Required permissions to configure controls
To view information about security controls and enable and disable security controls in standards, the AWS Identity and Access Management (IAM) role that you use to access AWS Security Hub needs permissions to call the following operations of the Security Hub API.
To get the necessary permissions, you can use Security Hub managed policies. Alternatively, you can update custom IAM policies to include permissions for these actions.
- BatchGetSecurityControls – Returns information about a batch of security controls for the current account and AWS Region.
- ListSecurityControlDefinitions – Returns information about security controls that apply to a specified standard.
- ListStandardsControlAssociations – Identifies whether a security control is currently enabled in or disabled from each enabled standard in the account.
- BatchGetStandardsControlAssociations – For a batch of security controls, identifies whether each control is currently enabled in or disabled from a specified standard.
- BatchUpdateStandardsControlAssociations – Used to enable or disable a batch of security controls in standards that include the controls. This is a batch substitute for the existing UpdateStandardsControl operation.
- UpdateStandardsControl – Used to enable or disable a single security control in standards that include the control.
- DescribeStandardsControl – Returns details about specified security controls.
In addition to the preceding APIs, you should add permission to call BatchGetControlEvaluations to your IAM role. This permission is necessary to view the enablement and compliance status of a control, the findings count for a control, and the overall security score for controls on the Security Hub console. Because only the console calls BatchGetControlEvaluations, this permission doesn't directly correspond to publicly documented Security Hub APIs or AWS CLI commands.
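When you maintain a custom IAM policy instead of a Security Hub managed policy, the practical question is whether the policy you have actually covers every operation listed above, including the console-only BatchGetControlEvaluations. The following is an added example, not code from AWS or from the Security Hub documentation: a small offline checker that takes an IAM policy document and reports, for each required action, whether it is allowed, explicitly denied, or simply missing. It assumes the `securityhub:` IAM action prefix for the operation names on this page, and it deliberately simplifies IAM evaluation by ignoring `Resource` and `Condition` elements (a real IAM decision also depends on those, plus any SCPs or permission boundaries). The three policy documents are constructed samples for illustration.

```python
import fnmatch
import json

# Security Hub API operations named on this page, prefixed with the
# service's IAM action namespace. The "securityhub:" prefix is an assumption
# based on the service's IAM namespace; the operation names come from the page.
REQUIRED_ACTIONS = [
    "securityhub:BatchGetSecurityControls",
    "securityhub:ListSecurityControlDefinitions",
    "securityhub:ListStandardsControlAssociations",
    "securityhub:BatchGetStandardsControlAssociations",
    "securityhub:BatchUpdateStandardsControlAssociations",
    "securityhub:UpdateStandardsControl",
    "securityhub:DescribeStandardsControl",
    # Console-only permission described on the page; not a public API/CLI call.
    "securityhub:BatchGetControlEvaluations",
]


def _as_list(value):
    """IAM allows Statement/Action/NotAction as a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy, actions=REQUIRED_ACTIONS):
    """Map each required action to 'allowed', 'denied' or 'missing'.

    Simplified model: an explicit Deny that matches the action wins over any
    Allow; Resource and Condition elements are ignored (assumption).
    """
    result = {}
    statements = _as_list(policy.get("Statement"))
    for action in actions:
        allowed = denied = False
        for stmt in statements:
            effect = stmt.get("Effect")
            patterns = _as_list(stmt.get("Action"))
            not_patterns = _as_list(stmt.get("NotAction"))
            if patterns:
                hit = any(_matches(p, action) for p in patterns)
            else:
                # NotAction: the statement applies to every action NOT listed.
                hit = (not any(_matches(p, action) for p in not_patterns)) if not_patterns else False
            if not hit:
                continue
            if effect == "Allow":
                allowed = True
            elif effect == "Deny":
                denied = True
        result[action] = "denied" if denied else ("allowed" if allowed else "missing")
    return result


def missing_actions(policy):
    """Required actions the policy does not effectively grant, sorted by name."""
    return sorted(a for a, status in evaluate_policy(policy).items() if status != "allowed")


# Constructed sample 1: a read-only style policy. It covers the Get/List/Describe
# operations via wildcards but grants nothing that can enable or disable controls.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["securityhub:BatchGet*", "securityhub:List*", "securityhub:Describe*"],
        "Resource": "*",
    }],
}

# Constructed sample 2: every action on this page listed explicitly.
FULL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
}

# Constructed sample 3: the full grant plus an explicit Deny on the single-control
# update, which overrides the Allow for that one action.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": FULL_POLICY["Statement"] + [
        {"Effect": "Deny", "Action": "securityhub:UpdateStandardsControl", "Resource": "*"}
    ],
}


if __name__ == "__main__":
    for name, policy in [("read-only", READ_ONLY_POLICY), ("full", FULL_POLICY), ("deny", DENY_POLICY)]:
        print(f"== {name} ==")
        print(json.dumps(evaluate_policy(policy), indent=2))
        print("missing or denied:", missing_actions(policy))
```

Running the module prints a per-action status for each sample; the read-only policy comes back short exactly the two update operations, which is the usual gap when a role was built for viewing controls and is later expected to enable or disable them.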