Deleting and disassociating Security Hub configuration policies
The delegated administrator account can delete an AWS Security Hub configuration policy.
Alternatively, the delegated administrator account can retain the configuration policy, but disassociate it from
specific accounts or organizational units (OUs).
The following section explains both of these options.
Deleting configuration policies
When you delete a configuration policy, it no longer exists for your organization. Target accounts, OUs, and the organization root can no longer use the configuration policy. Targets that were associated with a deleted configuration policy inherit the configuration policy of the closest parent, or become self-managed if the closest parent is self-managed. If you want a target to use a different configuration, you can associate the target with a new configuration policy. For more information, see Creating and associating Security Hub configuration policies.
We recommend creating and associating at least one configuration policy with your organization to provide adequate security coverage.
Before you can delete a configuration policy, you must disassociate the policy from the accounts, OUs, or root to which it currently applies.
Choose your preferred method, and follow the steps to delete a configuration policy.
- Console
To delete a configuration policy
- Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. Sign in using the credentials of the Security Hub delegated administrator account in the home Region.
- In the navigation pane, choose Settings and Configuration.
- Choose the Policies tab. Select the configuration policy that you want to delete, and choose Delete. If the configuration policy is still associated with any accounts or OUs, you're prompted to first disassociate the policy from those targets before you can delete it.
- Review the confirmation message. Enter confirm, and choose Delete.
- API
To delete a configuration policy
Invoke the DeleteConfigurationPolicy API from the Security Hub delegated administrator account in the home Region. Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to delete. If you receive a ConflictException error, the configuration policy still applies to accounts or OUs in your organization. To resolve the error, disassociate the configuration policy from these accounts or OUs before trying to delete it.
Example API request to delete a configuration policy:
{
    "Identifier": "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
- AWS CLI
To delete a configuration policy
Run the delete-configuration-policy command from the Security Hub delegated administrator account in the home Region. Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to delete. If you receive a ConflictException error, the configuration policy still applies to accounts or OUs in your organization. To resolve the error, disassociate the configuration policy from these accounts or OUs before trying to delete it.
Example command to delete a configuration policy:
aws securityhub --region us-east-1 delete-configuration-policy \
    --identifier "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
Disassociating a configuration from accounts and OUs
From the delegated administrator account, you can disassociate a target account, OU, or the root from a configuration policy that currently applies to it or from a self-managed configuration. You can disassociate a target only from an applied configuration, not from an inherited configuration. To change an inherited configuration, you can apply a configuration policy or self-managed behavior to the affected account or OU. You can also apply a new configuration policy, which includes your desired modifications, to the closest parent.
Disassociation doesn't delete a configuration policy. The policy is retained in your account, so you can associate it with other targets in your organization. When disassociation is complete, an affected target inherits the configuration policy or self-managed behavior of the closest parent. If there's no inheritable configuration, a target retains the settings it had prior to disassociation but becomes self-managed.
Choose your preferred method, and follow the steps to disassociate an account, OU, or root from its current configuration.
- Console
To disassociate an account or OU from its current configuration
- Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/. Sign in using the credentials of the Security Hub delegated administrator account in the home Region.
- In the navigation pane, choose Settings and Configuration.
- On the Organizations tab, select the account, OU, or the root that you want to disassociate from its current configuration. Choose Edit.
- On the Define configuration page, for Management, choose Policy applied if you want the delegated administrator to be able to apply policies directly to the target. Choose Inherited if you want the target to inherit the configuration of its closest parent. In either of these cases, the delegated administrator controls settings for the target. Choose Self-managed if you want the account or OU to control its own settings.
- After reviewing your changes, choose Next and Apply. This action overrides existing configurations of any accounts or OUs that are in scope, if those configurations conflict with your current selections.
- API
To disassociate an account or OU from its current configuration
- Invoke the StartConfigurationPolicyDisassociation API from the Security Hub delegated administrator account in the home Region.
- For ConfigurationPolicyIdentifier, provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to disassociate. Provide SELF_MANAGED_SECURITY_HUB for this field to disassociate self-managed behavior.
- For Target, provide the accounts, OUs, or the root that you want to disassociate from this configuration policy.
Example API request to disassociate a configuration policy:
{
    "ConfigurationPolicyIdentifier": "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Target": {"RootId": "r-f6g7h8i9j0example"}
}
- AWS CLI
To disassociate an account or OU from its current configuration
- Run the start-configuration-policy-disassociation command from the Security Hub delegated administrator account in the home Region.
- For configuration-policy-identifier, provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to disassociate. Provide SELF_MANAGED_SECURITY_HUB for this field to disassociate self-managed behavior.
- For target, provide the accounts, OUs, or the root that you want to disassociate from this configuration policy.
Example command to disassociate a configuration policy:
aws securityhub --region us-east-1 start-configuration-policy-disassociation \
    --configuration-policy-identifier "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
    --target '{"RootId": "r-f6g7h8i9j0example"}'
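The deletion and disassociation procedures above are two halves of one workflow: a policy can only be deleted once nothing is associated with it, only APPLIED associations can be disassociated (inherited ones follow their parent), and StartConfigurationPolicyDisassociation is asynchronous, so deleting immediately afterwards can still return ConflictException. The script below ties the two sections together in Python. It is an added example, not code from the AWS documentation: it assumes the boto3 securityhub client method names for the ListConfigurationPolicyAssociations, StartConfigurationPolicyDisassociation and DeleteConfigurationPolicy actions, and the FakeSecurityHub class, policy ID and target IDs are constructed stand-ins so the flow runs offline. With a real client (`boto3.client("securityhub", region_name="us-east-1")` from the delegated administrator account in the home Region) the same `retire_policy` function applies.

```python
"""Retire a Security Hub configuration policy: disassociate every target the
policy is directly applied to, wait for the associations to clear, then delete.

Added example, not code from the AWS documentation. Assumes the boto3
'securityhub' client method names for the ListConfigurationPolicyAssociations,
StartConfigurationPolicyDisassociation and DeleteConfigurationPolicy actions.
FakeSecurityHub is a constructed in-memory stand-in so the flow runs offline;
the policy ID and target IDs are constructed sample values."""
import time
from typing import Dict, List

# Target key the API expects for each TargetType reported in association summaries.
TARGET_KEY = {"ACCOUNT": "AccountId",
              "ORGANIZATIONAL_UNIT": "OrganizationalUnitId",
              "ROOT": "RootId"}


def list_associations(client, policy_id: str, association_type=None) -> List[dict]:
    """Page through every association that references policy_id, optionally
    restricted to APPLIED or INHERITED associations."""
    filters = {"ConfigurationPolicyId": policy_id}
    if association_type:
        filters["AssociationType"] = association_type
    kwargs, found = {"Filters": filters}, []
    while True:
        resp = client.list_configuration_policy_associations(**kwargs)
        found.extend(resp.get("ConfigurationPolicyAssociationSummaries", []))
        if not resp.get("NextToken"):
            return found
        kwargs["NextToken"] = resp["NextToken"]


def retire_policy(client, policy_id: str, attempts: int = 5, delay: float = 0.0) -> Dict[str, object]:
    """Disassociate APPLIED targets (inherited ones cannot be disassociated),
    poll until no association references the policy, then delete it.
    Returns a record of what was done so the change can be audited."""
    applied = list_associations(client, policy_id, "APPLIED")
    targets = [{TARGET_KEY[s["TargetType"]]: s["TargetId"]} for s in applied]
    for target in targets:
        client.start_configuration_policy_disassociation(
            ConfigurationPolicyIdentifier=policy_id, Target=target)
    # Disassociation is asynchronous; deleting too early yields ConflictException.
    remaining = []
    for _ in range(max(1, attempts)):
        remaining = list_associations(client, policy_id)
        if not remaining:
            break
        time.sleep(delay)
    else:
        return {"deleted": False, "disassociated": targets,
                "remaining": [s["TargetId"] for s in remaining]}
    try:
        client.delete_configuration_policy(Identifier=policy_id)
    except client.exceptions.ConflictException:
        return {"deleted": False, "disassociated": targets, "remaining": ["unknown"]}
    return {"deleted": True, "disassociated": targets, "remaining": []}


class ConflictException(Exception):
    """Stand-in for botocore's ConflictException (constructed for offline use)."""


class FakeSecurityHub:
    """Constructed in-memory client covering the three calls used above."""
    class exceptions:  # mirrors client.exceptions.ConflictException in boto3
        ConflictException = ConflictException

    def __init__(self, policies, associations):
        self.policies = set(policies)
        self.associations = list(associations)  # dicts shaped like API summaries

    def list_configuration_policy_associations(self, Filters, **_):
        rows = [a for a in self.associations
                if a["ConfigurationPolicyId"] == Filters["ConfigurationPolicyId"]
                and ("AssociationType" not in Filters
                     or a["AssociationType"] == Filters["AssociationType"])]
        return {"ConfigurationPolicyAssociationSummaries": rows}

    def start_configuration_policy_disassociation(self, ConfigurationPolicyIdentifier, Target):
        target_id = next(iter(Target.values()))
        # Simplification: children that inherited this policy fall back to the
        # closest parent's configuration, so their INHERITED rows disappear too.
        self.associations = [a for a in self.associations
                             if not (a["ConfigurationPolicyId"] == ConfigurationPolicyIdentifier
                                     and (a["TargetId"] == target_id
                                          or a["AssociationType"] == "INHERITED"))]
        return {"TargetId": target_id}

    def delete_configuration_policy(self, Identifier):
        if any(a["ConfigurationPolicyId"] == Identifier for a in self.associations):
            raise ConflictException("policy still applies to targets")
        self.policies.discard(Identifier)
        return {}


# Constructed sample organization: policy applied to an OU and inherited by an account.
POLICY_ID = "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
SAMPLE_ASSOCIATIONS = [
    {"ConfigurationPolicyId": POLICY_ID, "TargetType": "ORGANIZATIONAL_UNIT",
     "TargetId": "ou-abcd-example1", "AssociationType": "APPLIED", "AssociationStatus": "SUCCESS"},
    {"ConfigurationPolicyId": POLICY_ID, "TargetType": "ACCOUNT",
     "TargetId": "111122223333", "AssociationType": "INHERITED", "AssociationStatus": "SUCCESS"},
]


def demo():
    """Run the retire flow against the constructed organization."""
    client = FakeSecurityHub([POLICY_ID], SAMPLE_ASSOCIATIONS)
    return retire_policy(client, POLICY_ID), client


if __name__ == "__main__":
    result, client = demo()
    print(result, sorted(client.policies))
```

The returned record is worth logging: the list of targets that were disassociated is the set of accounts and OUs whose Security Hub configuration changed as a side effect, which is what a reviewer of the change will want to see. If `deleted` is false, the `remaining` targets are the associations that still block deletion, the same condition the console and the ConflictException report.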