AWS Security Hub (IAM)
AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
Common permissions
- securityhub:DescribeHub
- securityhub:GetFindings
- securityhub:GetInsights
- securityhub:ListMembers
- securityhub:UpdateFindings
- securityhub:GetInsightResults
- securityhub:ListInvitations
- securityhub:TagResource
Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "securityhub:DescribeHub",
        "securityhub:GetFindings",
        "securityhub:GetInsights",
        "securityhub:ListMembers",
        "securityhub:UpdateFindings",
        "securityhub:GetInsightResults",
        "securityhub:ListInvitations",
        "securityhub:TagResource"
      ],
      "Resource": "*"
    }
  ]
}
Warnings
- Avoid securityhub:* — grants full control including hub deletion and member management
- Avoid securityhub:DeleteMembers and securityhub:DeleteInsight — can break security aggregation and monitoring
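A policy check for the warnings above, as an added example that is not part of the original page: it reports every Allow statement whose Action or NotAction ends up granting securityhub:*, securityhub:DeleteMembers or securityhub:DeleteInsight, including through wildcards. The function names and the two sample policies are constructed for illustration, and the check looks at each statement on its own rather than evaluating Deny overrides.

```python
import re

# Actions the warnings above single out, plus the service-wide wildcard.
FLAGGED_ACTIONS = ("securityhub:DeleteMembers", "securityhub:DeleteInsight")
FULL_WILDCARDS = ("*", "securityhub:*")

def _as_list(value):
    """IAM allows a single value or a list for Statement/Action/NotAction."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' = any run, '?' = one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_policy(policy):
    """Return (statement index, pattern, granted action) for each risky Allow."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement grants nothing by itself
        for pattern in _as_list(stmt.get("Action")):
            if pattern.lower() in FULL_WILDCARDS:
                findings.append((idx, pattern, "securityhub:*"))
                continue
            for action in FLAGGED_ACTIONS:
                if _matches(pattern, action):
                    findings.append((idx, pattern, action))
        if "NotAction" in stmt:
            # Allow + NotAction grants every action that is NOT listed.
            excluded = _as_list(stmt["NotAction"])
            for action in FLAGGED_ACTIONS:
                if not any(_matches(p, action) for p in excluded):
                    findings.append((idx, "NotAction", action))
    return findings

# Constructed sample policies (not from the page).
READ_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["securityhub:Get*", "securityhub:DescribeHub"],
    "Resource": "*"}}
RISKY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "SecurityHub:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["securityhub:Delete*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "securityhub:DeleteMembers", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("READ_ONLY", READ_ONLY), ("RISKY", RISKY)):
        print(name, audit_policy(doc))
```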
Resources
API
full doc /v1/iam/securityhub