AWS::SecurityHub::OrganizationConfiguration - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::SecurityHub::OrganizationConfiguration

The AWS::SecurityHub::OrganizationConfiguration resource specifies the way that your Amazon organization is configured in Amazon Security Hub. Specifically, you can use this resource to specify the configuration type for your organization and whether to automatically enable Security Hub and security standards in new member accounts. For more information, see Managing administrator and member accounts in the Amazon Security Hub User Guide.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::SecurityHub::OrganizationConfiguration",
  "Properties" : {
      "AutoEnable" : Boolean,
      "AutoEnableStandards" : String,
      "ConfigurationType" : String
    }
}

YAML

Type: AWS::SecurityHub::OrganizationConfiguration
Properties:
  AutoEnable: Boolean
  AutoEnableStandards: String
  ConfigurationType: String

Properties

AutoEnable

Whether to automatically enable Security Hub in new member accounts when they join the organization.

If set to true, then Security Hub is automatically enabled in new accounts. If set to false, then Security Hub isn't enabled in new accounts automatically. The default value is false.

If the ConfigurationType of your organization is set to CENTRAL, then this field is set to false and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts.

Required: Yes

Type: Boolean

Update requires: No interruption

AutoEnableStandards

Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.

The default value is DEFAULT.

If equal to DEFAULT, then Security Hub default standards are automatically enabled for new member accounts. If equal to NONE, then default standards are not automatically enabled for new member accounts.

If the ConfigurationType of your organization is set to CENTRAL, then this field is set to NONE and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts.

Required: No

Type: String

Allowed values: DEFAULT | NONE

Update requires: No interruption

ConfigurationType

Indicates whether the organization uses local or central configuration.

If you use local configuration, the Security Hub delegated administrator can set AutoEnable to true and AutoEnableStandards to DEFAULT. This automatically enables Security Hub and default security standards in new organization accounts. These new account settings must be set separately in each Amazon Web Services Region, and settings may be different in each Region.

If you use central configuration, the delegated administrator can create configuration policies. Configuration policies can be used to configure Security Hub, security standards, and security controls in multiple accounts and Regions. If you want new organization accounts to use a specific configuration, you can create a configuration policy and associate it with the root or specific organizational units (OUs). New accounts will inherit the policy from the root or their assigned OU.

Required: No

Type: String

Allowed values: CENTRAL | LOCAL

Update requires: No interruption
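The three properties above constrain each other: AutoEnable is required and must be a Boolean (a YAML string such as "true" is not), AutoEnableStandards and ConfigurationType take only the listed values, and under CENTRAL the service fixes AutoEnable to false and AutoEnableStandards to NONE, so a template that asks for CENTRAL together with AutoEnable true or AutoEnableStandards DEFAULT contradicts itself. The following added example (not AWS code, and not part of this page) lints a template already loaded as a dict against exactly those rules before any stack operation is attempted. The sample templates embedded in it are constructed for the example; the finding messages are this example's own wording. It assumes nothing about how the Security Hub API itself responds to a contradictory request.

```python
"""Lint AWS::SecurityHub::OrganizationConfiguration resources in a template.

Added example, not AWS code: it checks a CloudFormation template (already
loaded as a dict) against the property rules this page states, so that a
contradictory combination such as ConfigurationType CENTRAL together with
AutoEnable true is caught before a stack operation is attempted.
"""
import json

RESOURCE_TYPE = "AWS::SecurityHub::OrganizationConfiguration"
ALLOWED_STANDARDS = ("DEFAULT", "NONE")
ALLOWED_CONFIG_TYPES = ("CENTRAL", "LOCAL")


def check_properties(props: dict) -> list[str]:
    """Return a list of findings for one resource's Properties block."""
    findings = []

    # AutoEnable is the only required property and must be a Boolean;
    # a quoted "true" in YAML or JSON arrives as a string and is rejected here.
    if "AutoEnable" not in props:
        findings.append("AutoEnable is required")
    elif not isinstance(props["AutoEnable"], bool):
        findings.append("AutoEnable must be a Boolean, not a string")

    standards = props.get("AutoEnableStandards")
    if standards is not None and standards not in ALLOWED_STANDARDS:
        findings.append("AutoEnableStandards must be DEFAULT or NONE")

    config_type = props.get("ConfigurationType")
    if config_type is not None and config_type not in ALLOWED_CONFIG_TYPES:
        findings.append("ConfigurationType must be CENTRAL or LOCAL")

    # Under central configuration the service fixes AutoEnable to false and
    # AutoEnableStandards to NONE; asking for anything else contradicts that,
    # and new-account enablement belongs in a configuration policy instead.
    if config_type == "CENTRAL":
        if props.get("AutoEnable") is True:
            findings.append("CENTRAL fixes AutoEnable to false; enable Security Hub "
                            "in new accounts through a configuration policy instead")
        if standards == "DEFAULT":
            findings.append("CENTRAL fixes AutoEnableStandards to NONE; enable "
                            "standards through a configuration policy instead")
    return findings


def check_template(template: dict) -> dict[str, list[str]]:
    """Map each OrganizationConfiguration logical ID in the template to its findings."""
    return {
        logical_id: check_properties(resource.get("Properties", {}))
        for logical_id, resource in template.get("Resources", {}).items()
        if resource.get("Type") == RESOURCE_TYPE
    }


# Constructed sample templates (JSON so that only the standard library is needed).
CENTRAL_OK = json.loads("""{"Resources": {"OrgConfig": {
  "Type": "AWS::SecurityHub::OrganizationConfiguration",
  "Properties": {"AutoEnable": false, "AutoEnableStandards": "NONE",
                 "ConfigurationType": "CENTRAL"}}}}""")

LOCAL_OK = json.loads("""{"Resources": {"OrgConfig": {
  "Type": "AWS::SecurityHub::OrganizationConfiguration",
  "Properties": {"AutoEnable": true, "AutoEnableStandards": "DEFAULT",
                 "ConfigurationType": "LOCAL"}}}}""")

CENTRAL_CONTRADICTORY = json.loads("""{"Resources": {"OrgConfig": {
  "Type": "AWS::SecurityHub::OrganizationConfiguration",
  "Properties": {"AutoEnable": true, "AutoEnableStandards": "DEFAULT",
                 "ConfigurationType": "CENTRAL"}}}}""")

BAD_TYPES = json.loads("""{"Resources": {"OrgConfig": {
  "Type": "AWS::SecurityHub::OrganizationConfiguration",
  "Properties": {"AutoEnable": "true", "AutoEnableStandards": "none"}}}}""")


if __name__ == "__main__":
    samples = [("central", CENTRAL_OK), ("local", LOCAL_OK),
               ("contradictory", CENTRAL_CONTRADICTORY), ("bad types", BAD_TYPES)]
    for name, template in samples:
        for logical_id, findings in check_template(template).items():
            print(f"{name}/{logical_id}: {findings or 'ok'}")
```

Run it as a pre-deploy step over templates parsed with json.loads (or a YAML loader of your choice); the LOCAL sample passes because per-Region auto-enablement is exactly what local configuration supports, while the CENTRAL sample with AutoEnable true is reported with the pointer to configuration policies that this page gives.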

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the organization configuration identifier, formatted as AccountId/Region/securityhub-organization-configuration. For example, 123456789012/us-east-1/securityhub-organization-configuration.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

MemberAccountLimitReached

Whether the maximum number of allowed member accounts is already associated with the Security Hub administrator account.

OrganizationConfigurationIdentifier

The organization configuration identifier, formatted as AccountId/Region/securityhub-organization-configuration. For example, 123456789012/us-east-1/securityhub-organization-configuration.

Status

Describes whether central configuration could be enabled as the ConfigurationType for the organization. If your ConfigurationType is local configuration, then the value of Status is always ENABLED.

StatusMessage

Provides an explanation if the value of Status is equal to FAILED when ConfigurationType is equal to CENTRAL.

Examples

Configuring your organization in Security Hub

The following example configures organization settings in Security Hub.

JSON

{
  "Description": "Example template to configure an organization in Security Hub",
  "Resources": {
    "SecurityHubOrganizationConfiguration": {
      "Type": "AWS::SecurityHub::OrganizationConfiguration",
      "Properties": {
        "AutoEnable": false,
        "AutoEnableStandards": "NONE",
        "ConfigurationType": "CENTRAL"
      }
    }
  }
}

YAML

Description: Example template to configure an organization in Security Hub
Resources:
  SecurityHubOrganizationConfiguration:
    Type: 'AWS::SecurityHub::OrganizationConfiguration'
    Properties:
      AutoEnable: false
      AutoEnableStandards: "NONE"
      ConfigurationType: "CENTRAL"