon Resource Name (ARN)

automation-rulev2*

aws:ResourceTag/${TagKey}

Read

GetConfigurationPolicy

Grants permission to get a complete overview of one configuration policy created by the calling account

configuration-policy*

aws:ResourceTag/${TagKey}

Read

GetConfigurationPolicyAssociation

Grants permission to retrieve information about a configuration policy associated with a member account or organizational unit of the calling account's organization

Read

GetConnector

Grants permission to retrieve details for a connector from Security Hub CSPM based on connector id

connector*

aws:ResourceTag/${TagKey}

Read

GetConnectorV2

Grants permission to retrieve details for a connector V2 from Security Hub based on connector id

connectorv2*

aws:ResourceTag/${TagKey}

Read

GetEnabledStandards

Grants permission to retrieve a list of the standards that are enabled in Security Hub

hub

aws:ResourceTag/${TagKey}

List

GetFindingAggregator

Grants permission to retrieve details for a finding aggregator, which configures finding aggregation across Regions

finding-aggregator*

Read

GetFindingHistory

Grants permission to retrieve a list of finding history from Security Hub

hub

aws:ResourceTag/${TagKey}

Read

GetFindings

Grants permission to retrieve a list of findings from Security Hub

hub

aws:ResourceTag/${TagKey}

Read

hubv2

aws:ResourceTag/${TagKey}

GetFindingsTrendsV2

Grants permission to retrieve findings trends

hubv2

aws:ResourceTag/${TagKey}

Read

GetInsightResults

Grants permission to retrieve insight results from Security Hub

hub

aws:ResourceTag/${TagKey}

Read

GetInsights

Grants permission to retrieve Security Hub insights

hub

aws:ResourceTag/${TagKey}

List

GetInvitationsCount

Grants permission to retrieve the count of Security Hub membership invitations sent to the account

hub

aws:ResourceTag/${TagKey}

Read

GetMasterAccount

Grants permission to retrieve details about the Security Hub master account

hub

aws:ResourceTag/${TagKey}

Read

GetMembers

Grants permission to retrieve the details of Security Hub member accounts

hub

aws:ResourceTag/${TagKey}

Read

GetRecommendedPolicyV2

Grants permission to retrieve policy recommendations for an OCSF finding

hubv2*

aws:ResourceTag/${TagKey}

Read

GetResourcesStatisticsV2

Grants permission to retrieve aggregate statistics about resources

hubv2

aws:ResourceTag/${TagKey}

Read

GetResourcesTrendsV2

Grants permission to retrieve resources trends

hubv2

aws:ResourceTag/${TagKey}

Read

GetResourcesV2

Grants permission to retrieve a list of resources

hubv2

aws:ResourceTag/${TagKey}

Read

GetSecurityControlDefinition

Grants permission to get the definition details of a specific security control identified by ID

Read

InviteMembers

Grants permission to invite other Amazon accounts to become Security Hub member accounts

hub

aws:ResourceTag/${TagKey}

Write

ListAggregatorsV2

Grants permission to retrieve a list of aggregatorsV2, which configures data aggregation across Regions

List

ListAutomationRules

Grants permission to retrieve a list of automation rules and their metadata for the calling account from Security Hub

List

ListAutomationRulesV2

Grants permission to retrieve a list of automation rules V2 and their metadata for the calling account from Security Hub

List

ListConfigurationPolicies

Grants permission to list the summaries of all configuration policies created by the calling account

List

ListConfigurationPolicyAssociations

Grants permission to retrieve information about all configuration policies associationed with all member accounts and organizational units of the calling account's organization

List

ListConnectors

Grants permission to retrieve a list of connectors and their metadata for the calling account from Security Hub CSPM

List

ListConnectorsV2

Grants permission to retrieve a list of connectors V2 and their metadata for the calling account from Security Hub

List

ListEnabledProductsForImport

Grants permission to retrieve the Security Hub integrated products that are currently enabled

hub

aws:ResourceTag/${TagKey}

List

ListFindingAggregators

Grants permission to retrieve a list of finding aggregators, which contain the cross-Region finding aggregation configuration

List

ListInvitations

Grants permission to retrieve the Security Hub invitations sent to the account

hub

aws:ResourceTag/${TagKey}

List

ListMembers

Grants permission to retrieve details about Security Hub member accounts associated with the administrator account

hub

aws:ResourceTag/${TagKey}

List

ListOrganizationAdminAccounts

Grants permission to list the Security Hub administrator accounts for your organization

hub

aws:ResourceTag/${TagKey}

List

ListSecurityControlDefinitions

Grants permission to retrieve a list of security control definitions, which contain details for security controls in the current region

List

ListStandardsControlAssociations

Grants permission to list the enablement status of a security control in standards

List

ListTagsForResource

Grants permission to list of tags associated with a resource

automation-rule

aws:ResourceTag/${TagKey}

Read

configuration-policy

aws:ResourceTag/${TagKey}

hub

aws:ResourceTag/${TagKey}

StartConfigurationPolicyAssociation

Grants permission to associate a configuration policy with a member account or organizational unit in the calling account's organization

hub

aws:ResourceTag/${TagKey}

Write

StartConfigurationPolicyDisassociation

Grants permission to remove a configuration policy association from a member account or organizational unit in the calling account's organization

hub

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to add tags to a Security Hub resource

aggregatorv2

aws:ResourceTag/${TagKey}

Tagging, Write

automation-rule

aws:ResourceTag/${TagKey}

automation-rulev2

aws:ResourceTag/${TagKey}

configuration-policy

aws:ResourceTag/${TagKey}

connector

aws:ResourceTag/${TagKey}

connectorv2

aws:ResourceTag/${TagKey}

hub

aws:ResourceTag/${TagKey}

hubv2

aws:ResourceTag/${TagKey}

UntagResource

Grants permission to remove tags from a Security Hub resource

aggregatorv2

aws:ResourceTag/${TagKey}

Tagging, Write

automation-rule

aws:ResourceTag/${TagKey}

automation-rulev2

aws:ResourceTag/${TagKey}

configuration-policy

aws:ResourceTag/${TagKey}

connector

aws:ResourceTag/${TagKey}

connectorv2

aws:ResourceTag/${TagKey}

hub

aws:ResourceTag/${TagKey}

hubv2

aws:ResourceTag/${TagKey}

UpdateActionTarget

Grants permission to update custom actions in Security Hub

hub

aws:ResourceTag/${TagKey}

Write

UpdateAggregatorV2

Grants permission to update an aggregatorV2, which configures data aggregation across Regions

aggregatorv2*

aws:ResourceTag/${TagKey}

Write

UpdateAutomationRuleV2

Grants permission to update an automation rule V2 in Security Hub based on rule Amazon Resource Name (ARN) and input parameters

automation-rulev2*

aws:ResourceTag/${TagKey}

Write

UpdateConfigurationPolicy

Grants permission to update an existing configuration policy

configuration-policy*

aws:ResourceTag/${TagKey}

Write

UpdateConnector

Grants permission to update a connector in Security Hub CSPM based on connector id and input parameters

connector*

aws:ResourceTag/${TagKey}

Write

UpdateConnectorV2

Grants permission to update a connector V2 in Security Hub based on connector id and input parameters

connectorv2*

aws:ResourceTag/${TagKey}

Write

UpdateFindingAggregator

Grants permission to update a finding aggregator, which contains the cross-Region finding aggregation configuration

finding-aggregator*

Write

UpdateFindings

Grants permission to update Security Hub findings

hub

aws:ResourceTag/${TagKey}

Write

UpdateInsight

Grants permission to update insights in Security Hub

hub

aws:ResourceTag/${TagKey}

Write

UpdateOrganizationConfiguration

Grants permission to update the organization configuration for Security Hub

hub

aws:ResourceTag/${TagKey}

Write

UpdateSecurityControl

Grants permission to update properties of a specific security control identified by ID or ARN

Write

UpdateSecurityHubConfiguration

Grants permission to update Security Hub configuration

hub

aws:ResourceTag/${TagKey}

Write

UpdateStandardsControl

Grants permission to update Security Hub standards controls

hub

aws:ResourceTag/${TagKey}

Write

Permission-only actions for Amazon Security Hub

The following actions are defined by Amazon Security Hub but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

AllowVendedLogDeliveryForResource

Grants permission to log delivery for resources

hub

aws:ResourceTag/${TagKey}

Permissions management, Write

hubv2

aws:ResourceTag/${TagKey}

BatchGetControlEvaluations

Grants permission to get the enablement and compliance status of controls, the findings count for controls, and the overall security score for controls on the Security Hub console

hub

aws:ResourceTag/${TagKey}

Read

GetAdhocInsightResults

Grants permission to retrieve aggregated statistical data about the findings

hub

aws:ResourceTag/${TagKey}

Read

hubv2

aws:ResourceTag/${TagKey}

GetControlFindingSummary

Grants permission to retrieve a security score and counts of finding and control statuses for a security standard

hub

aws:ResourceTag/${TagKey}

Read

GetFreeTrialEndDate

Grants permission to retrieve the end date for an account's free trial of Security Hub

hub

aws:ResourceTag/${TagKey}

Read

GetFreeTrialUsage

Grants permission to retrieve information about Security Hub usage during the free trial period

hub

aws:ResourceTag/${TagKey}

Read

GetInsightFindingTrend

Grants permission to retrieve an insight finding trend from Security Hub in order to generate a graph

hub

aws:ResourceTag/${TagKey}

Read

GetUsage

Grants permission to retrieve information about Security Hub usage by accounts

hub

aws:ResourceTag/${TagKey}

Read

GetUsageV2

Grants permission to retrieve information about Security Hub usage for an account

hubv2*

aws:ResourceTag/${TagKey}

Read

ListAccountUsageV2

Grants permission to retrieve a list of Security Hub usage for accounts in an organization

hubv2*

aws:ResourceTag/${TagKey}

List

ListControlEvaluationSummaries

Grants permission to retrieve a list of controls for a standard, including the control IDs, statuses and finding counts

hub

aws:ResourceTag/${TagKey}

Read

SendFindingEvents

Grants permission to use a custom action to send Security Hub findings to Amazon EventBridge

hub

aws:ResourceTag/${TagKey}

Read

SendInsightEvents

Grants permission to use a custom action to send Security Hub insights to Amazon EventBridge

hub

aws:ResourceTag/${TagKey}

Read

Resource types defined by Amazon Security Hub

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

aggregatorv2

arn:${Partition}:securityhub:${Region}:${Account}:aggregatorv2/${AggregatorV2Id}

aws:ResourceTag/${TagKey}

automation-rule

arn:${Partition}:securityhub:${Region}:${Account}:automation-rule/${AutomationRuleId}

aws:ResourceTag/${TagKey}

automation-rulev2

arn:${Partition}:securityhub:${Region}:${Account}:automation-rulev2/${AutomationRuleV2Id}

aws:ResourceTag/${TagKey}

configuration-policy

arn:${Partition}:securityhub:${Region}:${Account}:configuration-policy/${ConfigurationPolicyId}

aws:ResourceTag/${TagKey}

connector

arn:${Partition}:securityhub:${Region}:${Account}:connector/${ConnectorId}

aws:ResourceTag/${TagKey}

connectorv2

arn:${Partition}:securityhub:${Region}:${Account}:connectorv2/${ConnectorV2Id}

aws:ResourceTag/${TagKey}

finding-aggregator

arn:${Partition}:securityhub:${Region}:${Account}:finding-aggregator/${FindingAggregatorId}

hub

arn:${Partition}:securityhub:${Region}:${Account}:hub/default

aws:ResourceTag/${TagKey}

hubv2

arn:${Partition}:securityhub:${Region}:${Account}:hubv2/${HubV2Id}

aws:ResourceTag/${TagKey}

product

arn:${Partition}:securityhub:${Region}:${Account}:product/${Company}/${ProductId}

Condition keys for Amazon Security Hub

Amazon Security Hub defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by actions based on the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters access by actions based on tag key-value pairs attached to the resource

String

aws:TagKeys

Filters access by actions based on the presence of tag keys in the request

ArrayOfString

securityhub:ASFFSyntaxPath/${ASFFSyntaxPath}

Filters access by the specified fields and values in the request

String

securityhub:OCSFSyntaxPath/${OCSFSyntaxPath}

Filters access by the specified fields and values in the request

String

securityhub:TargetAccount

Filters access by the AwsAccountId field that is specified in the request

String