Required permissions to configure controls - AWS Security Hub

To view information about security controls and enable and disable security controls in standards, the AWS Identity and Access Management (IAM) role that you use to access AWS Security Hub needs permissions to call the following operations of the Security Hub API.

To get the necessary permissions, you can use Security Hub managed policies. Alternatively, you can update custom IAM policies to include permissions for these actions.

In addition to the preceding APIs, you should add permission to call BatchGetControlEvaluations to your IAM role. This permission is necessary to view the enablement and compliance status of a control, the findings count for a control, and the overall security score for controls on the Security Hub console. Because only the console calls BatchGetControlEvaluations, this permission doesn't directly correspond to publicly documented Security Hub APIs or AWS CLI commands.
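
Because BatchGetControlEvaluations begins with "Batch", a custom policy built from read-style wildcards such as securityhub:Get* does not cover it. The following check is an added example, not code from AWS or Security Hub; the function names and the three sample policies are constructed for illustration, and it assumes a single identity policy while ignoring Resource and Condition elements.

```python
import re

# Action named on this page: the console calls it for control status and scores.
CONSOLE_ACTION = "securityhub:BatchGetControlEvaluations"

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _covers(pattern, action):
    # IAM action patterns are case-insensitive; '*' and '?' are the only wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _matches(statement, action):
    # NotAction inverts the match: the statement applies to everything not listed.
    if "NotAction" in statement:
        return not any(_covers(p, action) for p in _as_list(statement["NotAction"]))
    return any(_covers(p, action) for p in _as_list(statement.get("Action")))

def missing_actions(policy, required=(CONSOLE_ACTION,)):
    """Return the required actions this one identity policy does not grant.

    Simplification (assumption): Resource and Condition are ignored, so any
    matching Deny counts as blocking and any matching Allow counts as granting.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _matches(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _matches(s, action) for s in statements)
        if denied or not allowed:  # an explicit Deny always overrides an Allow
            missing.append(action)
    return missing

# Constructed sample policies (not from the AWS documentation).
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["securityhub:Get*", "securityhub:List*", "securityhub:Describe*"]}]}
WITH_CONSOLE = {"Version": "2012-10-17", "Statement": READ_ONLY["Statement"] + [
    {"Effect": "Allow", "Resource": "*", "Action": CONSOLE_ACTION}]}
DENY_OTHERS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": "securityhub:*"},
    {"Effect": "Deny", "Resource": "*",
     "NotAction": ["securityhub:Get*", "securityhub:List*"]}]}

if __name__ == "__main__":
    for name, doc in [("READ_ONLY", READ_ONLY), ("WITH_CONSOLE", WITH_CONSOLE),
                      ("DENY_OTHERS", DENY_OTHERS)]:
        print(name, "missing:", missing_actions(doc))
```

Pass the other Security Hub actions your role needs through the required parameter to check them in the same pass.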