# Security in AWS Security Hub CSPM
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS compliance programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Security Hub CSPM, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using Security Hub CSPM. The following topics show you how to configure Security Hub CSPM to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Security Hub CSPM resources.

**Topics**
+ [Data protection in AWS Security Hub CSPM](data-protection.md)
+ [AWS Identity and Access Management for Security Hub CSPM](security-iam.md)
+ [Compliance validation for AWS Security Hub CSPM](securityhub-compliance.md)
+ [Resilience in AWS Security Hub](disaster-recovery-resiliency.md)
+ [Infrastructure security in AWS Security Hub CSPM](infrastructure-security.md)
+ [AWS Security Hub CSPM and interface VPC endpoints (AWS PrivateLink)](security-vpc-endpoints.md)

# Data protection in AWS Security Hub CSPM
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in AWS Security Hub CSPM. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Security Hub CSPM or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

Security Hub CSPM is a multi-tenant service offering. To ensure data protection, Security Hub CSPM encrypts data at rest and data in transit between component services.

# AWS Identity and Access Management for Security Hub CSPM
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Security Hub resources. IAM is an AWS service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [How Security Hub works with IAM](security_iam_service-with-iam.md)
+ [Identity-based policy examples for AWS Security Hub CSPM](security_iam_id-based-policy-examples.md)
+ [Service-linked roles for AWS Security Hub CSPM](using-service-linked-roles.md)
+ [AWS managed policies for Security Hub](security-iam-awsmanpol.md)
+ [Troubleshooting AWS Security Hub CSPM identity and access](security_iam_troubleshoot.md)

## Audience
<a name="security_iam_audience"></a>

How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting AWS Security Hub CSPM identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [How Security Hub works with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [Identity-based policy examples for AWS Security Hub CSPM](security_iam_id-based-policy-examples.md))

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.

### Federated identity
<a name="security_iam_authentication-federated"></a>

As a best practice, require human users to use federation with an identity provider to access AWS services using temporary credentials.

A *federated identity* is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.

For centralized access management, we recommend AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* is an identity that specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Other policy types
<a name="security_iam_access-manage-other-policies"></a>

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# How Security Hub works with IAM
<a name="security_iam_service-with-iam"></a>

Before you use AWS Identity and Access Management (IAM) to manage access to AWS Security Hub CSPM, learn which IAM features are available to use with Security Hub CSPM.

**IAM features you can use with AWS Security Hub CSPM**  

| IAM feature | Security Hub CSPM support | 
| --- | --- | 
|  [Identity-based policies](#security_iam_service-with-iam-id-based-policies)  |   Yes  | 
|  [Resource-based policies](#security_iam_service-with-iam-resource-based-policies)  |   No   | 
|  [Policy actions](#security_iam_service-with-iam-id-based-policies-actions)  |   Yes  | 
|  [Policy resources](#security_iam_service-with-iam-id-based-policies-resources)  |   No   | 
|  [Policy condition keys](#security_iam_service-with-iam-id-based-policies-conditionkeys)  |   Yes  | 
|  [Access control lists (ACLs)](#security_iam_service-with-iam-acls)  |   No   | 
|  [Attribute-based access control (ABAC) – tags in policies](#security_iam_service-with-iam-tags)  |   Yes  | 
|  [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds)  |   Yes  | 
|  [Forward access sessions (FAS)](#security_iam_service-with-iam-principal-permissions)  |   Yes  | 
|  [Service roles](#security_iam_service-with-iam-roles-service)  |   No   | 
|  [Service-linked roles](#security_iam_service-with-iam-roles-service-linked)  |   Yes  | 

For a high-level view of how Security Hub CSPM and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Identity-based policies for Security Hub CSPM
<a name="security_iam_service-with-iam-id-based-policies"></a>

**Supports identity-based policies:** Yes

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

Security Hub CSPM supports identity-based policies. For more information, see [Identity-based policy examples for AWS Security Hub CSPM](security_iam_id-based-policy-examples.md).

## Resource-based policies for Security Hub CSPM
<a name="security_iam_service-with-iam-resource-based-policies"></a>

**Supports resource-based policies:** No 

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS services.

To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

Security Hub CSPM does not support resource-based policies. You can't attach an IAM policy directly to a Security Hub CSPM resource.

## Policy actions for Security Hub CSPM
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

**Supports policy actions:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

Policy actions in Security Hub CSPM use the following prefix before the action:

```
securityhub:
```

For example, to grant a user permission to enable Security Hub CSPM, which is an action that corresponds to the `EnableSecurityHub` operation of the Security Hub CSPM API, include the `securityhub:EnableSecurityHub` action in their policy. Policy statements must include either an `Action` or `NotAction` element. Security Hub CSPM defines its own set of actions that describe tasks that you can perform with this service.

```
"Action": "securityhub:EnableSecurityHub"
```

To specify multiple actions in a single statement, separate them with commas. For example:

```
"Action": [
      "securityhub:EnableSecurityHub",
      "securityhub:BatchEnableStandards"
]
```

You can also specify multiple actions using wildcards (\*). For example, to specify all actions that begin with the word `Get`, include the following action:

```
"Action": "securityhub:Get*"
```

However, as a best practice, you should create policies that follow the principle of least privilege. In other words, you should create policies that include only the permissions that are required to perform a specific task.

To use the `BatchGetSecurityControls`, `BatchGetStandardsControlAssociations`, or `ListStandardsControlAssociations` operations, a user must also be allowed the `DescribeStandardsControl` operation.

To use the `BatchUpdateStandardsControlAssociations` or `UpdateSecurityControl` operations, a user must also be allowed the `UpdateStandardsControls` operation.

For a list of Security Hub CSPM actions, see [Actions defined by AWS Security Hub CSPM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html#awssecurityhub-actions-as-permissions) in the *Service Authorization Reference*. For examples of policies that specify Security Hub CSPM actions, see [Identity-based policy examples for AWS Security Hub CSPM](security_iam_id-based-policy-examples.md).
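The wildcard caveat and the two operation dependencies above can be checked mechanically before a policy is attached. The following linter is an added example written for this page; it is not code from the AWS documentation or from the Security Hub CSPM service. The dependency table is transcribed from the two statements above, the sample policies are constructed, and the evaluator deliberately looks only at the `Action`, `NotAction` and `Effect` elements (it ignores `Resource` and `Condition`).

```python
"""Lint the Action element of a Security Hub CSPM identity-based policy.

Added example, not from the AWS documentation. It flags wildcard actions
(which widen a statement beyond least privilege) and the operation
dependencies stated in the text, for example BatchGetSecurityControls
needing DescribeStandardsControl. The sample policies are constructed.
"""
import fnmatch
import json

# Dependencies from the documentation text: the key action only works when
# the principal is also allowed the value action.
DEPENDENCIES = {
    "securityhub:BatchGetSecurityControls": "securityhub:DescribeStandardsControl",
    "securityhub:BatchGetStandardsControlAssociations": "securityhub:DescribeStandardsControl",
    "securityhub:ListStandardsControlAssociations": "securityhub:DescribeStandardsControl",
    "securityhub:BatchUpdateStandardsControlAssociations": "securityhub:UpdateStandardsControls",
    "securityhub:UpdateSecurityControl": "securityhub:UpdateStandardsControls",
}


def _as_list(value):
    """IAM allows Statement, Action and NotAction to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_is_allowed(policy, action):
    """Action-only evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Resource and Condition elements are ignored on purpose."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        elif "NotAction" in stmt:  # applies to every action except those listed
            hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            continue  # malformed statement: IAM requires Action or NotAction
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def lint_policy(policy):
    """Return findings as strings; an empty list means nothing to report."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("Allow with NotAction grants every action not listed")
        for pattern in _as_list(stmt.get("Action")):
            if "*" in pattern or "?" in pattern:
                findings.append(f"wildcard action {pattern} grants more than one operation")
    for action, required in DEPENDENCIES.items():
        if action_is_allowed(policy, action) and not action_is_allowed(policy, required):
            findings.append(f"{action} is allowed but needs {required}")
    return findings


# Constructed sample: read-only control status, but the dependency is missing.
INCOMPLETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["securityhub:BatchGetSecurityControls",
               "securityhub:ListStandardsControlAssociations"],
    "Resource": "*"
  }]
}""")

# Constructed sample: the same intent with the dependency satisfied.
COMPLETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["securityhub:DescribeStandardsControl",
               "securityhub:BatchGetSecurityControls",
               "securityhub:ListStandardsControlAssociations"],
    "Resource": "*"
  }]
}""")

# Constructed sample: the Get* wildcard shown in the text.
WILDCARD_POLICY = {"Version": "2012-10-17",
                   "Statement": {"Effect": "Allow", "Action": "securityhub:Get*", "Resource": "*"}}

if __name__ == "__main__":
    for name, policy in [("incomplete", INCOMPLETE_POLICY), ("complete", COMPLETE_POLICY),
                         ("wildcard", WILDCARD_POLICY)]:
        print(name, lint_policy(policy) or "ok")
```

Run on the three samples, the incomplete policy produces one finding per dependent action, the complete policy produces none, and the wildcard policy is flagged even though it is syntactically valid. The point of keeping the evaluator action-only is that dependency checks are about which operations a principal may call at all; resource and condition scoping are a separate, later step.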

## Policy resources for Security Hub CSPM
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

**Supports policy resources:** No 

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (\*) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

Security Hub CSPM defines the following resource types:
+ Hub
+ Product
+ Finding aggregator, also referred to as a *cross-Region aggregator*
+ Automation rule
+ Configuration policy

You can specify these types of resources in policies by using ARNs.

For a list of Security Hub CSPM resource types and the ARN syntax for each one, see [Resource types defined by AWS Security Hub CSPM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html#awssecurityhub-resources-for-iam-policies) in the *Service Authorization Reference*. To learn which actions you can specify for each type of resource, see [Actions defined by AWS Security Hub CSPM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html#awssecurityhub-actions-as-permissions) in the *Service Authorization Reference*. For examples of policies that specify resources, see [Identity-based policy examples for AWS Security Hub CSPM](security_iam_id-based-policy-examples.md).

## Policy condition keys for Security Hub CSPM
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

**Supports service-specific policy condition keys:** Yes

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

For a list of Security Hub CSPM condition keys, see [Condition keys for AWS Security Hub CSPM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html#awssecurityhub-policy-keys) in the *Service Authorization Reference*. To learn which actions and resources you can use a condition key with, see [Actions defined by AWS Security Hub CSPM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html#awssecurityhub-actions-as-permissions). For examples of policies that use condition keys, see [Identity-based policy examples for AWS Security Hub CSPM](security_iam_id-based-policy-examples.md).

## Access control lists (ACLs) in Security Hub CSPM
<a name="security_iam_service-with-iam-acls"></a>

**Supports ACLs:** No 

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Security Hub CSPM doesn't support ACLs, which means you can't attach an ACL to a Security Hub CSPM resource.

## Attribute-based access control (ABAC) with Security Hub CSPM
<a name="security_iam_service-with-iam-tags"></a>

**Supports ABAC (tags in policies):** Yes

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes called tags. You can attach tags to IAM entities and AWS resources, then design ABAC policies to allow operations when the principal's tag matches the tag on the resource.

To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.

If a service supports all three condition keys for every resource type, then the value is **Yes** for the service. If a service supports all three condition keys for only some resource types, then the value is **Partial**.

For more information about ABAC, see [Define permissions with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.

You can attach tags to Security Hub CSPM resources. You can also control access to resources by providing tag information in the `Condition` element of a policy.

For information about tagging Security Hub CSPM resources, see [Tagging Security Hub resources](tagging-resources.md). For an example of an identity-based policy that controls access to a resource based on tags, see [Identity-based policy examples for AWS Security Hub CSPM](security_iam_id-based-policy-examples.md).
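The tag comparison described above (allow an operation when the principal's tag matches the tag on the resource) can be modelled to see exactly which requests pass. The following evaluator is an added example written for this page, not code from the AWS documentation or the Security Hub CSPM service. The policy, principal tags and resource tags are constructed; the action names `securityhub:BatchUpdateAutomationRules` and `securityhub:BatchDeleteAutomationRules` are real Security Hub actions, but the policy around them is an assumption. Only the `StringEquals` operator with `${...}` policy-variable substitution is implemented.

```python
"""Evaluate a tag-based (ABAC) condition for a Security Hub CSPM action.

Added example, not from the AWS documentation. The constructed policy allows
securityhub:BatchUpdateAutomationRules only when the automation rule's `team`
tag equals the calling principal's `team` tag, using the aws:ResourceTag/key
condition key with a ${aws:PrincipalTag/key} policy variable. Only the
StringEquals operator is modelled; tags below are constructed samples.
"""
import fnmatch
import re

ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "UpdateOwnTeamsRules",
        "Effect": "Allow",
        "Action": "securityhub:BatchUpdateAutomationRules",
        "Resource": "*",
        "Condition": {
            "StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}
        }
    }]
}

_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def resolve(value, context):
    """Substitute ${key} policy variables from the request context. If any
    referenced key is absent, the whole value resolves to None and matches nothing."""
    missing = False

    def replace(match):
        nonlocal missing
        found = context.get(match.group(1))
        if found is None:
            missing = True
            return ""
        return found

    resolved = _VARIABLE.sub(replace, value)
    return None if missing else resolved


def condition_holds(condition, context):
    """StringEquals: every listed key must be present in the request context and
    equal one of its resolved values. An absent key fails the condition, so an
    untagged resource is denied rather than allowed by default."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            candidates = expected if isinstance(expected, list) else [expected]
            if actual is None or all(resolve(c, context) != actual for c in candidates):
                return False
    return True


def is_allowed(policy, action, context):
    """Explicit Deny wins; otherwise any matching Allow whose condition holds grants."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def request_context(principal_tags, resource_tags):
    """The subset of the IAM request context that the tag condition keys read."""
    context = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    context.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return context


def can_update(principal_tags, resource_tags):
    """Can a principal with these tags update an automation rule with those tags?"""
    return is_allowed(ABAC_POLICY, "securityhub:BatchUpdateAutomationRules",
                      request_context(principal_tags, resource_tags))


if __name__ == "__main__":
    blue = {"team": "blue"}
    print("same team:", can_update(blue, {"team": "blue"}))        # True
    print("other team:", can_update(blue, {"team": "red"}))        # False
    print("untagged rule:", can_update(blue, {}))                  # False
    print("untagged principal:", can_update({}, {"team": "blue"}))  # False
```

The two "untagged" cases are the ones worth checking when a tagging convention is rolled out: a resource that was never tagged, or a principal whose session tags were not set, ends up with no access under this statement rather than broad access, because a condition key that is absent from the request context makes `StringEquals` false.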

## Using temporary credentials with Security Hub CSPM
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

**Supports temporary credentials:** Yes

Temporary credentials provide short-term access to AWS resources and are automatically created when you use federation or switch roles. AWS recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) and [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html). 

Security Hub CSPM supports the use of temporary credentials.

## Forward access sessions for Security Hub CSPM
<a name="security_iam_service-with-iam-principal-permissions"></a>

**Supports forward access sessions (FAS):** Yes

Forward access sessions (FAS) use the permissions of the principal calling an AWS service, combined with the requesting AWS service to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html).

For example, Security Hub CSPM makes FAS requests to downstream AWS services when you integrate Security Hub CSPM with AWS Organizations and when you designate the delegated Security Hub CSPM administrator account for an organization in Organizations.

For other tasks, Security Hub CSPM uses a service-linked role to perform actions on your behalf. For details about this role, see [Service-linked roles for AWS Security Hub CSPM](using-service-linked-roles.md).

## Service roles for Security Hub CSPM
<a name="security_iam_service-with-iam-roles-service"></a>

Security Hub CSPM doesn't assume or use service roles. To perform actions on your behalf, Security Hub CSPM uses a service-linked role. For details about this role, see [Service-linked roles for AWS Security Hub CSPM](using-service-linked-roles.md).

**Warning**  
Changing the permissions for a service role may create operational issues with your use of Security Hub CSPM. Edit service roles only when Security Hub CSPM provides guidance to do so.

## Service-linked roles for Security Hub CSPM
<a name="security_iam_service-with-iam-roles-service-linked"></a>

**Supports service-linked roles:** Yes

A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

Security Hub CSPM uses a service-linked role to perform actions on your behalf. For details about this role, see [Service-linked roles for AWS Security Hub CSPM](using-service-linked-roles.md).

# Identity-based policy examples for AWS Security Hub CSPM
<a name="security_iam_id-based-policy-examples"></a>

By default, users and roles don't have permission to create or modify Security Hub CSPM resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating Policies on the JSON Tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Using the Security Hub CSPM console](#security_iam_id-based-policy-examples-console)
+ [Example: Allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Example: Allow users to create and manage a configuration policy](#security_iam_id-based-policy-examples-create-configuration-policy)
+ [Example: Allow users to view findings](#security_iam_id-based-policy-examples-view-findings)
+ [Example: Allow users to create and manage automation rules](#security_iam_id-based-policy-examples-create-automation-rule)

## Policy best practices
<a name="security_iam_service-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete Security Hub resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Using the Security Hub CSPM console
<a name="security_iam_id-based-policy-examples-console"></a>

To access the AWS Security Hub CSPM console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Security Hub CSPM resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that they're trying to perform.

To ensure that those users and roles can use the Security Hub CSPM console, also attach the following AWS managed policy to the entity. For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "securityhub:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "securityhub.amazonaws.com"
                }
            }
        }
    ]
}
```

------

## Example: Allow users to view their own permissions
<a name="security_iam_id-based-policy-examples-view-own-permissions"></a>

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Example: Allow users to create and manage a configuration policy
<a name="security_iam_id-based-policy-examples-create-configuration-policy"></a>

This example shows how you might create an IAM policy that allows a user to create, view, update, and delete configuration policies. This example policy also allows the user to start, stop, and view policy associations. For this IAM policy to work, the user must be the delegated Security Hub CSPM administrator for an organization.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAndUpdateConfigurationPolicy",
            "Effect": "Allow",
            "Action": [
                "securityhub:CreateConfigurationPolicy",
                "securityhub:UpdateConfigurationPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ViewConfigurationPolicy",
            "Effect": "Allow",
            "Action": [
                "securityhub:GetConfigurationPolicy",
                "securityhub:ListConfigurationPolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteConfigurationPolicy",
            "Effect": "Allow",
            "Action": [
                "securityhub:DeleteConfigurationPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ViewConfigurationPolicyAssociation",
            "Effect": "Allow",
            "Action": [
                "securityhub:BatchGetConfigurationPolicyAssociations",
                "securityhub:GetConfigurationPolicyAssociation",
                "securityhub:ListConfigurationPolicyAssociations"
            ],
            "Resource": "*"
        },
        {
            "Sid": "UpdateConfigurationPolicyAssociation",
            "Effect": "Allow",
            "Action": [
                "securityhub:StartConfigurationPolicyAssociation",
                "securityhub:StartConfigurationPolicyDisassociation"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Example: Allow users to view findings
<a name="security_iam_id-based-policy-examples-view-findings"></a>

This example shows how you might create an IAM policy that allows a user to view Security Hub CSPM findings.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReviewFindings",
            "Effect": "Allow",
            "Action": [
                "securityhub:GetFindings"
            ],
            "Resource": "*"
        }
    ]
}
```

------
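As an added example (not AWS code), the following Python script applies the least-privilege guidance from the policy best practices above to the console policy and the view-findings policy shown on this page: it lists wildcard grants, checks whether a policy is read-only, and verifies that `iam:CreateServiceLinkedRole` is pinned to `securityhub.amazonaws.com` by an `iam:AWSServiceName` condition, as the console policy does. The unscoped variant is constructed here only for contrast.

```python
"""Least-privilege checks for IAM identity policies.

Added example, not AWS code. Condition matching imitates IAM's StringLike
operator ('*' and '?' wildcards, case-sensitive). Deny statements, NotAction,
service control policies and permissions boundaries are out of scope here.
"""
import re

# Constructed input: the console policy shown on this page.
CONSOLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "securityhub:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
         "Condition": {"StringLike": {"iam:AWSServiceName": "securityhub.amazonaws.com"}}},
    ],
}

# Constructed input: the same grant with its Condition dropped, so the identity
# could create service-linked roles for any service, not only Security Hub CSPM.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"}],
}

# Constructed input: the view-findings policy shown on this page.
VIEW_FINDINGS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReviewFindings", "Effect": "Allow",
                   "Action": ["securityhub:GetFindings"], "Resource": "*"}],
}

READ_ONLY_PREFIXES = ("Get", "List", "Describe", "BatchGet")


def _listify(value):
    """Action, Resource and condition values may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def allow_statements(policy, action):
    """Allow statements whose Action element covers the given action name."""
    return [s for s in policy["Statement"]
            if s.get("Effect") == "Allow"
            and any(string_like(p, action) for p in _listify(s.get("Action")))]


def wildcard_grants(policy):
    """(Sid or index, action, resource) for every Allow using '*' in either element."""
    found = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"Statement[{index}]")
        for action in _listify(stmt.get("Action")):
            for resource in _listify(stmt.get("Resource")):
                if "*" in action or "*" in resource:
                    found.append((label, action, resource))
    return found


def slr_creation_scoped_to(policy, service_name):
    """True only if iam:CreateServiceLinkedRole is allowed and every such Allow
    pins iam:AWSServiceName to exactly service_name under StringEquals/StringLike.
    A grant with no condition, or with a wildcard pattern, counts as too broad."""
    stmts = allow_statements(policy, "iam:CreateServiceLinkedRole")
    if not stmts:
        return False
    for stmt in stmts:
        condition = stmt.get("Condition", {})
        patterns = []
        for operator in ("StringEquals", "StringLike"):
            patterns += _listify(condition.get(operator, {}).get("iam:AWSServiceName"))
        if not patterns or any(p != service_name for p in patterns):
            return False
    return True


def is_read_only(policy):
    """True if every allowed action is a Get/List/Describe/BatchGet call; '*' fails."""
    actions = [a for s in policy["Statement"] if s.get("Effect") == "Allow"
               for a in _listify(s.get("Action"))]
    return bool(actions) and all(
        "*" not in a and a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES) for a in actions)
```

Run the checks against any customer managed policy before attaching it; a `True` from `slr_creation_scoped_to` and an empty `wildcard_grants` list are the conditions the best practices above ask for.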

## Example: Allow users to create and manage automation rules
<a name="security_iam_id-based-policy-examples-create-automation-rule"></a>

This example shows how you might create an IAM policy that allows a user to create, view, update, and delete Security Hub CSPM automation rules. For this IAM policy to work, the user must be a Security Hub CSPM administrator. To limit permissions (for example, to allow a user only to view automation rules), you can remove the create, update, and delete permissions.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAndUpdateAutomationRules",
            "Effect": "Allow",
            "Action": [
                "securityhub:CreateAutomationRule",
                "securityhub:BatchUpdateAutomationRules"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ViewAutomationRules",
            "Effect": "Allow",
            "Action": [
                "securityhub:BatchGetAutomationRules",
                "securityhub:ListAutomationRules"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteAutomationRules",
            "Effect": "Allow",
            "Action": [
                "securityhub:BatchDeleteAutomationRules"
            ],
            "Resource": "*"
        }
    ]
}
```

------

# Service-linked roles for AWS Security Hub CSPM
<a name="using-service-linked-roles"></a>

AWS Security Hub CSPM uses an AWS Identity and Access Management (IAM) [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) named `AWSServiceRoleForSecurityHub`. This service-linked role is an IAM role that's linked directly to Security Hub CSPM. It's predefined by Security Hub CSPM, and it includes all the permissions that Security Hub CSPM requires to call other AWS services and monitor AWS resources on your behalf. Security Hub CSPM uses this service-linked role in all the AWS Regions where Security Hub CSPM is available.

A service-linked role makes setting up Security Hub CSPM easier because you don't have to manually add the necessary permissions. Security Hub CSPM defines the permissions of its service-linked role, and unless defined otherwise, only Security Hub CSPM can assume the role. The defined permissions include the trust policy and the permissions policy, and you can't attach that permissions policy to any other IAM entity.

To review the details of the service-linked role, you can use the Security Hub CSPM console. In the navigation pane, choose **General** under **Settings**. Then, in the **Service permissions** section, choose **View service permissions**.

You can delete the Security Hub CSPM service-linked role only after you disable Security Hub CSPM in all the Regions where it's enabled. This protects your Security Hub CSPM resources because you can't inadvertently remove permissions to access them.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* and locate the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to review the service-linked role documentation for that service.

**Topics**
+ [Service-linked role permissions for Security Hub CSPM](#slr-permissions)
+ [Creating a service-linked role for Security Hub CSPM](#create-slr)
+ [Editing a service-linked role for Security Hub CSPM](#edit-slr)
+ [Deleting a service-linked role for Security Hub CSPM](#delete-slr)
+ [Service-linked role for AWS Security Hub V2](#slr-permissions-v2)

## Service-linked role permissions for Security Hub CSPM
<a name="slr-permissions"></a>

Security Hub CSPM uses the service-linked role named `AWSServiceRoleForSecurityHub`. It's a service-linked role required for AWS Security Hub CSPM to access your resources. This service-linked role allows Security Hub CSPM to perform tasks such as receiving findings from other AWS services and configuring the requisite AWS Config infrastructure to run security checks for controls. The `AWSServiceRoleForSecurityHub` service-linked role trusts the `securityhub.amazonaws.com` service to assume the role.

The `AWSServiceRoleForSecurityHub` service-linked role uses the managed policy [`AWSSecurityHubServiceRolePolicy`](security-iam-awsmanpol.md#security-iam-awsmanpol-awssecurityhubservicerolepolicy).

You must grant permissions to allow an IAM identity (such as a role, group, or user) to create, edit, or delete a service-linked role. For the `AWSServiceRoleForSecurityHub` service-linked role to be successfully created, the IAM identity that you use to access Security Hub CSPM must have the required permissions. To grant the required permissions, attach the following policy to the IAM identity.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "securityhub:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "securityhub.amazonaws.com"
                }
            }
        }
    ]
}
```

------

## Creating a service-linked role for Security Hub CSPM
<a name="create-slr"></a>

The `AWSServiceRoleForSecurityHub` service-linked role is created automatically when you enable Security Hub CSPM for the first time or you enable Security Hub CSPM in a Region where you didn't previously enable it. You can also create the `AWSServiceRoleForSecurityHub` service-linked role manually by using the IAM console, the IAM CLI, or the IAM API. For more information about creating the role manually, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*.

**Important**  
The service-linked role that's created for a Security Hub CSPM administrator account doesn't apply to associated Security Hub CSPM member accounts.

## Editing a service-linked role for Security Hub CSPM
<a name="edit-slr"></a>

Security Hub CSPM doesn't allow you to edit the `AWSServiceRoleForSecurityHub` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role by using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for Security Hub CSPM
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete the role. That way, you don't have an unused entity that isn't actively monitored or maintained.

When you disable Security Hub CSPM, Security Hub CSPM doesn't automatically delete the `AWSServiceRoleForSecurityHub` service-linked role for you. If you enable Security Hub CSPM again, the service can then start using the existing service-linked role again. If you no longer need to use Security Hub CSPM, you can manually delete the service-linked role.

**Important**  
Before you delete the `AWSServiceRoleForSecurityHub` service-linked role, you must first disable Security Hub CSPM in all the Regions where it's enabled. For more information, see [Disabling Security Hub CSPM](securityhub-disable.md). If Security Hub CSPM isn't disabled when you try to delete the service-linked role, the deletion fails.

To delete the `AWSServiceRoleForSecurityHub` service-linked role, you can use the IAM console, the IAM CLI, or the IAM API. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Service-linked role for AWS Security Hub V2
<a name="slr-permissions-v2"></a>

Security Hub uses the service-linked role named `AWSServiceRoleForSecurityHubV2`. This service-linked role allows Security Hub to manage AWS Config rules and resources for your organization and on your behalf. The `AWSServiceRoleForSecurityHubV2` service-linked role trusts the `securityhub.amazonaws.com` service to assume the role.

The `AWSServiceRoleForSecurityHubV2` service-linked role uses the managed policy [`AWSSecurityHubV2ServiceRolePolicy`](security-iam-awsmanpol.md#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy).

**Permissions details**  
This policy includes the following permissions:
+ `cloudwatch` – Allows the role to retrieve metrics data to support metering capabilities for resources.
+ `config` – Allows the role to manage service-linked configuration recorders for resources, including support for global AWS Config recorders.
+ `ecr` – Allows the role to retrieve information about Amazon Elastic Container Registry images and repositories to support metering capabilities.
+ `iam` – Allows the role to create the service-linked role for AWS Config and retrieve account information to support metering capabilities.
+ `lambda` – Allows the role to retrieve AWS Lambda function information to support metering capabilities.
+ `organizations` – Allows the role to retrieve account and organizational unit (OU) information for an organization.
+ `securityhub` – Allows the role to manage the configuration.
+ `tag` – Allows the role to retrieve information about resource tags.

You must grant permissions to allow an IAM identity (such as a role, group, or user) to create, edit, or delete a service-linked role. For the `AWSServiceRoleForSecurityHubV2` service-linked role to be successfully created, the IAM identity that you use to access Security Hub must have the required permissions. To grant the required permissions, attach the following policy to the IAM identity.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "securityhub:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "securityhub.amazonaws.com"
                }
            }
        }
    ]
}
```

------

### Creating a service-linked role for AWS Security Hub V2
<a name="create-slr-v2"></a>

The `AWSServiceRoleForSecurityHubV2` service-linked role is created automatically when you enable Security Hub for the first time or you enable Security Hub in a Region where you didn't previously enable it. You can also create the `AWSServiceRoleForSecurityHubV2` service-linked role manually by using the IAM console, the IAM CLI, or the IAM API. For more information about creating the role manually, see [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*.

**Important**  
The service-linked role that's created for a Security Hub administrator account doesn't apply to associated Security Hub member accounts.

### Editing a service-linked role for AWS Security Hub V2
<a name="edit-slr-v2"></a>

Security Hub doesn't allow you to edit the `AWSServiceRoleForSecurityHubV2` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role by using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

### Deleting a service-linked role for AWS Security Hub V2
<a name="delete-slr-v2"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete the role. That way, you don't have an unused entity that isn't actively monitored or maintained.

When you disable Security Hub, Security Hub doesn't automatically delete the `AWSServiceRoleForSecurityHubV2` service-linked role for you. If you enable Security Hub again, the service can then start using the existing service-linked role again. If you no longer need to use Security Hub, you can manually delete the service-linked role.

**Important**  
Before you delete the `AWSServiceRoleForSecurityHubV2` service-linked role, you must first disable Security Hub in all the Regions where it's enabled. For more information, see [Disabling Security Hub CSPM](securityhub-disable.md). If Security Hub isn't disabled when you try to delete the service-linked role, the deletion fails.

To delete the `AWSServiceRoleForSecurityHubV2` service-linked role, you can use the IAM console, the IAM CLI, or the IAM API. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

# AWS managed policies for Security Hub
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.



## AWS managed policy: AWSSecurityHubFullAccess
<a name="security-iam-awsmanpol-awssecurityhubfullaccess"></a>

You can attach the `AWSSecurityHubFullAccess` policy to your IAM identities.

This policy grants administrative permissions that allow a principal full access to all Security Hub CSPM actions. This policy must be attached to a principal before they enable Security Hub CSPM manually for their account. For example, principals with these permissions can both view and update the status of findings. They can also configure custom insights, enable integrations, and enable and disable standards and controls. Principals for an administrator account can also manage member accounts.

**Permissions details**

This policy includes the following permissions:
+ `securityhub` – Allows principals full access to all Security Hub CSPM actions.
+ `guardduty` – Allows principals to perform full lifecycle management of a detector, organization admin management, member account management, and organization-wide configuration in Amazon GuardDuty. This includes API actions: GetDetector, ListDetectors, CreateDetector, UpdateDetector, DeleteDetector, EnableOrganizationAdminAccount, ListOrganizationAdminAccounts, CreateMembers, UpdateOrganizationConfiguration, DescribeOrganizationConfiguration.
+ `iam` – Allows principals to create a service-linked role for Security Hub CSPM and Security Hub and to get roles, policies, and policy versions.
+ `inspector` – Allows principals to get information about account status, enable or disable, delegate admin management, and perform organization configuration management in Amazon Inspector. This includes API actions: BatchGetAccountStatus, Enable, Disable, EnableDelegatedAdminAccount, DisableDelegatedAdminAccount, ListDelegatedAdminAccounts, UpdateOrganizationConfiguration, DescribeOrganizationConfiguration.
+ `pricing` – Allows principals to get a price list of AWS services and products.
+ `account` – Allows principals to get information about account Regions to support Region management in Security Hub.

To review the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubFullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubFullAccess.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSecurityHubReadOnlyAccess
<a name="security-iam-awsmanpol-awssecurityhubreadonlyaccess"></a>

You can attach the `AWSSecurityHubReadOnlyAccess` policy to your IAM identities.

This policy grants read-only permissions that allow users to view information in Security Hub CSPM. Principals with this policy attached cannot make any updates in Security Hub CSPM. For example, principals with these permissions can view the list of findings associated with their account, but cannot change the status of a finding. They can view the results of insights, but cannot create or configure custom insights. They cannot configure controls or product integrations.

**Permissions details**

This policy includes the following permissions:
+ `securityhub` – Allows users to perform actions that return a list of items or details about an item. This includes API operations that start with `Get`, `List`, or `Describe`.

To review the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubReadOnlyAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSecurityHubOrganizationsAccess
<a name="security-iam-awsmanpol-awssecurityhuborganizationsaccess"></a>

You can attach the `AWSSecurityHubOrganizationsAccess` policy to your IAM identities.

This policy grants administrative permissions to enable and manage Security Hub, Security Hub CSPM, Amazon GuardDuty and Amazon Inspector for an organization in AWS Organizations. The permissions for this policy allow the organization management account to designate the delegated administrator account for Security Hub, Security Hub CSPM, Amazon GuardDuty and Amazon Inspector. They also allow the delegated administrator account to enable organization accounts as member accounts.

This policy only provides permissions for AWS Organizations. The organization management account and delegated administrator account also require permissions for associated actions. These permissions can be granted using the `AWSSecurityHubFullAccess` managed policy.

Creating or updating a delegated administrator policy in a management account requires additional permissions that are not provided in this policy. To perform these actions, it is recommended to add permissions for `organizations:PutResourcePolicy` or to attach the AWSOrganizationsFullAccess policy.

**Permissions details**

This policy includes the following permissions:
+ `organizations:ListAccounts` – Allows principals to retrieve the list of accounts that are part of an organization.
+ `organizations:DescribeOrganization` – Allows principals to retrieve information about the organization.
+ `organizations:ListRoots` – Allows principals to list the root of an organization.
+ `organizations:ListDelegatedAdministrators` – Allows principals to list the delegated administrators of an organization.
+ `organizations:ListAWSServiceAccessForOrganization` – Allows principals to list the AWS services that an organization uses.
+ `organizations:ListOrganizationalUnitsForParent` – Allows principals to list the child organizational units (OUs) of a parent OU.
+ `organizations:ListAccountsForParent` – Allows principals to list the child accounts of a parent OU.
+ `organizations:ListParents` – Allows principals to list the root or OUs that serve as the immediate parent of a specified child OU or account.
+ `organizations:DescribeAccount` – Allows principals to retrieve information about an account in the organization.
+ `organizations:DescribeOrganizationalUnit` – Allows principals to retrieve information about an OU in the organization.
+ `organizations:ListPolicies` – Allows principals to retrieve the list of all policies of a specified type in an organization.
+ `organizations:ListPoliciesForTarget` – Allows principals to list the policies that are directly attached to a specified root, OU, or account.
+ `organizations:ListTargetsForPolicy` – Allows principals to list all the roots, OUs, and accounts that a specified policy is attached to.
+ `organizations:EnableAWSServiceAccess` – Allows principals to enable the integration with Organizations.
+ `organizations:RegisterDelegatedAdministrator` – Allows principals to designate the delegated administrator account.
+ `organizations:DeregisterDelegatedAdministrator` – Allows principals to remove the delegated administrator account.
+ `organizations:DescribePolicy` – Allows principals to retrieve information about a policy.
+ `organizations:DescribeEffectivePolicy` – Allows principals to retrieve the contents of the effective policy of a specified type for an account.
+ `organizations:CreatePolicy` – Allows principals to create a policy of a specified type that can be attached to a root, an OU, or an individual AWS account.
+ `organizations:UpdatePolicy` – Allows principals to update an existing policy with a new name, description, or content.
+ `organizations:DeletePolicy` – Allows principals to delete a specified policy from the organization.
+ `organizations:AttachPolicy` – Allows principals to attach a policy to a root, an OU, or an individual account.
+ `organizations:DetachPolicy` – Allows principals to detach a policy from a root, an OU, or an account.
+ `organizations:EnablePolicyType` – Allows principals to enable a policy type in a root.
+ `organizations:DisablePolicyType` – Allows principals to disable a policy type in a root.
+ `organizations:TagResource` – Allows principals to add one or more tags to a specified resource.
+ `organizations:UntagResource` – Allows principals to remove tags with specified keys from a specified resource.
+ `organizations:ListTagsForResource` – Allows principals to list the tags attached to a specified resource.
+ `organizations:DescribeResourcePolicy` – Allows principals to retrieve information about a resource policy.

To review the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubOrganizationsAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubOrganizationsAccess.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSecurityHubServiceRolePolicy
<a name="security-iam-awsmanpol-awssecurityhubservicerolepolicy"></a>

You can't attach `AWSSecurityHubServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Security Hub CSPM to perform actions on your behalf. For more information, see [Service-linked roles for AWS Security Hub CSPM](using-service-linked-roles.md).

This policy grants administrative permissions that allow the service-linked role to perform tasks such as running security checks for Security Hub CSPM controls.

**Permissions details**

This policy includes the following permissions:
+ `cloudtrail` – Retrieve information about CloudTrail trails.
+ `cloudwatch` – Retrieve current CloudWatch alarms.
+ `logs` – Retrieve metric filters for CloudWatch logs.
+ `sns` – Retrieve the list of subscriptions to an SNS topic.
+ `config` – Retrieve information about configuration recorders, resources, and AWS Config rules. Also allows the service-linked role to create and delete AWS Config rules, and to run evaluations against the rules.
+ `iam` – Retrieve and generate credential reports for accounts.
+ `organizations` – Retrieve account and organizational unit (OU) information for an organization.
+ `securityhub` – Retrieve information about how the Security Hub CSPM service, standards, and controls are configured.
+ `tag` – Retrieve information about resource tags.

To review the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubServiceRolePolicy.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubServiceRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AWS managed policy: AWSSecurityHubV2ServiceRolePolicy
<a name="security-iam-awsmanpol-awssecurityhubv2servicerolepolicy"></a>

**Note**  
 Security Hub is in preview release and subject to change. 

This policy allows Security Hub to manage AWS Config rules and Security Hub resources for your organization on your behalf. It is attached to a service-linked role that allows the service to perform those actions; you can't attach this policy to your IAM identities. For more information, see [Service-linked roles for AWS Security Hub CSPM](using-service-linked-roles.md).

**Permissions details**

This policy includes the following permissions:
+ `cloudwatch` – Retrieve metrics data to support metering capabilities for Security Hub resources.
+ `config` – Manage service-linked configuration recorders for Security Hub resources, including support for global Config recorders.
+ `ecr` – Retrieve information about Amazon Elastic Container Registry images and repositories to support metering capabilities.
+ `iam` – Create the service-linked role for AWS Config and retrieve account information to support metering capabilities.
+ `lambda` – Retrieve AWS Lambda function information to support metering capabilities.
+ `organizations` – Retrieve account and organizational unit (OU) information for an organization.
+ `securityhub` – Manage the Security Hub configuration.
+ `tag` – Retrieve information about resource tags.

To review the permissions for this policy, see [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubV2ServiceRolePolicy.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubV2ServiceRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## Security Hub updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

The following table provides details about updates to AWS managed policies for AWS Security Hub and Security Hub CSPM since this service began tracking these changes. For automatic alerts about updates to the policies, subscribe to the RSS feed on the [Security Hub document history](doc-history.md) page.

| Change | Description | Date |
| --- | --- | --- |
| [AWSSecurityHubOrganizationsAccess](#security-iam-awsmanpol-awssecurityhuborganizationsaccess) – Updated policy | Security Hub updated the policy to add permissions to describe resource policies to support Security Hub features. Security Hub is in preview release and subject to change. | November 12, 2025 |
| [AWSSecurityHubFullAccess](#security-iam-awsmanpol-awssecurityhubfullaccess) – Updated policy | Security Hub updated the policy to add capabilities around managing GuardDuty, Amazon Inspector, and account management to support Security Hub features. Security Hub is in preview release and subject to change. | November 17, 2025 |
| [AWSSecurityHubV2ServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) – Updated policy | Security Hub updated the policy to add metering capabilities for Amazon Elastic Container Registry, AWS Lambda, Amazon CloudWatch, and AWS Identity and Access Management to support Security Hub features. The update also added support for global AWS Config recorders. Security Hub is in preview release and subject to change. | November 5, 2025 |
| [AWSSecurityHubOrganizationsAccess](#security-iam-awsmanpol-awssecurityhuborganizationsaccess) – Update to an existing policy | Security Hub added new permissions to the policy. The permissions allow the organization management account to enable and manage Security Hub and Security Hub CSPM for an organization. | June 17, 2025 |
| [AWSSecurityHubFullAccess](#security-iam-awsmanpol-awssecurityhubfullaccess) – Update to an existing policy | Security Hub CSPM added new permissions that allow principals to create a service-linked role for Security Hub. | June 17, 2025 |
| [AWSSecurityHubFullAccess](#security-iam-awsmanpol-awssecurityhubfullaccess) – Update to an existing policy | Security Hub CSPM updated the policy to get pricing details for AWS services and products. | April 24, 2024 |
| [AWSSecurityHubReadOnlyAccess](#security-iam-awsmanpol-awssecurityhubreadonlyaccess) – Update to an existing policy | Security Hub CSPM updated this managed policy by adding a Sid field. | February 22, 2024 |
| [AWSSecurityHubFullAccess](#security-iam-awsmanpol-awssecurityhubfullaccess) – Update to an existing policy | Security Hub CSPM updated the policy so it can determine whether Amazon GuardDuty and Amazon Inspector are enabled in an account. This helps customers bring together security-related information from multiple AWS services. | November 16, 2023 |
| [AWSSecurityHubOrganizationsAccess](#security-iam-awsmanpol-awssecurityhuborganizationsaccess) – Update to an existing policy | Security Hub CSPM updated the policy to grant additional permissions that allow read-only access to AWS Organizations delegated administrator functionality. This includes details such as the root, organizational units (OUs), accounts, organizational structure, and service access. | November 16, 2023 |
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy | Security Hub CSPM added the BatchGetSecurityControls, DisassociateFromAdministratorAccount, and UpdateSecurityControl permissions to read and update customizable security control properties. | November 26, 2023 |
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy | Security Hub CSPM added the tag:GetResources permission to read resource tags related to findings. | November 7, 2023 |
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy | Security Hub CSPM added the BatchGetStandardsControlAssociations permission to get information about the enablement status of a control in a standard. | September 27, 2023 |
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy | Security Hub CSPM added new permissions to get AWS Organizations data and to read and update Security Hub CSPM configurations, including standards and controls. | September 20, 2023 |
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy | Security Hub CSPM moved the existing config:DescribeConfigRuleEvaluationStatus permission to a different statement within the policy. The config:DescribeConfigRuleEvaluationStatus permission is now applied to all resources. | March 17, 2023 |
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy | Security Hub CSPM moved the existing config:PutEvaluations permission to a different statement within the policy. The config:PutEvaluations permission is now applied to all resources. | July 14, 2021 |
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy | Security Hub CSPM added a new permission to allow the service-linked role to deliver evaluation results to AWS Config. | June 29, 2021 |
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Added to the list of managed policies | Added information about the managed policy AWSSecurityHubServiceRolePolicy, which is used by the Security Hub CSPM service-linked role. | June 11, 2021 |
| [AWSSecurityHubOrganizationsAccess](#security-iam-awsmanpol-awssecurityhuborganizationsaccess) – New policy | Security Hub CSPM added a new policy that grants the permissions needed for the Security Hub CSPM integration with Organizations. | March 15, 2021 |
| Security Hub CSPM started tracking changes | Security Hub CSPM started tracking changes for its AWS managed policies. | March 15, 2021 |

# Troubleshooting AWS Security Hub CSPM identity and access
<a name="security_iam_troubleshoot"></a>

Use the following information to help you diagnose and fix common issues that you might encounter when working with AWS Security Hub CSPM and IAM.

**Topics**
+ [I am not authorized to perform an action in Security Hub CSPM](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want programmatic access to Security Hub CSPM](#security_iam_troubleshoot-access-keys)
+ [I'm an administrator and want to allow others to access Security Hub CSPM](#security_iam_troubleshoot-admin-delegate)
+ [I want to allow people outside my AWS account to access my Security Hub CSPM resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in Security Hub CSPM
<a name="security_iam_troubleshoot-no-permissions"></a>

If the AWS Management Console tells you that you're not authorized to perform an action, contact your administrator for assistance. Your administrator is the person who provided you with your sign-in credentials.

The following example error occurs when the user `mateojackson` tries to use the console to view details about a *widget* but does not have `securityhub:GetWidget` permissions.

```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: securityhub:GetWidget on resource: my-example-widget
```

In this case, Mateo asks his administrator to update his policies to allow him to access the `my-example-widget` resource using the `securityhub:GetWidget` action.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Security Hub.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Security Hub. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I want programmatic access to Security Hub CSPM
<a name="security_iam_troubleshoot-access-keys"></a>

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.



| Which user needs programmatic access? | To | By |
| --- | --- | --- |
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/securityhub/latest/userguide/security_iam_troubleshoot.html) |
| Workforce identity (Users managed in IAM Identity Center) | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/securityhub/latest/userguide/security_iam_troubleshoot.html) |
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the *IAM User Guide*. |
| IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/securityhub/latest/userguide/security_iam_troubleshoot.html) |

## I'm an administrator and want to allow others to access Security Hub CSPM
<a name="security_iam_troubleshoot-admin-delegate"></a>

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## I want to allow people outside my AWS account to access my Security Hub CSPM resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Security Hub supports these features, see [How Security Hub works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Compliance validation for AWS Security Hub CSPM
<a name="securityhub-compliance"></a>

To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/).

# Resilience in AWS Security Hub
<a name="disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. Regions provide multiple physically separated and isolated Availability Zones, which are connected through low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

# Infrastructure security in AWS Security Hub CSPM
<a name="infrastructure-security"></a>

As a managed service, AWS Security Hub CSPM is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in the *Security Pillar, AWS Well-Architected Framework*.

You use AWS-published API calls to access Security Hub CSPM through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS), such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems, such as Java 7 and later, support these modes.
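The two client requirements above (a TLS 1.2 floor and PFS-only cipher suites) expressed as a Python `ssl` client context, plus a check that reports any enabled suite without an ephemeral key exchange. This is an added example, not code from the Security Hub documentation; it assumes an OpenSSL-backed CPython 3.7 or later and reads the `Kx=` field of OpenSSL's one-line cipher description.

```python
"""Build a TLS client context that meets the requirements above (TLS 1.2
minimum, PFS-only cipher suites) and check any context against them.
Added example; assumes an OpenSSL-backed CPython 3.7 or later."""
import ssl

# OpenSSL "Kx=" values that denote an ephemeral key exchange. TLS 1.3 suites
# report "any" because every TLS 1.3 key exchange is ephemeral (EC)DHE.
PFS_KEY_EXCHANGE = {"ECDH", "DH", "any"}


def build_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 floor, ECDHE/DHE suites only, default cert checks."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers governs TLS 1.2 and below; TLS 1.3 suites stay enabled.
    # !aNULL drops anonymous (unauthenticated) DH, !PSK drops pre-shared-key suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!PSK")
    return ctx


def key_exchange(cipher: dict) -> str:
    """Return the key-exchange algorithm from one entry of ctx.get_ciphers().

    The 'description' field is OpenSSL's stable one-line summary, e.g.
    'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'.
    """
    for token in cipher["description"].split():
        if token.startswith("Kx="):
            return token[len("Kx="):]
    return "unknown"


def non_pfs_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites whose key exchange is not ephemeral (e.g. Kx=RSA)."""
    return [c["name"] for c in ctx.get_ciphers()
            if key_exchange(c) not in PFS_KEY_EXCHANGE]


def meets_requirements(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses TLS below 1.2 and offers only PFS suites."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and not non_pfs_ciphers(ctx))


def weak_client_context() -> ssl.SSLContext:
    """Contrast case: enables a static-RSA key exchange suite, which has no PFS."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")
    return ctx


if __name__ == "__main__":
    good, weak = build_client_context(), weak_client_context()
    print("hardened context meets requirements:", meets_requirements(good))
    print("weak context non-PFS suites:", non_pfs_ciphers(weak))
```

Pass the hardened context to any `ssl.wrap`-style client (for example `urllib.request` or `http.client`) that will talk to the Security Hub CSPM endpoint.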

# AWS Security Hub CSPM and interface VPC endpoints (AWS PrivateLink)
<a name="security-vpc-endpoints"></a>

You can establish a private connection between your VPC and AWS Security Hub CSPM by creating an *interface VPC endpoint*. Interface endpoints are powered by [AWS PrivateLink](https://aws.amazon.com/privatelink), a technology that enables you to privately access Security Hub CSPM APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Security Hub CSPM APIs. Traffic between your VPC and Security Hub CSPM does not leave the Amazon network. 

Each interface endpoint is represented by one or more [Elastic Network Interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) in your subnets. For more information, see [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) in the *Amazon Virtual Private Cloud Guide*. 

## Considerations for Security Hub CSPM VPC endpoints
<a name="vpc-endpoint-considerations"></a>

Before you set up an interface VPC endpoint for Security Hub CSPM, ensure that you review the prerequisites and other information in the [Amazon Virtual Private Cloud Guide](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html). 

Security Hub CSPM supports making calls to all of its API actions from your VPC. 

## Creating an interface VPC endpoint for Security Hub CSPM
<a name="vpc-endpoint-create"></a>

You can create a VPC endpoint for the Security Hub CSPM service using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see [Create a VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint) in the *Amazon Virtual Private Cloud Guide*.

Create a VPC endpoint for Security Hub CSPM using the following service name:

`com.amazonaws.region.securityhub` 

Where *region* is the Region code for the applicable AWS Region.

If you enable private DNS for the endpoint, you can make API requests to Security Hub CSPM using its default DNS name for the Region, for example, `securityhub.us-east-1.amazonaws.com` for the US East (N. Virginia) Region. 

## Creating a VPC endpoint policy for Security Hub CSPM
<a name="vpc-endpoint-policy"></a>

You can attach an endpoint policy to your VPC endpoint that controls access to Security Hub CSPM. The policy specifies the following information:
+ The principal that can perform actions.
+ The actions that can be performed.
+ The resources on which actions can be performed.

For more information, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *Amazon Virtual Private Cloud Guide*. 

**Example: VPC endpoint policy for Security Hub CSPM actions**  
The following is an example of an endpoint policy for Security Hub CSPM. When attached to an endpoint, this policy grants access to the listed Security Hub CSPM actions for all principals on all resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "securityhub:GetFindings",
        "securityhub:GetEnabledStandards",
        "securityhub:GetInsights"
      ],
      "Resource": "*"
    }
  ]
}
```
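Two policies on this page are deliberately minimal: the endpoint policy above opens the listed actions to every principal, and the `iam:PassRole` fix earlier only says that Mary's policy "must be updated". The added example below (not from the Security Hub documentation) holds both policies as Python dictionaries next to a tightened form of each, and a small linter that flags the open patterns: a `*` principal with no `aws:PrincipalOrgID`/`aws:PrincipalAccount`/`aws:PrincipalArn` condition, and `iam:PassRole` without an `iam:PassedToService` condition or on `Resource: "*"`. The organization ID `o-exampleorgid` and the role `SecurityHubExampleRole` are placeholders.

```python
# Lint IAM-style policy documents for two over-broad patterns from this page:
# iam:PassRole that any service could satisfy, and an endpoint statement open to
# every AWS principal. Added example; all policy values below are constructed.

# Global condition keys that pin a "*" principal to a trusted population.
PRINCIPAL_SCOPING_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn"}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Flatten {"StringEquals": {"aws:PrincipalOrgID": ...}} into its key names."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block)
    return keys


def overly_broad_statements(policy):
    """Return one message per Allow statement that matches a risky pattern."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{index}]")
        # IAM action names are matched case-insensitively, so lower-case them.
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = _as_list(stmt.get("Resource"))
        cond_keys = _condition_keys(stmt)

        # Pattern 1: PassRole usable with any role or by any service.
        if actions & {"iam:passrole", "iam:*", "*"}:
            if "*" in resources:
                findings.append(f"{label}: iam:PassRole allowed on Resource '*'")
            if "iam:PassedToService" not in cond_keys:
                findings.append(f"{label}: iam:PassRole not limited by iam:PassedToService")

        # Pattern 2: open to every AWS principal with no scoping condition.
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            if not cond_keys & PRINCIPAL_SCOPING_KEYS:
                findings.append(f"{label}: Principal '*' without a principal-scoping condition")
    return findings


# Constructed copy of the endpoint policy shown above: any principal may call.
OPEN_ENDPOINT_POLICY = {
    "Statement": [{
        "Principal": "*", "Effect": "Allow", "Resource": "*",
        "Action": ["securityhub:getFindings", "securityhub:getEnabledStandards",
                   "securityhub:getInsights"]}]}

# Same grants, limited to principals in one organization (placeholder org ID).
HARDENED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgPrincipalsReadSecurityHub",
        "Effect": "Allow", "Principal": "*", "Resource": "*",
        "Action": ["securityhub:GetFindings", "securityhub:GetEnabledStandards",
                   "securityhub:GetInsights"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

# Fix for the iam:PassRole error above: one hypothetical role, passed only to Security Hub.
SCOPED_PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PassRoleOnlyToSecurityHub",
        "Effect": "Allow", "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::123456789012:role/SecurityHubExampleRole",
        "Condition": {"StringEquals": {"iam:PassedToService": "securityhub.amazonaws.com"}}}]}

if __name__ == "__main__":
    for name, doc in (("open endpoint", OPEN_ENDPOINT_POLICY), ("hardened endpoint", HARDENED_ENDPOINT_POLICY),
                      ("scoped PassRole", SCOPED_PASSROLE_POLICY)):
        print(name, "->", overly_broad_statements(doc) or "no findings")
```

An endpoint policy does not replace the callers' IAM policies; both are evaluated, so the scoping condition limits who can reach Security Hub CSPM through the endpoint while IAM still decides what each identity may do.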

## Shared subnets
<a name="sh-vpc-endpoint-shared-subnets"></a>

You can't create, describe, modify, or delete VPC endpoints in subnets that are shared with you. However, you can use the VPC endpoints in subnets that are shared with you. For information about VPC sharing, see [Share your VPC subnets with other accounts](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html) in the *Amazon Virtual Private Cloud Guide*.