StartConfigurationPolicyAssociation
Associates a target account, organizational unit, or the root with a specified configuration. The target can be associated with a configuration policy or self-managed behavior. Only the AWS Security Hub delegated administrator can invoke this operation from the home Region.
Request Syntax
POST /configurationPolicyAssociation/associate HTTP/1.1
Content-type: application/json
{
"ConfigurationPolicyIdentifier": "string",
"Target": { ... }
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- ConfigurationPolicyIdentifier
-
The Amazon Resource Name (ARN) of a configuration policy, the universally unique identifier (UUID) of a configuration policy, or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration.
Type: String
Pattern: .*\S.*
Required: Yes
- Target
-
The identifier of the target account, organizational unit, or the root to associate with the specified configuration.
Type: Target object
Note: This object is a Union. Only one member of this object can be specified or returned.
Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"AssociationStatus": "string",
"AssociationStatusMessage": "string",
"AssociationType": "string",
"ConfigurationPolicyId": "string",
"TargetId": "string",
"TargetType": "string",
"UpdatedAt": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- AssociationStatus
-
The current status of the association between the specified target and the configuration.
Type: String
Valid Values: PENDING | SUCCESS | FAILED
- AssociationStatusMessage
-
An explanation for a FAILED value for AssociationStatus.
Type: String
Pattern: .*\S.*
- AssociationType
-
Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
Type: String
Valid Values: INHERITED | APPLIED
- ConfigurationPolicyId
-
The UUID of the configuration policy.
Type: String
Pattern: .*\S.*
- TargetId
-
The identifier of the target account, organizational unit, or the organization root with which the configuration is associated.
Type: String
Pattern: .*\S.*
- TargetType
-
Indicates whether the target is an AWS account, organizational unit, or the organization root.
Type: String
Valid Values: ACCOUNT | ORGANIZATIONAL_UNIT | ROOT
- UpdatedAt
-
The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
Type: Timestamp
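An added example, not part of the AWS reference: a Python pre-flight check that validates the request body described above and interprets the response fields before automation treats a target as configured. The Target member names (AccountId, OrganizationalUnitId, RootId), the ARN shape check, and the expectation that a direct call reports APPLIED are assumptions not stated on this page.

```python
import json
import re

SELF_MANAGED = "SELF_MANAGED_SECURITY_HUB"
NON_BLANK = re.compile(r".*\S.*")  # pattern this page gives for string fields
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Assumption: member names of the Target union, which this page does not list.
TARGET_MEMBERS = {"AccountId", "OrganizationalUnitId", "RootId"}


def classify_identifier(identifier):
    """Return 'self_managed', 'arn' or 'uuid'; raise ValueError otherwise."""
    if not isinstance(identifier, str) or not NON_BLANK.search(identifier):
        raise ValueError("ConfigurationPolicyIdentifier must be a non-blank string")
    if identifier == SELF_MANAGED:
        return "self_managed"
    parts = identifier.split(":", 5)
    # Shape check only (assumed): six ARN fields with the securityhub service.
    if len(parts) == 6 and parts[0] == "arn" and parts[2] == "securityhub":
        return "arn"
    if UUID_RE.fullmatch(identifier):
        return "uuid"
    raise ValueError("identifier is not an ARN, a UUID or " + SELF_MANAGED)


def build_request(identifier, target):
    """Validate both fields and return the JSON request body."""
    classify_identifier(identifier)
    if not isinstance(target, dict) or len(target) != 1:
        raise ValueError("Target is a union: specify exactly one member")
    (member, value), = target.items()
    if member not in TARGET_MEMBERS:
        raise ValueError(f"unknown Target member {member!r}")
    if not isinstance(value, str) or not NON_BLANK.search(value):
        raise ValueError("Target value must be a non-blank string")
    return json.dumps({"ConfigurationPolicyIdentifier": identifier, "Target": target})


def association_applied(response, target_id):
    """True on SUCCESS, False while PENDING; raise on FAILED or a mismatch."""
    if response["TargetId"] != target_id:
        raise RuntimeError("response describes a different target")
    # Assumption: an association made by this call is reported as APPLIED.
    if response["AssociationType"] != "APPLIED":
        raise RuntimeError("association is inherited, not directly applied")
    status = response["AssociationStatus"]
    if status == "FAILED":
        raise RuntimeError(response.get("AssociationStatusMessage", "association failed"))
    if status not in ("PENDING", "SUCCESS"):
        raise RuntimeError(f"unexpected AssociationStatus {status!r}")
    return status == "SUCCESS"
```

A False result from association_applied means the association is still PENDING, so the caller should check the status again later rather than assume the policy is in force.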
Errors
For information about the errors that are common to all actions, see Common Errors.
- AccessDeniedException
-
You don't have permission to perform the action specified in the request.
HTTP Status Code: 403
- InternalException
-
Internal server error.
HTTP Status Code: 500
- InvalidAccessException
-
The account doesn't have permission to perform this action.
HTTP Status Code: 401
- InvalidInputException
-
The request was rejected because you supplied an invalid or out-of-range value for an input parameter.
HTTP Status Code: 400
- LimitExceededException
-
The request was rejected because it attempted to create resources beyond the current AWS account or throttling limits. The error code describes the limit exceeded.
HTTP Status Code: 429
- ResourceNotFoundException
-
The request was rejected because we can't find the specified resource.
HTTP Status Code: 404
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: