AWS Security Hub (securityhub)

Additions

Actions

• BatchGetConfigurationPolicyAssociations
  
  • Description:  Grants permission to retrieve information about configuration policies associated with a specific list of member accounts and organizational units of the calling account's organization
  • Access:  Read
• CreateConfigurationPolicy
  
  • Description:  Grants permission to create a configuration policy to manage organization member settings in Security Hub
  • Access:  Write
  • Conditions: 

    aws:RequestTag/${TagKey}

    aws:TagKeys

• DeleteConfigurationPolicy
  
  • Description:  Grants permission to delete an existing configuration policy
  • Access:  Write
  • Resources: 

    Name: configuration-policy

    Required: Yes

• GetConfigurationPolicy
  
  • Description:  Grants permission to get a complete overview of one configuration policy created by the calling account
  • Access:  Read
  • Resources: 

    Name: configuration-policy

    Required: Yes

• GetConfigurationPolicyAssociation
  
  • Description:  Grants permission to retrieve information about a configuration policy associated with a member account or organizational unit of the calling account's organization
  • Access:  Read
• GetSecurityControlDefinition
  
  • Description:  Grants permission to get the definition details of a specific security control identified by ID
  • Access:  Read
  • Dependents: 

    securityhub:DescribeStandardsControls

• ListConfigurationPolicies
  
  • Description:  Grants permission to list the summaries of all configuration policies created by the calling account
  • Access:  List
• ListConfigurationPolicyAssociations
  
  • Description:  Grants permission to retrieve information about all configuration policies associationed with all member accounts and organizational units of the calling account's organization
  • Access:  List
• StartConfigurationPolicyAssociation
  
  • Description:  Grants permission to associate a configuration policy with a member account or organizational unit in the calling account's organization
  • Access:  Write
  • Resources: 

    Name: configuration-policy

    Required: No

• StartConfigurationPolicyDisassociation
  
  • Description:  Grants permission to remove a configuration policy association from a member account or organizational unit in the calling account's organization
  • Access:  Write
  • Resources: 

    Name: configuration-policy

    Required: No

• UpdateConfigurationPolicy
  
  • Description:  Grants permission to update an existing configuration policy
  • Access:  Write
  • Resources: 

    Name: configuration-policy

    Required: Yes

• UpdateSecurityControl
  
  • Description:  Grants permission to update properties of a specific security control identified by ID or ARN
  • Access:  Write
  • Dependents: 

    securityhub:UpdateStandardsControl

Resources

• configuration-policy
  
  • Arn:  arn:${Partition}:securityhub:${Region}:${Account}:configuration-policy/${ConfigurationPolicyId}

Updates

Actions

• ListTagsForResource
  
  Resources
  
  • ＋ configuration-policy
• TagResource
  
  Resources
  
  • ＋ configuration-policy
• UntagResource
  
  Resources
  
  • ＋ configuration-policy