Updating Security Hub configuration policies - AWS Security Hub

Updating Security Hub configuration policies

The delegated administrator account can update AWS Security Hub configuration policies as needed. The delegated administrator can update policy settings, the accounts or OUs with which a policy is associated, or both. When policy settings are updated, accounts that are associated with the configuration policy automatically start using the updated policy.

Similar to when you created the configuration policy, you can update the following policy settings:

  • Enable or disable Security Hub.

  • Enable one or more security standards.

  • Indicate which security controls are enabled across enabled standards. You can do this by providing a list of specific controls that should be enabled, and Security Hub disables all other controls, including new controls when they are released. Alternatively, you can provide a list of specific controls that should be disabled, and Security Hub enables all other controls, including new controls when they are released.

  • Optionally, customize parameters for select enabled controls across enabled standards.

Choose your preferred method, and follow the steps to update a configuration policy.

Console
To update configuration policies
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

    Sign in using the credentials of the Security Hub delegated administrator account in the home Region.

  2. In the navigation pane, choose Settings and Configuration.

  3. Choose the Policies tab.

  4. Select the configuration policy that you want to edit, and choose Edit. If desired, edit the policy settings. Leave this section as is if you want to keep the policy settings unchanged.

  5. Choose Next.If desired, edit the policy associations. Leave this section as is if you want to keep the policy associations unchanged.

  6. Choose Next.

  7. Review your changes, and choose Save and apply. In your home Region and linked Regions, this action overrides the existing configuration settings of accounts that are associated with this configuration policy. Accounts may be associated with a configuration policy through application, or inheritance from a parent node.

API
To update configuration policies
  1. To update the settings in a configuration policy, invoke the UpdateConfigurationPolicy API from the Security Hub delegated administrator account in the home Region.

  2. Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to update.

  3. Provide updated values for the fields under ConfigurationPolicy. Optionally, you can also provide a reason for the update.

  4. To add new associations for this configuration policy, invoke the StartConfigurationPolicyAssociation API from the Security Hub delegated administrator account in the home Region. To remove one or more current associations, invoke the StartConfigurationPolicyDisassociation API from the Security Hub delegated administrator account in the home Region.

  5. For the ConfigurationPolicyIdentifier field, provide the ARN or ID of the configuration policy whose associations you want to update.

  6. For the Target field, provide the accounts, OUs, or root ID that you want to associate or disassociate. This action overrides previous policy associations for the specified OUs or accounts.

Note

When you invoke the UpdateConfigurationPolicy API, Security Hub performs a full list replacement for the EnabledStandardIdentifiers, EnabledSecurityControlIdentifiers, DisabledSecurityControlIdentifiers, and SecurityControlCustomParameters fields. Each time you invoke this API, provide the full list of standards that you want to enable and the full list of controls that you want to enable or disable and customize parameters for.

Example API request to update a configuration policy:

{ "Identifier": "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Description": "Updated configuration policy", "UpdatedReason": "Disabling CloudWatch.1", "ConfigurationPolicy": { "SecurityHub": { "ServiceEnabled": true, "EnabledStandardIdentifiers": [ "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" ], "SecurityControlsConfiguration": { "DisabledSecurityControlIdentifiers": [ "CloudTrail.2", "CloudWatch.1" ], "SecurityControlCustomParameters": [ { "SecurityControlId": "ACM.1", "Parameters": { "daysToExpiration": { "ValueType": "CUSTOM", "Value": { "Integer": 15 } } } } ] } } } }
AWS CLI
To update configuration policies
  1. To update the settings in a configuration policy, run the update-configuration-policy command from the Security Hub delegated administrator account in the home Region.

  2. Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to update.

  3. Provide updated values for the fields under configuration-policy. Optionally, you can also provide a reason for the update.

  4. To add new associations for this configuration policy, run the start-configuration-policy-association command from the Security Hub delegated administrator account in the home Region. To remove one or more current associations, run the start-configuration-policy-disassociation command from the Security Hub delegated administrator account in the home Region.

  5. For the configuration-policy-identifier field, provide the ARN or ID of the configuration policy whose associations you want to update.

  6. For the target field, provide the accounts, OUs, or root ID that you want to associate or disassociate. This action overrides previous policy associations for the specified OUs or accounts.

Note

When you run the update-configuration-policy command, Security Hub performs a full list replacement for the EnabledStandardIdentifiers, EnabledSecurityControlIdentifiers, DisabledSecurityControlIdentifiers, and SecurityControlCustomParameters fields. Each time you run this command, provide the full list of standards that you want to enable and the full list of controls that you want to enable or disable and customize parameters for.

Example command to update a configuration policy:

aws securityhub update-configuration-policy \ --region us-east-1 \ --identifier "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \ --description "Updated configuration policy" \ --updated-reason "Disabling CloudWatch.1" \ --configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2","CloudWatch.1"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}'

The StartConfigurationPolicyAssociation API returns a field called AssociationStatus. This field tells you whether a policy association is pending or in a state of success or failure. It can take up to 24 hours for the status to change from PENDING to SUCCESS or FAILURE. For more information about association status, see Association status of a configuration.