For Agents
Aggregate, query, and triage AWS security findings across accounts and standards. Agents can import findings, update workflow status, run insights, and manage Security Hub members.
Get started with AWS SecurityHub in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"list aws security hub findings filtered by severity"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with AWS SecurityHub API.
Import findings from third-party products into Security Hub via BatchImportFindings
Update finding workflow status, severity, and notes with BatchUpdateFindings
Enable and disable security standards such as CIS, PCI DSS, and AWS FSBP
Query active findings with GetFindings using filters on severity, resource, and compliance status
GET STARTED
Use for: I need to import a finding from a third-party scanner into Security Hub, Mark a Security Hub finding as resolved, List all critical-severity findings in the last 24 hours, Enable the CIS AWS Foundations Benchmark standard
Not supported: Does not generate threat findings, run vulnerability scans, or perform forensic investigation — use to aggregate and triage findings produced by GuardDuty, Inspector, Macie, and third-party products only.
Jentic publishes the only available OpenAPI document for AWS SecurityHub, keeping it validated and agent-ready.
Jentic publishes the only available OpenAPI specification for AWS SecurityHub, keeping it validated and agent-ready. AWS Security Hub aggregates, normalises, and prioritises security findings from AWS services such as GuardDuty, Inspector, and Macie, plus integrated third-party products. Agents can ingest findings through BatchImportFindings, update finding status with BatchUpdateFindings, enable security standards like CIS and PCI DSS, run automated insights, and manage member accounts in a multi-account organisation. The API exposes 61 operations covering findings, controls, standards, insights, action targets, and finding aggregators.
Run and inspect Security Hub Insights to surface grouped findings by attribute
Manage Security Hub member accounts with CreateMembers, InviteMembers, and DisassociateMembers
Patterns agents use AWS SecurityHub API for, with concrete tasks.
★ Centralised Multi-Account Findings Triage
Security teams use Security Hub as the single pane of glass for findings across many AWS accounts. The administrator account invites member accounts, enables standards centrally, and queries findings filtered by severity and resource. BatchUpdateFindings is used to set workflow status (NEW, NOTIFIED, SUPPRESSED, RESOLVED) so that triage state is consistent across the organisation.
Call GetFindings with a filter for SeverityLabel = CRITICAL and WorkflowStatus = NEW, then BatchUpdateFindings to set Workflow.Status = NOTIFIED for the matching finding IDs.
Automated Compliance Posture Reporting
Compliance teams enable standards (CIS, PCI DSS, NIST 800-53, AWS Foundational Security Best Practices) and use Security Hub controls to track which checks pass or fail. Agents can list enabled standards, fetch control statuses, and generate periodic reports without scraping the console.
Call BatchEnableStandards for the CIS AWS Foundations Benchmark ARN, then BatchGetSecurityControls to retrieve the failed-control list for the current account.
Third-Party Finding Ingestion
Vendors and in-house scanners that produce ASFF-compliant findings push them to Security Hub via BatchImportFindings, giving operators a unified queue. CreateActionTarget defines custom actions that EventBridge rules can use to route specific findings to ticketing or chat systems.
BatchImportFindings with a single ASFF document for an EC2 instance vulnerability, then CreateActionTarget named 'send-to-pagerduty' for routing high-severity findings.
AI Agent Security Triage via Jentic
AI agents using Jentic can investigate Security Hub findings on demand: pulling open critical findings, enriching them with resource context, and updating workflow status as triage proceeds. Through Jentic, the agent searches by intent, loads operation schemas, and executes calls without needing the AWS SDK or SigV4 signing logic.
Search Jentic for 'list security hub findings filtered by severity', execute GetFindings with SeverityLabel = HIGH, then BatchUpdateFindings to add a Note for each finding with the agent's triage decision.
61 endpoints — jentic publishes the only available openapi specification for aws securityhub, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/findings/import
Import findings into Security Hub (BatchImportFindings)
/findings/batchupdate
Update workflow status, severity, and notes on findings
/standards/register
Enable one or more security standards
/standards/deregister
Disable one or more security standards
/securityControls/batchGet
Fetch security control details and status
/insights
Create a Security Hub Insight
/members
Add member accounts to a Security Hub organisation
/actionTargets
Create a custom action target for EventBridge routing
/findings/import
Import findings into Security Hub (BatchImportFindings)
/findings/batchupdate
Update workflow status, severity, and notes on findings
/standards/register
Enable one or more security standards
/standards/deregister
Disable one or more security standards
/securityControls/batchGet
Fetch security control details and status
Three things that make agents converge on Jentic-routed access.
Credential isolation
AWS access keys are stored encrypted in the Jentic vault. Agents call Security Hub through Jentic, which performs SigV4 signing per request — raw credentials never enter the agent's context window.
Intent-based discovery
Agents search by intent (for example, 'list critical security findings' or 'import a finding into security hub') and Jentic returns the matching Security Hub operations with their input schemas, so the agent calls GetFindings or BatchImportFindings without browsing the AWS reference.
Time to first call
Direct Security Hub integration: 2-4 days for IAM, SigV4 signing, ASFF formatting, and pagination. Through Jentic: under 1 hour — search, load operation schemas, execute.
Alternatives and complements available in the Jentic catalogue.
Amazon GuardDuty
Threat detection service that produces findings consumed by Security Hub
Use GuardDuty to generate threat findings; query and triage them centrally through Security Hub
Amazon Detective
Investigation graph that drills into the resources behind Security Hub findings
Pivot from a Security Hub finding into Detective when an agent needs entity-level context for the affected resource
AWS Audit Manager
Continuous audit framework with mapped controls; useful when the primary need is audit evidence rather than findings
Choose Audit Manager when the goal is collecting audit evidence per framework; choose Security Hub for live finding triage
Specific to using AWS SecurityHub API through Jentic.
Why is there no official OpenAPI spec for AWS SecurityHub?
AWS does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call AWS SecurityHub via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the AWS SecurityHub use?
Security Hub uses AWS Signature Version 4 with an access key, secret key, and the relevant IAM permissions (for example, securityhub:BatchImportFindings). Through Jentic, AWS credentials live encrypted in the vault and Jentic signs each call before sending it to the regional Security Hub endpoint.
Can I import third-party security findings into Security Hub?
Yes. BatchImportFindings accepts up to 100 findings per call in AWS Security Finding Format (ASFF). Each finding must include a ProductArn that is registered with Security Hub. Suppressed or resolved findings round-trip through BatchUpdateFindings.
What are the rate limits for the AWS SecurityHub?
AWS publishes per-operation throttling: BatchEnableStandards is 1 request per second (burst 1), GetFindings is 3 per second (burst 6), BatchImportFindings and BatchUpdateFindings are 10 per second (burst 30), UpdateStandardsControl is 1 per second (burst 5), and most other operations are 10 per second (burst 30). Throttled calls return ThrottlingException and should be retried with backoff.
How do I update finding workflow status through Jentic?
Through Jentic, search for 'update security hub finding status', load the BatchUpdateFindings input schema, and execute a PATCH against /findings/batchupdate with FindingIdentifiers and Workflow.Status set to NOTIFIED, SUPPRESSED, or RESOLVED. Jentic handles SigV4 signing for the underlying AWS call.
Is AWS Security Hub free?
Security Hub charges per security check evaluation and per finding ingested, with a 30-day free trial. Pricing depends on region; see https://aws.amazon.com/security-hub/pricing/ for the current rates.
/insights
Create a Security Hub Insight
/members
Add member accounts to a Security Hub organisation
/actionTargets
Create a custom action target for EventBridge routing