Viewing Security Hub configuration policies
The delegated administrator account can view AWS Security Hub configuration policies for an organization and their details.
Choose your preferred method, and follow the steps to view your configuration policies.
Association status of a configuration
The following central configuration API operations return a field called AssociationStatus:
BatchGetConfigurationPolicyAssociations
GetConfigurationPolicyAssociation
ListConfigurationPolicyAssociations
StartConfigurationPolicyAssociation
This field is returned both when the underlying configuration is a configuration policy and when it's self-managed behavior. The value of AssociationStatus tells you whether a policy association is pending or in a state of success or failure. It can take up to 24 hours for the status to change from PENDING to SUCCESS or FAILED. The association status of a parent OU or the root depends on the status of its children. If the association status of all the children is SUCCESS, the association status of the parent is SUCCESS. If the association status of one or more children is FAILED, the association status of the parent is FAILED.
The value of AssociationStatus also depends on all Regions. If the association succeeds in the home Region and all linked Regions, the value of AssociationStatus is SUCCESS. If the association fails in one or more of these Regions, the value of AssociationStatus is FAILED.
The following behavior also impacts the value of AssociationStatus:
If the target is a parent OU or the root, it has an AssociationStatus of SUCCESS or FAILED only when all of the children have a SUCCESS or FAILED status. If the association status of a child account or OU changes (for example, when a linked Region is added or removed) after you first associate the parent with a configuration, the change doesn't update the association status of the parent unless you invoke the StartConfigurationPolicyAssociation API again.
If the target is an account, it has an AssociationStatus of SUCCESS or FAILED only if the association has a result of SUCCESS or FAILED in the home Region and all linked Regions. If the association status of a target account changes (for example, when a linked Region is added or removed) after you first associate it with a configuration, its association status is updated. However, the change doesn't update the association status of the parent unless you invoke the StartConfigurationPolicyAssociation API again.
If you add a new linked Region, Security Hub replicates your existing associations that are in a PENDING, SUCCESS, or FAILED state in the new Region.
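The roll-up rules above (account status from its home and linked Regions, OU and root status from their children, a parent settling only once every child has settled) are easy to misread, so here is a small Python model of them. This is an added example, not code from the Security Hub documentation or the AWS SDK. The organization tree, per-Region results and the association summaries are constructed data; field names other than AssociationStatus (TargetType, TargetId, AssociationStatusMessage) are assumed from the shape of the ListConfigurationPolicyAssociations response rather than taken from this page.

```python
"""Added example (not from the Security Hub documentation): a model of the
AssociationStatus roll-up rules, plus a triage helper for association summaries.
Field names other than AssociationStatus are assumed; all data is constructed."""
from typing import Dict, Iterable, List, Tuple

SUCCESS, FAILED, PENDING = "SUCCESS", "FAILED", "PENDING"


def aggregate_status(statuses: Iterable[str]) -> str:
    """Roll up a set of results into one status.

    Used both for a parent OU/root over its children and for an account over
    its home and linked Regions. Rules from the page: the parent settles to
    SUCCESS or FAILED only once every child has settled; one or more FAILED
    children make the parent FAILED; all SUCCESS makes it SUCCESS.
    """
    statuses = list(statuses)
    if not statuses:
        raise ValueError("nothing to aggregate")
    if any(s == PENDING for s in statuses):
        return PENDING
    if any(s == FAILED for s in statuses):
        return FAILED
    if all(s == SUCCESS for s in statuses):
        return SUCCESS
    raise ValueError(f"unexpected status values: {statuses}")


# Constructed organization: root -> two OUs -> three member accounts.
CHILDREN: Dict[str, List[str]] = {
    "r-example": ["ou-a", "ou-b"],
    "ou-a": ["111111111111", "222222222222"],
    "ou-b": ["333333333333"],
}

# Constructed per-Region results per account (home Region plus one linked Region).
ACCOUNT_REGION_RESULTS: Dict[str, Dict[str, str]] = {
    "111111111111": {"us-east-1": SUCCESS, "eu-west-1": SUCCESS},
    "222222222222": {"us-east-1": SUCCESS, "eu-west-1": FAILED},   # e.g. opt-in Region not enabled
    "333333333333": {"us-east-1": SUCCESS, "eu-west-1": PENDING},  # newly added linked Region
}


def account_statuses(region_results=ACCOUNT_REGION_RESULTS) -> Dict[str, str]:
    """Account status = roll-up of its results across home and linked Regions."""
    return {acct: aggregate_status(r.values()) for acct, r in region_results.items()}


def rollup(target: str, children=CHILDREN, region_results=ACCOUNT_REGION_RESULTS) -> str:
    """Status of any target: accounts from their Regions, OUs and the root from their children."""
    kids = children.get(target)
    if not kids:
        return aggregate_status(region_results[target].values())
    return aggregate_status(rollup(k, children, region_results) for k in kids)


# Constructed association summaries (field names assumed, see lead-in).
SUMMARIES = [
    {"TargetType": "ACCOUNT", "TargetId": "111111111111", "AssociationStatus": SUCCESS},
    {"TargetType": "ACCOUNT", "TargetId": "222222222222", "AssociationStatus": FAILED,
     "AssociationStatusMessage": "constructed: association failed in eu-west-1"},
    {"TargetType": "ORGANIZATIONAL_UNIT", "TargetId": "ou-b", "AssociationStatus": PENDING},
]


def needs_attention(summaries=SUMMARIES) -> List[Tuple[str, str, str, str]]:
    """Every association not yet SUCCESS, with its message, for follow-up."""
    return [
        (s["TargetType"], s["TargetId"], s["AssociationStatus"], s.get("AssociationStatusMessage", ""))
        for s in summaries
        if s["AssociationStatus"] != SUCCESS
    ]


if __name__ == "__main__":
    for acct, status in account_statuses().items():
        print(acct, status)
    for target in ("ou-a", "ou-b", "r-example"):
        print(target, rollup(target))
    for row in needs_attention():
        print(*row)
```

With this data ou-a is FAILED (one child failed in a linked Region), ou-b is PENDING, and the root is PENDING rather than FAILED, because a parent only settles once all of its children have. Note that the model recomputes the roll-up live; in the service, a parent's AssociationStatus is only refreshed when you invoke StartConfigurationPolicyAssociation again, so a stale parent status is expected after a child or Region change.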
Common reasons for association failure
A configuration policy association might fail for the following common reasons:
Organizations management account isn't a member – If you want to associate a configuration policy with the Organizations management account, that account must already have Security Hub enabled. This makes the management account a member account in the organization.
AWS Config isn't enabled or properly configured – To enable standards in a configuration policy, AWS Config must be enabled and configured to record relevant resources.
Must associate from delegated administrator account – You can only associate a policy with target accounts and OUs when you're signed in to the delegated administrator account.
Must associate from home Region – You can only associate a policy with target accounts and OUs when you're signed in to the home Region.
Opt-in Region not enabled – Policy association fails for a member account or OU in a linked Region if it's an opt-in Region that the delegated administrator hasn't enabled. You can retry after enabling the Region from the delegated administrator account.
Member account suspended – Policy association fails if you try to associate a policy with a suspended member account.