2025/09/08 - AWS SecurityHub - 3 updated api methods
Changes
This release adds the RESOURCE_NOT_FOUND error code as a possible value in responses to the following operations: BatchGetStandardsControlAssociations, BatchUpdateStandardsControlAssociations, and BatchGetSecurityControls.
BatchGetSecurityControls (updated)
Changes (response): {'UnprocessedIds': {'ErrorCode': {'RESOURCE_NOT_FOUND'}}}
Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.
See also: AWS API Documentation
Request Syntax
client.batch_get_security_controls(
    SecurityControlIds=[
        'string',
    ]
)
SecurityControlIds (list) -- [REQUIRED]
A list of security controls (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters). The security control ID or Amazon Resource Name (ARN) is the same across standards.
(string) --
Return type: dict
Response Syntax
{
    'SecurityControls': [
        {
            'SecurityControlId': 'string',
            'SecurityControlArn': 'string',
            'Title': 'string',
            'Description': 'string',
            'RemediationUrl': 'string',
            'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
            'SecurityControlStatus': 'ENABLED'|'DISABLED',
            'UpdateStatus': 'READY'|'UPDATING',
            'Parameters': {
                'string': {
                    'ValueType': 'DEFAULT'|'CUSTOM',
                    'Value': {
                        'Integer': 123,
                        'IntegerList': [
                            123,
                        ],
                        'Double': 123.0,
                        'String': 'string',
                        'StringList': [
                            'string',
                        ],
                        'Boolean': True|False,
                        'Enum': 'string',
                        'EnumList': [
                            'string',
                        ]
                    }
                }
            },
            'LastUpdateReason': 'string'
        },
    ],
    'UnprocessedIds': [
        {
            'SecurityControlId': 'string',
            'ErrorCode': 'INVALID_INPUT'|'ACCESS_DENIED'|'NOT_FOUND'|'RESOURCE_NOT_FOUND'|'LIMIT_EXCEEDED',
            'ErrorReason': 'string'
        },
    ]
}
Response Structure
(dict) --
SecurityControls (list) --
An array that returns the identifier, Amazon Resource Name (ARN), and other details about a security control. The same information is returned whether the request includes SecurityControlId or SecurityControlArn.
(dict) --
A security control in Security Hub describes a security best practice related to a specific resource.
SecurityControlId (string) --
The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number, such as APIGateway.3.
SecurityControlArn (string) --
The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.
Title (string) --
The title of a security control.
Description (string) --
The description of a security control across standards. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard.
RemediationUrl (string) --
A link to Security Hub documentation that explains how to remediate a failed finding for a security control.
SeverityRating (string) --
The severity of a security control. For more information about how Security Hub determines control severity, see Assigning severity to control findings in the Security Hub User Guide.
SecurityControlStatus (string) --
The enablement status of a security control in a specific standard.
UpdateStatus (string) --
Identifies whether customizable properties of a security control are reflected in Security Hub findings. A status of READY indicates that Security Hub uses the current control parameter values when running security checks of the control. A status of UPDATING indicates that all security checks might not use the current parameter values.
Parameters (dict) --
An object that identifies the name of a control parameter, its current value, and whether it has been customized.
(string) --
(dict) --
An object that provides the current value of a security control parameter and identifies whether it has been customized.
ValueType (string) --
Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior.
When ValueType is set equal to DEFAULT, the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When ValueType is set equal to DEFAULT, Security Hub ignores user-provided input for the Value field.
When ValueType is set equal to CUSTOM, the Value field can't be empty.
Value (dict) --
The current value of a control parameter.
Integer (integer) --
A control parameter that is an integer.
IntegerList (list) --
A control parameter that is a list of integers.
(integer) --
Double (float) --
A control parameter that is a double.
String (string) --
A control parameter that is a string.
StringList (list) --
A control parameter that is a list of strings.
(string) --
Boolean (boolean) --
A control parameter that is a boolean.
Enum (string) --
A control parameter that is an enum.
EnumList (list) --
A control parameter that is a list of enums.
(string) --
LastUpdateReason (string) --
The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
UnprocessedIds (list) --
A security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) for which details cannot be returned.
(dict) --
Provides details about a security control for which a response couldn't be returned.
SecurityControlId (string) --
The control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) for which a response couldn't be returned.
ErrorCode (string) --
The error code for the unprocessed security control.
ErrorReason (string) --
The reason why the security control was unprocessed.
BatchGetStandardsControlAssociations (updated)
Changes (response): {'UnprocessedAssociations': {'ErrorCode': {'RESOURCE_NOT_FOUND'}}}
For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard.
Calls to this operation return a RESOURCE_NOT_FOUND_EXCEPTION error when the standard subscription for the association has a NOT_READY_FOR_UPDATES value for StandardsControlsUpdatable.
See also: AWS API Documentation
Request Syntax
client.batch_get_standards_control_associations(
    StandardsControlAssociationIds=[
        {
            'SecurityControlId': 'string',
            'StandardsArn': 'string'
        },
    ]
)
StandardsControlAssociationIds (list) -- [REQUIRED]
An array with one or more objects that includes a security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. This field is used to query the enablement status of a control in a specified standard. The security control ID or ARN is the same across standards.
(dict) --
An array with one or more objects that includes a security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. The security control ID or ARN is the same across standards.
SecurityControlId (string) -- [REQUIRED]
The unique identifier (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) of a security control across standards.
StandardsArn (string) -- [REQUIRED]
The ARN of a standard.
Return type: dict
Response Syntax
{
    'StandardsControlAssociationDetails': [
        {
            'StandardsArn': 'string',
            'SecurityControlId': 'string',
            'SecurityControlArn': 'string',
            'AssociationStatus': 'ENABLED'|'DISABLED',
            'RelatedRequirements': [
                'string',
            ],
            'UpdatedAt': datetime(2015, 1, 1),
            'UpdatedReason': 'string',
            'StandardsControlTitle': 'string',
            'StandardsControlDescription': 'string',
            'StandardsControlArns': [
                'string',
            ]
        },
    ],
    'UnprocessedAssociations': [
        {
            'StandardsControlAssociationId': {
                'SecurityControlId': 'string',
                'StandardsArn': 'string'
            },
            'ErrorCode': 'INVALID_INPUT'|'ACCESS_DENIED'|'NOT_FOUND'|'RESOURCE_NOT_FOUND'|'LIMIT_EXCEEDED',
            'ErrorReason': 'string'
        },
    ]
}
Response Structure
(dict) --
StandardsControlAssociationDetails (list) --
Provides the enablement status of a security control in a specified standard and other details for the control in relation to the specified standard.
(dict) --
Provides details about a control's enablement status in a specified standard.
StandardsArn (string) --
The Amazon Resource Name (ARN) of a security standard.
SecurityControlId (string) --
The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number, such as APIGateway.3.
SecurityControlArn (string) --
The ARN of a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.
AssociationStatus (string) --
Specifies whether a control is enabled or disabled in a specified standard.
RelatedRequirements (list) --
The requirement that underlies a control in the compliance framework related to the standard.
(string) --
UpdatedAt (datetime) --
The time at which the enablement status of the control in the specified standard was last updated.
UpdatedReason (string) --
The reason for updating the enablement status of a control in a specified standard.
StandardsControlTitle (string) --
The title of a control. This field may reference a specific standard.
StandardsControlDescription (string) --
The description of a control. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter may reference a specific standard.
StandardsControlArns (list) --
Provides the input parameter that Security Hub uses to call the UpdateStandardsControl API. This API can be used to enable or disable a control in a specified standard.
(string) --
UnprocessedAssociations (list) --
A security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) whose enablement status in a specified standard cannot be returned.
(dict) --
Provides details about which control's enablement status couldn't be retrieved in a specified standard when calling BatchUpdateStandardsControlAssociations. This parameter also provides details about why the request was unprocessed.
StandardsControlAssociationId (dict) --
An array with one or more objects that includes a security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. This parameter shows the specific controls for which the enablement status couldn't be retrieved in specified standards when calling BatchUpdateStandardsControlAssociations.
SecurityControlId (string) --
The unique identifier (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) of a security control across standards.
StandardsArn (string) --
The ARN of a standard.
ErrorCode (string) --
The error code for the unprocessed standard and control association.
ErrorReason (string) --
The reason why the standard and control association was unprocessed.
BatchUpdateStandardsControlAssociations (updated)
Changes (response): {'UnprocessedAssociationUpdates': {'ErrorCode': {'RESOURCE_NOT_FOUND'}}}
For a batch of security controls and standards, this operation updates the enablement status of a control in a standard.
See also: AWS API Documentation
Request Syntax
client.batch_update_standards_control_associations(
    StandardsControlAssociationUpdates=[
        {
            'StandardsArn': 'string',
            'SecurityControlId': 'string',
            'AssociationStatus': 'ENABLED'|'DISABLED',
            'UpdatedReason': 'string'
        },
    ]
)
StandardsControlAssociationUpdates (list) -- [REQUIRED]
Updates the enablement status of a security control in a specified standard.
Calls to this operation return a RESOURCE_NOT_FOUND_EXCEPTION error when the standard subscription for the control has a StandardsControlsUpdatable value of NOT_READY_FOR_UPDATES.
(dict) --
An array of requested updates to the enablement status of controls in specified standards. The objects in the array include a security control ID, the Amazon Resource Name (ARN) of the standard, the requested enablement status, and the reason for updating the enablement status.
StandardsArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the standard in which you want to update the control's enablement status.
SecurityControlId (string) -- [REQUIRED]
The unique identifier for the security control whose enablement status you want to update.
AssociationStatus (string) -- [REQUIRED]
The desired enablement status of the control in the standard.
UpdatedReason (string) --
The reason for updating the control's enablement status in the standard.
Return type: dict
Response Syntax
{
    'UnprocessedAssociationUpdates': [
        {
            'StandardsControlAssociationUpdate': {
                'StandardsArn': 'string',
                'SecurityControlId': 'string',
                'AssociationStatus': 'ENABLED'|'DISABLED',
                'UpdatedReason': 'string'
            },
            'ErrorCode': 'INVALID_INPUT'|'ACCESS_DENIED'|'NOT_FOUND'|'RESOURCE_NOT_FOUND'|'LIMIT_EXCEEDED',
            'ErrorReason': 'string'
        },
    ]
}
Response Structure
(dict) --
UnprocessedAssociationUpdates (list) --
A security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) whose enablement status in a specified standard couldn't be updated.
(dict) --
Provides details about which control's enablement status could not be updated in a specified standard when calling the BatchUpdateStandardsControlAssociations API. This parameter also provides details about why the request was unprocessed.
StandardsControlAssociationUpdate (dict) --
An array of control and standard associations for which an update failed when calling BatchUpdateStandardsControlAssociations.
StandardsArn (string) --
The Amazon Resource Name (ARN) of the standard in which you want to update the control's enablement status.
SecurityControlId (string) --
The unique identifier for the security control whose enablement status you want to update.
AssociationStatus (string) --
The desired enablement status of the control in the standard.
UpdatedReason (string) --
The reason for updating the control's enablement status in the standard.
ErrorCode (string) --
The error code for the unprocessed update of the control's enablement status in the specified standard.
ErrorReason (string) --
The reason why a control's enablement status in the specified standard couldn't be updated.
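Added example (not part of the AWS documentation or SDK): one way for an audit script to handle the per-item failures in all three responses above, including the new RESOURCE_NOT_FOUND code, without silently dropping controls it could not read or update. The function names, the action grouping and the "unknown"/"unaccounted" buckets are assumptions of this example; client is expected to be a boto3 Security Hub client or anything with the same method.

```python
from collections import defaultdict

# How a caller should react to each ErrorCode in the response syntax above.
# The grouping is this example's assumption, not AWS guidance.
ACTIONS = {
    "LIMIT_EXCEEDED": "retry",
    "NOT_FOUND": "missing",
    "RESOURCE_NOT_FOUND": "missing",
    "ACCESS_DENIED": "denied",
    "INVALID_INPUT": "invalid",
}

# Per-operation response key -> field that names the item that failed.
UNPROCESSED_KEYS = {
    "UnprocessedIds": "SecurityControlId",
    "UnprocessedAssociations": "StandardsControlAssociationId",
    "UnprocessedAssociationUpdates": "StandardsControlAssociationUpdate",
}


def triage(response):
    """Group the unprocessed items of any of the three responses by action."""
    buckets = defaultdict(list)
    for key, id_field in UNPROCESSED_KEYS.items():
        for item in response.get(key, []):
            code = item.get("ErrorCode")
            # A code this client has never seen must not be dropped silently.
            action = ACTIONS.get(code, "unknown")
            buckets[action].append((item.get(id_field), code, item.get("ErrorReason")))
    return dict(buckets)


def audit_controls(client, control_ids):
    """Return (controls, problems); every requested id lands in one of them."""
    resp = client.batch_get_security_controls(SecurityControlIds=list(control_ids))
    controls = resp.get("SecurityControls", [])
    problems = triage(resp)
    # Requests may mix ids and ARNs, so match on both.
    seen = {c.get("SecurityControlId") for c in controls}
    seen |= {c.get("SecurityControlArn") for c in controls}
    seen |= {ident for items in problems.values() for ident, _, _ in items}
    for ident in control_ids:
        if ident not in seen:
            problems.setdefault("unaccounted", []).append((ident, None, None))
    return controls, problems
```

A compliance report built on this should treat any non-empty problems dictionary as incomplete coverage rather than as a pass.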