AWS Security Hub
User Guide


Managing Access to Security Hub

Use AWS Identity and Access Management to manage access to Security Hub and Security Hub resources.

Using IAM Policies to Delegate Security Hub Access to IAM Identities

This section describes how to delegate Security Hub access to various IAM identities (users, groups, and roles).

By default, access to the Security Hub resources is restricted to the owner of the account that the resources were created in. If you're the owner, you can choose to grant full or limited access to Security Hub to the various IAM identities in your account. For more information about creating IAM access policies, see Controlling Access Using Policies.

AWS Managed (Predefined) Policies for Security Hub

AWS addresses many common use cases by providing standalone IAM policies that AWS creates and administers. These managed policies grant necessary permissions for common use cases so that you don't have to investigate which permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users in your account, are specific to Security Hub:

  • AWSSecurityHubFullAccess – Provides access to all Security Hub functionality

  • AWSSecurityHubReadOnlyAccess – Provides read-only access to Security Hub

Resources Defined by Security Hub

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table.

Resources Available in Security Hub

| Resource Type | ARN |
|---|---|
| action-target | arn:${Partition}:securityhub:${Region}:${Account}:action/custom/${Id} |
| hub | arn:${Partition}:securityhub:${Region}:${Account}:hub/default |
| insight | arn:${Partition}:securityhub:${Region}:${Account}:insight/${Company}/${ProductId}/${UniqueId} |
| standard | arn:${Partition}:securityhub:::ruleset/${StandardsName}/v/${StandardsVersion} |
| standards-subscription | arn:${Partition}:securityhub:${Region}:${Account}:subscription/${StandardsName}/v/${StandardsVersion} |
| product-subscription | arn:${Partition}:securityhub:${Region}:${Account}:product-subscription/${Company}/${ProductId} |
| product | arn:${Partition}:securityhub:${Region}:${Account}:product/${Company}/${ProductId} |

Security Hub defines the following condition key, which you can use in the Condition element of an IAM policy to further refine the conditions under which a policy statement applies.

| Condition Key | Description | Type |
|---|---|---|
| securityhub:TargetAccount | The ID of the AWS account to import findings into. In the AWS Security Finding Format, this field is called AwsAccountId. | String |
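As an added example (not from this guide or from AWS), the following Python builds a least-privilege policy for a finding provider that combines the product resource ARN from the table above with the securityhub:TargetAccount condition key, checks the ARN against the page's templates, and includes a review check that flags statements granting the import action without pinning the target account. It assumes securityhub:BatchImportFindings as the import action, which this page does not list, and uses a constructed account ID in the test.

```python
import re

# Resource ARN templates copied from the "Resources Available in Security Hub"
# table above; they are used to sanity-check the ARNs placed in the policy.
ARN_TEMPLATES = {
    "hub": "arn:${Partition}:securityhub:${Region}:${Account}:hub/default",
    "product": "arn:${Partition}:securityhub:${Region}:${Account}:product/${Company}/${ProductId}",
}

def template_to_regex(template):
    # Every ${Placeholder} becomes one non-empty segment containing no ':' or '/'.
    literal_parts = re.split(r"\$\{[A-Za-z]+\}", template)
    return re.compile("^" + "[^:/]+".join(map(re.escape, literal_parts)) + "$")

def matches_resource_type(arn, resource_type):
    return bool(template_to_regex(ARN_TEMPLATES[resource_type]).match(arn))

def import_findings_policy(partition, region, account, company, product_id):
    """Finding-provider policy: import findings for one product only, and only into
    this account via securityhub:TargetAccount (the condition key from the table).
    securityhub:BatchImportFindings is the import action (assumed; not on this page)."""
    product_arn = f"arn:{partition}:securityhub:{region}:{account}:product/{company}/{product_id}"
    if not matches_resource_type(product_arn, "product"):
        raise ValueError(f"not a Security Hub product ARN: {product_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ImportFindingsForOneProductIntoThisAccountOnly",
            "Effect": "Allow",
            "Action": "securityhub:BatchImportFindings",
            "Resource": product_arn,
            "Condition": {"StringEquals": {"securityhub:TargetAccount": account}},
        }],
    }

def import_statements_without_target_account(policy):
    """Review check: Sids of Allow statements that grant the import action but do
    not pin securityhub:TargetAccount, so the target account is unrestricted."""
    flagged = []
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants_import = any(a in ("securityhub:BatchImportFindings", "securityhub:*", "*") for a in actions)
        pinned = "securityhub:TargetAccount" in st.get("Condition", {}).get("StringEquals", {})
        if st.get("Effect") == "Allow" and grants_import and not pinned:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged
```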