Class: Aws::SecurityHub::Client

Inherits:
Seahorse::Client::Base show all
Includes:
ClientStubs
Defined in:
gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb

Overview

An API client for SecurityHub. To construct a client, you need to configure a :region and :credentials.

client = Aws::SecurityHub::Client.new(
  region: region_name,
  credentials: credentials,
  # ...
)

For details on configuring region and credentials see the developer guide.

See #initialize for a full list of supported configuration options.

Instance Attribute Summary

Attributes inherited from Seahorse::Client::Base

#config, #handlers

API Operations collapse

Instance Method Summary collapse

Methods included from ClientStubs

#api_requests, #stub_data, #stub_responses

Methods inherited from Seahorse::Client::Base

add_plugin, api, clear_plugins, define, new, #operation_names, plugins, remove_plugin, set_api, set_plugins

Methods included from Seahorse::Client::HandlerBuilder

#handle, #handle_request, #handle_response

Constructor Details

#initialize(options) ⇒ Client

Returns a new instance of Client.

Parameters:

  • options (Hash)

Options Hash (options):

  • :plugins (Array<Seahorse::Client::Plugin>) — default: []]

    A list of plugins to apply to the client. Each plugin is either a class name or an instance of a plugin class.

  • :credentials (required, Aws::CredentialProvider)

    Your AWS credentials. This can be an instance of any one of the following classes:

    • Aws::Credentials - Used for configuring static, non-refreshing credentials.

    • Aws::SharedCredentials - Used for loading static credentials from a shared file, such as ~/.aws/config.

    • Aws::AssumeRoleCredentials - Used when you need to assume a role.

    • Aws::AssumeRoleWebIdentityCredentials - Used when you need to assume a role after providing credentials via the web.

    • Aws::SSOCredentials - Used for loading credentials from AWS SSO using an access token generated from aws login.

    • Aws::ProcessCredentials - Used for loading credentials from a process that outputs to stdout.

    • Aws::InstanceProfileCredentials - Used for loading credentials from an EC2 IMDS on an EC2 instance.

    • Aws::ECSCredentials - Used for loading credentials from instances running in ECS.

    • Aws::CognitoIdentityCredentials - Used for loading credentials from the Cognito Identity service.

    When :credentials are not configured directly, the following locations will be searched for credentials:

    • Aws.config[:credentials]
    • The :access_key_id, :secret_access_key, :session_token, and :account_id options.
    • ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'], ENV['AWS_SESSION_TOKEN'], and ENV['AWS_ACCOUNT_ID']
    • ~/.aws/credentials
    • ~/.aws/config
    • EC2/ECS IMDS instance profile - When used by default, the timeouts are very aggressive. Construct and pass an instance of Aws::InstanceProfileCredentials or Aws::ECSCredentials to enable retries and extended timeouts. Instance profile credential fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED'] to true.
  • :region (required, String)

    The AWS region to connect to. The configured :region is used to determine the service :endpoint. When not passed, a default :region is searched for in the following locations:

    • Aws.config[:region]
    • ENV['AWS_REGION']
    • ENV['AMAZON_REGION']
    • ENV['AWS_DEFAULT_REGION']
    • ~/.aws/credentials
    • ~/.aws/config
  • :access_key_id (String)
  • :account_id (String)
  • :active_endpoint_cache (Boolean) — default: false

    When set to true, a thread polling for endpoints will be running in the background every 60 secs (default). Defaults to false.

  • :adaptive_retry_wait_to_fill (Boolean) — default: true

    Used only in adaptive retry mode. When true, the request will sleep until there is sufficent client side capacity to retry the request. When false, the request will raise a RetryCapacityNotAvailableError and will not retry instead of sleeping.

  • :client_side_monitoring (Boolean) — default: false

    When true, client-side metrics will be collected for all API requests from this client.

  • :client_side_monitoring_client_id (String) — default: ""

    Allows you to provide an identifier for this client which will be attached to all generated client side metrics. Defaults to an empty string.

  • :client_side_monitoring_host (String) — default: "127.0.0.1"

    Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client side monitoring agent is running on, where client metrics will be published via UDP.

  • :client_side_monitoring_port (Integer) — default: 31000

    Required for publishing client metrics. The port that the client side monitoring agent is running on, where client metrics will be published via UDP.

  • :client_side_monitoring_publisher (Aws::ClientSideMonitoring::Publisher) — default: Aws::ClientSideMonitoring::Publisher

    Allows you to provide a custom client-side monitoring publisher class. By default, will use the Client Side Monitoring Agent Publisher.

  • :convert_params (Boolean) — default: true

    When true, an attempt is made to coerce request parameters into the required types.

  • :correct_clock_skew (Boolean) — default: true

    Used only in standard and adaptive retry modes. Specifies whether to apply a clock skew correction and retry requests with skewed client clocks.

  • :defaults_mode (String) — default: "legacy"

    See DefaultsModeConfiguration for a list of the accepted modes and the configuration defaults that are included.

  • :disable_host_prefix_injection (Boolean) — default: false

    Set to true to disable SDK automatically adding host prefix to default service endpoint when available.

  • :disable_request_compression (Boolean) — default: false

    When set to 'true' the request body will not be compressed for supported operations.

  • :endpoint (String, URI::HTTPS, URI::HTTP)

    Normally you should not configure the :endpoint option directly. This is normally constructed from the :region option. Configuring :endpoint is normally reserved for connecting to test or custom endpoints. The endpoint should be a URI formatted like:

    'http://example.com'
    'https://example.com'
    'http://example.com:123'
    
  • :endpoint_cache_max_entries (Integer) — default: 1000

    Used for the maximum size limit of the LRU cache storing endpoints data for endpoint discovery enabled operations. Defaults to 1000.

  • :endpoint_cache_max_threads (Integer) — default: 10

    Used for the maximum threads in use for polling endpoints to be cached, defaults to 10.

  • :endpoint_cache_poll_interval (Integer) — default: 60

    When :endpoint_discovery and :active_endpoint_cache is enabled, Use this option to config the time interval in seconds for making requests fetching endpoints information. Defaults to 60 sec.

  • :endpoint_discovery (Boolean) — default: false

    When set to true, endpoint discovery will be enabled for operations when available.

  • :ignore_configured_endpoint_urls (Boolean)

    Setting to true disables use of endpoint URLs provided via environment variables and the shared configuration file.

  • :log_formatter (Aws::Log::Formatter) — default: Aws::Log::Formatter.default

    The log formatter.

  • :log_level (Symbol) — default: :info

    The log level to send messages to the :logger at.

  • :logger (Logger)

    The Logger instance to send log messages to. If this option is not set, logging will be disabled.

  • :max_attempts (Integer) — default: 3

    An integer representing the maximum number attempts that will be made for a single request, including the initial attempt. For example, setting this value to 5 will result in a request being retried up to 4 times. Used in standard and adaptive retry modes.

  • :profile (String) — default: "default"

    Used when loading credentials from the shared credentials file at HOME/.aws/credentials. When not specified, 'default' is used.

  • :request_min_compression_size_bytes (Integer) — default: 10240

    The minimum size in bytes that triggers compression for request bodies. The value must be non-negative integer value between 0 and 10485780 bytes inclusive.

  • :retry_backoff (Proc)

    A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay. This option is only used in the legacy retry mode.

  • :retry_base_delay (Float) — default: 0.3

    The base delay in seconds used by the default backoff function. This option is only used in the legacy retry mode.

  • :retry_jitter (Symbol) — default: :none

    A delay randomiser function used by the default backoff function. Some predefined functions can be referenced by name - :none, :equal, :full, otherwise a Proc that takes and returns a number. This option is only used in the legacy retry mode.

    @see https://www.awsarchitectureblog.com/2015/03/backoff.html

  • :retry_limit (Integer) — default: 3

    The maximum number of times to retry failed requests. Only ~ 500 level server errors and certain ~ 400 level client errors are retried. Generally, these are throttling errors, data checksum errors, networking errors, timeout errors, auth errors, endpoint discovery, and errors from expired credentials. This option is only used in the legacy retry mode.

  • :retry_max_delay (Integer) — default: 0

    The maximum number of seconds to delay between retries (0 for no limit) used by the default backoff function. This option is only used in the legacy retry mode.

  • :retry_mode (String) — default: "legacy"

    Specifies which retry algorithm to use. Values are:

    • legacy - The pre-existing retry behavior. This is default value if no retry mode is provided.

    • standard - A standardized set of retry rules across the AWS SDKs. This includes support for retry quotas, which limit the number of unsuccessful retries a client can make.

    • adaptive - An experimental retry mode that includes all the functionality of standard mode along with automatic client side throttling. This is a provisional mode that may change behavior in the future.

  • :sdk_ua_app_id (String)

    A unique and opaque application ID that is appended to the User-Agent header as app/sdk_ua_app_id. It should have a maximum length of 50. This variable is sourced from environment variable AWS_SDK_UA_APP_ID or the shared config profile attribute sdk_ua_app_id.

  • :secret_access_key (String)
  • :session_token (String)
  • :sigv4a_signing_region_set (Array)

    A list of regions that should be signed with SigV4a signing. When not passed, a default :sigv4a_signing_region_set is searched for in the following locations:

    • Aws.config[:sigv4a_signing_region_set]
    • ENV['AWS_SIGV4A_SIGNING_REGION_SET']
    • ~/.aws/config
  • :stub_responses (Boolean) — default: false

    Causes the client to return stubbed responses. By default fake responses are generated and returned. You can specify the response data to return or errors to raise by calling ClientStubs#stub_responses. See ClientStubs for more information.

    Please note When response stubbing is enabled, no HTTP requests are made, and retries are disabled.

  • :telemetry_provider (Aws::Telemetry::TelemetryProviderBase) — default: Aws::Telemetry::NoOpTelemetryProvider

    Allows you to provide a telemetry provider, which is used to emit telemetry data. By default, uses NoOpTelemetryProvider which will not record or emit any telemetry data. The SDK supports the following telemetry providers:

    • OpenTelemetry (OTel) - To use the OTel provider, install and require the opentelemetry-sdk gem and then, pass in an instance of a Aws::Telemetry::OTelProvider for telemetry provider.
  • :token_provider (Aws::TokenProvider)

    A Bearer Token Provider. This can be an instance of any one of the following classes:

    • Aws::StaticTokenProvider - Used for configuring static, non-refreshing tokens.

    • Aws::SSOTokenProvider - Used for loading tokens from AWS SSO using an access token generated from aws login.

    When :token_provider is not configured directly, the Aws::TokenProviderChain will be used to search for tokens configured for your profile in shared configuration files.

  • :use_dualstack_endpoint (Boolean)

    When set to true, dualstack enabled endpoints (with .aws TLD) will be used if available.

  • :use_fips_endpoint (Boolean)

    When set to true, fips compatible endpoints will be used if available. When a fips region is used, the region is normalized and this config is set to true.

  • :validate_params (Boolean) — default: true

    When true, request parameters are validated before sending the request.

  • :endpoint_provider (Aws::SecurityHub::EndpointProvider)

    The endpoint provider used to resolve endpoints. Any object that responds to #resolve_endpoint(parameters) where parameters is a Struct similar to Aws::SecurityHub::EndpointParameters.

  • :http_continue_timeout (Float) — default: 1

    The number of seconds to wait for a 100-continue response before sending the request body. This option has no effect unless the request has "Expect" header set to "100-continue". Defaults to nil which disables this behaviour. This value can safely be set per request on the session.

  • :http_idle_timeout (Float) — default: 5

    The number of seconds a connection is allowed to sit idle before it is considered stale. Stale connections are closed and removed from the pool before making a request.

  • :http_open_timeout (Float) — default: 15

    The default number of seconds to wait for response data. This value can safely be set per-request on the session.

  • :http_proxy (URI::HTTP, String)

    A proxy to send requests through. Formatted like 'http://proxy.com:123'.

  • :http_read_timeout (Float) — default: 60

    The default number of seconds to wait for response data. This value can safely be set per-request on the session.

  • :http_wire_trace (Boolean) — default: false

    When true, HTTP debug output will be sent to the :logger.

  • :on_chunk_received (Proc)

    When a Proc object is provided, it will be used as callback when each chunk of the response body is received. It provides three arguments: the chunk, the number of bytes received, and the total number of bytes in the response (or nil if the server did not send a content-length).

  • :on_chunk_sent (Proc)

    When a Proc object is provided, it will be used as callback when each chunk of the request body is sent. It provides three arguments: the chunk, the number of bytes read from the body, and the total number of bytes in the body.

  • :raise_response_errors (Boolean) — default: true

    When true, response errors are raised.

  • :ssl_ca_bundle (String)

    Full path to the SSL certificate authority bundle file that should be used when verifying peer certificates. If you do not pass :ssl_ca_bundle or :ssl_ca_directory the the system default will be used if available.

  • :ssl_ca_directory (String)

    Full path of the directory that contains the unbundled SSL certificate authority files for verifying peer certificates. If you do not pass :ssl_ca_bundle or :ssl_ca_directory the the system default will be used if available.

  • :ssl_ca_store (String)

    Sets the X509::Store to verify peer certificate.

  • :ssl_cert (OpenSSL::X509::Certificate)

    Sets a client certificate when creating http connections.

  • :ssl_key (OpenSSL::PKey)

    Sets a client key when creating http connections.

  • :ssl_timeout (Float)

    Sets the SSL timeout in seconds

  • :ssl_verify_peer (Boolean) — default: true

    When true, SSL peer certificates are verified when establishing a connection.



444
445
446
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 444

def initialize(*args)
  super
end

Instance Method Details

#accept_administrator_invitation(params = {}) ⇒ Struct

We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.

Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from.

This operation is only used by member accounts that are not added through Organizations.

When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account.

Examples:

Example: To accept an invitation be a member account


# The following example demonstrates how an account can accept an invitation from the Security Hub administrator account
# to be a member account. This operation is applicable only to member accounts that are not added through AWS
# Organizations.

resp = client.accept_administrator_invitation({
  administrator_id: "123456789012", 
  invitation_id: "7ab938c5d52d7904ad09f9e7c20cc4eb", 
})

Request syntax with placeholder values


resp = client.accept_administrator_invitation({
  administrator_id: "NonEmptyString", # required
  invitation_id: "NonEmptyString", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :administrator_id (required, String)

    The account ID of the Security Hub administrator account that sent the invitation.

  • :invitation_id (required, String)

    The identifier of the invitation sent from the Security Hub administrator account.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



504
505
506
507
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 504

def accept_administrator_invitation(params = {}, options = {})
  req = build_request(:accept_administrator_invitation, params)
  req.send_request(options)
end

#accept_invitation(params = {}) ⇒ Struct

This method is deprecated. Instead, use AcceptAdministratorInvitation.

The Security Hub console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation.

Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from.

This operation is only used by member accounts that are not added through Organizations.

When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account.

Examples:

Request syntax with placeholder values


resp = client.accept_invitation({
  master_id: "NonEmptyString", # required
  invitation_id: "NonEmptyString", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :master_id (required, String)

    The account ID of the Security Hub administrator account that sent the invitation.

  • :invitation_id (required, String)

    The identifier of the invitation sent from the Security Hub administrator account.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



551
552
553
554
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 551

def accept_invitation(params = {}, options = {})
  req = build_request(:accept_invitation, params)
  req.send_request(options)
end

#batch_delete_automation_rules(params = {}) ⇒ Types::BatchDeleteAutomationRulesResponse

Deletes one or more automation rules.

Examples:

Example: To delete one or more automation rules


# The following example deletes the specified automation rules.

resp = client.batch_delete_automation_rules({
  automation_rules_arns: [
    "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
    "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", 
  ], 
})

resp.to_h outputs the following:
{
  processed_automation_rules: [
    "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
  ], 
  unprocessed_automation_rules: [
    {
      error_code: 500, 
      error_message: "InternalException", 
      rule_arn: "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_delete_automation_rules({
  automation_rules_arns: ["NonEmptyString"], # required
})

Response structure


resp.processed_automation_rules #=> Array
resp.processed_automation_rules[0] #=> String
resp.unprocessed_automation_rules #=> Array
resp.unprocessed_automation_rules[0].rule_arn #=> String
resp.unprocessed_automation_rules[0].error_code #=> Integer
resp.unprocessed_automation_rules[0].error_message #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :automation_rules_arns (required, Array<String>)

    A list of Amazon Resource Names (ARNs) for the rules that are to be deleted.

Returns:

See Also:



612
613
614
615
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 612

def batch_delete_automation_rules(params = {}, options = {})
  req = build_request(:batch_delete_automation_rules, params)
  req.send_request(options)
end

#batch_disable_standards(params = {}) ⇒ Types::BatchDisableStandardsResponse

Disables the standards specified by the provided StandardsSubscriptionArns.

For more information, see Security Standards section of the Security Hub User Guide.

Examples:

Example: To disable one or more security standards


# The following example disables a security standard in Security Hub.

resp = client.batch_disable_standards({
  standards_subscription_arns: [
    "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1", 
  ], 
})

resp.to_h outputs the following:
{
  standards_subscriptions: [
    {
      standards_arn: "arn:aws:securityhub:eu-central-1::standards/pci-dss/v/3.2.1", 
      standards_input: {
      }, 
      standards_status: "DELETING", 
      standards_subscription_arn: "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_disable_standards({
  standards_subscription_arns: ["NonEmptyString"], # required
})

Response structure


resp.standards_subscriptions #=> Array
resp.standards_subscriptions[0].standards_subscription_arn #=> String
resp.standards_subscriptions[0].standards_arn #=> String
resp.standards_subscriptions[0].standards_input #=> Hash
resp.standards_subscriptions[0].standards_input["NonEmptyString"] #=> String
resp.standards_subscriptions[0].standards_status #=> String, one of "PENDING", "READY", "FAILED", "DELETING", "INCOMPLETE"
resp.standards_subscriptions[0].standards_status_reason.status_reason_code #=> String, one of "NO_AVAILABLE_CONFIGURATION_RECORDER", "INTERNAL_ERROR"

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :standards_subscription_arns (required, Array<String>)

    The ARNs of the standards subscriptions to disable.

Returns:

See Also:



678
679
680
681
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 678

def batch_disable_standards(params = {}, options = {})
  req = build_request(:batch_disable_standards, params)
  req.send_request(options)
end

#batch_enable_standards(params = {}) ⇒ Types::BatchEnableStandardsResponse

Enables the standards specified by the provided StandardsArn. To obtain the ARN for a standard, use the DescribeStandards operation.

For more information, see the Security Standards section of the Security Hub User Guide.

Examples:

Example: To enable security standards


# The following example enables the security standard specified by the StandardArn. You can use this operation to enable
# one or more Security Hub standards.

resp = client.batch_enable_standards({
  standards_subscription_requests: [
    {
      standards_arn: "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", 
    }, 
  ], 
})

resp.to_h outputs the following:
{
  standards_subscriptions: [
    {
      standards_arn: "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", 
      standards_input: {
      }, 
      standards_status: "PENDING", 
      standards_subscription_arn: "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_enable_standards({
  standards_subscription_requests: [ # required
    {
      standards_arn: "NonEmptyString", # required
      standards_input: {
        "NonEmptyString" => "NonEmptyString",
      },
    },
  ],
})

Response structure


resp.standards_subscriptions #=> Array
resp.standards_subscriptions[0].standards_subscription_arn #=> String
resp.standards_subscriptions[0].standards_arn #=> String
resp.standards_subscriptions[0].standards_input #=> Hash
resp.standards_subscriptions[0].standards_input["NonEmptyString"] #=> String
resp.standards_subscriptions[0].standards_status #=> String, one of "PENDING", "READY", "FAILED", "DELETING", "INCOMPLETE"
resp.standards_subscriptions[0].standards_status_reason.status_reason_code #=> String, one of "NO_AVAILABLE_CONFIGURATION_RECORDER", "INTERNAL_ERROR"

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

Returns:

See Also:



754
755
756
757
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 754

def batch_enable_standards(params = {}, options = {})
  req = build_request(:batch_enable_standards, params)
  req.send_request(options)
end

#batch_get_automation_rules(params = {}) ⇒ Types::BatchGetAutomationRulesResponse

Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs).

Examples:

Example: To update one ore more automation rules


# The following example updates the specified automation rules.

resp = client.batch_get_automation_rules({
  automation_rules_arns: [
    "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
    "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", 
  ], 
})

resp.to_h outputs the following:
{
  rules: [
    {
      actions: [
        {
          finding_fields_update: {
            workflow: {
              status: "RESOLVED", 
            }, 
          }, 
          type: "FINDING_FIELDS_UPDATE", 
        }, 
      ], 
      created_at: Time.parse("2022-08-31T01:52:33.250Z"), 
      created_by: "AROAJURBUYQQNL5OL2TIM:TEST-16MJ75L9VBK14", 
      criteria: {
        aws_account_id: [
          {
            comparison: "EQUALS", 
            value: "111122223333", 
          }, 
        ], 
        first_observed_at: [
          {
            date_range: {
              unit: "DAYS", 
              value: 5, 
            }, 
          }, 
        ], 
        type: [
          {
            comparison: "EQUALS", 
            value: "Software and Configuration Checks/Industry and Regulatory Standards", 
          }, 
        ], 
      }, 
      description: "sample rule description 1", 
      rule_arn: "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
      rule_name: "sample-rule-name-1", 
      rule_order: 1, 
      rule_status: "ENABLED", 
      updated_at: Time.parse("2022-08-31T01:52:33.250Z"), 
    }, 
    {
      actions: [
        {
          finding_fields_update: {
            workflow: {
              status: "RESOLVED", 
            }, 
          }, 
          type: "FINDING_FIELDS_UPDATE", 
        }, 
      ], 
      created_at: Time.parse("2022-08-31T01:52:33.250Z"), 
      created_by: "AROAJURBUYQQNL5OL2TIM:TEST-16MJ75L9VBK14", 
      criteria: {
        resource_type: [
          {
            comparison: "EQUALS", 
            value: "Ec2Instance", 
          }, 
        ], 
        severity_label: [
          {
            comparison: "EQUALS", 
            value: "INFORMATIONAL", 
          }, 
        ], 
      }, 
      description: "Sample rule description 2", 
      rule_arn: "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", 
      rule_name: "sample-rule-name-2", 
      rule_order: 2, 
      rule_status: "ENABLED", 
      updated_at: Time.parse("2022-08-31T01:52:33.250Z"), 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_get_automation_rules({
  automation_rules_arns: ["NonEmptyString"], # required
})

Response structure


resp.rules #=> Array
resp.rules[0].rule_arn #=> String
resp.rules[0].rule_status #=> String, one of "ENABLED", "DISABLED"
resp.rules[0].rule_order #=> Integer
resp.rules[0].rule_name #=> String
resp.rules[0].description #=> String
resp.rules[0].is_terminal #=> Boolean
resp.rules[0].criteria.product_arn #=> Array
resp.rules[0].criteria.product_arn[0].value #=> String
resp.rules[0].criteria.product_arn[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria. #=> Array
resp.rules[0].criteria.[0].value #=> String
resp.rules[0].criteria.[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.id #=> Array
resp.rules[0].criteria.id[0].value #=> String
resp.rules[0].criteria.id[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.generator_id #=> Array
resp.rules[0].criteria.generator_id[0].value #=> String
resp.rules[0].criteria.generator_id[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.type #=> Array
resp.rules[0].criteria.type[0].value #=> String
resp.rules[0].criteria.type[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.first_observed_at #=> Array
resp.rules[0].criteria.first_observed_at[0].start #=> String
resp.rules[0].criteria.first_observed_at[0].end #=> String
resp.rules[0].criteria.first_observed_at[0].date_range.value #=> Integer
resp.rules[0].criteria.first_observed_at[0].date_range.unit #=> String, one of "DAYS"
resp.rules[0].criteria.last_observed_at #=> Array
resp.rules[0].criteria.last_observed_at[0].start #=> String
resp.rules[0].criteria.last_observed_at[0].end #=> String
resp.rules[0].criteria.last_observed_at[0].date_range.value #=> Integer
resp.rules[0].criteria.last_observed_at[0].date_range.unit #=> String, one of "DAYS"
resp.rules[0].criteria.created_at #=> Array
resp.rules[0].criteria.created_at[0].start #=> String
resp.rules[0].criteria.created_at[0].end #=> String
resp.rules[0].criteria.created_at[0].date_range.value #=> Integer
resp.rules[0].criteria.created_at[0].date_range.unit #=> String, one of "DAYS"
resp.rules[0].criteria.updated_at #=> Array
resp.rules[0].criteria.updated_at[0].start #=> String
resp.rules[0].criteria.updated_at[0].end #=> String
resp.rules[0].criteria.updated_at[0].date_range.value #=> Integer
resp.rules[0].criteria.updated_at[0].date_range.unit #=> String, one of "DAYS"
resp.rules[0].criteria.confidence #=> Array
resp.rules[0].criteria.confidence[0].gte #=> Float
resp.rules[0].criteria.confidence[0].lte #=> Float
resp.rules[0].criteria.confidence[0].eq #=> Float
resp.rules[0].criteria.confidence[0].gt #=> Float
resp.rules[0].criteria.confidence[0].lt #=> Float
resp.rules[0].criteria.criticality #=> Array
resp.rules[0].criteria.criticality[0].gte #=> Float
resp.rules[0].criteria.criticality[0].lte #=> Float
resp.rules[0].criteria.criticality[0].eq #=> Float
resp.rules[0].criteria.criticality[0].gt #=> Float
resp.rules[0].criteria.criticality[0].lt #=> Float
resp.rules[0].criteria.title #=> Array
resp.rules[0].criteria.title[0].value #=> String
resp.rules[0].criteria.title[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.description #=> Array
resp.rules[0].criteria.description[0].value #=> String
resp.rules[0].criteria.description[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.source_url #=> Array
resp.rules[0].criteria.source_url[0].value #=> String
resp.rules[0].criteria.source_url[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.product_name #=> Array
resp.rules[0].criteria.product_name[0].value #=> String
resp.rules[0].criteria.product_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.company_name #=> Array
resp.rules[0].criteria.company_name[0].value #=> String
resp.rules[0].criteria.company_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.severity_label #=> Array
resp.rules[0].criteria.severity_label[0].value #=> String
resp.rules[0].criteria.severity_label[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.resource_type #=> Array
resp.rules[0].criteria.resource_type[0].value #=> String
resp.rules[0].criteria.resource_type[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.resource_id #=> Array
resp.rules[0].criteria.resource_id[0].value #=> String
resp.rules[0].criteria.resource_id[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.resource_partition #=> Array
resp.rules[0].criteria.resource_partition[0].value #=> String
resp.rules[0].criteria.resource_partition[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.resource_region #=> Array
resp.rules[0].criteria.resource_region[0].value #=> String
resp.rules[0].criteria.resource_region[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.resource_tags #=> Array
resp.rules[0].criteria.resource_tags[0].key #=> String
resp.rules[0].criteria.resource_tags[0].value #=> String
resp.rules[0].criteria.resource_tags[0].comparison #=> String, one of "EQUALS", "NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.resource_details_other #=> Array
resp.rules[0].criteria.resource_details_other[0].key #=> String
resp.rules[0].criteria.resource_details_other[0].value #=> String
resp.rules[0].criteria.resource_details_other[0].comparison #=> String, one of "EQUALS", "NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.compliance_status #=> Array
resp.rules[0].criteria.compliance_status[0].value #=> String
resp.rules[0].criteria.compliance_status[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.compliance_security_control_id #=> Array
resp.rules[0].criteria.compliance_security_control_id[0].value #=> String
resp.rules[0].criteria.compliance_security_control_id[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.compliance_associated_standards_id #=> Array
resp.rules[0].criteria.compliance_associated_standards_id[0].value #=> String
resp.rules[0].criteria.compliance_associated_standards_id[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.verification_state #=> Array
resp.rules[0].criteria.verification_state[0].value #=> String
resp.rules[0].criteria.verification_state[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.workflow_status #=> Array
resp.rules[0].criteria.workflow_status[0].value #=> String
resp.rules[0].criteria.workflow_status[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.record_state #=> Array
resp.rules[0].criteria.record_state[0].value #=> String
resp.rules[0].criteria.record_state[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.related_findings_product_arn #=> Array
resp.rules[0].criteria.related_findings_product_arn[0].value #=> String
resp.rules[0].criteria.related_findings_product_arn[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.related_findings_id #=> Array
resp.rules[0].criteria.related_findings_id[0].value #=> String
resp.rules[0].criteria.related_findings_id[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.note_text #=> Array
resp.rules[0].criteria.note_text[0].value #=> String
resp.rules[0].criteria.note_text[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.note_updated_at #=> Array
resp.rules[0].criteria.note_updated_at[0].start #=> String
resp.rules[0].criteria.note_updated_at[0].end #=> String
resp.rules[0].criteria.note_updated_at[0].date_range.value #=> Integer
resp.rules[0].criteria.note_updated_at[0].date_range.unit #=> String, one of "DAYS"
resp.rules[0].criteria.note_updated_by #=> Array
resp.rules[0].criteria.note_updated_by[0].value #=> String
resp.rules[0].criteria.note_updated_by[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.user_defined_fields #=> Array
resp.rules[0].criteria.user_defined_fields[0].key #=> String
resp.rules[0].criteria.user_defined_fields[0].value #=> String
resp.rules[0].criteria.user_defined_fields[0].comparison #=> String, one of "EQUALS", "NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.resource_application_arn #=> Array
resp.rules[0].criteria.resource_application_arn[0].value #=> String
resp.rules[0].criteria.resource_application_arn[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria.resource_application_name #=> Array
resp.rules[0].criteria.resource_application_name[0].value #=> String
resp.rules[0].criteria.resource_application_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].criteria. #=> Array
resp.rules[0].criteria.[0].value #=> String
resp.rules[0].criteria.[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
resp.rules[0].actions #=> Array
resp.rules[0].actions[0].type #=> String, one of "FINDING_FIELDS_UPDATE"
resp.rules[0].actions[0].finding_fields_update.note.text #=> String
resp.rules[0].actions[0].finding_fields_update.note.updated_by #=> String
resp.rules[0].actions[0].finding_fields_update.severity.normalized #=> Integer
resp.rules[0].actions[0].finding_fields_update.severity.product #=> Float
resp.rules[0].actions[0].finding_fields_update.severity.label #=> String, one of "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"
resp.rules[0].actions[0].finding_fields_update.verification_state #=> String, one of "UNKNOWN", "TRUE_POSITIVE", "FALSE_POSITIVE", "BENIGN_POSITIVE"
resp.rules[0].actions[0].finding_fields_update.confidence #=> Integer
resp.rules[0].actions[0].finding_fields_update.criticality #=> Integer
resp.rules[0].actions[0].finding_fields_update.types #=> Array
resp.rules[0].actions[0].finding_fields_update.types[0] #=> String
resp.rules[0].actions[0].finding_fields_update.user_defined_fields #=> Hash
resp.rules[0].actions[0].finding_fields_update.user_defined_fields["NonEmptyString"] #=> String
resp.rules[0].actions[0].finding_fields_update.workflow.status #=> String, one of "NEW", "NOTIFIED", "RESOLVED", "SUPPRESSED"
resp.rules[0].actions[0].finding_fields_update.related_findings #=> Array
resp.rules[0].actions[0].finding_fields_update.related_findings[0].product_arn #=> String
resp.rules[0].actions[0].finding_fields_update.related_findings[0].id #=> String
resp.rules[0].created_at #=> Time
resp.rules[0].updated_at #=> Time
resp.rules[0].created_by #=> String
resp.unprocessed_automation_rules #=> Array
resp.unprocessed_automation_rules[0].rule_arn #=> String
resp.unprocessed_automation_rules[0].error_code #=> Integer
resp.unprocessed_automation_rules[0].error_message #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :automation_rules_arns (required, Array<String>)

    A list of rule ARNs to get details for.

Returns:

See Also:



1042
1043
1044
1045
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 1042

def batch_get_automation_rules(params = {}, options = {})
  req = build_request(:batch_get_automation_rules, params)
  req.send_request(options)
end

#batch_get_configuration_policy_associations(params = {}) ⇒ Types::BatchGetConfigurationPolicyAssociationsResponse

Returns associations between an Security Hub configuration and a batch of target accounts, organizational units, or the root. Only the Security Hub delegated administrator can invoke this operation from the home Region. A configuration can refer to a configuration policy or to a self-managed configuration.

Examples:

Example: To get configuration associations for a batch of targets


# This operation provides details about configuration associations for a batch of target accounts, organizational units,
# or the root.

resp = client.batch_get_configuration_policy_associations({
  configuration_policy_association_identifiers: [
    {
      target: {
        account_id: "111122223333", 
      }, 
    }, 
    {
      target: {
        root_id: "r-f6g7h8i9j0example", 
      }, 
    }, 
  ], 
})

resp.to_h outputs the following:
{
  configuration_policy_associations: [
    {
      association_status: "SUCCESS", 
      association_status_message: "This field is only populated for a failed association", 
      association_type: "INHERITED", 
      configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
      target_id: "111122223333", 
      target_type: "ACCOUNT", 
      updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
    }, 
  ], 
  unprocessed_configuration_policy_associations: [
    {
      configuration_policy_association_identifiers: {
        target: {
          root_id: "r-f6g7h8i9j0example", 
        }, 
      }, 
      error_code: "400", 
      error_reason: "You do not have sufficient access to perform this action.", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_get_configuration_policy_associations({
  configuration_policy_association_identifiers: [ # required
    {
      target: {
        account_id: "NonEmptyString",
        organizational_unit_id: "NonEmptyString",
        root_id: "NonEmptyString",
      },
    },
  ],
})

Response structure


resp.configuration_policy_associations #=> Array
resp.configuration_policy_associations[0].configuration_policy_id #=> String
resp.configuration_policy_associations[0].target_id #=> String
resp.configuration_policy_associations[0].target_type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT", "ROOT"
resp.configuration_policy_associations[0].association_type #=> String, one of "INHERITED", "APPLIED"
resp.configuration_policy_associations[0].updated_at #=> Time
resp.configuration_policy_associations[0].association_status #=> String, one of "PENDING", "SUCCESS", "FAILED"
resp.configuration_policy_associations[0].association_status_message #=> String
resp.unprocessed_configuration_policy_associations #=> Array
resp.unprocessed_configuration_policy_associations[0].configuration_policy_association_identifiers.target. #=> String
resp.unprocessed_configuration_policy_associations[0].configuration_policy_association_identifiers.target.organizational_unit_id #=> String
resp.unprocessed_configuration_policy_associations[0].configuration_policy_association_identifiers.target.root_id #=> String
resp.unprocessed_configuration_policy_associations[0].error_code #=> String
resp.unprocessed_configuration_policy_associations[0].error_reason #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :configuration_policy_association_identifiers (required, Array<Types::ConfigurationPolicyAssociation>)

    Specifies one or more target account IDs, organizational unit (OU) IDs, or the root ID to retrieve associations for.

Returns:

See Also:



1144
1145
1146
1147
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 1144

def batch_get_configuration_policy_associations(params = {}, options = {})
  req = build_request(:batch_get_configuration_policy_associations, params)
  req.send_request(options)
end

#batch_get_security_controls(params = {}) ⇒ Types::BatchGetSecurityControlsResponse

Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.

Examples:

Example: To get security control details


# The following example gets details for the specified controls in the current AWS account and AWS Region.

resp = client.batch_get_security_controls({
  security_control_ids: [
    "ACM.1", 
    "APIGateway.1", 
  ], 
})

resp.to_h outputs the following:
{
  security_controls: [
    {
      description: "This AWS control checks whether ACM Certificates in your account are marked for expiration within a specified time period. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import.", 
      last_update_reason: "Stayed with default value", 
      parameters: {
        "daysToExpiration" => {
          value: {
            integer: 30, 
          }, 
          value_type: "DEFAULT", 
        }, 
      }, 
      remediation_url: "https://docs.aws.amazon.com/console/securityhub/ACM.1/remediation", 
      security_control_arn: "arn:aws:securityhub:us-west-2:123456789012:security-control/ACM.1", 
      security_control_id: "ACM.1", 
      security_control_status: "ENABLED", 
      severity_rating: "MEDIUM", 
      title: "Imported and ACM-issued certificates should be renewed after a specified time period", 
      update_status: "UPDATING", 
    }, 
    {
      description: "This control checks whether all stages of Amazon API Gateway REST and WebSocket APIs have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO.", 
      last_update_reason: "Updated control parameters to comply with internal requirements", 
      parameters: {
        "loggingLevel" => {
          value: {
            enum: "ERROR", 
          }, 
          value_type: "CUSTOM", 
        }, 
      }, 
      remediation_url: "https://docs.aws.amazon.com/console/securityhub/APIGateway.1/remediation", 
      security_control_arn: "arn:aws:securityhub:us-west-2:123456789012:security-control/APIGateway.1", 
      security_control_id: "APIGateway.1", 
      security_control_status: "ENABLED", 
      severity_rating: "MEDIUM", 
      title: "API Gateway REST and WebSocket API execution logging should be enabled", 
      update_status: "UPDATING", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_get_security_controls({
  security_control_ids: ["NonEmptyString"], # required
})

Response structure


resp.security_controls #=> Array
resp.security_controls[0].security_control_id #=> String
resp.security_controls[0].security_control_arn #=> String
resp.security_controls[0].title #=> String
resp.security_controls[0].description #=> String
resp.security_controls[0].remediation_url #=> String
resp.security_controls[0].severity_rating #=> String, one of "LOW", "MEDIUM", "HIGH", "CRITICAL"
resp.security_controls[0].security_control_status #=> String, one of "ENABLED", "DISABLED"
resp.security_controls[0].update_status #=> String, one of "READY", "UPDATING"
resp.security_controls[0].parameters #=> Hash
resp.security_controls[0].parameters["NonEmptyString"].value_type #=> String, one of "DEFAULT", "CUSTOM"
resp.security_controls[0].parameters["NonEmptyString"].value.integer #=> Integer
resp.security_controls[0].parameters["NonEmptyString"].value.integer_list #=> Array
resp.security_controls[0].parameters["NonEmptyString"].value.integer_list[0] #=> Integer
resp.security_controls[0].parameters["NonEmptyString"].value.double #=> Float
resp.security_controls[0].parameters["NonEmptyString"].value.string #=> String
resp.security_controls[0].parameters["NonEmptyString"].value.string_list #=> Array
resp.security_controls[0].parameters["NonEmptyString"].value.string_list[0] #=> String
resp.security_controls[0].parameters["NonEmptyString"].value.boolean #=> Boolean
resp.security_controls[0].parameters["NonEmptyString"].value.enum #=> String
resp.security_controls[0].parameters["NonEmptyString"].value.enum_list #=> Array
resp.security_controls[0].parameters["NonEmptyString"].value.enum_list[0] #=> String
resp.security_controls[0].last_update_reason #=> String
resp.unprocessed_ids #=> Array
resp.unprocessed_ids[0].security_control_id #=> String
resp.unprocessed_ids[0].error_code #=> String, one of "INVALID_INPUT", "ACCESS_DENIED", "NOT_FOUND", "LIMIT_EXCEEDED"
resp.unprocessed_ids[0].error_reason #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :security_control_ids (required, Array<String>)

    A list of security controls (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters). The security control ID or Amazon Resource Name (ARN) is the same across standards.

Returns:

See Also:



1258
1259
1260
1261
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 1258

def batch_get_security_controls(params = {}, options = {})
  req = build_request(:batch_get_security_controls, params)
  req.send_request(options)
end

#batch_get_standards_control_associations(params = {}) ⇒ Types::BatchGetStandardsControlAssociationsResponse

For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard.

Examples:

Example: To get enablement status of a batch of controls


# The following example retrieves the enablement status of the specified controls in the specified standards.

resp = client.batch_get_standards_control_associations({
  standards_control_association_ids: [
    {
      security_control_id: "CloudTrail.1", 
      standards_arn: "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
    }, 
    {
      security_control_id: "CloudWatch.12", 
      standards_arn: "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
    }, 
  ], 
})

resp.to_h outputs the following:
{
  standards_control_association_details: [
    {
      association_status: "ENABLED", 
      related_requirements: [
        "CIS AWS Foundations 2.1", 
      ], 
      security_control_arn: "arn:aws:securityhub:us-west-2:110479873537:security-control/CloudTrail.1", 
      security_control_id: "CloudTrail.1", 
      standards_arn: "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
      standards_control_description: "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.", 
      standards_control_title: "Ensure CloudTrail is enabled in all regions", 
      updated_at: Time.parse("2022-01-13T18:52:29.539000+00:00"), 
    }, 
    {
      association_status: "ENABLED", 
      related_requirements: [
        "CIS AWS Foundations 3.12", 
      ], 
      security_control_arn: "arn:aws:securityhub:us-west-2:110479873537:security-control/CloudWatch.12", 
      security_control_id: "CloudWatch.12", 
      standards_arn: "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
      standards_control_description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.", 
      standards_control_title: "Ensure a log metric filter and alarm exist for changes to network gateways", 
      updated_at: Time.parse("2022-01-13T18:52:29.686000+00:00"), 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_get_standards_control_associations({
  standards_control_association_ids: [ # required
    {
      security_control_id: "NonEmptyString", # required
      standards_arn: "NonEmptyString", # required
    },
  ],
})

Response structure


resp.standards_control_association_details #=> Array
resp.standards_control_association_details[0].standards_arn #=> String
resp.standards_control_association_details[0].security_control_id #=> String
resp.standards_control_association_details[0].security_control_arn #=> String
resp.standards_control_association_details[0].association_status #=> String, one of "ENABLED", "DISABLED"
resp.standards_control_association_details[0].related_requirements #=> Array
resp.standards_control_association_details[0].related_requirements[0] #=> String
resp.standards_control_association_details[0].updated_at #=> Time
resp.standards_control_association_details[0].updated_reason #=> String
resp.standards_control_association_details[0].standards_control_title #=> String
resp.standards_control_association_details[0].standards_control_description #=> String
resp.standards_control_association_details[0].standards_control_arns #=> Array
resp.standards_control_association_details[0].standards_control_arns[0] #=> String
resp.unprocessed_associations #=> Array
resp.unprocessed_associations[0].standards_control_association_id.security_control_id #=> String
resp.unprocessed_associations[0].standards_control_association_id.standards_arn #=> String
resp.unprocessed_associations[0].error_code #=> String, one of "INVALID_INPUT", "ACCESS_DENIED", "NOT_FOUND", "LIMIT_EXCEEDED"
resp.unprocessed_associations[0].error_reason #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :standards_control_association_ids (required, Array<Types::StandardsControlAssociationId>)

    An array with one or more objects that includes a security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. This field is used to query the enablement status of a control in a specified standard. The security control ID or ARN is the same across standards.

Returns:

See Also:



1363
1364
1365
1366
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 1363

def batch_get_standards_control_associations(params = {}, options = {})
  req = build_request(:batch_get_standards_control_associations, params)
  req.send_request(options)
end

#batch_import_findings(params = {}) ⇒ Types::BatchImportFindingsResponse

Imports security findings generated by a finding provider into Security Hub. This action is requested by the finding provider to import its findings into Security Hub.

BatchImportFindings must be called by one of the following:

  • The Amazon Web Services account that is associated with a finding if you are using the default product ARN or are a partner sending findings from within a customer's Amazon Web Services account. In these cases, the identifier of the account that you are calling BatchImportFindings from needs to be the same as the AwsAccountId attribute for the finding.

  • An Amazon Web Services account that Security Hub has allow-listed for an official partner integration. In this case, you can call BatchImportFindings from the allow-listed account and send findings from different customer accounts in the same batch.

The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb.

After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.

  • Note

  • UserDefinedFields

  • VerificationState

  • Workflow

Finding providers also should not use BatchImportFindings to update the following attributes.

  • Confidence

  • Criticality

  • RelatedFindings

  • Severity

  • Types

Instead, finding providers use FindingProviderFields to provide values for these attributes.

Examples:

Example: To import security findings from a third party provider to Security Hub


# The following example imports findings from a third party provider to Security Hub.

resp = client.batch_import_findings({
  findings: [
    {
      aws_account_id: "123456789012", 
      created_at: "2020-05-27T17:05:54.832Z", 
      description: "Vulnerability in a CloudTrail trail", 
      finding_provider_fields: {
        severity: {
          label: "LOW", 
          original: "10", 
        }, 
        types: [
          "Software and Configuration Checks/Vulnerabilities/CVE", 
        ], 
      }, 
      generator_id: "TestGeneratorId", 
      id: "Id1", 
      product_arn: "arn:aws:securityhub:us-west-1:123456789012:product/123456789012/default", 
      resources: [
        {
          id: "arn:aws:cloudtrail:us-west-1:123456789012:trail/TrailName", 
          partition: "aws", 
          region: "us-west-1", 
          type: "AwsCloudTrailTrail", 
        }, 
      ], 
      schema_version: "2018-10-08", 
      title: "CloudTrail trail vulnerability", 
      updated_at: "2020-06-02T16:05:54.832Z", 
    }, 
  ], 
})

resp.to_h outputs the following:
{
  failed_count: 123, 
  failed_findings: [
  ], 
  success_count: 123, 
}

Response structure


resp.failed_count #=> Integer
resp.success_count #=> Integer
resp.failed_findings #=> Array
resp.failed_findings[0].id #=> String
resp.failed_findings[0].error_code #=> String
resp.failed_findings[0].error_message #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

Returns:

See Also:



1495
1496
1497
1498
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 1495

def batch_import_findings(params = {}, options = {})
  req = build_request(:batch_import_findings, params)
  req.send_request(options)
end

#batch_update_automation_rules(params = {}) ⇒ Types::BatchUpdateAutomationRulesResponse

Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters.

Examples:

Example: To update one ore more automation rules


# The following example updates the specified automation rules.

resp = client.batch_update_automation_rules({
  update_automation_rules_request_items: [
    {
      rule_arn: "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
      rule_order: 15, 
      rule_status: "ENABLED", 
    }, 
    {
      rule_arn: "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", 
      rule_status: "DISABLED", 
    }, 
  ], 
})

resp.to_h outputs the following:
{
  processed_automation_rules: [
    "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
    "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", 
  ], 
}

Request syntax with placeholder values


resp = client.batch_update_automation_rules({
  update_automation_rules_request_items: [ # required
    {
      rule_arn: "NonEmptyString", # required
      rule_status: "ENABLED", # accepts ENABLED, DISABLED
      rule_order: 1,
      description: "NonEmptyString",
      rule_name: "NonEmptyString",
      is_terminal: false,
      criteria: {
        product_arn: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        aws_account_id: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        id: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        generator_id: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        type: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        first_observed_at: [
          {
            start: "NonEmptyString",
            end: "NonEmptyString",
            date_range: {
              value: 1,
              unit: "DAYS", # accepts DAYS
            },
          },
        ],
        last_observed_at: [
          {
            start: "NonEmptyString",
            end: "NonEmptyString",
            date_range: {
              value: 1,
              unit: "DAYS", # accepts DAYS
            },
          },
        ],
        created_at: [
          {
            start: "NonEmptyString",
            end: "NonEmptyString",
            date_range: {
              value: 1,
              unit: "DAYS", # accepts DAYS
            },
          },
        ],
        updated_at: [
          {
            start: "NonEmptyString",
            end: "NonEmptyString",
            date_range: {
              value: 1,
              unit: "DAYS", # accepts DAYS
            },
          },
        ],
        confidence: [
          {
            gte: 1.0,
            lte: 1.0,
            eq: 1.0,
            gt: 1.0,
            lt: 1.0,
          },
        ],
        criticality: [
          {
            gte: 1.0,
            lte: 1.0,
            eq: 1.0,
            gt: 1.0,
            lt: 1.0,
          },
        ],
        title: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        description: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        source_url: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        product_name: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        company_name: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        severity_label: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        resource_type: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        resource_id: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        resource_partition: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        resource_region: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        resource_tags: [
          {
            key: "NonEmptyString",
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        resource_details_other: [
          {
            key: "NonEmptyString",
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        compliance_status: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        compliance_security_control_id: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        compliance_associated_standards_id: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        verification_state: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        workflow_status: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        record_state: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        related_findings_product_arn: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        related_findings_id: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        note_text: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        note_updated_at: [
          {
            start: "NonEmptyString",
            end: "NonEmptyString",
            date_range: {
              value: 1,
              unit: "DAYS", # accepts DAYS
            },
          },
        ],
        note_updated_by: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        user_defined_fields: [
          {
            key: "NonEmptyString",
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        resource_application_arn: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        resource_application_name: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
        aws_account_name: [
          {
            value: "NonEmptyString",
            comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
          },
        ],
      },
      actions: [
        {
          type: "FINDING_FIELDS_UPDATE", # accepts FINDING_FIELDS_UPDATE
          finding_fields_update: {
            note: {
              text: "NonEmptyString", # required
              updated_by: "NonEmptyString", # required
            },
            severity: {
              normalized: 1,
              product: 1.0,
              label: "INFORMATIONAL", # accepts INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL
            },
            verification_state: "UNKNOWN", # accepts UNKNOWN, TRUE_POSITIVE, FALSE_POSITIVE, BENIGN_POSITIVE
            confidence: 1,
            criticality: 1,
            types: ["NonEmptyString"],
            user_defined_fields: {
              "NonEmptyString" => "NonEmptyString",
            },
            workflow: {
              status: "NEW", # accepts NEW, NOTIFIED, RESOLVED, SUPPRESSED
            },
            related_findings: [
              {
                product_arn: "NonEmptyString", # required
                id: "NonEmptyString", # required
              },
            ],
          },
        },
      ],
    },
  ],
})

Response structure


resp.processed_automation_rules #=> Array
resp.processed_automation_rules[0] #=> String
resp.unprocessed_automation_rules #=> Array
resp.unprocessed_automation_rules[0].rule_arn #=> String
resp.unprocessed_automation_rules[0].error_code #=> Integer
resp.unprocessed_automation_rules[0].error_message #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :update_automation_rules_request_items (required, Array<Types::UpdateAutomationRulesRequestItem>)

    An array of ARNs for the rules that are to be updated. Optionally, you can also include RuleStatus and RuleOrder.

Returns:

See Also:



1858
1859
1860
1861
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 1858

def batch_update_automation_rules(params = {}, options = {})
  req = build_request(:batch_update_automation_rules, params)
  req.send_request(options)
end

#batch_update_findings(params = {}) ⇒ Types::BatchUpdateFindingsResponse

Used by Security Hub customers to update information about their investigation into a finding. Requested by administrator accounts or member accounts. Administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their account.

Updates from BatchUpdateFindings don't affect the value of UpdatedAt for a finding.

Administrator and member accounts can use BatchUpdateFindings to update the following finding fields and objects.

  • Confidence

  • Criticality

  • Note

  • RelatedFindings

  • Severity

  • Types

  • UserDefinedFields

  • VerificationState

  • Workflow

You can configure IAM policies to restrict access to fields and field values. For example, you might not want member accounts to be able to suppress findings or change the finding severity. See Configuring access to BatchUpdateFindings in the Security Hub User Guide.

Examples:

Example: To update Security Hub findings


# The following example updates Security Hub findings. The finding identifier parameter specifies which findings to
# update. Only specific finding fields can be updated with this operation.

resp = client.batch_update_findings({
  confidence: 80, 
  criticality: 80, 
  finding_identifiers: [
    {
      id: "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
      product_arn: "arn:aws:securityhub:us-west-1::product/aws/securityhub", 
    }, 
    {
      id: "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", 
      product_arn: "arn:aws:securityhub:us-west-1::product/aws/securityhub", 
    }, 
  ], 
  note: {
    text: "Known issue that is not a risk.", 
    updated_by: "user1", 
  }, 
  related_findings: [
    {
      id: "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333", 
      product_arn: "arn:aws:securityhub:us-west-1::product/aws/securityhub", 
    }, 
  ], 
  severity: {
    label: "LOW", 
  }, 
  types: [
    "Software and Configuration Checks/Vulnerabilities/CVE", 
  ], 
  user_defined_fields: {
    "reviewedByCio" => "true", 
  }, 
  verification_state: "TRUE_POSITIVE", 
  workflow: {
    status: "RESOLVED", 
  }, 
})

resp.to_h outputs the following:
{
  processed_findings: [
    {
      id: "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
      product_arn: "arn:aws:securityhub:us-west-1::product/aws/securityhub", 
    }, 
    {
      id: "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", 
      product_arn: "arn:aws:securityhub:us-west-1::product/aws/securityhub", 
    }, 
  ], 
  unprocessed_findings: [
  ], 
}

Request syntax with placeholder values


resp = client.batch_update_findings({
  finding_identifiers: [ # required
    {
      id: "NonEmptyString", # required
      product_arn: "NonEmptyString", # required
    },
  ],
  note: {
    text: "NonEmptyString", # required
    updated_by: "NonEmptyString", # required
  },
  severity: {
    normalized: 1,
    product: 1.0,
    label: "INFORMATIONAL", # accepts INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL
  },
  verification_state: "UNKNOWN", # accepts UNKNOWN, TRUE_POSITIVE, FALSE_POSITIVE, BENIGN_POSITIVE
  confidence: 1,
  criticality: 1,
  types: ["NonEmptyString"],
  user_defined_fields: {
    "NonEmptyString" => "NonEmptyString",
  },
  workflow: {
    status: "NEW", # accepts NEW, NOTIFIED, RESOLVED, SUPPRESSED
  },
  related_findings: [
    {
      product_arn: "NonEmptyString", # required
      id: "NonEmptyString", # required
    },
  ],
})

Response structure


resp.processed_findings #=> Array
resp.processed_findings[0].id #=> String
resp.processed_findings[0].product_arn #=> String
resp.unprocessed_findings #=> Array
resp.unprocessed_findings[0].finding_identifier.id #=> String
resp.unprocessed_findings[0].finding_identifier.product_arn #=> String
resp.unprocessed_findings[0].error_code #=> String
resp.unprocessed_findings[0].error_message #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :finding_identifiers (required, Array<Types::AwsSecurityFindingIdentifier>)

    The list of findings to update. BatchUpdateFindings can be used to update up to 100 findings at a time.

    For each finding, the list provides the finding identifier and the ARN of the finding provider.

  • :note (Types::NoteUpdate)

    The updated note.

  • :severity (Types::SeverityUpdate)

    Used to update the finding severity.

  • :verification_state (String)

    Indicates the veracity of a finding.

    The available values for VerificationState are as follows.

    • UNKNOWN – The default disposition of a security finding

    • TRUE_POSITIVE – The security finding is confirmed

    • FALSE_POSITIVE – The security finding was determined to be a false alarm

    • BENIGN_POSITIVE – A special case of TRUE_POSITIVE where the finding doesn't pose any threat, is expected, or both

  • :confidence (Integer)

    The updated value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

    Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

  • :criticality (Integer)

    The updated value for the level of importance assigned to the resources associated with the findings.

    A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

  • :types (Array<String>)

    One or more finding types in the format of namespace/category/classifier that classify a finding.

    Valid namespace values are as follows.

    • Software and Configuration Checks

    • TTPs

    • Effects

    • Unusual Behaviors

    • Sensitive Data Identifications

  • :user_defined_fields (Hash<String,String>)

    A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

  • :workflow (Types::WorkflowUpdate)

    Used to update the workflow status of a finding.

    The workflow status indicates the progress of the investigation into the finding.

  • :related_findings (Array<Types::RelatedFinding>)

    A list of findings that are related to the updated findings.

Returns:

See Also:



2090
2091
2092
2093
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 2090

def batch_update_findings(params = {}, options = {})
  req = build_request(:batch_update_findings, params)
  req.send_request(options)
end

#batch_update_standards_control_associations(params = {}) ⇒ Types::BatchUpdateStandardsControlAssociationsResponse

For a batch of security controls and standards, this operation updates the enablement status of a control in a standard.

Examples:

Example: To update enablement status of a batch of controls


# The following example disables CloudWatch.12 in CIS AWS Foundations Benchmark v1.2.0. The example returns an error for
# CloudTrail.1 because an invalid standard ARN is provided.

resp = client.batch_update_standards_control_associations({
  standards_control_association_updates: [
    {
      association_status: "DISABLED", 
      security_control_id: "CloudTrail.1", 
      standards_arn: "arn:aws:securityhub:::ruleset/sample-standard/v/1.1.0", 
      updated_reason: "Not relevant to environment", 
    }, 
    {
      association_status: "DISABLED", 
      security_control_id: "CloudWatch.12", 
      standards_arn: "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
      updated_reason: "Not relevant to environment", 
    }, 
  ], 
})

resp.to_h outputs the following:
{
  unprocessed_association_updates: [
    {
      error_code: "INVALID_INPUT", 
      error_reason: "Invalid Standards Arn: 'arn:aws:securityhub:::ruleset/sample-standard/v/1.1.0'", 
      standards_control_association_update: {
        association_status: "DISABLED", 
        security_control_id: "CloudTrail.1", 
        standards_arn: "arn:aws:securityhub:::ruleset/sample-standard/v/1.1.0", 
        updated_reason: "Test Reason", 
      }, 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.batch_update_standards_control_associations({
  standards_control_association_updates: [ # required
    {
      standards_arn: "NonEmptyString", # required
      security_control_id: "NonEmptyString", # required
      association_status: "ENABLED", # required, accepts ENABLED, DISABLED
      updated_reason: "NonEmptyString",
    },
  ],
})

Response structure


resp.unprocessed_association_updates #=> Array
resp.unprocessed_association_updates[0].standards_control_association_update.standards_arn #=> String
resp.unprocessed_association_updates[0].standards_control_association_update.security_control_id #=> String
resp.unprocessed_association_updates[0].standards_control_association_update.association_status #=> String, one of "ENABLED", "DISABLED"
resp.unprocessed_association_updates[0].standards_control_association_update.updated_reason #=> String
resp.unprocessed_association_updates[0].error_code #=> String, one of "INVALID_INPUT", "ACCESS_DENIED", "NOT_FOUND", "LIMIT_EXCEEDED"
resp.unprocessed_association_updates[0].error_reason #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

Returns:

See Also:



2172
2173
2174
2175
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 2172

def batch_update_standards_control_associations(params = {}, options = {})
  req = build_request(:batch_update_standards_control_associations, params)
  req.send_request(options)
end

#create_action_target(params = {}) ⇒ Types::CreateActionTargetResponse

Creates a custom action target in Security Hub.

You can use custom actions on findings and insights in Security Hub to trigger target actions in Amazon CloudWatch Events.

Examples:

Example: To create a custom action target


# The following example creates a custom action target in Security Hub. Custom actions on findings and insights
# automatically trigger actions in Amazon CloudWatch Events.

resp = client.create_action_target({
  description: "Action to send the finding for remediation tracking", 
  id: "Remediation", 
  name: "Send to remediation", 
})

resp.to_h outputs the following:
{
  action_target_arn: "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation", 
}

Request syntax with placeholder values


resp = client.create_action_target({
  name: "NonEmptyString", # required
  description: "NonEmptyString", # required
  id: "NonEmptyString", # required
})

Response structure


resp.action_target_arn #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :name (required, String)

    The name of the custom action target. Can contain up to 20 characters.

  • :description (required, String)

    The description for the custom action target.

  • :id (required, String)

    The ID for the custom action target. Can contain up to 20 alphanumeric characters.

Returns:

See Also:



2229
2230
2231
2232
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 2229

def create_action_target(params = {}, options = {})
  req = build_request(:create_action_target, params)
  req.send_request(options)
end

#create_automation_rule(params = {}) ⇒ Types::CreateAutomationRuleResponse

Creates an automation rule based on input parameters.

Examples:

Example: To create an automation rule


# The following example creates an automation rule.

resp = client.create_automation_rule({
  actions: [
    {
      finding_fields_update: {
        note: {
          text: "This is a critical S3 bucket, please look into this ASAP", 
          updated_by: "test-user", 
        }, 
        severity: {
          label: "CRITICAL", 
        }, 
      }, 
      type: "FINDING_FIELDS_UPDATE", 
    }, 
  ], 
  criteria: {
    compliance_status: [
      {
        comparison: "EQUALS", 
        value: "FAILED", 
      }, 
    ], 
    product_name: [
      {
        comparison: "EQUALS", 
        value: "Security Hub", 
      }, 
    ], 
    record_state: [
      {
        comparison: "EQUALS", 
        value: "ACTIVE", 
      }, 
    ], 
    resource_id: [
      {
        comparison: "EQUALS", 
        value: "arn:aws:s3:::examplebucket/developers/design_info.doc", 
      }, 
    ], 
    workflow_status: [
      {
        comparison: "EQUALS", 
        value: "NEW", 
      }, 
    ], 
  }, 
  description: "Elevate finding severity to Critical for important resources", 
  is_terminal: false, 
  rule_name: "Elevate severity for important resources", 
  rule_order: 1, 
  rule_status: "ENABLED", 
  tags: {
    "important-resources-rule" => "s3-bucket", 
  }, 
})

resp.to_h outputs the following:
{
  rule_arn: "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
}

Request syntax with placeholder values


resp = client.create_automation_rule({
  tags: {
    "TagKey" => "TagValue",
  },
  rule_status: "ENABLED", # accepts ENABLED, DISABLED
  rule_order: 1, # required
  rule_name: "NonEmptyString", # required
  description: "NonEmptyString", # required
  is_terminal: false,
  criteria: { # required
    product_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    aws_account_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    generator_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    first_observed_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    last_observed_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    created_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    updated_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    confidence: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    criticality: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    title: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    description: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    source_url: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    product_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    company_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    severity_label: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_partition: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_region: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_tags: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_details_other: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_status: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_security_control_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_associated_standards_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    verification_state: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    workflow_status: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    record_state: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    related_findings_product_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    related_findings_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    note_text: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    note_updated_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    note_updated_by: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    user_defined_fields: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_application_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_application_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    aws_account_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
  },
  actions: [ # required
    {
      type: "FINDING_FIELDS_UPDATE", # accepts FINDING_FIELDS_UPDATE
      finding_fields_update: {
        note: {
          text: "NonEmptyString", # required
          updated_by: "NonEmptyString", # required
        },
        severity: {
          normalized: 1,
          product: 1.0,
          label: "INFORMATIONAL", # accepts INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL
        },
        verification_state: "UNKNOWN", # accepts UNKNOWN, TRUE_POSITIVE, FALSE_POSITIVE, BENIGN_POSITIVE
        confidence: 1,
        criticality: 1,
        types: ["NonEmptyString"],
        user_defined_fields: {
          "NonEmptyString" => "NonEmptyString",
        },
        workflow: {
          status: "NEW", # accepts NEW, NOTIFIED, RESOLVED, SUPPRESSED
        },
        related_findings: [
          {
            product_arn: "NonEmptyString", # required
            id: "NonEmptyString", # required
          },
        ],
      },
    },
  ],
})

Response structure


resp.rule_arn #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :tags (Hash<String,String>)

    User-defined tags associated with an automation rule.

  • :rule_status (String)

    Whether the rule is active after it is created. If this parameter is equal to ENABLED, Security Hub starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules .

  • :rule_order (required, Integer)

    An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.

  • :rule_name (required, String)

    The name of the rule.

  • :description (required, String)

    A description of the rule.

  • :is_terminal (Boolean)

    Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.

  • :criteria (required, Types::AutomationRulesFindingFilters)

    A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

  • :actions (required, Array<Types::AutomationRulesAction>)

    One or more actions to update finding fields if a finding matches the conditions specified in Criteria.

Returns:

See Also:



2662
2663
2664
2665
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 2662

def create_automation_rule(params = {}, options = {})
  req = build_request(:create_automation_rule, params)
  req.send_request(options)
end

#create_configuration_policy(params = {}) ⇒ Types::CreateConfigurationPolicyResponse

Creates a configuration policy with the defined configuration. Only the Security Hub delegated administrator can invoke this operation from the home Region.

Examples:

Example: To create a configuration policy


# This operation creates a configuration policy in Security Hub.

resp = client.create_configuration_policy({
  configuration_policy: {
    security_hub: {
      enabled_standard_identifiers: [
        "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", 
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
      ], 
      security_controls_configuration: {
        disabled_security_control_identifiers: [
          "CloudWatch.1", 
        ], 
        security_control_custom_parameters: [
          {
            parameters: {
              "daysToExpiration" => {
                value: {
                  integer: 14, 
                }, 
                value_type: "CUSTOM", 
              }, 
            }, 
            security_control_id: "ACM.1", 
          }, 
        ], 
      }, 
      service_enabled: true, 
    }, 
  }, 
  description: "Configuration policy for testing FSBP and CIS", 
  name: "TestConfigurationPolicy", 
})

resp.to_h outputs the following:
{
  arn: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
  configuration_policy: {
    security_hub: {
      enabled_standard_identifiers: [
        "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", 
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
      ], 
      security_controls_configuration: {
        disabled_security_control_identifiers: [
          "CloudWatch.1", 
        ], 
        security_control_custom_parameters: [
          {
            parameters: {
              "daysToExpiration" => {
                value: {
                  integer: 14, 
                }, 
                value_type: "CUSTOM", 
              }, 
            }, 
            security_control_id: "ACM.1", 
          }, 
        ], 
      }, 
      service_enabled: true, 
    }, 
  }, 
  created_at: Time.parse("2023-01-11T06:17:17.154Z"), 
  description: "Configuration policy for testing FSBP and CIS", 
  id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
  name: "TestConfigurationPolicy", 
  updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
}

Request syntax with placeholder values


resp = client.create_configuration_policy({
  name: "NonEmptyString", # required
  description: "NonEmptyString",
  configuration_policy: { # required
    security_hub: {
      service_enabled: false,
      enabled_standard_identifiers: ["NonEmptyString"],
      security_controls_configuration: {
        enabled_security_control_identifiers: ["NonEmptyString"],
        disabled_security_control_identifiers: ["NonEmptyString"],
        security_control_custom_parameters: [
          {
            security_control_id: "NonEmptyString",
            parameters: {
              "NonEmptyString" => {
                value_type: "DEFAULT", # required, accepts DEFAULT, CUSTOM
                value: {
                  integer: 1,
                  integer_list: [1],
                  double: 1.0,
                  string: "NonEmptyString",
                  string_list: ["NonEmptyString"],
                  boolean: false,
                  enum: "NonEmptyString",
                  enum_list: ["NonEmptyString"],
                },
              },
            },
          },
        ],
      },
    },
  },
  tags: {
    "TagKey" => "TagValue",
  },
})

Response structure


resp.arn #=> String
resp.id #=> String
resp.name #=> String
resp.description #=> String
resp.updated_at #=> Time
resp.created_at #=> Time
resp.configuration_policy.security_hub.service_enabled #=> Boolean
resp.configuration_policy.security_hub.enabled_standard_identifiers #=> Array
resp.configuration_policy.security_hub.enabled_standard_identifiers[0] #=> String
resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers[0] #=> String
resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers[0] #=> String
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].security_control_id #=> String
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters #=> Hash
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value_type #=> String, one of "DEFAULT", "CUSTOM"
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer #=> Integer
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list[0] #=> Integer
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.double #=> Float
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string #=> String
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list[0] #=> String
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.boolean #=> Boolean
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum #=> String
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list[0] #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :name (required, String)

    The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: -, ., !, *, /.

  • :description (String)

    The description of the configuration policy.

  • :configuration_policy (required, Types::Policy)

    An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).

  • :tags (Hash<String,String>)

    User-defined tags associated with a configuration policy. For more information, see Tagging Security Hub resources in the Security Hub user guide.

Returns:

See Also:



2857
2858
2859
2860
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 2857

def create_configuration_policy(params = {}, options = {})
  req = build_request(:create_configuration_policy, params)
  req.send_request(options)
end

#create_finding_aggregator(params = {}) ⇒ Types::CreateFindingAggregatorResponse

The aggregation Region is now called the home Region.

Used to enable cross-Region aggregation. This operation can be invoked from the home Region only.

For information about how cross-Region aggregation works, see Understanding cross-Region aggregation in Security Hub in the Security Hub User Guide.

Examples:

Example: To enable cross-Region aggregation


# The following example creates a finding aggregator. This is required to enable cross-Region aggregation.

resp = client.create_finding_aggregator({
  region_linking_mode: "SPECIFIED_REGIONS", 
  regions: [
    "us-west-1", 
    "us-west-2", 
  ], 
})

resp.to_h outputs the following:
{
  finding_aggregation_region: "us-east-1", 
  finding_aggregator_arn: "arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
  region_linking_mode: "SPECIFIED_REGIONS", 
  regions: [
    "us-west-1", 
    "us-west-2", 
  ], 
}

Request syntax with placeholder values


resp = client.create_finding_aggregator({
  region_linking_mode: "NonEmptyString", # required
  regions: ["NonEmptyString"],
})

Response structure


resp.finding_aggregator_arn #=> String
resp.finding_aggregation_region #=> String
resp.region_linking_mode #=> String
resp.regions #=> Array
resp.regions[0] #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :region_linking_mode (required, String)

    Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them.

    The selected option also determines how to use the Regions provided in the Regions list.

    The options are as follows:

    • ALL_REGIONS - Aggregates findings from all of the Regions where Security Hub is enabled. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them.

    • ALL_REGIONS_EXCEPT_SPECIFIED - Aggregates findings from all of the Regions where Security Hub is enabled, except for the Regions listed in the Regions parameter. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them.

    • SPECIFIED_REGIONS - Aggregates findings only from the Regions listed in the Regions parameter. Security Hub does not automatically aggregate findings from new Regions.

    • NO_REGIONS - Aggregates no data because no Regions are selected as linked Regions.

  • :regions (Array<String>)

    If RegionLinkingMode is ALL_REGIONS_EXCEPT_SPECIFIED, then this is a space-separated list of Regions that don't replicate and send findings to the home Region.

    If RegionLinkingMode is SPECIFIED_REGIONS, then this is a space-separated list of Regions that do replicate and send findings to the home Region.

    An InvalidInputException error results if you populate this field while RegionLinkingMode is NO_REGIONS.

Returns:

See Also:



2968
2969
2970
2971
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 2968

def create_finding_aggregator(params = {}, options = {})
  req = build_request(:create_finding_aggregator, params)
  req.send_request(options)
end

#create_insight(params = {}) ⇒ Types::CreateInsightResponse

Creates a custom insight in Security Hub. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation.

To group the related findings in the insight, use the GroupByAttribute.

Examples:

Example: To create a custom insight


# The following example creates a custom insight in Security Hub. An insight is a collection of findings that relate to a
# security issue.

resp = client.create_insight({
  filters: {
    resource_type: [
      {
        comparison: "EQUALS", 
        value: "AwsIamRole", 
      }, 
    ], 
    severity_label: [
      {
        comparison: "EQUALS", 
        value: "CRITICAL", 
      }, 
    ], 
  }, 
  group_by_attribute: "ResourceId", 
  name: "Critical role findings", 
})

resp.to_h outputs the following:
{
  insight_arn: "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
}

Request syntax with placeholder values


resp = client.create_insight({
  name: "NonEmptyString", # required
  filters: { # required
    product_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    aws_account_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    generator_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    region: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    first_observed_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    last_observed_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    created_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    updated_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    severity_product: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    severity_normalized: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    severity_label: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    confidence: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    criticality: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    title: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    description: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    recommendation_text: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    source_url: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    product_fields: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    product_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    company_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    user_defined_fields: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    malware_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    malware_type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    malware_path: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    malware_state: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    network_direction: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    network_protocol: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    network_source_ip_v4: [
      {
        cidr: "NonEmptyString",
      },
    ],
    network_source_ip_v6: [
      {
        cidr: "NonEmptyString",
      },
    ],
    network_source_port: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    network_source_domain: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    network_source_mac: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    network_destination_ip_v4: [
      {
        cidr: "NonEmptyString",
      },
    ],
    network_destination_ip_v6: [
      {
        cidr: "NonEmptyString",
      },
    ],
    network_destination_port: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    network_destination_domain: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    process_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    process_path: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    process_pid: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    process_parent_pid: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    process_launched_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    process_terminated_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    threat_intel_indicator_type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    threat_intel_indicator_value: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    threat_intel_indicator_category: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    threat_intel_indicator_last_observed_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    threat_intel_indicator_source: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    threat_intel_indicator_source_url: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_partition: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_region: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_tags: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_image_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_ip_v4_addresses: [
      {
        cidr: "NonEmptyString",
      },
    ],
    resource_aws_ec2_instance_ip_v6_addresses: [
      {
        cidr: "NonEmptyString",
      },
    ],
    resource_aws_ec2_instance_key_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_iam_instance_profile_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_vpc_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_subnet_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_launched_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    resource_aws_s3_bucket_owner_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_s3_bucket_owner_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_iam_access_key_user_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_iam_access_key_principal_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_iam_access_key_status: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_iam_access_key_created_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    resource_aws_iam_user_user_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_container_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_container_image_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_container_image_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_container_launched_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    resource_details_other: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_status: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    verification_state: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    workflow_state: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    workflow_status: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    record_state: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    related_findings_product_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    related_findings_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    note_text: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    note_updated_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    note_updated_by: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    keyword: [
      {
        value: "NonEmptyString",
      },
    ],
    finding_provider_fields_confidence: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    finding_provider_fields_criticality: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    finding_provider_fields_related_findings_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    finding_provider_fields_related_findings_product_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    finding_provider_fields_severity_label: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    finding_provider_fields_severity_original: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    finding_provider_fields_types: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    sample: [
      {
        value: false,
      },
    ],
    compliance_security_control_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_associated_standards_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    vulnerabilities_exploit_available: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    vulnerabilities_fix_available: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_security_control_parameters_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_security_control_parameters_value: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    aws_account_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_application_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_application_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
  },
  group_by_attribute: "NonEmptyString", # required
})

Response structure


resp.insight_arn #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :name (required, String)

    The name of the custom insight to create.

  • :filters (required, Types::AwsSecurityFindingFilters)

    One or more attributes used to filter the findings included in the insight. The insight only includes findings that match the criteria defined in the filters.

  • :group_by_attribute (required, String)

    The attribute used to group the findings for the insight. The grouping attribute identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers.

Returns:

See Also:



3739
3740
3741
3742
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 3739

def create_insight(params = {}, options = {})
  req = build_request(:create_insight, params)
  req.send_request(options)
end

#create_members(params = {}) ⇒ Types::CreateMembersResponse

Creates a member association in Security Hub between the specified accounts and the account used to make the request, which is the administrator account. If you are integrated with Organizations, then the administrator account is designated by the organization management account.

CreateMembers is always used to add accounts that are not organization members.

For accounts that are managed using Organizations, CreateMembers is only used in the following cases:

  • Security Hub is not configured to automatically add new organization accounts.

  • The account was disassociated or deleted in Security Hub.

This action can only be used by an account that has Security Hub enabled. To enable Security Hub, you can use the EnableSecurityHub operation.

For accounts that are not organization members, you create the account association and then send an invitation to the member account. To send the invitation, you use the InviteMembers operation. If the account owner accepts the invitation, the account becomes a member account in Security Hub.

Accounts that are managed using Organizations don't receive an invitation. They automatically become a member account in Security Hub.

  • If the organization account does not have Security Hub enabled, then Security Hub and the default standards are automatically enabled. Note that Security Hub cannot be enabled automatically for the organization management account. The organization management account must enable Security Hub before the administrator account enables it as a member account.

  • For organization accounts that already have Security Hub enabled, Security Hub does not make any other changes to those accounts. It does not change their enabled standards or controls.

A permissions policy is added that permits the administrator account to view the findings generated in the member account.

To remove the association between the administrator and member accounts, use the DisassociateFromMasterAccount or DisassociateMembers operation.

Examples:

Example: To add a member account


# The following example creates a member association between the specified accounts and the administrator account (the
# account that makes the request). This operation is used to add accounts that aren't part of an organization.

resp = client.create_members({
  account_details: [
    {
      account_id: "123456789012", 
    }, 
    {
      account_id: "111122223333", 
    }, 
  ], 
})

resp.to_h outputs the following:
{
  unprocessed_accounts: [
  ], 
}

Request syntax with placeholder values


resp = client.create_members({
  account_details: [ # required
    {
      account_id: "AccountId", # required
      email: "NonEmptyString",
    },
  ],
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0]. #=> String
resp.unprocessed_accounts[0].processing_result #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :account_details (required, Array<Types::AccountDetails>)

    The list of accounts to associate with the Security Hub administrator account. For each account, the list includes the account ID and optionally the email address.

Returns:

See Also:



3846
3847
3848
3849
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 3846

def create_members(params = {}, options = {})
  req = build_request(:create_members, params)
  req.send_request(options)
end

#decline_invitations(params = {}) ⇒ Types::DeclineInvitationsResponse

We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.

Declines invitations to become a Security Hub member account.

A prospective member account uses this operation to decline an invitation to become a member.

Only member accounts that aren't part of an Amazon Web Services organization should use this operation. Organization accounts don't receive invitations.

Examples:

Example: To decline invitation to become a member account


# The following example declines an invitation from the Security Hub administrator account to become a member account. The
# invited account makes the request.

resp = client.decline_invitations({
  account_ids: [
    "123456789012", 
    "111122223333", 
  ], 
})

resp.to_h outputs the following:
{
  unprocessed_accounts: [
  ], 
}

Request syntax with placeholder values


resp = client.decline_invitations({
  account_ids: ["NonEmptyString"], # required
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0]. #=> String
resp.unprocessed_accounts[0].processing_result #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :account_ids (required, Array<String>)

    The list of prospective member account IDs for which to decline an invitation.

Returns:

See Also:



3914
3915
3916
3917
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 3914

def decline_invitations(params = {}, options = {})
  req = build_request(:decline_invitations, params)
  req.send_request(options)
end

#delete_action_target(params = {}) ⇒ Types::DeleteActionTargetResponse

Deletes a custom action target from Security Hub.

Deleting a custom action target does not affect any findings or insights that were already sent to Amazon CloudWatch Events using the custom action.

Examples:

Example: To delete a custom action target


# The following example deletes a custom action target that triggers target actions in Amazon CloudWatch Events. Deleting
# a custom action target doesn't affect findings or insights that were already sent to CloudWatch Events based on the
# custom action.

resp = client.delete_action_target({
  action_target_arn: "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation", 
})

resp.to_h outputs the following:
{
  action_target_arn: "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation", 
}

Request syntax with placeholder values


resp = client.delete_action_target({
  action_target_arn: "NonEmptyString", # required
})

Response structure


resp.action_target_arn #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :action_target_arn (required, String)

    The Amazon Resource Name (ARN) of the custom action target to delete.

Returns:

See Also:



3962
3963
3964
3965
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 3962

def delete_action_target(params = {}, options = {})
  req = build_request(:delete_action_target, params)
  req.send_request(options)
end

#delete_configuration_policy(params = {}) ⇒ Struct

Deletes a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region. For the deletion to succeed, you must first disassociate a configuration policy from target accounts, organizational units, or the root by invoking the StartConfigurationPolicyDisassociation operation.

Examples:

Example: To delete a configuration policy


# This operation deletes the specified configuration policy.

resp = client.delete_configuration_policy({
  identifier: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
})

Request syntax with placeholder values


resp = client.delete_configuration_policy({
  identifier: "NonEmptyString", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :identifier (required, String)

    The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



3998
3999
4000
4001
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 3998

def delete_configuration_policy(params = {}, options = {})
  req = build_request(:delete_configuration_policy, params)
  req.send_request(options)
end

#delete_finding_aggregator(params = {}) ⇒ Struct

The aggregation Region is now called the home Region.

Deletes a finding aggregator. When you delete the finding aggregator, you stop cross-Region aggregation. Finding replication stops occurring from the linked Regions to the home Region.

When you stop cross-Region aggregation, findings that were already replicated and sent to the home Region are still visible from the home Region. However, new findings and finding updates are no longer replicated and sent to the home Region.

Examples:

Example: To delete a finding aggregator


# The following example deletes a finding aggregator in Security Hub. Deleting the finding aggregator stops cross-Region
# aggregation. This operation produces no output.

resp = client.delete_finding_aggregator({
  finding_aggregator_arn: "arn:aws:securityhub:us-east-1:123456789012:finding-aggregator/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
})

Request syntax with placeholder values


resp = client.delete_finding_aggregator({
  finding_aggregator_arn: "NonEmptyString", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :finding_aggregator_arn (required, String)

    The ARN of the finding aggregator to delete. To obtain the ARN, use ListFindingAggregators.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



4042
4043
4044
4045
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4042

def delete_finding_aggregator(params = {}, options = {})
  req = build_request(:delete_finding_aggregator, params)
  req.send_request(options)
end

#delete_insight(params = {}) ⇒ Types::DeleteInsightResponse

Deletes the insight specified by the InsightArn.

Examples:

Example: To delete a custom insight


# The following example deletes a custom insight in Security Hub.

resp = client.delete_insight({
  insight_arn: "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
})

resp.to_h outputs the following:
{
  insight_arn: "arn:aws:securityhub:eu-central-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
}

Request syntax with placeholder values


resp = client.delete_insight({
  insight_arn: "NonEmptyString", # required
})

Response structure


resp.insight_arn #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :insight_arn (required, String)

    The ARN of the insight to delete.

Returns:

See Also:



4084
4085
4086
4087
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4084

def delete_insight(params = {}, options = {})
  req = build_request(:delete_insight, params)
  req.send_request(options)
end

#delete_invitations(params = {}) ⇒ Types::DeleteInvitationsResponse

We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the Security Hub User Guide.

Deletes invitations to become a Security Hub member account.

A Security Hub administrator account can use this operation to delete invitations sent to one or more prospective member accounts.

This operation is only used to delete invitations that are sent to prospective member accounts that aren't part of an Amazon Web Services organization. Organization accounts don't receive invitations.

Examples:

Example: To delete a custom insight


# The following example deletes an invitation sent by the Security Hub administrator account to a prospective member
# account. This operation is used only for invitations sent to accounts that aren't part of an organization. Organization
# accounts don't receive invitations.

resp = client.delete_invitations({
  account_ids: [
    "123456789012", 
  ], 
})

resp.to_h outputs the following:
{
  unprocessed_accounts: [
  ], 
}

Request syntax with placeholder values


resp = client.delete_invitations({
  account_ids: ["NonEmptyString"], # required
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0]. #=> String
resp.unprocessed_accounts[0].processing_result #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :account_ids (required, Array<String>)

    The list of member account IDs that received the invitations you want to delete.

Returns:

See Also:



4153
4154
4155
4156
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4153

def delete_invitations(params = {}, options = {})
  req = build_request(:delete_invitations, params)
  req.send_request(options)
end

#delete_members(params = {}) ⇒ Types::DeleteMembersResponse

Deletes the specified member accounts from Security Hub.

You can invoke this API only to delete accounts that became members through invitation. You can't invoke this API to delete accounts that belong to an Organizations organization.

Examples:

Example: To delete a member account


# The following example deletes the specified member account from Security Hub. This operation can be used to delete
# member accounts that are part of an organization or that were invited manually.

resp = client.delete_members({
  account_ids: [
    "123456789111", 
    "123456789222", 
  ], 
})

resp.to_h outputs the following:
{
  unprocessed_accounts: [
  ], 
}

Request syntax with placeholder values


resp = client.delete_members({
  account_ids: ["NonEmptyString"], # required
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0]. #=> String
resp.unprocessed_accounts[0].processing_result #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :account_ids (required, Array<String>)

    The list of account IDs for the member accounts to delete.

Returns:

See Also:



4206
4207
4208
4209
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4206

def delete_members(params = {}, options = {})
  req = build_request(:delete_members, params)
  req.send_request(options)
end

#describe_action_targets(params = {}) ⇒ Types::DescribeActionTargetsResponse

Returns a list of the custom action targets in Security Hub in your account.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: To return custom action targets


# The following example returns a list of custom action targets. You use custom actions on findings and insights in
# Security Hub to trigger target actions in Amazon CloudWatch Events.

resp = client.describe_action_targets({
  action_target_arns: [
    "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation", 
  ], 
})

resp.to_h outputs the following:
{
  action_targets: [
    {
      action_target_arn: "arn:aws:securityhub:us-west-1:123456789012:action/custom/Remediation", 
      description: "Action to send the finding for remediation tracking", 
      name: "Send to remediation", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.describe_action_targets({
  action_target_arns: ["NonEmptyString"],
  next_token: "NextToken",
  max_results: 1,
})

Response structure


resp.action_targets #=> Array
resp.action_targets[0].action_target_arn #=> String
resp.action_targets[0].name #=> String
resp.action_targets[0].description #=> String
resp.next_token #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :action_target_arns (Array<String>)

    A list of custom action target ARNs for the custom action targets to retrieve.

  • :next_token (String)

    The token that is required for pagination. On your first call to the DescribeActionTargets operation, set the value of this parameter to NULL.

    For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.

  • :max_results (Integer)

    The maximum number of results to return.

Returns:

See Also:



4280
4281
4282
4283
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4280

def describe_action_targets(params = {}, options = {})
  req = build_request(:describe_action_targets, params)
  req.send_request(options)
end

#describe_hub(params = {}) ⇒ Types::DescribeHubResponse

Returns details about the Hub resource in your account, including the HubArn and the time when you enabled Security Hub.

Examples:

Example: To return details about Hub resource


# The following example returns details about the Hub resource in the calling account. The Hub resource represents the
# implementation of  the AWS Security Hub service in the calling account.

resp = client.describe_hub({
  hub_arn: "arn:aws:securityhub:us-west-1:123456789012:hub/default", 
})

resp.to_h outputs the following:
{
  auto_enable_controls: true, 
  control_finding_generator: "SECURITY_CONTROL", 
  hub_arn: "arn:aws:securityhub:us-west-1:123456789012:hub/default", 
  subscribed_at: "2019-11-19T23:15:10.046Z", 
}

Request syntax with placeholder values


resp = client.describe_hub({
  hub_arn: "NonEmptyString",
})

Response structure


resp.hub_arn #=> String
resp.subscribed_at #=> String
resp.auto_enable_controls #=> Boolean
resp.control_finding_generator #=> String, one of "STANDARD_CONTROL", "SECURITY_CONTROL"

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :hub_arn (String)

    The ARN of the Hub resource to retrieve.

Returns:

See Also:



4333
4334
4335
4336
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4333

def describe_hub(params = {}, options = {})
  req = build_request(:describe_hub, params)
  req.send_request(options)
end

#describe_organization_configuration(params = {}) ⇒ Types::DescribeOrganizationConfigurationResponse

Returns information about the way your organization is configured in Security Hub. Only the Security Hub administrator account can invoke this operation.

Examples:

Example: To get information about organization configuration


# This operation provides information about the way your organization is configured in Security Hub. Only a Security Hub
# administrator account can invoke this operation.

resp = client.describe_organization_configuration({
})

resp.to_h outputs the following:
{
  auto_enable: false, 
  auto_enable_standards: "NONE", 
  member_account_limit_reached: false, 
  organization_configuration: {
    configuration_type: "CENTRAL", 
    status: "ENABLED", 
  }, 
}

Response structure


resp.auto_enable #=> Boolean
resp. #=> Boolean
resp.auto_enable_standards #=> String, one of "NONE", "DEFAULT"
resp.organization_configuration.configuration_type #=> String, one of "CENTRAL", "LOCAL"
resp.organization_configuration.status #=> String, one of "PENDING", "ENABLED", "FAILED"
resp.organization_configuration.status_message #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Returns:

See Also:



4382
4383
4384
4385
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4382

def describe_organization_configuration(params = {}, options = {})
  req = build_request(:describe_organization_configuration, params)
  req.send_request(options)
end

#describe_products(params = {}) ⇒ Types::DescribeProductsResponse

Returns information about product integrations in Security Hub.

You can optionally provide an integration ARN. If you provide an integration ARN, then the results only include that integration.

If you don't provide an integration ARN, then the results include all of the available product integrations.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: To get information about Security Hub integrations


# The following example returns details about AWS services and third-party products that Security Hub integrates with.

resp = client.describe_products({
  max_results: 1, 
  next_token: "NULL", 
  product_arn: "arn:aws:securityhub:us-east-1:517716713836:product/crowdstrike/crowdstrike-falcon", 
})

resp.to_h outputs the following:
{
  next_token: "U2FsdGVkX18vvPlOqb7RDrWRWVFBJI46MOIAb+nZmRJmR15NoRi2gm13sdQEn3O/pq/78dGs+bKpgA+7HMPHO0qX33/zoRI+uIG/F9yLNhcOrOWzFUdy36JcXLQji3Rpnn/cD1SVkGA98qI3zPOSDg==", 
  products: [
    {
      activation_url: "https://falcon.crowdstrike.com/support/documentation", 
      categories: [
        "Endpoint Detection and Response (EDR)", 
        "AV Scanning and Sandboxing", 
        "Threat Intelligence Feeds and Reports", 
        "Endpoint Forensics", 
        "Network Forensics", 
      ], 
      company_name: "CrowdStrike", 
      description: "CrowdStrike Falcon's single lightweight sensor unifies next-gen antivirus, endpoint detection and response, and 24/7 managed hunting, via the cloud.", 
      integration_types: [
        "SEND_FINDINGS_TO_SECURITY_HUB", 
      ], 
      marketplace_url: "https://aws.amazon.com/marketplace/seller-profile?id=a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
      product_arn: "arn:aws:securityhub:us-east-1:517716713836:product/crowdstrike/crowdstrike-falcon", 
      product_name: "CrowdStrike Falcon", 
      product_subscription_resource_policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789333\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}},{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789012\"},\"Action\":[\"securityhub:BatchImportFindings\"],\"Resource\":\"arn:aws:securityhub:us-west-1:123456789333:product/crowdstrike/crowdstrike-falcon\",\"Condition\":{\"StringEquals\":{\"securityhub:TargetAccount\":\"123456789012\"}}}]}", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.describe_products({
  next_token: "NextToken",
  max_results: 1,
  product_arn: "NonEmptyString",
})

Response structure


resp.products #=> Array
resp.products[0].product_arn #=> String
resp.products[0].product_name #=> String
resp.products[0].company_name #=> String
resp.products[0].description #=> String
resp.products[0].categories #=> Array
resp.products[0].categories[0] #=> String
resp.products[0].integration_types #=> Array
resp.products[0].integration_types[0] #=> String, one of "SEND_FINDINGS_TO_SECURITY_HUB", "RECEIVE_FINDINGS_FROM_SECURITY_HUB", "UPDATE_FINDINGS_IN_SECURITY_HUB"
resp.products[0].marketplace_url #=> String
resp.products[0].activation_url #=> String
resp.products[0].product_subscription_resource_policy #=> String
resp.next_token #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :next_token (String)

    The token that is required for pagination. On your first call to the DescribeProducts operation, set the value of this parameter to NULL.

    For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.

  • :max_results (Integer)

    The maximum number of results to return.

  • :product_arn (String)

    The ARN of the integration to return.

Returns:

See Also:



4482
4483
4484
4485
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4482

def describe_products(params = {}, options = {})
  req = build_request(:describe_products, params)
  req.send_request(options)
end

#describe_standards(params = {}) ⇒ Types::DescribeStandardsResponse

Returns a list of the available standards in Security Hub.

For each standard, the results include the standard ARN, the name, and a description.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: To get available Security Hub standards


# The following example returns a list of available security standards in Security Hub.

resp = client.describe_standards({
})

resp.to_h outputs the following:
{
  standards: [
    {
      description: "The AWS Foundational Security Best Practices standard is a set of automated security checks that detect when AWS accounts and deployed resources do not align to security best practices. The standard is defined by AWS security experts. This curated set of controls helps improve your security posture in AWS, and cover AWS's most popular and foundational services.", 
      enabled_by_default: true, 
      name: "AWS Foundational Security Best Practices v1.0.0", 
      standards_arn: "arn:aws:securityhub:us-west-1::standards/aws-foundational-security-best-practices/v/1.0.0", 
    }, 
    {
      description: "The Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 is a set of security configuration best practices for AWS. This Security Hub standard automatically checks for your compliance readiness against a subset of CIS requirements.", 
      enabled_by_default: true, 
      name: "CIS AWS Foundations Benchmark v1.2.0", 
      standards_arn: "arn:aws:securityhub:us-west-1::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
    }, 
    {
      description: "The Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0 is a set of security configuration best practices for AWS. This Security Hub standard automatically checks for your compliance readiness against a subset of CIS requirements.", 
      enabled_by_default: false, 
      name: "CIS AWS Foundations Benchmark v1.4.0", 
      standards_arn: "arn:aws::securityhub:us-west-1::standards/cis-aws-foundations-benchmark/v/1.4.0", 
    }, 
    {
      description: "The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data. This Security Hub standard automatically checks for your compliance readiness against a subset of PCI DSS requirements.", 
      enabled_by_default: false, 
      name: "PCI DSS v3.2.1", 
      standards_arn: "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.describe_standards({
  next_token: "NextToken",
  max_results: 1,
})

Response structure


resp.standards #=> Array
resp.standards[0].standards_arn #=> String
resp.standards[0].name #=> String
resp.standards[0].description #=> String
resp.standards[0].enabled_by_default #=> Boolean
resp.standards[0].standards_managed_by.company #=> String
resp.standards[0].standards_managed_by.product #=> String
resp.next_token #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :next_token (String)

    The token that is required for pagination. On your first call to the DescribeStandards operation, set the value of this parameter to NULL.

    For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.

  • :max_results (Integer)

    The maximum number of standards to return.

Returns:

See Also:



4571
4572
4573
4574
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4571

def describe_standards(params = {}, options = {})
  req = build_request(:describe_standards, params)
  req.send_request(options)
end

#describe_standards_controls(params = {}) ⇒ Types::DescribeStandardsControlsResponse

Returns a list of security standards controls.

For each control, the results include information about whether it is currently enabled, the severity, and a link to remediation information.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: To get a list of controls for a security standard


# The following example returns a list of security controls and control details that apply to a specified security
# standard. The list includes controls that are enabled and disabled in the standard.

resp = client.describe_standards_controls({
  max_results: 2, 
  next_token: "NULL", 
  standards_subscription_arn: "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1", 
})

resp.to_h outputs the following:
{
  controls: [
    {
      control_id: "PCI.AutoScaling.1", 
      control_status: "ENABLED", 
      control_status_updated_at: Time.parse("2020-05-15T18:49:04.473000+00:00"), 
      description: "This AWS control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.", 
      related_requirements: [
        "PCI DSS 2.2", 
      ], 
      remediation_url: "https://docs.aws.amazon.com/console/securityhub/PCI.AutoScaling.1/remediation", 
      severity_rating: "LOW", 
      standards_control_arn: "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.AutoScaling.1", 
      title: "Auto scaling groups associated with a load balancer should use health checks", 
    }, 
    {
      control_id: "PCI.CW.1", 
      control_status: "ENABLED", 
      control_status_updated_at: Time.parse("2020-05-15T18:49:04.498000+00:00"), 
      description: "This control checks for the CloudWatch metric filters using the following pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } It checks that the log group name is configured for use with active multi-region CloudTrail, that there is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All, and that there is at least one active subscriber to an SNS topic associated with the alarm.", 
      related_requirements: [
        "PCI DSS 7.2.1", 
      ], 
      remediation_url: "https://docs.aws.amazon.com/console/securityhub/PCI.CW.1/remediation", 
      severity_rating: "MEDIUM", 
      standards_control_arn: "arn:aws:securityhub:us-west-1:123456789012:control/pci-dss/v/3.2.1/PCI.CW.1", 
      title: "A log metric filter and alarm should exist for usage of the \"root\" user", 
    }, 
  ], 
  next_token: "U2FsdGVkX1+eNkPoZHVl11ip5HUYQPWSWZGmftcmJiHL8JoKEsCDuaKayiPDyLK+LiTkShveoOdvfxXCkOBaGhohIXhsIedN+LSjQV/l7kfCfJcq4PziNC1N9xe9aq2pjlLVZnznTfSImrodT5bRNHe4fELCQq/z+5ka+5Lzmc11axcwTd5lKgQyQqmUVoeriHZhyIiBgWKf7oNYdBVG8OEortVWvSkoUTt+B2ThcnC7l43kI0UNxlkZ6sc64AsW", 
}

Request syntax with placeholder values


resp = client.describe_standards_controls({
  standards_subscription_arn: "NonEmptyString", # required
  next_token: "NextToken",
  max_results: 1,
})

Response structure


resp.controls #=> Array
resp.controls[0].standards_control_arn #=> String
resp.controls[0].control_status #=> String, one of "ENABLED", "DISABLED"
resp.controls[0].disabled_reason #=> String
resp.controls[0].control_status_updated_at #=> Time
resp.controls[0].control_id #=> String
resp.controls[0].title #=> String
resp.controls[0].description #=> String
resp.controls[0].remediation_url #=> String
resp.controls[0].severity_rating #=> String, one of "LOW", "MEDIUM", "HIGH", "CRITICAL"
resp.controls[0].related_requirements #=> Array
resp.controls[0].related_requirements[0] #=> String
resp.next_token #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :standards_subscription_arn (required, String)

    The ARN of a resource that represents your subscription to a supported standard. To get the subscription ARNs of the standards you have enabled, use the GetEnabledStandards operation.

  • :next_token (String)

    The token that is required for pagination. On your first call to the DescribeStandardsControls operation, set the value of this parameter to NULL.

    For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.

  • :max_results (Integer)

    The maximum number of security standard controls to return.

Returns:

See Also:



4679
4680
4681
4682
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4679

def describe_standards_controls(params = {}, options = {})
  req = build_request(:describe_standards_controls, params)
  req.send_request(options)
end

#disable_import_findings_for_product(params = {}) ⇒ Struct

Disables the integration of the specified product with Security Hub. After the integration is disabled, findings from that product are no longer sent to Security Hub.

Examples:

Example: To end a Security Hub integration


# The following example ends an integration between Security Hub and the specified product that sends findings to Security
# Hub. After the integration ends, the product no longer sends findings to Security  Hub.

resp = client.disable_import_findings_for_product({
  product_subscription_arn: "arn:aws:securityhub:us-east-1:517716713836:product/crowdstrike/crowdstrike-falcon", 
})

Request syntax with placeholder values


resp = client.disable_import_findings_for_product({
  product_subscription_arn: "NonEmptyString", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :product_subscription_arn (required, String)

    The ARN of the integrated product to disable the integration for.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



4713
4714
4715
4716
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4713

def disable_import_findings_for_product(params = {}, options = {})
  req = build_request(:disable_import_findings_for_product, params)
  req.send_request(options)
end

#disable_organization_admin_account(params = {}) ⇒ Struct

Disables a Security Hub administrator account. Can only be called by the organization management account.

Examples:

Example: To remove a Security Hub administrator account


# The following example removes the Security Hub administrator account in the Region from which the operation was
# executed. This operation doesn't remove the delegated administrator account in AWS Organizations.

resp = client.({
  admin_account_id: "123456789012", 
})

Request syntax with placeholder values


resp = client.({
  admin_account_id: "NonEmptyString", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :admin_account_id (required, String)

    The Amazon Web Services account identifier of the Security Hub administrator account.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



4747
4748
4749
4750
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4747

def (params = {}, options = {})
  req = build_request(:disable_organization_admin_account, params)
  req.send_request(options)
end

#disable_security_hub(params = {}) ⇒ Struct

Disables Security Hub in your account only in the current Amazon Web Services Region. To disable Security Hub in all Regions, you must submit one request per Region where you have enabled Security Hub.

You can't disable Security Hub in an account that is currently the Security Hub administrator.

When you disable Security Hub, your existing findings and insights and any Security Hub configuration settings are deleted after 90 days and cannot be recovered. Any standards that were enabled are disabled, and your administrator and member account associations are removed.

If you want to save your existing findings, you must export them before you disable Security Hub.

Examples:

Example: To deactivate Security Hub


# The following example deactivates Security Hub for the current account and Region.

resp = client.disable_security_hub({
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Returns:

  • (Struct)

    Returns an empty response.

See Also:



4781
4782
4783
4784
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4781

def disable_security_hub(params = {}, options = {})
  req = build_request(:disable_security_hub, params)
  req.send_request(options)
end

#disassociate_from_administrator_account(params = {}) ⇒ Struct

Disassociates the current Security Hub member account from the associated administrator account.

This operation is only used by accounts that are not part of an organization. For organization accounts, only the administrator account can disassociate a member account.

Examples:

Example: To disassociate requesting account from administrator account


# The following example dissociates the requesting account from its associated administrator account.

resp = client.({
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Returns:

  • (Struct)

    Returns an empty response.

See Also:



4807
4808
4809
4810
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4807

def (params = {}, options = {})
  req = build_request(:disassociate_from_administrator_account, params)
  req.send_request(options)
end

#disassociate_from_master_account(params = {}) ⇒ Struct

This method is deprecated. Instead, use DisassociateFromAdministratorAccount.

The Security Hub console continues to use DisassociateFromMasterAccount. It will eventually change to use DisassociateFromAdministratorAccount. Any IAM policies that specifically control access to this function must continue to use DisassociateFromMasterAccount. You should also add DisassociateFromAdministratorAccount to your policies to ensure that the correct permissions are in place after the console begins to use DisassociateFromAdministratorAccount.

Disassociates the current Security Hub member account from the associated administrator account.

This operation is only used by accounts that are not part of an organization. For organization accounts, only the administrator account can disassociate a member account.

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Returns:

  • (Struct)

    Returns an empty response.

See Also:



4837
4838
4839
4840
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4837

def (params = {}, options = {})
  req = build_request(:disassociate_from_master_account, params)
  req.send_request(options)
end

#disassociate_members(params = {}) ⇒ Struct

Disassociates the specified member accounts from the associated administrator account.

Can be used to disassociate both accounts that are managed using Organizations and accounts that were invited manually.

Examples:

Example: To disassociate member accounts from administrator account


# The following example dissociates the specified member accounts from the associated administrator account.

resp = client.disassociate_members({
  account_ids: [
    "123456789012", 
    "111122223333", 
  ], 
})

Request syntax with placeholder values


resp = client.disassociate_members({
  account_ids: ["NonEmptyString"], # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :account_ids (required, Array<String>)

    The account IDs of the member accounts to disassociate from the administrator account.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



4876
4877
4878
4879
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4876

def disassociate_members(params = {}, options = {})
  req = build_request(:disassociate_members, params)
  req.send_request(options)
end

#enable_import_findings_for_product(params = {}) ⇒ Types::EnableImportFindingsForProductResponse

Enables the integration of a partner product with Security Hub. Integrated products send findings to Security Hub.

When you enable a product integration, a permissions policy that grants permission for the product to send findings to Security Hub is applied.

Examples:

Example: To activate an integration


# The following example activates an integration between Security Hub and a third party partner product that sends
# findings to Security Hub.

resp = client.enable_import_findings_for_product({
  product_arn: "arn:aws:securityhub:us-east-1:517716713836:product/crowdstrike/crowdstrike-falcon", 
})

resp.to_h outputs the following:
{
  product_subscription_arn: "arn:aws:securityhub:us-east-1:517716713836:product-subscription/crowdstrike/crowdstrike-falcon", 
}

Request syntax with placeholder values


resp = client.enable_import_findings_for_product({
  product_arn: "NonEmptyString", # required
})

Response structure


resp.product_subscription_arn #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :product_arn (required, String)

    The ARN of the product to enable the integration for.

Returns:

See Also:



4924
4925
4926
4927
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4924

def enable_import_findings_for_product(params = {}, options = {})
  req = build_request(:enable_import_findings_for_product, params)
  req.send_request(options)
end

#enable_organization_admin_account(params = {}) ⇒ Struct

Designates the Security Hub administrator account for an organization. Can only be called by the organization management account.

Examples:

Example: To designate a Security Hub administrator


# The following example designates the specified account as the Security Hub administrator account. The requesting account
# must be the organization management account.

resp = client.({
  admin_account_id: "123456789012", 
})

Request syntax with placeholder values


resp = client.({
  admin_account_id: "NonEmptyString", # required
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :admin_account_id (required, String)

    The Amazon Web Services account identifier of the account to designate as the Security Hub administrator account.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



4958
4959
4960
4961
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 4958

def (params = {}, options = {})
  req = build_request(:enable_organization_admin_account, params)
  req.send_request(options)
end

#enable_security_hub(params = {}) ⇒ Struct

Enables Security Hub for your account in the current Region or the Region you specify in the request.

When you enable Security Hub, you grant to Security Hub the permissions necessary to gather findings from other services that are integrated with Security Hub.

When you use the EnableSecurityHub operation to enable Security Hub, you also automatically enable the following standards:

  • Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark v1.2.0

  • Amazon Web Services Foundational Security Best Practices

Other standards are not automatically enabled.

To opt out of automatically enabled standards, set EnableDefaultStandards to false.

After you enable Security Hub, to enable a standard, use the BatchEnableStandards operation. To disable a standard, use the BatchDisableStandards operation.

To learn more, see the setup information in the Security Hub User Guide.

Examples:

Example: To activate Security Hub


# The following example activates the Security Hub service in the requesting AWS account. The service is activated in the
# current AWS Region or the Region that you specify in the request. Some standards are automatically turned on in your
# account unless you opt out. To determine which standards are automatically turned on, see the Security Hub
# documentation.

resp = client.enable_security_hub({
  enable_default_standards: true, 
  tags: {
    "Department" => "Security", 
  }, 
})

Request syntax with placeholder values


resp = client.enable_security_hub({
  tags: {
    "TagKey" => "TagValue",
  },
  enable_default_standards: false,
  control_finding_generator: "STANDARD_CONTROL", # accepts STANDARD_CONTROL, SECURITY_CONTROL
})

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :tags (Hash<String,String>)

    The tags to add to the hub resource when you enable Security Hub.

  • :enable_default_standards (Boolean)

    Whether to enable the security standards that Security Hub has designated as automatically enabled. If you don't provide a value for EnableDefaultStandards, it is set to true. To not enable the automatically enabled standards, set EnableDefaultStandards to false.

  • :control_finding_generator (String)

    This field, used when enabling Security Hub, specifies whether the calling account has consolidated control findings turned on. If the value for this field is set to SECURITY_CONTROL, Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards.

    If the value for this field is set to STANDARD_CONTROL, Security Hub generates separate findings for a control check when the check applies to multiple enabled standards.

    The value for this field in a member account matches the value in the administrator account. For accounts that aren't part of an organization, the default value of this field is SECURITY_CONTROL if you enabled Security Hub on or after February 23, 2023.

Returns:

  • (Struct)

    Returns an empty response.

See Also:



5051
5052
5053
5054
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 5051

def enable_security_hub(params = {}, options = {})
  req = build_request(:enable_security_hub, params)
  req.send_request(options)
end

#get_administrator_account(params = {}) ⇒ Types::GetAdministratorAccountResponse

Provides the details for the Security Hub administrator account for the current member account.

Can be used by both member accounts that are managed using Organizations and accounts that were invited manually.

Examples:

Example: To get details about the Security Hub administrator account


# The following example provides details about the Security Hub administrator account for the requesting member account.

resp = client.({
})

resp.to_h outputs the following:
{
  administrator: {
    account_id: "123456789012", 
    invitation_id: "7ab938c5d52d7904ad09f9e7c20cc4eb", 
    invited_at: Time.parse("2020-06-01T20:21:18.042000+00:00"), 
    member_status: "ASSOCIATED", 
  }, 
}

Response structure


resp.administrator. #=> String
resp.administrator.invitation_id #=> String
resp.administrator.invited_at #=> Time
resp.administrator.member_status #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Returns:

See Also:



5095
5096
5097
5098
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 5095

def (params = {}, options = {})
  req = build_request(:get_administrator_account, params)
  req.send_request(options)
end

#get_configuration_policy(params = {}) ⇒ Types::GetConfigurationPolicyResponse

Provides information about a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.

Examples:

Example: To get details about a configuration policy


# This operation provides details about the specified configuration policy.

resp = client.get_configuration_policy({
  identifier: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
})

resp.to_h outputs the following:
{
  arn: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
  configuration_policy: {
    security_hub: {
      enabled_standard_identifiers: [
        "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", 
        "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
      ], 
      security_controls_configuration: {
        disabled_security_control_identifiers: [
          "CloudWatch.1", 
        ], 
        security_control_custom_parameters: [
          {
            parameters: {
              "daysToExpiration" => {
                value: {
                  integer: 14, 
                }, 
                value_type: "CUSTOM", 
              }, 
            }, 
            security_control_id: "ACM.1", 
          }, 
        ], 
      }, 
      service_enabled: true, 
    }, 
  }, 
  created_at: Time.parse("2023-01-11T06:17:17.154Z"), 
  description: "Configuration policy for testing FSBP and CIS", 
  id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
  name: "TestConfigurationPolicy", 
  updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
}

Request syntax with placeholder values


resp = client.get_configuration_policy({
  identifier: "NonEmptyString", # required
})

Response structure


resp.arn #=> String
resp.id #=> String
resp.name #=> String
resp.description #=> String
resp.updated_at #=> Time
resp.created_at #=> Time
resp.configuration_policy.security_hub.service_enabled #=> Boolean
resp.configuration_policy.security_hub.enabled_standard_identifiers #=> Array
resp.configuration_policy.security_hub.enabled_standard_identifiers[0] #=> String
resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers[0] #=> String
resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers[0] #=> String
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].security_control_id #=> String
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters #=> Hash
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value_type #=> String, one of "DEFAULT", "CUSTOM"
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer #=> Integer
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list[0] #=> Integer
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.double #=> Float
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string #=> String
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list[0] #=> String
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.boolean #=> Boolean
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum #=> String
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list #=> Array
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list[0] #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :identifier (required, String)

    The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.

Returns:

See Also:



5205
5206
5207
5208
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 5205

def get_configuration_policy(params = {}, options = {})
  req = build_request(:get_configuration_policy, params)
  req.send_request(options)
end

#get_configuration_policy_association(params = {}) ⇒ Types::GetConfigurationPolicyAssociationResponse

Returns the association between a configuration and a target account, organizational unit, or the root. The configuration can be a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.

Examples:

Example: To get details about a configuration association


# This operation provides details about configuration associations for a specific target account, organizational unit, or
# the root.

resp = client.get_configuration_policy_association({
  target: {
    account_id: "111122223333", 
  }, 
})

resp.to_h outputs the following:
{
  association_status: "FAILED", 
  association_status_message: "Configuration Policy a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 couldn\u2019t be applied to account 111122223333 in us-east-1 Region. Retry your request.", 
  association_type: "INHERITED", 
  configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
  target_id: "111122223333", 
  target_type: "ACCOUNT", 
  updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
}

Request syntax with placeholder values


resp = client.get_configuration_policy_association({
  target: { # required
    account_id: "NonEmptyString",
    organizational_unit_id: "NonEmptyString",
    root_id: "NonEmptyString",
  },
})

Response structure


resp.configuration_policy_id #=> String
resp.target_id #=> String
resp.target_type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT", "ROOT"
resp.association_type #=> String, one of "INHERITED", "APPLIED"
resp.updated_at #=> Time
resp.association_status #=> String, one of "PENDING", "SUCCESS", "FAILED"
resp.association_status_message #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :target (required, Types::Target)

    The target account ID, organizational unit ID, or the root ID to retrieve the association for.

Returns:

See Also:



5277
5278
5279
5280
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 5277

def get_configuration_policy_association(params = {}, options = {})
  req = build_request(:get_configuration_policy_association, params)
  req.send_request(options)
end

#get_enabled_standards(params = {}) ⇒ Types::GetEnabledStandardsResponse

Returns a list of the standards that are currently enabled.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: To return a list of enabled standards


# The following example returns a list of Security Hub standards that are currently enabled in your account.  

resp = client.get_enabled_standards({
  standards_subscription_arns: [
    "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1", 
  ], 
})

resp.to_h outputs the following:
{
  standards_subscriptions: [
    {
      standards_arn: "arn:aws:securityhub:us-west-1::standards/pci-dss/v/3.2.1", 
      standards_input: {
      }, 
      standards_status: "READY", 
      standards_subscription_arn: "arn:aws:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.get_enabled_standards({
  standards_subscription_arns: ["NonEmptyString"],
  next_token: "NextToken",
  max_results: 1,
})

Response structure


resp.standards_subscriptions #=> Array
resp.standards_subscriptions[0].standards_subscription_arn #=> String
resp.standards_subscriptions[0].standards_arn #=> String
resp.standards_subscriptions[0].standards_input #=> Hash
resp.standards_subscriptions[0].standards_input["NonEmptyString"] #=> String
resp.standards_subscriptions[0].standards_status #=> String, one of "PENDING", "READY", "FAILED", "DELETING", "INCOMPLETE"
resp.standards_subscriptions[0].standards_status_reason.status_reason_code #=> String, one of "NO_AVAILABLE_CONFIGURATION_RECORDER", "INTERNAL_ERROR"
resp.next_token #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :standards_subscription_arns (Array<String>)

    The list of the standards subscription ARNs for the standards to retrieve.

  • :next_token (String)

    The token that is required for pagination. On your first call to the GetEnabledStandards operation, set the value of this parameter to NULL.

    For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.

  • :max_results (Integer)

    The maximum number of results to return in the response.

Returns:

See Also:



5354
5355
5356
5357
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 5354

def get_enabled_standards(params = {}, options = {})
  req = build_request(:get_enabled_standards, params)
  req.send_request(options)
end

#get_finding_aggregator(params = {}) ⇒ Types::GetFindingAggregatorResponse

The aggregation Region is now called the home Region.

Returns the current configuration in the calling account for cross-Region aggregation. A finding aggregator is a resource that establishes the home Region and any linked Regions.

Examples:

Example: To get cross-Region aggregation details


# The following example returns cross-Region aggregation details for the requesting account. 

resp = client.get_finding_aggregator({
  finding_aggregator_arn: "arn:aws:securityhub:us-east-1:123456789012:finding-aggregator/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
})

resp.to_h outputs the following:
{
  finding_aggregation_region: "us-east-1", 
  finding_aggregator_arn: "arn:aws:securityhub:us-east-1:123456789012:finding-aggregator/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
  region_linking_mode: "SPECIFIED_REGIONS", 
  regions: [
    "us-west-1", 
    "us-west-2", 
  ], 
}

Request syntax with placeholder values


resp = client.get_finding_aggregator({
  finding_aggregator_arn: "NonEmptyString", # required
})

Response structure


resp.finding_aggregator_arn #=> String
resp.finding_aggregation_region #=> String
resp.region_linking_mode #=> String
resp.regions #=> Array
resp.regions[0] #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :finding_aggregator_arn (required, String)

    The ARN of the finding aggregator to return details for. To obtain the ARN, use ListFindingAggregators.

Returns:

See Also:



5416
5417
5418
5419
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 5416

def get_finding_aggregator(params = {}, options = {})
  req = build_request(:get_finding_aggregator, params)
  req.send_request(options)
end

#get_finding_history(params = {}) ⇒ Types::GetFindingHistoryResponse

Returns history for a Security Hub finding in the last 90 days. The history includes changes made to any fields in the Amazon Web Services Security Finding Format (ASFF).

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: To get finding history


# The following example retrieves the history of the specified finding during the specified time frame. If the time frame
# permits, Security Hub returns finding history for the last 90 days.

resp = client.get_finding_history({
  end_time: Time.parse("2021-09-31T15:53:35.573Z"), 
  finding_identifier: {
    id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
    product_arn: "arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default", 
  }, 
  max_results: 2, 
  start_time: Time.parse("2021-09-30T15:53:35.573Z"), 
})

resp.to_h outputs the following:
{
  records: [
    {
      finding_created: false, 
      finding_identifier: {
        id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
        product_arn: "arn:aws:securityhub:us-west-2:123456789012:product/123456789012/default", 
      }, 
      update_source: {
        identity: "arn:aws:iam::444455556666:role/Admin", 
        type: "BATCH_UPDATE_FINDINGS", 
      }, 
      update_time: Time.parse("2021-09-31T15:52:25.573Z"), 
      updates: [
        {
          new_value: "MEDIUM", 
          old_value: "HIGH", 
          updated_field: "Severity", 
        }, 
      ], 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.get_finding_history({
  finding_identifier: { # required
    id: "NonEmptyString", # required
    product_arn: "NonEmptyString", # required
  },
  start_time: Time.now,
  end_time: Time.now,
  next_token: "NextToken",
  max_results: 1,
})

Response structure


resp.records #=> Array
resp.records[0].finding_identifier.id #=> String
resp.records[0].finding_identifier.product_arn #=> String
resp.records[0].update_time #=> Time
resp.records[0].finding_created #=> Boolean
resp.records[0].update_source.type #=> String, one of "BATCH_UPDATE_FINDINGS", "BATCH_IMPORT_FINDINGS"
resp.records[0].update_source.identity #=> String
resp.records[0].updates #=> Array
resp.records[0].updates[0].updated_field #=> String
resp.records[0].updates[0].old_value #=> String
resp.records[0].updates[0].new_value #=> String
resp.records[0].next_token #=> String
resp.next_token #=> String

Parameters:

  • params (Hash) (defaults to: {})

    ({})

Options Hash (params):

  • :finding_identifier (required, Types::AwsSecurityFindingIdentifier)

    Identifies which finding to get the finding history for.

  • :start_time (Time, DateTime, Date, Integer, String)

    A timestamp that indicates the start time of the requested finding history.

    If you provide values for both StartTime and EndTime, Security Hub returns finding history for the specified time period. If you provide a value for StartTime but not for EndTime, Security Hub returns finding history from the StartTime to the time at which the API is called. If you provide a value for EndTime but not for StartTime, Security Hub returns finding history from the CreatedAt timestamp of the finding to the EndTime. If you provide neither StartTime nor EndTime, Security Hub returns finding history from the CreatedAt timestamp of the finding to the time at which the API is called. In all of these scenarios, the response is limited to 100 results, and the maximum time period is limited to 90 days.

    This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

    • YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

    • YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

    • YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

    • YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

    • YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

  • :end_time (Time, DateTime, Date, Integer, String)

    An ISO 8601-formatted timestamp that indicates the end time of the requested finding history.

    If you provide values for both StartTime and EndTime, Security Hub returns finding history for the specified time period. If you provide a value for StartTime but not for EndTime, Security Hub returns finding history from the StartTime to the time at which the API is called. If you provide a value for EndTime but not for StartTime, Security Hub returns finding history from the CreatedAt timestamp of the finding to the EndTime. If you provide neither StartTime nor EndTime, Security Hub returns finding history from the CreatedAt timestamp of the finding to the time at which the API is called. In all of these scenarios, the response is limited to 100 results, and the maximum time period is limited to 90 days.

    This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

    • YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

    • YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

    • YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

    • YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

    • YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

  • :next_token (String)

    A token for pagination purposes. Provide NULL as the initial value. In subsequent requests, provide the token included in the response to get up to an additional 100 results of finding history. If you don’t provide NextToken, Security Hub returns up to 100 results of finding history for each request.

  • :max_results (Integer)

    The maximum number of results to be returned. If you don’t provide it, Security Hub returns up to 100 results of finding history.

Returns:

See Also:



5596
5597
5598
5599
# File 'gems/aws-sdk-securityhub/lib/aws-sdk-securityhub/client.rb', line 5596

def get_finding_history(params = {}, options = {})
  req = build_request(:get_finding_history, params)
  req.send_request(options)
end

#get_findings(params = {}) ⇒ Types::GetFindingsResponse

Returns a list of findings that match the specified criteria.

If cross-Region aggregation is enabled, then when you call GetFindings from the home Region, the results include all of the matching findings from both the home Region and linked Regions.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Example: To get a list of findings


# The following example returns a filtered and sorted list of Security Hub findings.

resp = client.get_findings({
  filters: {
    aws_account_id: [
      {
        comparison: "PREFIX", 
        value: "123456789012", 
      }, 
    ], 
  }, 
  max_results: 1, 
})

resp.to_h outputs the following:
{
  findings: [
    {
      aws_account_id: "123456789012", 
      company_name: "AWS", 
      compliance: {
        associated_standards: [
          {
            standards_id: "standards/aws-foundational-security-best-practices/v/1.0.0", 
          }, 
          {
            standards_id: "standards/pci-dss/v/3.2.1", 
          }, 
          {
            standards_id: "ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
          }, 
          {
            standards_id: "standards/cis-aws-foundations-benchmark/v/1.4.0", 
          }, 
          {
            standards_id: "standards/service-managed-aws-control-tower/v/1.0.0", 
          }, 
        ], 
        related_requirements: [
          "PCI DSS v3.2.1/3.4", 
          "CIS AWS Foundations Benchmark v1.2.0/2.7", 
          "CIS AWS Foundations Benchmark v1.4.0/3.7", 
        ], 
        security_control_id: "CloudTrail.2", 
        status: "FAILED", 
      }, 
      created_at: "2022-10-06T02:18:23.076Z", 
      description: "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", 
      finding_provider_fields: {
        severity: {
          label: "MEDIUM", 
          original: "MEDIUM", 
        }, 
        types: [
          "Software and Configuration Checks/Industry and Regulatory Standards", 
        ], 
      }, 
      first_observed_at: "2022-10-06T02:18:23.076Z", 
      generator_id: "security-control/CloudTrail.2", 
      id: "arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
      last_observed_at: "2022-10-28T16:10:06.956Z", 
      product_arn: "arn:aws:securityhub:us-east-2::product/aws/securityhub", 
      product_fields: {
        "RelatedAWSResources:0/name" => "securityhub-cloud-trail-encryption-enabled-fe95bf3f", 
        "RelatedAWSResources:0/type" => "AWS::Config::ConfigRule", 
        "Resources:0/Id" => "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", 
        "aws/securityhub/CompanyName" => "AWS", 
        "aws/securityhub/FindingId" => "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
        "aws/securityhub/ProductName" => "Security Hub", 
      }, 
      product_name: "Security Hub", 
      record_state: "ACTIVE", 
      region: "us-east-2", 
      remediation: {
        recommendation: {
          text: "For directions on how to correct this issue, consult the AWS Security Hub controls documentation.", 
          url: "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", 
        }, 
      }, 
      resources: [
        {
          id: "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", 
          partition: "aws", 
          region: "us-east-2", 
          type: "AwsCloudTrailTrail", 
        }, 
      ], 
      schema_version: "2018-10-08", 
      severity: {
        label: "MEDIUM", 
        normalized: 40, 
        original: "MEDIUM", 
      }, 
      title: "CloudTrail should have encryption at-rest enabled", 
      types: [
        "Software and Configuration Checks/Industry and Regulatory Standards", 
      ], 
      updated_at: "2022-10-28T16:10:00.093Z", 
      workflow: {
        status: "NEW", 
      }, 
      workflow_state: "NEW", 
    }, 
  ], 
}

Request syntax with placeholder values


resp = client.get_findings({
  filters: {
    product_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    aws_account_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    generator_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    region: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    first_observed_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    last_observed_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    created_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    updated_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    severity_product: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    severity_normalized: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    severity_label: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    confidence: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    criticality: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    title: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    description: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    recommendation_text: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    source_url: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    product_fields: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    product_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    company_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    user_defined_fields: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    malware_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    malware_type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    malware_path: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    malware_state: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    network_direction: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    network_protocol: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    network_source_ip_v4: [
      {
        cidr: "NonEmptyString",
      },
    ],
    network_source_ip_v6: [
      {
        cidr: "NonEmptyString",
      },
    ],
    network_source_port: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    network_source_domain: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    network_source_mac: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    network_destination_ip_v4: [
      {
        cidr: "NonEmptyString",
      },
    ],
    network_destination_ip_v6: [
      {
        cidr: "NonEmptyString",
      },
    ],
    network_destination_port: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    network_destination_domain: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    process_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    process_path: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    process_pid: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    process_parent_pid: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    process_launched_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    process_terminated_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    threat_intel_indicator_type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    threat_intel_indicator_value: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    threat_intel_indicator_category: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    threat_intel_indicator_last_observed_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    threat_intel_indicator_source: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    threat_intel_indicator_source_url: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_partition: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_region: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_tags: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_type: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_image_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_ip_v4_addresses: [
      {
        cidr: "NonEmptyString",
      },
    ],
    resource_aws_ec2_instance_ip_v6_addresses: [
      {
        cidr: "NonEmptyString",
      },
    ],
    resource_aws_ec2_instance_key_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_iam_instance_profile_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_vpc_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_subnet_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_ec2_instance_launched_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    resource_aws_s3_bucket_owner_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_s3_bucket_owner_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_iam_access_key_user_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_iam_access_key_principal_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_iam_access_key_status: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_aws_iam_access_key_created_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    resource_aws_iam_user_user_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_container_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_container_image_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_container_image_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    resource_container_launched_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    resource_details_other: [
      {
        key: "NonEmptyString",
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_status: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    verification_state: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    workflow_state: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    workflow_status: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    record_state: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    related_findings_product_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    related_findings_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    note_text: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    note_updated_at: [
      {
        start: "NonEmptyString",
        end: "NonEmptyString",
        date_range: {
          value: 1,
          unit: "DAYS", # accepts DAYS
        },
      },
    ],
    note_updated_by: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    keyword: [
      {
        value: "NonEmptyString",
      },
    ],
    finding_provider_fields_confidence: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    finding_provider_fields_criticality: [
      {
        gte: 1.0,
        lte: 1.0,
        eq: 1.0,
        gt: 1.0,
        lt: 1.0,
      },
    ],
    finding_provider_fields_related_findings_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    finding_provider_fields_related_findings_product_arn: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    finding_provider_fields_severity_label: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    finding_provider_fields_severity_original: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    finding_provider_fields_types: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    sample: [
      {
        value: false,
      },
    ],
    compliance_security_control_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_associated_standards_id: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    vulnerabilities_exploit_available: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    vulnerabilities_fix_available: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_security_control_parameters_name: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    compliance_security_control_parameters_value: [
      {
        value: "NonEmptyString",
        comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
      },
    ],
    aws_account_name: