Product logo
DocsBlogPricing

Permissions for @turbot/aws-securityhub

Taking a look at permissions and associated grant levels for each permission for Security Hub:

PermissionGrant LevelHelp
health:DescribeEventAggregatesMetadata
iam:PassRoleAdminAdmins can allow Security Hub service to use existing IAM roles.
securityhub:AcceptInvitationAdminAdmins can accept the invitation to be monitored by a master Security Hub account.
securityhub:BatchDisableStandardsAdmin
securityhub:BatchEnableStandardsAdmin
securityhub:BatchImportFindingsAdmin
securityhub:CancelProductSubscriptionAdmin
securityhub:CreateActionTargetAdmin
securityhub:CreateInsightAdmin
securityhub:CreateMembersAdmin
securityhub:DeclineInvitationsAdmin
securityhub:DeleteActionTargetAdmin
securityhub:DeleteInsightAdmin
securityhub:DeleteInvitationsAdmin
securityhub:DeleteMembersAdmin
securityhub:DescribeActionTargetsMetadata
securityhub:DescribeHubMetadata
securityhub:DescribeProductsMetadata
securityhub:DisableImportFindingsForProductOperator
securityhub:DisableSecurityHubAdmin
securityhub:DisassociateFromMasterAccountAdmin
securityhub:DisassociateMembersAdmin
securityhub:EnableImportFindingsForProductAdmin
securityhub:EnableSecurityHubAdmin
securityhub:GetEnabledStandardsMetadata
securityhub:GetFindingsMetadata
securityhub:GetInsightResultsMetadata
securityhub:GetInsightsMetadata
securityhub:GetInvitationsCountMetadata
securityhub:GetMasterAccountMetadata
securityhub:GetMembersMetadata
securityhub:GetProductSubscriptionMetadata
securityhub:InviteMembersAdmin
securityhub:IsSecurityHubEnabledMetadata
securityhub:ListEnabledProductsForImportMetadata
securityhub:ListInvitationsMetadata
securityhub:ListMembersMetadata
securityhub:ListTagsForResourceMetadata
securityhub:TagResourceOperator
securityhub:UntagResourceOperator
securityhub:UpdateActionTargetAdmin
securityhub:UpdateFindingsAdmin
securityhub:UpdateInsightAdmin