Deleting and disassociating Security Hub configuration policies - AWS Security Hub

Deleting and disassociating Security Hub configuration policies

The delegated administrator account can delete an AWS Security Hub configuration policy. Alternatively, the delegated administrator account can retain the configuration policy, but disassociate it from specific accounts or organizational units (OUs).

The following section explains both of these options.

Deleting configuration policies

When you delete a configuration policy, it no longer exists for your organization. Target accounts, OUs, and the organization root can no longer use the configuration policy. Targets that were associated with a deleted configuration policy inherit the configuration policy of the closest parent, or become self-managed if the closest parent is self-managed. If you want a target to use a different configuration, you can associate the target with a new configuration policy. For more information, see Creating and associating Security Hub configuration policies.

We recommend creating and associating at least one configuration policy with your organization to provide adequate security coverage.

Before you can delete a configuration policy, you must disassociate the policy from accounts, OUs, or the root to which it currently applies.

Choose your preferred method, and follow the steps to delete a configuration policy.

Console
To delete a configuration policy
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

    Sign in using the credentials of the Security Hub delegated administrator account in the home Region.

  2. In the navigation pane, choose Settings and Configuration.

  3. Choose the Policies tab. Select the configuration policy that you want to delete, and choose Delete. If the configuration policy is still associated with any accounts or OUs, you're prompted to first disassociate the policy from those targets before you can delete it.

  4. Review the confirmation message. Enter confirm, and choose Delete.

API

To delete a configuration policy

Invoke the DeleteConfigurationPolicy API from the Security Hub delegated administrator account in the home Region.

Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to delete. If you receive a ConflictException error, the configuration policy still applies to accounts or OUs in your organization. To resolve the error, disassociate the configuration policy from these accounts or OUs before trying to delete it.

Example API request to delete a configuration policy:

{ "Identifier": "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }
AWS CLI

To delete a configuration policy

Run the delete-configuration-policy command from the Security Hub delegated administrator account in the home Region.

Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to delete. If you receive a ConflictException error, the configuration policy still applies to accounts or OUs in your organization. To resolve the error, disassociate the configuration policy from these accounts or OUs before trying to delete it.

aws securityhub --region us-east-1 delete-configuration-policy \ --identifier "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Disassociating a configuration from accounts and OUs

From the delegated administrator account, you can disassociate a target account, OU, or the root from a configuration policy that currently applies to it or from a self-managed configuration. You can disassociate a target only from an applied configuration, not from an inherited configuration. To change an inherited configuration, you can apply a configuration policy or self-managed behavior to the affected account or OU. You can also apply a new configuration policy, which includes your desired modifications, to the closest parent.

Disassociation doesn't delete a configuration policy. The policy is retained in your account, so you can associate it with other targets in your organization. When disassociation is complete, an affected target inherits the configuration policy or self-managed behavior of the closest parent. If there's no inheritable configuration, a target retains the settings it had prior to disassociation but becomes self-managed.

Choose your preferred method, and follow the steps to disassociate an account, OU, or root from its current configuration.

Console
To disassociate an account or OU from its current configuration
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

    Sign in using the credentials of the Security Hub delegated administrator account in the home Region.

  2. In the navigation pane, choose Settings and Configuration.

  3. On the Organizations tab, select the account, OU, or the root that you want to disassociate from its current configuration. Choose Edit.

  4. On the Define configuration page, for Management, choose Policy applied if you want the delegated administrator to be able to apply policies directly to the target. Choose Inherited if you want the target to inherit the configuration of its closest parent. In either of these cases, the delegated administrator controls settings for the target. Choose Self-managed if you want the account or OU to control its own settings.

  5. After reviewing your changes, choose Next and Apply. This action overrides existing configurations of any accounts or OUs that are in scope, if those configurations conflict with your current selections.

API
To disassociate an account or OU from its current configuration
  1. Invoke the StartConfigurationPolicyDisassociation API from the Security Hub delegated administrator account in the home Region.

  2. For ConfigurationPolicyIdentifier, provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to disassociate. Provide SELF_MANAGED_SECURITY_HUB for this field to disassociate self-managed behavior.

  3. For Target, provide the accounts, OUs, or the root that you want to dissociate from this configuration policy.

Example API request to disassociate a configuration policy:

{ "ConfigurationPolicyIdentifier": "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Target": {"RootId": "r-f6g7h8i9j0example"} }
AWS CLI
To disassociate an account or OU from its current configuration
  1. Run the start-configuration-policy-disassociation command from the Security Hub delegated administrator account in the home Region.

  2. For configuration-policy-identifier, provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to disassociate. Provide SELF_MANAGED_SECURITY_HUB for this field to disassociate self-managed behavior.

  3. For target, provide the accounts, OUs, or the root that you want to dissociate from this configuration policy.

Example command to disassociate a configuration policy:

aws securityhub --region us-east-1 start-configuration-policy-disassociation \ --configuration-policy-identifier "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \ --target '{"RootId": "r-f6g7h8i9j0example"}'