Detect AWS Security Hub Configuration Changes

"AcceptInvitation" - Accepts the invitation to be monitored by a master Security Hub account.

"BatchEnableStandards" - Enables the supported standards (for example, CIS AWS Foundations) specified by the standards ARNs.

"BatchDisableStandards" - Disables the supported standards specified by the standards subscription ARNs.

"BatchImportFindings" - Imports Security Hub findings that are generated by the integrated third-party providers.

"CreateInsight" - Creates an insight, i.e. a collection of findings that identifies a security area within your AWS environment that requires attention and/or intervention.

"CreateMembers" - Creates member Security Hub accounts within the current AWS account (which becomes the master Security Hub account) that has Security Hub service enabled.

"DeclineInvitations" - Declines invitations that are sent to the current AWS account (invitee) by other AWS accounts (inviters).

"DeleteInsight" - Deletes a security insight specified by the insight Amazon Resource Name (ARN).

"DeleteInvitations" - Deletes invitations that are sent to the current AWS account (invitee) by the AWS accounts (inviters).

"DeleteMembers" - Deletes the Security Hub member accounts that are specified by the account IDs.

"DisableImportFindingsForProduct" - Stops you from importing security findings generated by third-party providers into Security Hub.

"DisableSecurityHub" - Disables the Amazon Security Hub service.

"DisassociateFromMasterAccount" - Disassociates the current Security Hub member account from its master account.

"DisassociateMembers" - Disassociates the Security Hub member accounts that are specified by the account IDs from their master account.

"EnableImportFindingsForProduct" - Enables you to import findings generated by integrated third-party providers into Security Hub.

"EnableSecurityHub" - Enables the AWS Security Hub service.

"InviteMembers" - Invites other AWS accounts to enable AWS Security Hub and become Security Hub member accounts.

"UpdateInsight" - Updates the Amazon Security Hub insight specified by the insight ARN.

"BatchUpdateFindings" - Updates the Amazon Security Hub findings specified by their investigation.

Security Hub is the AWS service that gives you a broad view of your high-priority security alerts and compliance status across your AWS accounts. As a comprehensive monitoring tool, specially designed for multi-account AWS environments, Cloud Conformity strongly recommends that you avoid as much as possible to provide your non-privileged IAM users the permission to change the Security Hub service configuration within your Amazon Web Services master account.

The communication channels required for sending RTMA notifications can be configured in your Cloud Conformity account. The list of supported communication channels that you can use to receive configuration change alerts for Amazon Security Hub are SMS, Email, PagerDuty, Slack, Zendesk and ServiceNow.