aws-securityhub — quality + safety report

---
name: aws-securityhub
description: "AWS SecurityHub API skill. Use when working with AWS SecurityHub for administrator, master, automationrules. Covers 79 endpoints."
version: 1.0.0
generator: lapsh
---

# AWS SecurityHub
API version: 2018-10-26

## Auth
AWS SigV4

## Base URL
Not specified.

## Setup
1. Configure auth: AWS SigV4
2. GET /accounts -- verify access
3. POST /administrator -- create first administrator

## Endpoints

79 endpoints across 21 groups. See references/api-spec.lap for full details.

### administrator
| Method | Path | Description |
|--------|------|-------------|
| POST | /administrator | Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from. This operation is only used by member accounts that are not added through Organizations. When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account. |
| POST | /administrator/disassociate | Disassociates the current Security Hub member account from the associated administrator account. This operation is only used by accounts that are not part of an organization. For organization accounts, only the administrator account can disassociate a member account. |
| GET | /administrator | Provides the details for the Security Hub administrator account for the current member account. Can be used by both member accounts that are managed using Organizations and accounts that were invited manually. |

### master
| Method | Path | Description |
|--------|------|-------------|
| POST | /master | This method is deprecated. Instead, use AcceptAdministratorInvitation. The Security Hub console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation. Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from. This operation is only used by member accounts that are not added through Organizations. When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account. |
| POST | /master/disassociate | This method is deprecated. Instead, use DisassociateFromAdministratorAccount. The Security Hub console continues to use DisassociateFromMasterAccount. It will eventually change to use DisassociateFromAdministratorAccount. Any IAM policies that specifically control access to this function must continue to use DisassociateFromMasterAccount. You should also add DisassociateFromAdministratorAccount to your policies to ensure that the correct permissions are in place after the console begins to use DisassociateFromAdministratorAccount. Disassociates the current Security Hub member account from the associated administrator account. This operation is only used by accounts that are not part of an organization. For organization accounts, only the administrator account can disassociate a member account. |
| GET | /master | This method is deprecated. Instead, use GetAdministratorAccount. The Security Hub console continues to use GetMasterAccount. It will eventually change to use GetAdministratorAccount. Any IAM policies that specifically control access to this function must continue to use GetMasterAccount. You should also add GetAdministratorAccount to your policies to ensure that the correct permissions are in place after the console begins to use GetAdministratorAccount. Provides the details for the Security Hub administrator account for the current member account. Can be used by both member accounts that are managed using Organizations and accounts that were invited manually. |

### automationrules
| Method | Path | Description |
|--------|------|-------------|
| POST | /automationrules/delete | Deletes one or more automation rules. |
| POST | /automationrules/get | Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs). |
| PATCH | /automationrules/update | Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters. |
| POST | /automationrules/create | Creates an automation rule based on input parameters. |
| GET | /automationrules/list | A list of automation rules and their metadata for the calling account. |

### standards
| Method | Path | Description |
|--------|------|-------------|
| POST | /standards/deregister | Disables the standards specified by the provided StandardsSubscriptionArns. For more information, see Security Standards section of the Security Hub User Guide. |
| POST | /standards/register | Enables the standards specified by the provided StandardsArn. To obtain the ARN for a standard, use the DescribeStandards operation. For more information, see the Security Standards section of the Security Hub User Guide. |
| GET | /standards | Returns a list of the available standards in Security Hub. For each standard, the results include the standard ARN, the name, and a description. |
| GET | /standards/controls/{StandardsSubscriptionArn+} | Returns a list of security standards controls. For each control, the results include information about whether it is currently enabled, the severity, and a link to remediation information. |
| POST | /standards/get | Returns a list of the standards that are currently enabled. |
| PATCH | /standards/control/{StandardsControlArn+} | Used to control whether an individual security standard control is enabled or disabled. |

### configurationPolicyAssociation
| Method | Path | Description |
|--------|------|-------------|
| POST | /configurationPolicyAssociation/batchget | Returns associations between an Security Hub configuration and a batch of target accounts, organizational units, or the root. Only the Security Hub delegated administrator can invoke this operation from the home Region. A configuration can refer to a configuration policy or to a self-managed configuration. |
| POST | /configurationPolicyAssociation/get | Returns the association between a configuration and a target account, organizational unit, or the root. The configuration can be a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region. |
| POST | /configurationPolicyAssociation/list | Provides information about the associations for your configuration policies and self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region. |
| POST | /configurationPolicyAssociation/associate | Associates a target account, organizational unit, or the root with a specified configuration. The target can be associated with a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region. |
| POST | /configurationPolicyAssociation/disassociate | Disassociates a target account, organizational unit, or the root from a specified configuration. When you disassociate a configuration from its target, the target inherits the configuration of the closest parent. If there’s no configuration to inherit, the target retains its settings but becomes a self-managed account. A target can be disassociated from a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region. |

### securityControls
| Method | Path | Description |
|--------|------|-------------|
| POST | /securityControls/batchGet | Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region. |
| GET | /securityControls/definitions | Lists all of the security controls that apply to a specified standard. |

### associations
| Method | Path | Description |
|--------|------|-------------|
| POST | /associations/batchGet | For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard. |
| PATCH | /associations | For a batch of security controls and standards, this operation updates the enablement status of a control in a standard. |
| GET | /associations | Specifies whether a control is currently enabled or disabled in each enabled standard in the calling account. |

### findings
| Method | Path | Description |
|--------|------|-------------|
| POST | /findings/import | Imports security findings generated by a finding provider into Security Hub. This action is requested by the finding provider to import its findings into Security Hub.  BatchImportFindings must be called by one of the following:   The Amazon Web Services account that is associated with a finding if you are using the default product ARN or are a partner sending findings from within a customer's Amazon Web Services account. In these cases, the identifier of the account that you are calling BatchImportFindings from needs to be the same as the AwsAccountId attribute for the finding.   An Amazon Web Services account that Security Hub has allow-listed for an official partner integration. In this case, you can call BatchImportFindings from the allow-listed account and send findings from different customer accounts in the same batch.   The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb. After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.    Note     UserDefinedFields     VerificationState     Workflow    Finding providers also should not use BatchImportFindings to update the following attributes.    Confidence     Criticality     RelatedFindings     Severity     Types    Instead, finding providers use FindingProviderFields to provide values for these attributes. |
| PATCH | /findings/batchupdate | Used by Security Hub customers to update information about their investigation into a finding. Requested by administrator accounts or member accounts. Administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their account. Updates from BatchUpdateFindings do not affect the value of UpdatedAt for a finding. Administrator and member accounts can use BatchUpdateFindings to update the following finding fields and objects.    Confidence     Criticality     Note     RelatedFindings     Severity     Types     UserDefinedFields     VerificationState     Workflow    You can configure IAM policies to restrict access to fields and field values. For example, you might not want member accounts to be able to suppress findings or change the finding severity. See Configuring access to BatchUpdateFindings in the Security Hub User Guide. |
| POST | /findings | Returns a list of findings that match the specified criteria. If finding aggregation is enabled, then when you call GetFindings from the aggregation Region, the results include all of the matching findings from both the aggregation Region and the linked Regions. |
| PATCH | /findings | UpdateFindings is a deprecated operation. Instead of UpdateFindings, use the BatchUpdateFindings operation. The UpdateFindings operation updates the Note and RecordState of the Security Hub aggregated findings that the filter attributes specify. Any member account that can view the finding can also see the update to the finding. Finding updates made with UpdateFindings aren't persisted if the same finding is later updated by the finding provider through the BatchImportFindings operation. In addition, Security Hub doesn't rec

… (truncated)