Learn R Programming

paws.security.identity (version 0.7.0)

securityhub: AWS SecurityHub

Description

Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps you assess your Amazon Web Services environment against security industry standards and best practices.

Security Hub collects security data across Amazon Web Services accounts, Amazon Web Servicesservices, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

To help you manage the security state of your organization, Security Hub supports multiple security standards. These include the Amazon Web Services Foundational Security Best Practices (FSBP) standard developed by Amazon Web Services, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub runs checks against security controls and generates control findings to help you assess your compliance against security best practices.

In addition to generating control findings, Security Hub also receives findings from other Amazon Web Servicesservices, such as Amazon GuardDuty and Amazon Inspector, and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub findings to other Amazon Web Servicesservices and supported third-party products.

Security Hub offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.

This guide, the Security Hub API Reference, provides information about the Security Hub API. This includes supported resources, HTTP methods, parameters, and schemas. If you're new to Security Hub, you might find it helpful to also review the Security Hub User Guide . The user guide explains key concepts and provides procedures that demonstrate how to use Security Hub features. It also provides information about topics such as integrating Security Hub with other Amazon Web Servicesservices.

In addition to interacting with Security Hub by making calls to the Security Hub API, you can use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to Security Hub and other Amazon Web Servicesservices . They also handle tasks such as signing requests, managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services tools and SDKs, see Tools to Build on Amazon Web Services.

With the exception of operations that are related to central configuration, Security Hub API requests are executed only in the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, call the same API operation in each Region in which you want to apply the change. When you use central configuration, API requests for enabling Security Hub, standards, and controls are executed in the home Region and all linked Regions. For a list of central configuration operations, see the Central configuration terms and concepts section of the Security Hub User Guide.

The following throttling limits apply to Security Hub API operations.

  • batch_enable_standards - RateLimit of 1 request per second. BurstLimit of 1 request per second.

  • get_findings - RateLimit of 3 requests per second. BurstLimit of 6 requests per second.

  • batch_import_findings - RateLimit of 10 requests per second. BurstLimit of 30 requests per second.

  • batch_update_findings - RateLimit of 10 requests per second. BurstLimit of 30 requests per second.

  • update_standards_control - RateLimit of 1 request per second. BurstLimit of 5 requests per second.

  • All other operations - RateLimit of 10 requests per second. BurstLimit of 30 requests per second.

Usage

securityhub(
  config = list(),
  credentials = list(),
  endpoint = NULL,
  region = NULL
)

Value

A client for the service. You can call the service's operations using syntax like svc$operation(...), where svc is the name you've assigned to the client. The available operations are listed in the Operations section.

Arguments

config

Optional configuration of credentials, endpoint, and/or region.

  • credentials:

    • creds:

      • access_key_id: AWS access key ID

      • secret_access_key: AWS secret access key

      • session_token: AWS temporary session token

    • profile: The name of a profile to use. If not given, then the default profile is used.

    • anonymous: Set anonymous credentials.

  • endpoint: The complete URL to use for the constructed client.

  • region: The AWS Region used in instantiating the client.

  • close_connection: Immediately close all HTTP connections.

  • timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

  • s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. http://s3.amazonaws.com/BUCKET/KEY.

  • sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

credentials

Optional credentials shorthand for the config parameter

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

endpoint

Optional shorthand for complete URL to use for the constructed client.

region

Optional shorthand for AWS Region used in instantiating the client.

Service syntax

svc <- securityhub(
  config = list(
    credentials = list(
      creds = list(
        access_key_id = "string",
        secret_access_key = "string",
        session_token = "string"
      ),
      profile = "string",
      anonymous = "logical"
    ),
    endpoint = "string",
    region = "string",
    close_connection = "logical",
    timeout = "numeric",
    s3_force_path_style = "logical",
    sts_regional_endpoint = "string"
  ),
  credentials = list(
    creds = list(
      access_key_id = "string",
      secret_access_key = "string",
      session_token = "string"
    ),
    profile = "string",
    anonymous = "logical"
  ),
  endpoint = "string",
  region = "string"
)

Operations

accept_administrator_invitationAccepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from
accept_invitationThis method is deprecated
batch_delete_automation_rulesDeletes one or more automation rules
batch_disable_standardsDisables the standards specified by the provided StandardsSubscriptionArns
batch_enable_standardsEnables the standards specified by the provided StandardsArn
batch_get_automation_rulesRetrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs)
batch_get_configuration_policy_associationsReturns associations between an Security Hub configuration and a batch of target accounts, organizational units, or the root
batch_get_security_controlsProvides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region
batch_get_standards_control_associationsFor a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard
batch_import_findingsImports security findings generated by a finding provider into Security Hub
batch_update_automation_rulesUpdates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters
batch_update_findingsUsed by Security Hub customers to update information about their investigation into a finding
batch_update_standards_control_associationsFor a batch of security controls and standards, this operation updates the enablement status of a control in a standard
create_action_targetCreates a custom action target in Security Hub
create_automation_ruleCreates an automation rule based on input parameters
create_configuration_policyCreates a configuration policy with the defined configuration
create_finding_aggregatorUsed to enable finding aggregation
create_insightCreates a custom insight in Security Hub
create_membersCreates a member association in Security Hub between the specified accounts and the account used to make the request, which is the administrator account
decline_invitationsDeclines invitations to become a member account
delete_action_targetDeletes a custom action target from Security Hub
delete_configuration_policyDeletes a configuration policy
delete_finding_aggregatorDeletes a finding aggregator
delete_insightDeletes the insight specified by the InsightArn
delete_invitationsDeletes invitations received by the Amazon Web Services account to become a member account
delete_membersDeletes the specified member accounts from Security Hub
describe_action_targetsReturns a list of the custom action targets in Security Hub in your account
describe_hubReturns details about the Hub resource in your account, including the HubArn and the time when you enabled Security Hub
describe_organization_configurationReturns information about the way your organization is configured in Security Hub
describe_productsReturns information about product integrations in Security Hub
describe_standardsReturns a list of the available standards in Security Hub
describe_standards_controlsReturns a list of security standards controls
disable_import_findings_for_productDisables the integration of the specified product with Security Hub
disable_organization_admin_accountDisables a Security Hub administrator account
disable_security_hubDisables Security Hub in your account only in the current Amazon Web Services Region
disassociate_from_administrator_accountDisassociates the current Security Hub member account from the associated administrator account
disassociate_from_master_accountThis method is deprecated
disassociate_membersDisassociates the specified member accounts from the associated administrator account
enable_import_findings_for_productEnables the integration of a partner product with Security Hub
enable_organization_admin_accountDesignates the Security Hub administrator account for an organization
enable_security_hubEnables Security Hub for your account in the current Region or the Region you specify in the request
get_administrator_accountProvides the details for the Security Hub administrator account for the current member account
get_configuration_policyProvides information about a configuration policy
get_configuration_policy_associationReturns the association between a configuration and a target account, organizational unit, or the root
get_enabled_standardsReturns a list of the standards that are currently enabled
get_finding_aggregatorReturns the current finding aggregation configuration
get_finding_historyReturns history for a Security Hub finding in the last 90 days
get_findingsReturns a list of findings that match the specified criteria
get_insight_resultsLists the results of the Security Hub insight specified by the insight ARN
get_insightsLists and describes insights for the specified insight ARNs
get_invitations_countReturns the count of all Security Hub membership invitations that were sent to the current member account, not including the currently accepted invitation
get_master_accountThis method is deprecated
get_membersReturns the details for the Security Hub member accounts for the specified account IDs
get_security_control_definitionRetrieves the definition of a security control
invite_membersInvites other Amazon Web Services accounts to become member accounts for the Security Hub administrator account that the invitation is sent from
list_automation_rulesA list of automation rules and their metadata for the calling account
list_configuration_policiesLists the configuration policies that the Security Hub delegated administrator has created for your organization
list_configuration_policy_associationsProvides information about the associations for your configuration policies and self-managed behavior
list_enabled_products_for_importLists all findings-generating solutions (products) that you are subscribed to receive findings from in Security Hub
list_finding_aggregatorsIf finding aggregation is enabled, then ListFindingAggregators returns the ARN of the finding aggregator
list_invitationsLists all Security Hub membership invitations that were sent to the current Amazon Web Services account
list_membersLists details about all member accounts for the current Security Hub administrator account
list_organization_admin_accountsLists the Security Hub administrator accounts
list_security_control_definitionsLists all of the security controls that apply to a specified standard
list_standards_control_associationsSpecifies whether a control is currently enabled or disabled in each enabled standard in the calling account
list_tags_for_resourceReturns a list of tags associated with a resource
start_configuration_policy_associationAssociates a target account, organizational unit, or the root with a specified configuration
start_configuration_policy_disassociationDisassociates a target account, organizational unit, or the root from a specified configuration
tag_resourceAdds one or more tags to a resource
untag_resourceRemoves one or more tags from a resource
update_action_targetUpdates the name and description of a custom action target in Security Hub
update_configuration_policyUpdates a configuration policy
update_finding_aggregatorUpdates the finding aggregation configuration
update_findingsUpdateFindings is a deprecated operation
update_insightUpdates the Security Hub insight identified by the specified insight ARN
update_organization_configurationUpdates the configuration of your organization in Security Hub
update_security_controlUpdates the properties of a security control
update_security_hub_configurationUpdates configuration options for Security Hub
update_standards_controlUsed to control whether an individual security standard control is enabled or disabled

Examples

Run this code
if (FALSE) {
svc <- securityhub()
# The following example demonstrates how an account can accept an
# invitation from the Security Hub administrator account to be a member
# account. This operation is applicable only to member accounts that are
# not added through AWS Organizations.
svc$accept_administrator_invitation(
  AdministratorId = "123456789012",
  InvitationId = "7ab938c5d52d7904ad09f9e7c20cc4eb"
)
}

Run the code above in your browser using DataLab