Deleting and disassociating configuration policies - AWS Security Hub
Deleting configuration policiesDisassociating a configuration from its targets

Deleting and disassociating configuration policies

After creating a configuration policy, the delegated AWS Security Hub administrator can delete it. Alternatively, the delegated administrator can retain the policy, but disassociate it from specific accounts or organizational units (OUs), or from the root.

For background information about the benefits of central configuration and how it works, see Understanding central configuration in Security Hub.

This section explains how to delete or disassociate configuration policies.

Deleting configuration policies

When you delete a configuration policy, it no longer exists for your organization. Target accounts, OUs, and the organization root can no longer use the configuration policy. Targets that were associated with a deleted configuration policy inherit the configuration policy of the closest parent, or become self-managed if the closest parent is self-managed. If you want a target to use a different configuration, you can associate the target with a new configuration policy. For more information, see Creating and associating configuration policies.

We recommend creating and associating at least one configuration policy with your organization to provide adequate security coverage.

Before you can delete a configuration policy, you must disassociate the policy from accounts, OUs, or the root to which it currently applies.

Choose your preferred method, and follow the steps to delete a configuration policy.

Console
To delete a configuration policy

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

    Sign in using the credentials of the Security Hub delegated administrator account in the home Region.

  2. In the navigation pane, choose Settings and Configuration.

  3. Choose the Policies tab. Select the configuration policy that you want to delete, and choose Delete. If the configuration policy is still associated with any accounts or OUs, you're prompted to first disassociate the policy from those targets before you can delete it.

  4. Review the confirmation message. Enter confirm, and choose Delete.

API

To delete a configuration policy

Invoke the DeleteConfigurationPolicy API from the Security Hub delegated administrator account in the home Region.

Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to delete. If you receive a ConflictException error, the configuration policy still applies to accounts or OUs in your organization. To resolve the error, disassociate the configuration policy from these accounts or OUs before trying to delete it.

Example API request to delete a configuration policy:

{
    "Identifier": "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
AWS CLI

To delete a configuration policy

Run the delete-configuration-policy command from the Security Hub delegated administrator account in the home Region.

Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to delete. If you receive a ConflictException error, the configuration policy still applies to accounts or OUs in your organization. To resolve the error, disassociate the configuration policy from these accounts or OUs before trying to delete it.

aws securityhub --region us-east-1 delete-configuration-policy \
--identifier "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Disassociating a configuration from its targets

From the delegated administrator account, you can disassociate a configuration policy or self-managed configuration from an account, OU, or root. You can disassociate only a directly applied configuration, not an inherited configuration. To change an inherited configuration, you can apply a configuration policy or self-managed behavior to the affected account or OU. You can also apply a new configuration policy, which includes your desired modifications, to the closest parent.

Disassociation doesn't delete a configuration policy. The policy is retained in your account, so you can associate it with other targets in your organization. When disassociation is complete, an affected target inherits the configuration policy or self-managed behavior of the closest parent. If there's no inheritable configuration, a target retains the settings it had prior to disassociation but becomes self-managed.

Choose your preferred method, and follow the steps to disassociate an account, OU, or root from its current configuration.

Console
To disassociate an account or OU from its current configuration

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

    Sign in using the credentials of the Security Hub delegated administrator account in the home Region.

  2. In the navigation pane, choose Settings and Configuration.

  3. On the Organizations tab, select the account, OU, or the root that you want to disassociate from its current configuration. Choose Edit.

  4. On the Define configuration page, for Management, choose Policy applied if you want the delegated administrator to be able to apply policies directly to the target. Choose Inherited if you want the target to inherit the configuration of its closest parent. In either of these cases, the delegated administrator controls settings for the target. Choose Self-managed if you want the account or OU to control its own settings.

  5. After reviewing your changes, choose Next and Apply. This action overrides existing configurations of any accounts or OUs that are in scope, if those configurations conflict with your current selections.

API
To disassociate an account or OU from its current configuration

  1. Invoke the StartConfigurationPolicyDisassociation API from the Security Hub delegated administrator account in the home Region.

  2. For ConfigurationPolicyIdentifier, provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to disassociate. Provide SELF_MANAGED_SECURITY_HUB for this field to disassociate self-managed behavior.

  3. For Target, provide the accounts, OUs, or the root that you want to dissociate from this configuration policy.

Example API request to disassociate a configuration policy:

{
    "ConfigurationPolicyIdentifier": "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Target": {"RootId": "r-f6g7h8i9j0example"}
}
AWS CLI
To disassociate an account or OU from its current configuration

  1. Run the start-configuration-policy-disassociation command from the Security Hub delegated administrator account in the home Region.

  2. For configuration-policy-identifier, provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to disassociate. Provide SELF_MANAGED_SECURITY_HUB for this field to disassociate self-managed behavior.

  3. For target, provide the accounts, OUs, or the root that you want to dissociate from this configuration policy.

Example command to disassociate a configuration policy:

aws securityhub --region us-east-1 start-configuration-policy-disassociation \
--configuration-policy-identifier "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
--target '{"RootId": "r-f6g7h8i9j0example"}'