Removing tags from Security Hub CSPM resources - Amazon Security Hub

Removing tags from Security Hub CSPM resources

If you add tags to an Amazon Security Hub Cloud Security Posture Management (CSPM) resource, you can subsequently remove one or more of them. A tag is a label that you define and assign to Amazon resources, including certain types of Security Hub CSPM resources. You can add, edit, and remove tags from the following types of Security Hub CSPM resources: automation rules, configuration policies, and the Hub resource.

To remove tags from an individual Amazon Security Hub Cloud Security Posture Management (CSPM) resource, you can use the Security Hub CSPM API. The Security Hub CSPM console currently doesn't support tag removal.

To remove tags from multiple Security Hub CSPM resources at the same time, use the tagging operations of the Amazon Resource Groups Tagging API.

Important

Removing tags from a resource can affect access to the resource. Before you remove a tag, review any Amazon Identity and Access Management (IAM) policies that might use the tag to control access to resources.
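One way to carry out that review offline is sketched below as an added example, not part of the original documentation. It scans an IAM policy document for statements whose conditions depend on the tag keys you plan to remove. The function name, the sample policy and its Sids are constructed for illustration. Matching is deliberately case-insensitive, so the check over-reports rather than misses a dependency.

```python
import json

def _as_list(value):
    # IAM accepts either a single item or a list in most positions.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def statements_using_tags(policy_document, tag_keys):
    """Return (sid, effect, condition_key) for each statement whose Condition
    block depends on any of tag_keys (hypothetical helper for this example)."""
    wanted = {k.lower() for k in tag_keys}
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    hits = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{index}]")
        for operator_block in stmt.get("Condition", {}).values():
            for cond_key, cond_values in operator_block.items():
                # Drop the "aws:" or service prefix; key names are compared lowercased.
                name = cond_key.lower().split(":", 1)[-1]
                if name.startswith(("resourcetag/", "requesttag/")):
                    matched = name.split("/", 1)[1] in wanted
                elif name == "tagkeys":
                    # aws:TagKeys carries the tag keys as condition values.
                    matched = any(str(v).lower() in wanted for v in _as_list(cond_values))
                else:
                    matched = False
                if matched:
                    hits.append((sid, stmt.get("Effect"), cond_key))
    return hits

# Constructed sample policy, not taken from any real account.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EditProdPolicies", "Effect": "Allow",
         "Action": "securityhub:UpdateConfigurationPolicy", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "Production"}}},
        {"Sid": "ProtectOwnerTag", "Effect": "Deny",
         "Action": "securityhub:UntagResource", "Resource": "*",
         "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["Owner"]}}},
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": "securityhub:Get*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, effect, key in statements_using_tags(SAMPLE_POLICY, ["Environment", "Owner"]):
        print(f"{sid}: {effect} depends on {key}")
```

A statement reported with an Allow effect stops matching once the tag is removed, and one with a Deny effect stops blocking, so review both kinds before you untag.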

Security Hub CSPM API

To remove tags from a Security Hub CSPM resource (API)

To remove one or more tags from a resource programmatically, use the UntagResource operation of the Security Hub CSPM API. In your request, use the resourceArn parameter to specify the Amazon Resource Name (ARN) of the resource to remove a tag from. Use the tagKeys parameter to specify the tag key of the tag to remove. To remove multiple tags, append the tagKeys parameter and argument for each tag to remove, separated by an ampersand (&)—for example, tagKeys=key1&tagKeys=key2. To remove only a specific tag value (not a tag key) from a resource, edit the tag instead of removing the tag.

If you're using the Amazon CLI, run the untag-resource command to remove one or more tags from a resource. For the resource-arn parameter, specify the ARN of the resource to remove a tag from. Use the tag-keys parameter to specify the tag key of the tag to remove. For example, the following command removes the Environment tag (both the tag key and tag value) from the specified configuration policy:

$ aws securityhub untag-resource \
--resource-arn arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
--tag-keys Environment

Where resource-arn specifies the ARN of the configuration policy to remove a tag from, and Environment is the tag key of the tag to remove.

To remove multiple tags from a resource, add each additional tag key as an argument for the tag-keys parameter. For example:

$ aws securityhub untag-resource \
--resource-arn arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
--tag-keys Environment Owner

If the operation succeeds, Security Hub CSPM returns an empty HTTP 200 response. Otherwise, Security Hub CSPM returns an HTTP 4xx or 500 response that indicates why the operation failed.