AWS managed policies for AWS Security Hub

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: AWSSecurityHubFullAccess

You can attach the AWSSecurityHubFullAccess policy to your IAM identities.

This policy grants administrative permissions that allow a principal full access to all Security Hub actions. A principal needs this policy attached before manually enabling Security Hub for their account. For example, principals with these permissions can both view and update the status of findings. They can configure custom insights and enable integrations. They can enable and disable standards and controls. Principals in an administrator account can also manage member accounts.

Permissions details

This policy includes the following permissions.

  • securityhub – Allows principals full access to all Security Hub actions.

  • guardduty – Allows principals to get information about account status in Amazon GuardDuty.

  • iam – Allows principals to create a service-linked role.

  • inspector – Allows principals to get information about account status in Amazon Inspector.

  • pricing – Allows principals to get a price list of AWS services and products.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecurityHubAllowAll",
            "Effect": "Allow",
            "Action": "securityhub:*",
            "Resource": "*"
        },
        {
            "Sid": "SecurityHubServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "securityhub.amazonaws.com"
                }
            }
        },
        {
            "Sid": "OtherServicePermission",
            "Effect": "Allow",
            "Action": [
                "guardduty:GetDetector",
                "guardduty:ListDetectors",
                "inspector2:BatchGetAccountStatus",
                "pricing:GetProducts"
            ],
            "Resource": "*"
        }
    ]
}

AWS managed policy: AWSSecurityHubReadOnlyAccess

You can attach the AWSSecurityHubReadOnlyAccess policy to your IAM identities.

This policy grants read-only permissions that allow users to view information in Security Hub. Principals with this policy attached cannot make any updates in Security Hub. For example, principals with these permissions can view the list of findings associated with their account, but cannot change the status of a finding. They can view the results of insights, but cannot create or configure custom insights. They cannot configure controls or product integrations.

Permissions details

This policy includes the following permissions.

  • securityhub – Allows users to perform actions that return either a list of items or details about an item. This includes API operations that start with Get, List, or Describe.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSSecurityHubReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "securityhub:Get*",
                "securityhub:List*",
                "securityhub:BatchGet*",
                "securityhub:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
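To see concretely what separates the full-access and read-only policies above, and how the iam:AWSServiceName condition confines the service-linked-role grant, the following added example (not AWS code or an AWS tool) evaluates both policy documents against individual actions. It is a deliberately minimal evaluator: it supports only the statement features these two policies actually use, and the helper names allows and extra_actions are this example's own.

```python
"""Allow-only evaluator for the managed policies shown on this page (added example,
not AWS code). Covers Action as string or list, "*" wildcards and StringEquals /
StringLike conditions; Deny, NotAction, resource matching and other operators are out of scope."""
from fnmatch import fnmatchcase
# AWSSecurityHubFullAccess and AWSSecurityHubReadOnlyAccess, transcribed from the page.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SecurityHubAllowAll", "Effect": "Allow",
     "Action": "securityhub:*", "Resource": "*"},
    {"Sid": "SecurityHubServiceLinkedRole", "Effect": "Allow",
     "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringLike": {"iam:AWSServiceName": "securityhub.amazonaws.com"}}},
    {"Sid": "OtherServicePermission", "Effect": "Allow",
     "Action": ["guardduty:GetDetector", "guardduty:ListDetectors",
                "inspector2:BatchGetAccountStatus", "pricing:GetProducts"],
     "Resource": "*"}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSSecurityHubReadOnlyAccess", "Effect": "Allow",
     "Action": ["securityhub:Get*", "securityhub:List*",
                "securityhub:BatchGet*", "securityhub:Describe*"],
     "Resource": "*"}]}

_OPS = {"StringEquals": lambda have, want: have == want,  # operators used on this page;
        "StringLike": lambda have, want: fnmatchcase(have, want)}  # unknown op raises KeyError

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_met(cond, context):
    # Every operator/key pair must hold; a key absent from the request context fails.
    return all(context.get(key) is not None and
               any(_OPS[op](context[key], w) for w in _as_list(want))
               for op, pairs in cond.items() for key, want in pairs.items())

def allows(policy, action, context=None):
    """True if an Allow statement matches `action` (IAM matches case-insensitively)
    and its Condition, if any, holds for the request context."""
    context = context or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(st["Action"])):
            continue
        if _condition_met(st.get("Condition", {}), context):
            return True
    return False

def extra_actions(policy, baseline, candidates):
    """Actions in `candidates` that `policy` grants but `baseline` does not."""
    return sorted(a for a in candidates if allows(policy, a) and not allows(baseline, a))
```

Running extra_actions(FULL_ACCESS, READ_ONLY, ...) over the Security Hub actions a workload actually calls is a quick way to see what a tighter customer managed policy, as recommended above, would need to drop.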

AWS managed policy: AWSSecurityHubOrganizationsAccess

You can attach the AWSSecurityHubOrganizationsAccess policy to your IAM identities.

This policy grants administrative permissions in AWS Organizations that are required to support the Security Hub integration with Organizations.

These permissions allow the organization management account to designate the delegated administrator account for Security Hub. They also allow the delegated Security Hub administrator account to enable organization accounts as member accounts.

This policy only provides the permissions for Organizations. The organization management account and delegated Security Hub administrator account also require permissions for the associated actions in Security Hub. These permissions can be granted using the AWSSecurityHubFullAccess managed policy.

Permissions details

This policy includes the following permissions.

  • organizations:ListAccounts – Allows principals to retrieve the list of accounts that are part of an organization.

  • organizations:DescribeOrganization – Allows principals to retrieve information about the organization.

  • organizations:ListRoots – Allows principals to list the root of an organization.

  • organizations:ListDelegatedAdministrators – Allows principals to list the delegated administrator of an organization.

  • organizations:ListAWSServiceAccessForOrganization – Allows principals to list the AWS services that an organization uses.

  • organizations:ListOrganizationalUnitsForParent – Allows principals to list the child organizational units (OU) of a parent OU.

  • organizations:ListAccountsForParent – Allows principals to list the child accounts of a parent OU.

  • organizations:DescribeAccount – Allows principals to retrieve information about an account in the organization.

  • organizations:DescribeOrganizationalUnit – Allows principals to retrieve information about an OU in the organization.

  • organizations:DescribeOrganization – Allows principals to retrieve information about the organization configuration.

  • organizations:EnableAWSServiceAccess – Allows principals to enable the Security Hub integration with Organizations.

  • organizations:RegisterDelegatedAdministrator – Allows principals to designate the delegated administrator account for Security Hub.

  • organizations:DeregisterDelegatedAdministrator – Allows principals to remove the delegated administrator account for Security Hub.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrganizationPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:DescribeOrganization",
                "organizations:ListRoots",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListAccountsForParent",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganizationalUnit"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OrganizationPermissionsEnable",
            "Effect": "Allow",
            "Action": "organizations:EnableAWSServiceAccess",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": "securityhub.amazonaws.com"
                }
            }
        },
        {
            "Sid": "OrganizationPermissionsDelegatedAdmin",
            "Effect": "Allow",
            "Action": [
                "organizations:RegisterDelegatedAdministrator",
                "organizations:DeregisterDelegatedAdministrator"
            ],
            "Resource": "arn:aws:organizations::*:account/o-*/*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": "securityhub.amazonaws.com"
                }
            }
        }
    ]
}

AWS managed policy: AWSSecurityHubServiceRolePolicy

You can't attach AWSSecurityHubServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Security Hub to perform actions on your behalf. For more information, see Service-linked roles for Security Hub.

This policy grants administrative permissions that allow the service-linked role to perform the security checks for Security Hub controls.

Permissions details

This policy includes permissions to do the following:

  • cloudtrail – Retrieve information about CloudTrail trails.

  • cloudwatch – Retrieve the current CloudWatch alarms.

  • logs – Retrieve the metric filters for CloudWatch logs.

  • sns – Retrieve the list of subscriptions to an SNS topic.

  • config – Retrieve information about configuration recorders, resources, and AWS Config rules. Also allows the service-linked role to create and delete AWS Config rules, and to run evaluations against the rules.

  • iam – Get and generate credential reports for accounts.

  • organizations – Retrieve account and organizational unit (OU) information for an organization.

  • securityhub – Retrieve information about how the Security Hub service, standards, and controls are configured.

  • tag – Retrieve information about resource tags.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecurityHubServiceRolePermissions",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetEventSelectors",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "logs:DescribeMetricFilters",
                "sns:ListSubscriptionsByTopic",
                "config:DescribeConfigurationRecorders",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeConfigRules",
                "config:DescribeConfigRuleEvaluationStatus",
                "config:BatchGetResourceConfig",
                "config:SelectResourceConfig",
                "iam:GenerateCredentialReport",
                "organizations:ListAccounts",
                "config:PutEvaluations",
                "tag:GetResources",
                "iam:GetCredentialReport",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:ListChildren",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:DescribeOrganizationalUnit",
                "securityhub:BatchDisableStandards",
                "securityhub:BatchEnableStandards",
                "securityhub:BatchUpdateStandardsControlAssociations",
                "securityhub:BatchGetSecurityControls",
                "securityhub:BatchGetStandardsControlAssociations",
                "securityhub:CreateMembers",
                "securityhub:DeleteMembers",
                "securityhub:DescribeHub",
                "securityhub:DescribeOrganizationConfiguration",
                "securityhub:DescribeStandards",
                "securityhub:DescribeStandardsControls",
                "securityhub:DisassociateFromAdministratorAccount",
                "securityhub:DisassociateMembers",
                "securityhub:DisableSecurityHub",
                "securityhub:EnableSecurityHub",
                "securityhub:GetEnabledStandards",
                "securityhub:ListStandardsControlAssociations",
                "securityhub:ListSecurityControlDefinitions",
                "securityhub:UpdateOrganizationConfiguration",
                "securityhub:UpdateSecurityControl",
                "securityhub:UpdateSecurityHubConfiguration",
                "securityhub:UpdateStandardsControl",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SecurityHubServiceRoleConfigPermissions",
            "Effect": "Allow",
            "Action": [
                "config:PutConfigRule",
                "config:DeleteConfigRule",
                "config:GetComplianceDetailsByConfigRule"
            ],
            "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
        },
        {
            "Sid": "SecurityHubServiceRoleOrganizationsPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:ListDelegatedAdministrators"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "organizations:ServicePrincipal": [
                        "securityhub.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Security Hub updates to AWS managed policies

View details about updates to AWS managed policies for Security Hub since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Security Hub Document history page.

| Change | Description | Date |
| --- | --- | --- |
| AWSSecurityHubFullAccess – Update to an existing policy | Security Hub updated the policy to get pricing details for AWS services and products. | April 24, 2024 |
| AWSSecurityHubReadOnlyAccess – Update to an existing policy | Security Hub updated this managed policy by adding a Sid field. | February 22, 2024 |
| AWSSecurityHubFullAccess – Update to an existing policy | Security Hub updated the policy so it can determine if Amazon GuardDuty and Amazon Inspector are enabled in an account. This helps customers bring together security-related information from multiple AWS services. | November 16, 2023 |
| AWSSecurityHubOrganizationsAccess – Update to an existing policy | Security Hub updated the policy to grant additional permissions to allow read-only access to AWS Organizations delegated administrator functionality. This includes details like the root, organizational units (OUs), accounts, organizational structure, and service access. | November 16, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub added the BatchGetSecurityControls, DisassociateFromAdministratorAccount, and UpdateSecurityControl permissions to read and update customizable security control properties. | November 26, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub added the tag:GetResources permission to read resource tags related to findings. | November 7, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub added the BatchGetStandardsControlAssociations permission to get information about the enablement status of a control in a standard. | September 27, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub added new permissions to get AWS Organizations data and read and update Security Hub configurations, including standards and controls. | September 20, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub moved the existing config:DescribeConfigRuleEvaluationStatus permission to a different statement within the policy. The config:DescribeConfigRuleEvaluationStatus permission is now applied to all resources. | March 17, 2023 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub moved the existing config:PutEvaluations permission to a different statement within the policy. The config:PutEvaluations permission is now applied to all resources. | July 14, 2021 |
| AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub added a new permission to allow the service-linked role to deliver evaluation results to AWS Config. | June 29, 2021 |
| AWSSecurityHubServiceRolePolicy – Added to the list of managed policies | Added information about the managed policy AWSSecurityHubServiceRolePolicy, which is used by the Security Hub service-linked role. | June 11, 2021 |
| AWSSecurityHubOrganizationsAccess – New policy | Security Hub added a new policy that grants permissions that are needed for the Security Hub integration with Organizations. | March 15, 2021 |
| Security Hub started tracking changes | Security Hub started tracking changes for its AWS managed policies. | March 15, 2021 |