SecurityHub / Client / batch_get_security_controls



Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.

See also: AWS API Documentation

Request Syntax

response = client.batch_get_security_controls(

SecurityControlIds (list) –


A list of security controls (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters). The security control ID or Amazon Resource Name (ARN) is the same across standards.

  • (string) –

Return type:



Response Syntax

    'SecurityControls': [
            'SecurityControlId': 'string',
            'SecurityControlArn': 'string',
            'Title': 'string',
            'Description': 'string',
            'RemediationUrl': 'string',
            'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
            'SecurityControlStatus': 'ENABLED'|'DISABLED'
    'UnprocessedIds': [
            'SecurityControlId': 'string',
            'ErrorReason': 'string'

Response Structure

  • (dict) –

    • SecurityControls (list) –

      An array that returns the identifier, Amazon Resource Name (ARN), and other details about a security control. The same information is returned whether the request includes SecurityControlId or SecurityControlArn.

      • (dict) –

        A security control in Security Hub describes a security best practice related to a specific resource.

        • SecurityControlId (string) –

          The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Service name and a number, such as APIGateway.3.

        • SecurityControlArn (string) –

          The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn’t mention a specific standard.

        • Title (string) –

          The title of a security control.

        • Description (string) –

          The description of a security control across standards. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter doesn’t reference a specific standard.

        • RemediationUrl (string) –

          A link to Security Hub documentation that explains how to remediate a failed finding for a security control.

        • SeverityRating (string) –

          The severity of a security control. For more information about how Security Hub determines control severity, see Assigning severity to control findings in the Security Hub User Guide.

        • SecurityControlStatus (string) –

          The enablement status of a security control in a specific standard.

    • UnprocessedIds (list) –

      A security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) for which details cannot be returned.

      • (dict) –

        Provides details about a security control for which a response couldn’t be returned.

        • SecurityControlId (string) –

          The control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) for which a response couldn’t be returned.

        • ErrorCode (string) –

          The error code for the unprocessed security control.

        • ErrorReason (string) –

          The reason why the security control was unprocessed.


  • SecurityHub.Client.exceptions.InternalException

  • SecurityHub.Client.exceptions.LimitExceededException

  • SecurityHub.Client.exceptions.InvalidAccessException

  • SecurityHub.Client.exceptions.InvalidInputException