AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Security Hub

AWS Security Hub (service prefix: securityhub) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Security Hub

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AcceptInvitation | Accepts the invitation to be monitored by a master Security Hub account. | Write | | | |
| BatchDisableStandards | Disables the standards specified by the standards subscription ARNs. | Write | standards-subscription* | | |
| BatchEnableStandards | Enables the standards specified by the standards ARNs. | Write | standard* | | |
| BatchImportFindings | Imports security findings that are generated by the integrated third-party products into Security Hub. | Write | | securityhub:TargetAccount | |
| CreateInsight | Creates an insight, which is a collection of related findings defined by an aggregation statement and optional filters. | Write | | | |
| CreateMembers | Creates member Security Hub accounts in the current AWS account (which becomes the master Security Hub account) that has Security Hub enabled. | Write | | | |
| DeclineInvitations | Declines invitations that are sent to this AWS account (invitee) by the AWS accounts (inviters) that are specified by the account IDs. | Write | | | |
| DeleteInsight | Deletes an insight that is specified by the insight ARN. | Write | insight* | | |
| DeleteInvitations | Deletes invitations that are sent to this AWS account (invitee) by the AWS accounts (inviters) that are specified by their account IDs. | Write | | | |
| DeleteMembers | Deletes the Security Hub member accounts that are specified by the account IDs. | Write | | | |
| DisableImportFindingsForProduct | Disables the import of findings generated by the integrated third-party providers into Security Hub. | Write | product* | | |
| DisableSecurityHub | Disables the AWS Security Hub service. | Write | | | |
| DisassociateFromMasterAccount | Disassociates the current Security Hub member account from its master account. | Write | | | |
| DisassociateMembers | Disassociates the Security Hub member accounts that are specified by the account IDs from their master account. | Write | | | |
| EnableImportFindingsForProduct | Enables the import of findings generated by the integrated third-party providers into Security Hub. | Write | product* | | |
| EnableSecurityHub | Enables the AWS Security Hub service. | Write | | | |
| GetEnabledStandards | Lists and describes enabled standards. | List | | | |
| GetFindings | Lists and describes Security Hub-aggregated findings that are specified by filter attributes. | Read | | | |
| GetInsightResults | Lists the results of the Security Hub insight specified by the insight ARN. | Read | insight* | | |
| GetInsights | Lists and describes insights that are specified by insight ARNs. | List | insight* | | |
| GetInvitationsCount | Returns the count of all Security Hub membership invitations that were sent to the current member account, not including the currently accepted invitation. | Read | | | |
| GetMasterAccount | Provides the details for the Security Hub master account to the current member account. | Read | | | |
| GetMembers | Returns the details on the Security Hub member accounts that are specified by the account IDs. | Read | | | |
| InviteMembers | Invites other AWS accounts to enable Security Hub and become Security Hub member accounts. When an account accepts the invitation and becomes a member account, the master account can view and manage the Security Hub findings of the member account. | Write | | | |
| ListEnabledProductsForImport | Lists all Security Hub integrated third-party findings providers. | List | | | |
| ListInvitations | Lists all Security Hub membership invitations that were sent to the current AWS account. | List | | | |
| ListMembers | Lists details about all member accounts for the current Security Hub master account. | List | | | |
| UpdateFindings | Updates the AWS Security Hub-aggregated findings specified by the filter attributes. | Write | | | |
| UpdateInsight | Updates the AWS Security Hub insight specified by the insight ARN. | Write | insight* | | |

Resources Defined by SecurityHub

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| insight | arn:${Partition}:securityhub:${Region}:${Account}:insight/${CompanyId}/${ProductId}/${UniqueId} | |
| standard | arn:${Partition}:securityhub:::ruleset/${StandardsName}/v/${StandardsVersion} | |
| standards-subscription | arn:${Partition}:securityhub:${Region}:${Account}:subscription/${StandardsName}/v/${StandardsVersion} | |
| product-subscription | arn:${Partition}:securityhub:${Region}:${Account}:product-subscription/${Company}/${ProductId} | |
| product | arn:${Partition}:securityhub:${Region}:${Account}:product/${Company}/${ProductId} | |

Condition Keys for AWS Security Hub

AWS Security Hub defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
|---|---|---|
| securityhub:TargetAccount | The ID of the AWS account into which you want to import findings. In the AWS Security Finding format, this field is called AwsAccountId. | String |
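As an added example that is not part of the AWS documentation page, the identity-based policy below ties the three tables together: it allows BatchImportFindings only when securityhub:TargetAccount matches the policy owner's own account (so an integration with this policy cannot write findings into any other account), scopes the two insight read actions to a single insight ARN built from the insight resource format, and explicitly denies the two Disable actions so the service and its product integrations stay on. The account ID 111122223333, the region us-east-1, and the EXAMPLE-COMPANY/EXAMPLE-PRODUCT insight path segments are placeholders, not real values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ImportFindingsOnlyIntoOwnAccount",
      "Effect": "Allow",
      "Action": "securityhub:BatchImportFindings",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "securityhub:TargetAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "ReadOnlyOnOneInsight",
      "Effect": "Allow",
      "Action": [
        "securityhub:GetInsights",
        "securityhub:GetInsightResults"
      ],
      "Resource": "arn:aws:securityhub:us-east-1:111122223333:insight/EXAMPLE-COMPANY/EXAMPLE-PRODUCT/*"
    },
    {
      "Sid": "NeverDisableSecurityHubOrProductImports",
      "Effect": "Deny",
      "Action": [
        "securityhub:DisableSecurityHub",
        "securityhub:DisableImportFindingsForProduct"
      ],
      "Resource": "*"
    }
  ]
}
```

Because BatchImportFindings lists no resource type in the Actions table, its Resource element must be "*"; the condition key, not the ARN, is what narrows it.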