AWS SecurityHub

2020/03/26 - AWS SecurityHub - 2 updated api methods

Changes  Security Hub has now made it easier to opt out of default standards when you enable Security Hub. We added a new Boolean parameter to EnableSecurityHub called EnableDefaultStandards. If that parameter is true, Security Hub's default standards are enabled. A new Boolean parameter for standards, EnabledByDefault, indicates whether a standard is a default standard. Today, the only default standard is CIS AWS Foundations Benchmark v1.2. Additional default standards will be added in the future.To learn more, visit our documentation on the EnableSecurityHub API action.

DescribeStandards (updated) Link ¶
Changes (response)
{'Standards': {'EnabledByDefault': 'boolean'}}

Returns a list of the available standards in Security Hub.

For each standard, the results include the standard ARN, the name, and a description.

See also: AWS API Documentation

Request Syntax

client.describe_standards(
    NextToken='string',
    MaxResults=123
)
type NextToken

string

param NextToken

The token that is required for pagination. On your first call to the DescribeStandards operation, set the value of this parameter to NULL .

For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.

type MaxResults

integer

param MaxResults

The maximum number of standards to return.

rtype

dict

returns

Response Syntax

{
    'Standards': [
        {
            'StandardsArn': 'string',
            'Name': 'string',
            'Description': 'string',
            'EnabledByDefault': True|False
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Standards (list) --

      A list of available standards.

      • (dict) --

        Provides information about a specific standard.

        • StandardsArn (string) --

          The ARN of a standard.

        • Name (string) --

          The name of the standard.

        • Description (string) --

          A description of the standard.

        • EnabledByDefault (boolean) --

          Whether the standard is enabled by default. When Security Hub is enabled from the console, if a standard is enabled by default, the check box for that standard is selected by default.

          When Security Hub is enabled using the EnableSecurityHub API operation, the standard is enabled by default unless EnableDefaultStandards is set to false .

    • NextToken (string) --

      The pagination token to use to request the next page of results.

EnableSecurityHub (updated) Link ¶
Changes (request)
{'EnableDefaultStandards': 'boolean'}

Enables Security Hub for your account in the current Region or the Region you specify in the request.

When you enable Security Hub, you grant to Security Hub the permissions necessary to gather findings from other services that are integrated with Security Hub.

When you use the EnableSecurityHub operation to enable Security Hub, you also automatically enable the CIS AWS Foundations standard. You do not enable the Payment Card Industry Data Security Standard (PCI DSS) standard. To not enable the CIS AWS Foundations standard, set EnableDefaultStandards to false .

After you enable Security Hub, to enable a standard, use the `` BatchEnableStandards `` operation. To disable a standard, use the `` BatchDisableStandards `` operation.

To learn more, see Setting Up AWS Security Hub in the AWS Security Hub User Guide .

See also: AWS API Documentation

Request Syntax

client.enable_security_hub(
    Tags={
        'string': 'string'
    },
    EnableDefaultStandards=True|False
)
type Tags

dict

param Tags

The tags to add to the Hub resource when you enable Security Hub.

  • (string) --

    • (string) --

type EnableDefaultStandards

boolean

param EnableDefaultStandards

Whether to enable the security standards that Security Hub has designated as automatically enabled. If you do not provide a value for EnableDefaultStandards , it is set to true . To not enable the automatically enabled standards, set EnableDefaultStandards to false .

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --