Updating Security Hub configuration policies

The delegated administrator account can update Amazon Security Hub configuration policies as needed. The delegated administrator can update policy settings, the accounts or OUs with which a policy is associated, or both. When policy settings are updated, accounts that are associated with the configuration policy automatically start using the updated policy.

Similar to when you created the configuration policy, you can update the following policy settings:

Enable or disable Security Hub.
Enable one or more security standards.
Indicate which security controls are enabled across enabled standards. You can do this by providing a list of specific controls that should be enabled, and Security Hub disables all other controls, including new controls when they are released. Alternatively, you can provide a list of specific controls that should be disabled, and Security Hub enables all other controls, including new controls when they are released.
Optionally, customize parameters for select enabled controls across enabled standards.

Choose your preferred method, and follow the steps to update a configuration policy.

If you use central configuration, Security Hub automatically disables controls that involve global resources in all Regions except the home Region. Other controls that you choose to enable though a configuration policy are enabled in all Regions where they are available. To limit findings for these controls to just one Region, you can update your Amazon Config recorder settings and turn off global resource recording in all Regions except the home Region. When you use central configuration, you lack coverage for a control that isn't available in the home Region or any of the linked Regions. For a list of controls that involve global resources, see Controls that use global resources.

Console

To update configuration policies

Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

Sign in using the credentials of the Security Hub delegated administrator account in the home Region.
In the navigation pane, choose Settings and Configuration.
Choose the Policies tab.
Select the configuration policy that you want to edit, and choose Edit. If desired, edit the policy settings. Leave this section as is if you want to keep the policy settings unchanged.
Choose Next.If desired, edit the policy associations. Leave this section as is if you want to keep the policy associations unchanged. You can associate or disassociate the policy with a maximum of 15 targets (accounts, OUs, or root) when you update it.
Choose Next.
Review your changes, and choose Save and apply. In your home Region and linked Regions, this action overrides the existing configuration settings of accounts that are associated with this configuration policy. Accounts may be associated with a configuration policy through application, or inheritance from a parent node.

API

To update configuration policies

To update the settings in a configuration policy, invoke the UpdateConfigurationPolicy API from the Security Hub delegated administrator account in the home Region.
Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to update.
Provide updated values for the fields under ConfigurationPolicy. Optionally, you can also provide a reason for the update.
To add new associations for this configuration policy, invoke the StartConfigurationPolicyAssociation API from the Security Hub delegated administrator account in the home Region. To remove one or more current associations, invoke the StartConfigurationPolicyDisassociation API from the Security Hub delegated administrator account in the home Region.
For the ConfigurationPolicyIdentifier field, provide the ARN or ID of the configuration policy whose associations you want to update.
For the Target field, provide the accounts, OUs, or root ID that you want to associate or disassociate. This action overrides previous policy associations for the specified OUs or accounts.

Note

When you invoke the UpdateConfigurationPolicy API, Security Hub performs a full list replacement for the EnabledStandardIdentifiers, EnabledSecurityControlIdentifiers, DisabledSecurityControlIdentifiers, and SecurityControlCustomParameters fields. Each time you invoke this API, provide the full list of standards that you want to enable and the full list of controls that you want to enable or disable and customize parameters for.

Example API request to update a configuration policy:


{
    "Identifier": "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Description": "Updated configuration policy",
    "UpdatedReason": "Disabling CloudWatch.1",
    "ConfigurationPolicy": {
        "SecurityHub": {
             "ServiceEnabled": true,
             "EnabledStandardIdentifiers": [
                    "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                    "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" 
                ],
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": [
                    "CloudTrail.2",
                    "CloudWatch.1"
                ],
                "SecurityControlCustomParameters": [
                    {
                        "SecurityControlId": "ACM.1",
                        "Parameters": {
                            "daysToExpiration": {
                                "ValueType": "CUSTOM",
                                "Value": {
                                    "Integer": 15
                                }
                            }
                        }
                    }
                ]
            }
        }
    }
}

Amazon CLI

To update configuration policies

To update the settings in a configuration policy, run the update-configuration-policy command from the Security Hub delegated administrator account in the home Region.
Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to update.
Provide updated values for the fields under configuration-policy. Optionally, you can also provide a reason for the update.
To add new associations for this configuration policy, run the start-configuration-policy-association command from the Security Hub delegated administrator account in the home Region. To remove one or more current associations, run the start-configuration-policy-disassociation command from the Security Hub delegated administrator account in the home Region.
For the configuration-policy-identifier field, provide the ARN or ID of the configuration policy whose associations you want to update.
For the target field, provide the accounts, OUs, or root ID that you want to associate or disassociate. This action overrides previous policy associations for the specified OUs or accounts.

Note

When you run the update-configuration-policy command, Security Hub performs a full list replacement for the EnabledStandardIdentifiers, EnabledSecurityControlIdentifiers, DisabledSecurityControlIdentifiers, and SecurityControlCustomParameters fields. Each time you run this command, provide the full list of standards that you want to enable and the full list of controls that you want to enable or disable and customize parameters for.

Example command to update a configuration policy:


aws securityhub update-configuration-policy \
--region us-east-1 \
--identifier "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
--description "Updated configuration policy" \
--updated-reason "Disabling CloudWatch.1" \
--configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2","CloudWatch.1"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}'

The StartConfigurationPolicyAssociation API returns a field called AssociationStatus. This field tells you whether a policy association is pending or in a state of success or failure. It can take up to 24 hours for the status to change from PENDING to SUCCESS or FAILURE. For more information about association status, see Association status of a configuration.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Viewing configuration policies

Deleting and disassociating configuration policies