AWS SecurityHub

2022/04/25 - AWS SecurityHub - 2 updated api methods

Changes: Security Hub now lets you opt out of auto-enabling the default standards (CIS and FSBP) in accounts that are auto-enabled with Security Hub via Security Hub's integration with AWS Organizations.

DescribeOrganizationConfiguration (updated)
Changes (response)
{'AutoEnableStandards': 'NONE | DEFAULT'}

Returns information about the Organizations configuration for Security Hub. Can only be called from a Security Hub administrator account.

See also: AWS API Documentation

Request Syntax

client.describe_organization_configuration()
rtype: dict

returns:

Response Syntax

{
    'AutoEnable': True|False,
    'MemberAccountLimitReached': True|False,
    'AutoEnableStandards': 'NONE'|'DEFAULT'
}

Response Structure

  • (dict) --

    • AutoEnable (boolean) --

      Whether to automatically enable Security Hub for new accounts in the organization.

      If set to true, then Security Hub is enabled for new accounts. If set to false, then new accounts are not added automatically.

    • MemberAccountLimitReached (boolean) --

      Whether the maximum number of allowed member accounts is already associated with the Security Hub administrator account.

    • AutoEnableStandards (string) --

      Whether to automatically enable Security Hub default standards for new member accounts in the organization.

      The default value of this parameter is equal to DEFAULT.

      If equal to DEFAULT, then Security Hub default standards are automatically enabled for new member accounts. If equal to NONE, then default standards are not automatically enabled for new member accounts.

UpdateOrganizationConfiguration (updated)
Changes (request)
{'AutoEnableStandards': 'NONE | DEFAULT'}

Used to update the configuration related to Organizations. Can only be called from a Security Hub administrator account.

See also: AWS API Documentation

Request Syntax

client.update_organization_configuration(
    AutoEnable=True|False,
    AutoEnableStandards='NONE'|'DEFAULT'
)
type AutoEnable: boolean

param AutoEnable: [REQUIRED]

Whether to automatically enable Security Hub for new accounts in the organization.

By default, this is false, and new accounts are not added automatically.

To automatically enable Security Hub for new accounts, set this to true.

type AutoEnableStandards: string

param AutoEnableStandards:

Whether to automatically enable Security Hub default standards for new member accounts in the organization.

By default, this parameter is equal to DEFAULT, and new member accounts are automatically enabled with default Security Hub standards.

To opt out of enabling default standards for new member accounts, set this parameter equal to NONE.

rtype: dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --
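
An added example, not part of the AWS documentation: a drift check that reads the organization configuration with the first method and calls the second only when the desired values differ. The names reconcile_org_config and StubSecurityHub are hypothetical; the stub is a constructed stand-in so the block runs offline, and treating a field missing from the response as its documented default is an assumption.

```python
VALID_STANDARDS = {"NONE", "DEFAULT"}


def reconcile_org_config(client, auto_enable, auto_enable_standards):
    """Bring the org configuration to the desired state; update only on drift.

    `client` exposes the two methods documented above, e.g.
    boto3.client("securityhub") in the Security Hub administrator account.
    Returns (drift, warnings); drift maps field -> (current, desired).
    """
    if auto_enable_standards not in VALID_STANDARDS:
        raise ValueError(f"AutoEnableStandards must be one of {sorted(VALID_STANDARDS)}")
    current = client.describe_organization_configuration()
    # Assumption: a field missing from the response means its documented default.
    have = {
        "AutoEnable": current.get("AutoEnable", False),
        "AutoEnableStandards": current.get("AutoEnableStandards", "DEFAULT"),
    }
    want = {"AutoEnable": auto_enable, "AutoEnableStandards": auto_enable_standards}
    drift = {k: (have[k], want[k]) for k in want if have[k] != want[k]}
    warnings = []
    if current.get("MemberAccountLimitReached"):
        warnings.append("member account limit reached")
    if drift:
        # AutoEnable is [REQUIRED] on every update, even when only the
        # standards setting changes, so both values are always sent.
        client.update_organization_configuration(**want)
    return drift, warnings


class StubSecurityHub:
    """Constructed in-memory stand-in for the client, for offline runs."""

    def __init__(self, **state):
        self.state, self.update_calls = state, []

    def describe_organization_configuration(self):
        return dict(self.state)

    def update_organization_configuration(self, **kwargs):
        self.update_calls.append(kwargs)
        self.state.update(kwargs)
        return {}


if __name__ == "__main__":
    hub = StubSecurityHub(AutoEnable=True, MemberAccountLimitReached=False)
    print(reconcile_org_config(hub, True, "NONE"))  # drift on AutoEnableStandards
    print(reconcile_org_config(hub, True, "NONE"))  # second run: no drift
```

Because new member accounts get the default standards unless AutoEnableStandards is NONE, running this check on a schedule shows when the setting has been changed away from the intended value.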