AWS SecurityHub

2025/09/08 - AWS SecurityHub - 3 updated api methods

Changes: This release adds the RESOURCE_NOT_FOUND error code as a possible value in responses to the following operations: BatchGetStandardsControlAssociations, BatchUpdateStandardsControlAssociations, and BatchGetSecurityControls.

BatchGetSecurityControls (updated)
Changes (response)
{'UnprocessedIds': {'ErrorCode': {'RESOURCE_NOT_FOUND'}}}

Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.

See also: AWS API Documentation

Request Syntax

client.batch_get_security_controls(
    SecurityControlIds=[
        'string',
    ]
)

Parameters

  • SecurityControlIds (list) -- [REQUIRED]

    A list of security controls (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters). The security control ID or Amazon Resource Name (ARN) is the same across standards.

    • (string) --

Return type: dict

Returns:

Response Syntax

{
    'SecurityControls': [
        {
            'SecurityControlId': 'string',
            'SecurityControlArn': 'string',
            'Title': 'string',
            'Description': 'string',
            'RemediationUrl': 'string',
            'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
            'SecurityControlStatus': 'ENABLED'|'DISABLED',
            'UpdateStatus': 'READY'|'UPDATING',
            'Parameters': {
                'string': {
                    'ValueType': 'DEFAULT'|'CUSTOM',
                    'Value': {
                        'Integer': 123,
                        'IntegerList': [
                            123,
                        ],
                        'Double': 123.0,
                        'String': 'string',
                        'StringList': [
                            'string',
                        ],
                        'Boolean': True|False,
                        'Enum': 'string',
                        'EnumList': [
                            'string',
                        ]
                    }
                }
            },
            'LastUpdateReason': 'string'
        },
    ],
    'UnprocessedIds': [
        {
            'SecurityControlId': 'string',
            'ErrorCode': 'INVALID_INPUT'|'ACCESS_DENIED'|'NOT_FOUND'|'RESOURCE_NOT_FOUND'|'LIMIT_EXCEEDED',
            'ErrorReason': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • SecurityControls (list) --

      An array that returns the identifier, Amazon Resource Name (ARN), and other details about a security control. The same information is returned whether the request includes SecurityControlId or SecurityControlArn.

      • (dict) --

        A security control in Security Hub describes a security best practice related to a specific resource.

        • SecurityControlId (string) --

          The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number, such as APIGateway.3.

        • SecurityControlArn (string) --

          The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

        • Title (string) --

          The title of a security control.

        • Description (string) --

          The description of a security control across standards. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard.

        • RemediationUrl (string) --

          A link to Security Hub documentation that explains how to remediate a failed finding for a security control.

        • SeverityRating (string) --

          The severity of a security control. For more information about how Security Hub determines control severity, see Assigning severity to control findings in the Security Hub User Guide.

        • SecurityControlStatus (string) --

          The enablement status of a security control in a specific standard.

        • UpdateStatus (string) --

          Identifies whether customizable properties of a security control are reflected in Security Hub findings. A status of READY indicates that Security Hub uses the current control parameter values when running security checks of the control. A status of UPDATING indicates that all security checks might not use the current parameter values.

        • Parameters (dict) --

          An object that identifies the name of a control parameter, its current value, and whether it has been customized.

          • (string) --

            • (dict) --

              An object that provides the current value of a security control parameter and identifies whether it has been customized.

              • ValueType (string) --

                Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior.

                When ValueType is set equal to DEFAULT, the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When ValueType is set equal to DEFAULT, Security Hub ignores user-provided input for the Value field.

                When ValueType is set equal to CUSTOM, the Value field can't be empty.

              • Value (dict) --

                The current value of a control parameter.

                • Integer (integer) --

                  A control parameter that is an integer.

                • IntegerList (list) --

                  A control parameter that is a list of integers.

                  • (integer) --

                • Double (float) --

                  A control parameter that is a double.

                • String (string) --

                  A control parameter that is a string.

                • StringList (list) --

                  A control parameter that is a list of strings.

                  • (string) --

                • Boolean (boolean) --

                  A control parameter that is a boolean.

                • Enum (string) --

                  A control parameter that is an enum.

                • EnumList (list) --

                  A control parameter that is a list of enums.

                  • (string) --

        • LastUpdateReason (string) --

          The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.

    • UnprocessedIds (list) --

      A security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) for which details cannot be returned.

      • (dict) --

        Provides details about a security control for which a response couldn't be returned.

        • SecurityControlId (string) --

          The control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) for which a response couldn't be returned.

        • ErrorCode (string) --

          The error code for the unprocessed security control.

        • ErrorReason (string) --

          The reason why the security control was unprocessed.

BatchGetStandardsControlAssociations (updated)
Changes (response)
{'UnprocessedAssociations': {'ErrorCode': {'RESOURCE_NOT_FOUND'}}}

For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard.

Calls to this operation return a RESOURCE_NOT_FOUND_EXCEPTION error when the standard subscription for the association has a NOT_READY_FOR_UPDATES value for StandardsControlsUpdatable.

See also: AWS API Documentation

Request Syntax

client.batch_get_standards_control_associations(
    StandardsControlAssociationIds=[
        {
            'SecurityControlId': 'string',
            'StandardsArn': 'string'
        },
    ]
)

Parameters

  • StandardsControlAssociationIds (list) -- [REQUIRED]

    An array with one or more objects that includes a security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. This field is used to query the enablement status of a control in a specified standard. The security control ID or ARN is the same across standards.

    • (dict) --

      An array with one or more objects that includes a security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. The security control ID or ARN is the same across standards.

      • SecurityControlId (string) -- [REQUIRED]

        The unique identifier (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) of a security control across standards.

      • StandardsArn (string) -- [REQUIRED]

        The ARN of a standard.

Return type: dict

Returns:

Response Syntax

{
    'StandardsControlAssociationDetails': [
        {
            'StandardsArn': 'string',
            'SecurityControlId': 'string',
            'SecurityControlArn': 'string',
            'AssociationStatus': 'ENABLED'|'DISABLED',
            'RelatedRequirements': [
                'string',
            ],
            'UpdatedAt': datetime(2015, 1, 1),
            'UpdatedReason': 'string',
            'StandardsControlTitle': 'string',
            'StandardsControlDescription': 'string',
            'StandardsControlArns': [
                'string',
            ]
        },
    ],
    'UnprocessedAssociations': [
        {
            'StandardsControlAssociationId': {
                'SecurityControlId': 'string',
                'StandardsArn': 'string'
            },
            'ErrorCode': 'INVALID_INPUT'|'ACCESS_DENIED'|'NOT_FOUND'|'RESOURCE_NOT_FOUND'|'LIMIT_EXCEEDED',
            'ErrorReason': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • StandardsControlAssociationDetails (list) --

      Provides the enablement status of a security control in a specified standard and other details for the control in relation to the specified standard.

      • (dict) --

        Provides details about a control's enablement status in a specified standard.

        • StandardsArn (string) --

          The Amazon Resource Name (ARN) of a security standard.

        • SecurityControlId (string) --

          The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number, such as APIGateway.3.

        • SecurityControlArn (string) --

          The ARN of a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.

        • AssociationStatus (string) --

          Specifies whether a control is enabled or disabled in a specified standard.

        • RelatedRequirements (list) --

          The requirement that underlies a control in the compliance framework related to the standard.

          • (string) --

        • UpdatedAt (datetime) --

          The time at which the enablement status of the control in the specified standard was last updated.

        • UpdatedReason (string) --

          The reason for updating the enablement status of a control in a specified standard.

        • StandardsControlTitle (string) --

          The title of a control. This field may reference a specific standard.

        • StandardsControlDescription (string) --

          The description of a control. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter may reference a specific standard.

        • StandardsControlArns (list) --

          Provides the input parameter that Security Hub uses to call the UpdateStandardsControl API. This API can be used to enable or disable a control in a specified standard.

          • (string) --

    • UnprocessedAssociations (list) --

      A security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) whose enablement status in a specified standard cannot be returned.

      • (dict) --

        Provides details about which control's enablement status couldn't be retrieved in a specified standard when calling BatchUpdateStandardsControlAssociations. This parameter also provides details about why the request was unprocessed.

        • StandardsControlAssociationId (dict) --

          An array with one or more objects that includes a security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. This parameter shows the specific controls for which the enablement status couldn't be retrieved in specified standards when calling BatchUpdateStandardsControlAssociations.

          • SecurityControlId (string) --

            The unique identifier (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) of a security control across standards.

          • StandardsArn (string) --

            The ARN of a standard.

        • ErrorCode (string) --

          The error code for the unprocessed standard and control association.

        • ErrorReason (string) --

          The reason why the standard and control association was unprocessed.

BatchUpdateStandardsControlAssociations (updated)
Changes (response)
{'UnprocessedAssociationUpdates': {'ErrorCode': {'RESOURCE_NOT_FOUND'}}}

For a batch of security controls and standards, this operation updates the enablement status of a control in a standard.

See also: AWS API Documentation

Request Syntax

client.batch_update_standards_control_associations(
    StandardsControlAssociationUpdates=[
        {
            'StandardsArn': 'string',
            'SecurityControlId': 'string',
            'AssociationStatus': 'ENABLED'|'DISABLED',
            'UpdatedReason': 'string'
        },
    ]
)

Parameters

  • StandardsControlAssociationUpdates (list) -- [REQUIRED]

    Updates the enablement status of a security control in a specified standard.

    Calls to this operation return a RESOURCE_NOT_FOUND_EXCEPTION error when the standard subscription for the control has StandardsControlsUpdatable value NOT_READY_FOR_UPDATES.

    • (dict) --

      An array of requested updates to the enablement status of controls in specified standards. The objects in the array include a security control ID, the Amazon Resource Name (ARN) of the standard, the requested enablement status, and the reason for updating the enablement status.

      • StandardsArn (string) -- [REQUIRED]

        The Amazon Resource Name (ARN) of the standard in which you want to update the control's enablement status.

      • SecurityControlId (string) -- [REQUIRED]

        The unique identifier for the security control whose enablement status you want to update.

      • AssociationStatus (string) -- [REQUIRED]

        The desired enablement status of the control in the standard.

      • UpdatedReason (string) --

        The reason for updating the control's enablement status in the standard.

Return type: dict

Returns:

Response Syntax

{
    'UnprocessedAssociationUpdates': [
        {
            'StandardsControlAssociationUpdate': {
                'StandardsArn': 'string',
                'SecurityControlId': 'string',
                'AssociationStatus': 'ENABLED'|'DISABLED',
                'UpdatedReason': 'string'
            },
            'ErrorCode': 'INVALID_INPUT'|'ACCESS_DENIED'|'NOT_FOUND'|'RESOURCE_NOT_FOUND'|'LIMIT_EXCEEDED',
            'ErrorReason': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • UnprocessedAssociationUpdates (list) --

      A security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) whose enablement status in a specified standard couldn't be updated.

      • (dict) --

        Provides details about which control's enablement status could not be updated in a specified standard when calling the BatchUpdateStandardsControlAssociations API. This parameter also provides details about why the request was unprocessed.

        • StandardsControlAssociationUpdate (dict) --

          An array of control and standard associations for which an update failed when calling BatchUpdateStandardsControlAssociations.

          • StandardsArn (string) --

            The Amazon Resource Name (ARN) of the standard in which you want to update the control's enablement status.

          • SecurityControlId (string) --

            The unique identifier for the security control whose enablement status you want to update.

          • AssociationStatus (string) --

            The desired enablement status of the control in the standard.

          • UpdatedReason (string) --

            The reason for updating the control's enablement status in the standard.

        • ErrorCode (string) --

          The error code for the unprocessed update of the control's enablement status in the specified standard.

        • ErrorReason (string) --

          The reason why a control's enablement status in the specified standard couldn't be updated.
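
All three operations above report per-item failures in an Unprocessed* list inside the response, so a caller that skips that list, or that matches ErrorCode against a fixed set of values, can miss a control whose status was never read or changed. The following is an added example, not code from AWS or boto3: it triages those lists for all three response shapes and keeps unrecognised codes visible. The bucket names, the handling policy, and the sample responses (including the placeholder standards ARN) are assumptions.

```python
# Added example (not AWS or boto3 code): triage the per-item failure lists that
# the three batch operations on this page return in their responses.
# Responses are plain dicts here, so it runs offline; samples are constructed.

# Failure list key -> key of the echoed request item (None: fields are inline).
UNPROCESSED_KEYS = {
    "UnprocessedIds": None,
    "UnprocessedAssociations": "StandardsControlAssociationId",
    "UnprocessedAssociationUpdates": "StandardsControlAssociationUpdate",
}

# Assumed handling policy (a local choice, not defined by the API).
BUCKET_FOR = {
    "LIMIT_EXCEEDED": "retry",
    "NOT_FOUND": "missing",
    "RESOURCE_NOT_FOUND": "missing",  # value added in this release
    "ACCESS_DENIED": "denied",
    "INVALID_INPUT": "invalid",
}


def triage_unprocessed(response):
    """Group every unprocessed item in a batch response by handling bucket."""
    buckets = {name: [] for name in ("retry", "missing", "denied", "invalid", "unknown")}
    for list_key, item_key in UNPROCESSED_KEYS.items():
        for entry in response.get(list_key, []):
            ident = entry.get(item_key, {}) if item_key else entry
            code = entry.get("ErrorCode")
            # Codes this client does not know yet land in "unknown", not nowhere.
            buckets[BUCKET_FOR.get(code, "unknown")].append({
                "SecurityControlId": ident.get("SecurityControlId"),
                "StandardsArn": ident.get("StandardsArn"),
                "ErrorCode": code,
                "ErrorReason": entry.get("ErrorReason"),
            })
    return buckets


def fully_applied(response):
    """True only when no item in the batch was left unprocessed."""
    return not any(triage_unprocessed(response).values())


# Constructed samples: one update rejected with the new code, one throttled,
# and one lookup failing with a code this client has never seen.
STD = "arn:aws:securityhub:eu-central-1::standards/EXAMPLE/v/1.0.0"  # placeholder ARN
SAMPLE_UPDATE_RESPONSE = {"UnprocessedAssociationUpdates": [
    {"StandardsControlAssociationUpdate": {"StandardsArn": STD, "SecurityControlId": "S3.1",
                                           "AssociationStatus": "DISABLED"},
     "ErrorCode": "RESOURCE_NOT_FOUND", "ErrorReason": "constructed reason"},
    {"StandardsControlAssociationUpdate": {"StandardsArn": STD, "SecurityControlId": "APIGateway.3",
                                           "AssociationStatus": "ENABLED"},
     "ErrorCode": "LIMIT_EXCEEDED", "ErrorReason": "constructed reason"},
]}
SAMPLE_GET_RESPONSE = {"SecurityControls": [], "UnprocessedIds": [
    {"SecurityControlId": "S3.1", "ErrorCode": "SOME_FUTURE_CODE", "ErrorReason": "constructed"},
]}
```

In real use, pass the dict returned by the corresponding client call to triage_unprocessed and alert on any non-empty bucket other than "retry".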