IAM permissions to configure standards and controls

To view information about security controls and enable and disable security controls in standards, the AWS Identity and Access Management (IAM) role that you use to access AWS Security Hub needs permissions to call the following API actions. Without adding permissions for these actions, you won't be able to call these APIs. To get the necessary permissions, you can use Security Hub managed policies. Alternatively, you can update custom IAM policies to include permissions for these actions. Custom policies should also include permissions for the DescribeStandardsControls and UpdateStandardsControl APIs.

BatchGetSecurityControls – Returns information about a batch of security controls for the current account and AWS Region.
ListSecurityControlDefinitions – Returns information about security controls that apply to a specified standard.
ListStandardsControlAssociations – Identifies whether a security control is currently enabled in or disabled from each enabled standard in the account.
BatchGetStandardsControlAssociations – For a batch of security controls, identifies whether each control is currently enabled in or disabled from a specified standard.
BatchUpdateStandardsControlAssociations – Used to enable a security control in standards that include the control, or to disable a control in standards. This is a batch substitute for the existing UpdateStandardsControl API if an administrator doesn’t want to allow member accounts to enable or disable controls.

In addition to the preceding APIs, you should add permission to call BatchGetControlEvaluations to your IAM role. This permission is necessary to view the enablement and compliance status of a control, the findings count for a control, and the overall security score for controls on the Security Hub console. Because only the console calls BatchGetControlEvaluations, this IAM permission doesn't directly correspond to publicly documented Security Hub APIs or AWS CLI commands.

For more information about APIs related to controls and standards, see the AWS Security Hub API Reference.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Standards and controls

Security checks and scores