Amazon managed policies for Amazon Security Hub
An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.
For more information, see Amazon managed policies in the IAM User Guide.
Amazon managed policy: AWSSecurityHubFullAccess
You can attach the AWSSecurityHubFullAccess policy to your IAM
identities.
This policy grants administrative permissions that allow a principal full access to all Security Hub actions. This policy must be attached to a principal before they enable Security Hub manually for their account. For example, principals with these permissions can both view and update the status of findings. They can configure custom insights, and enable integrations. They can enable and disable standards and controls. Principals for an administrator account can also manage member accounts.
Permissions details
This policy includes the following permissions.
-
securityhub– Allows principals full access to all Security Hub actions. -
guardduty– Allows principals to get information about account status in Amazon GuardDuty. -
iam– Allows principals to create a service-linked role. -
inspector– Allows principals to get information about account status in Amazon Inspector. -
pricing– Allows principals to get a price list of Amazon Web Services and products.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "SecurityHubAllowAll", "Effect": "Allow", "Action": "securityhub:*", "Resource": "*" }, { "Sid": "SecurityHubServiceLinkedRole", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": "securityhub.amazonaws.com" } } }, { "Sid": "OtherServicePermission", "Effect": "Allow", "Action": [ "guardduty:GetDetector", "guardduty:ListDetectors", "inspector2:BatchGetAccountStatus", "pricing:GetProducts" ], "Resource": "*", } ] }
Security Hub managed policy: AWSSecurityHubReadOnlyAccess
You can attach the AWSSecurityHubReadOnlyAccess policy to your IAM
identities.
This policy grants read-only permissions that allow users to view information in Security Hub. Principals with this policy attached cannot make any updates in Security Hub. For example, principals with these permissions can view the list of findings associated with their account, but cannot change the status of a finding. They can view the results of insights, but cannot create or configure custom insights. They cannot configure controls or product integrations.
Permissions details
This policy includes the following permissions.
-
securityhub– Allows users to perform actions that return either a list of items or details about an item. This includes API operations that start withGet,List, orDescribe.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSSecurityHubReadOnlyAccess", "Effect": "Allow", "Action": [ "securityhub:Get*", "securityhub:List*", "securityhub:BatchGet*", "securityhub:Describe*" ], "Resource": "*" } ] }
Amazon managed policy: AWSSecurityHubOrganizationsAccess
You can attach the AWSSecurityHubOrganizationsAccess policy to your IAM
identities.
This policy grants administrative permissions in Amazon Organizations that are required to support the Security Hub integration with Organizations.
These permissions allow the organization management account to designate the delegated administrator account for Security Hub. They also allow the delegated Security Hub administrator account to enable organization accounts as member accounts.
This policy only provides the permissions for Organizations. The organization management account
and delegated Security Hub administrator account also require permissions for the associated
actions in Security Hub. These permissions can be granted using the
AWSSecurityHubFullAccess managed policy.
Permissions details
This policy includes the following permissions.
-
organizations:ListAccounts– Allows principals to retrieve the list of accounts that are part of an organization. -
organizations:DescribeOrganization– Allows principals to retrieve information about the organization. -
organizations:ListRoots– Allows principals to list the root of an organization. -
organizations:ListDelegatedAdministrators– Allows principals to list the delegated administrator of an organization. -
organizations:ListAWSServiceAccessForOrganization– Allows principals to list the Amazon Web Services that an organization uses. -
organizations:ListOrganizationalUnitsForParent– Allows principals to list the child organizational units (OU) of a parent OU. -
organizations:ListAccountsForParent– Allows principals to list the child accounts of a parent OU. -
organizations:DescribeAccount– Allows principals to retrieve information about an account in the organization. -
organizations:DescribeOrganizationalUnit– Allows principals to retrieve information about an OU in the organization. -
organizations:DescribeOrganization– Allows principals to retrieve information about the organization configuration. -
organizations:EnableAWSServiceAccess– Allows principals to enable the Security Hub integration with Organizations. -
organizations:RegisterDelegatedAdministrator– Allows principals to designate the delegated administrator account for Security Hub. -
organizations:DeregisterDelegatedAdministrator– Allows principals to remove the delegated administrator account for Security Hub.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "OrganizationPermissions", "Effect": "Allow", "Action": [ "organizations:ListAccounts", "organizations:DescribeOrganization", "organizations:ListRoots", "organizations:ListDelegatedAdministrators", "organizations:ListAWSServiceAccessForOrganization", "organizations:ListOrganizationalUnitsForParent", "organizations:ListAccountsForParent", "organizations:DescribeAccount", "organizations:DescribeOrganizationalUnit" ], "Resource": "*" }, { "Sid": "OrganizationPermissionsEnable", "Effect": "Allow", "Action": "organizations:EnableAWSServiceAccess", "Resource": "*", "Condition": { "StringEquals": { "organizations:ServicePrincipal": "securityhub.amazonaws.com" } } }, { "Sid": "OrganizationPermissionsDelegatedAdmin", "Effect": "Allow", "Action": [ "organizations:RegisterDelegatedAdministrator", "organizations:DeregisterDelegatedAdministrator" ], "Resource": "arn:aws-cn:organizations::*:account/o-*/*", "Condition": { "StringEquals": { "organizations:ServicePrincipal": "securityhub.amazonaws.com" } } } ] }
Amazon managed policy: AWSSecurityHubServiceRolePolicy
You can't attach AWSSecurityHubServiceRolePolicy to your IAM entities.
This policy is attached to a service-linked role that allows Security Hub to perform actions on
your behalf. For more information, see Service-linked roles for
Security Hub.
This policy grants administrative permissions that allow the service-linked role to perform the security checks for Security Hub controls.
Permissions details
This policy includes permissions to do the following:
-
cloudtrail– Retrieve information about CloudTrail trails. -
cloudwatch– Retrieve the current CloudWatch alarms. -
logs– Retrieve the metric filters for CloudWatch logs. -
sns– Retrieve the list of subscriptions to an SNS topic. -
config– Retrieve information about configuration recorders, resources, and Amazon Config rules. Also allows the service-linked role to create and delete Amazon Config rules, and to run evaluations against the rules. -
iam– Get and generate credential reports for accounts. -
organizations– Retrieve account and organizational unit (OU) information for an organization. -
securityhub– Retrieve information about how the Security Hub service, standards, and controls are configured. -
tag– Retrieve information about resource tags.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "SecurityHubServiceRolePermissions", "Effect": "Allow", "Action": [ "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:GetEventSelectors", "cloudwatch:DescribeAlarms", "cloudwatch:DescribeAlarmsForMetric", "logs:DescribeMetricFilters", "sns:ListSubscriptionsByTopic", "config:DescribeConfigurationRecorders", "config:DescribeConfigurationRecorderStatus", "config:DescribeConfigRules", "config:DescribeConfigRuleEvaluationStatus", "config:BatchGetResourceConfig", "config:SelectResourceConfig", "iam:GenerateCredentialReport", "organizations:ListAccounts", "config:PutEvaluations", "tag:GetResources", "iam:GetCredentialReport", "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:ListChildren", "organizations:ListAWSServiceAccessForOrganization", "organizations:DescribeOrganizationalUnit", "securityhub:BatchDisableStandards", "securityhub:BatchEnableStandards", "securityhub:BatchUpdateStandardsControlAssociations", "securityhub:BatchGetSecurityControls", "securityhub:BatchGetStandardsControlAssociations", "securityhub:CreateMembers", "securityhub:DeleteMembers", "securityhub:DescribeHub", "securityhub:DescribeOrganizationConfiguration", "securityhub:DescribeStandards", "securityhub:DescribeStandardsControls", "securityhub:DisassociateFromAdministratorAccount", "securityhub:DisassociateMembers", "securityhub:DisableSecurityHub", "securityhub:EnableSecurityHub", "securityhub:GetEnabledStandards", "securityhub:ListStandardsControlAssociations", "securityhub:ListSecurityControlDefinitions", "securityhub:UpdateOrganizationConfiguration", "securityhub:UpdateSecurityControl", "securityhub:UpdateSecurityHubConfiguration", "securityhub:UpdateStandardsControl", "tag:GetResources" ], "Resource": "*" }, { "Sid": "SecurityHubServiceRoleConfigPermissions", "Effect": "Allow", "Action": [ "config:PutConfigRule", "config:DeleteConfigRule", "config:GetComplianceDetailsByConfigRule" ], "Resource": "arn:aws-cn:config:*:*:config-rule/aws-service-rule/*securityhub*" }, { "Sid": "SecurityHubServiceRoleOrganizationsPermissions", "Effect": "Allow", "Action": [ "organizations:ListDelegatedAdministrators" ], "Resource": "*", "Condition": { "StringEquals": { "organizations:ServicePrincipal": [ "securityhub.amazonaws.com" ] } } } ] }
Security Hub updates to Amazon managed policies
View details about updates to Amazon managed policies for Security Hub since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Security Hub Document history page.
| Change | Description | Date |
|---|---|---|
| AWSSecurityHubFullAccess – Update to an existing policy | Security Hub updated the policy to get pricing details for Amazon Web Services and products. | April 24, 2024 |
| AWSSecurityHubReadOnlyAccess – Update to an existing policy | Security Hub updated this managed policy by adding a Sid field.
|
February 22, 2024 |
| AWSSecurityHubFullAccess – Update to an existing policy | Security Hub updated the policy so it can determine if Amazon GuardDuty and Amazon Inspector are enabled in an account. This helps customers bring together security-related information from multiple Amazon Web Services. | November 16, 2023 |
| AWSSecurityHubOrganizationsAccess – Update to an existing policy | Security Hub updated the policy to grant additional permissions to allow read-only access to Amazon Organizations delegated administrator functionality. This includes details like the root, organizational units (OUs), accounts, organizational structure, and service access. | November 16, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub added the BatchGetSecurityControls, DisassociateFromAdministratorAccount, and
UpdateSecurityControl permissions to read and update customizable security control properties.
|
November 26, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub added the tag:GetResources permission to read resource tags related to findings.
|
November 7, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub added the BatchGetStandardsControlAssociations permission to get information about the
enablement status of a control in a standard.
|
September 27, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub added new permissions to get Amazon Organizations data and read and update Security Hub configurations, including standards and controls. | September 20, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub moved the existing config:DescribeConfigRuleEvaluationStatus permission to
a different statement within the policy. The config:DescribeConfigRuleEvaluationStatus permission is now applied to all
resources.
|
March 17, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy |
Security Hub moved the existing config:PutEvaluations permission to
a different statement within the policy. The config:PutEvaluations permission
is now applied to all resources.
|
July 14, 2021 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub added a new permission to allow the service-linked role to deliver evaluation results to Amazon Config. | June 29, 2021 |
| AWSSecurityHubServiceRolePolicy – Added to the list of managed policies | Added information about the managed policy AWSSecurityHubServiceRolePolicy, which is used by the Security Hub service-linked role. | June 11, 2021 |
| AWSSecurityHubOrganizationsAccess – New policy | Security Hub added a new policy that grants permissions that are needed for the Security Hub integration with Organizations. | March 15, 2021 |
| Security Hub started tracking changes | Security Hub started tracking changes for its Amazon managed policies. | March 15, 2021 |