Compliance - AWS Security Hub


Contains finding details that are specific to control-based findings. Only returned for findings generated from controls.



The enabled security standards in which a security control is currently enabled.

Type: Array of AssociatedStandard objects

Required: No


For a control, the industry or regulatory framework requirements that are related to the control. The check for that control is aligned with these requirements.

Type: Array of strings

Pattern: .*\S.*

Required: No


The unique identifier of a control across standards. Values for this field typically consist of an AWS service and a number, such as APIGateway.5.

Type: String

Pattern: .*\S.*

Required: No


An object that includes security control parameter names and values.

Type: Array of SecurityControlParameter objects

Required: No


The result of a standards check.

The valid values for Status are as follows.

    • PASSED - Standards check passed for all evaluated resources.

    • WARNING - Some information is missing or this check is not supported for your configuration.

    • FAILED - Standards check failed for at least one evaluated resource.

    • NOT_AVAILABLE - Check could not be performed due to a service outage, API error, or because the result of the AWS Config evaluation was NOT_APPLICABLE. If the AWS Config evaluation result was NOT_APPLICABLE, then after 3 days, Security Hub automatically archives the finding.

Type: String


Required: No


For findings generated from controls, a list of reasons behind the value of Status. For the list of status reason codes and their meanings, see Standards-related information in the ASFF in the AWS Security Hub User Guide.

Type: Array of StatusReason objects

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: