AWS organizations documentation change
Summary
Added documentation for creating Security Hub policies including console/CLI instructions and example policies
Security assessment
The change introduces documentation for Security Hub policies which are security-focused controls, but does not indicate remediation of a specific vulnerability. Security Hub is a security service, so documenting its policy management adds security-related guidance.
Diff
diff --git a/organizations/latest/userguide/orgs_policies_create.md b/organizations/latest/userguide/orgs_policies_create.md index dfaaac5ca..73ce21eb0 100644 --- a//organizations/latest/userguide/orgs_policies_create.md +++ b//organizations/latest/userguide/orgs_policies_create.md @@ -5 +5 @@ -Create a service control policy (SCP)Create a resource control policy (RCP)Create a declarative policyCreate a backup policyCreate a tag policyCreate a chat applications policyCreate an AI services opt-out policy +Create a service control policy (SCP)Create a resource control policy (RCP)Create a declarative policyCreate a backup policyCreate a tag policyCreate a chat applications policyCreate an AI services opt-out policyCreate a Security Hub policy @@ -28,0 +29,2 @@ This topic describes how to create policies with AWS Organizations. A _policy_ d + * Create a Security Hub policy + @@ -931,0 +934,91 @@ This AI services opt-out policy specifies that all accounts affected by the poli +## Create a Security Hub policy + +###### Minimum permissions + +To create a Security Hub policy, you need permission to run the following action: + + * `organizations:CreatePolicy` + + + + +AWS Management Console + + +###### To create a Security Hub policy + + 1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account. + + 2. On the **[Security Hub policies](https://console.aws.amazon.com/organizations/v2/home/policies/securityhub-policy)** page, choose **Create policy**. + + 3. On the [**Create new Security Hub policy** page](https://console.aws.amazon.com/organizations/v2/home/policies/securityhub-policy/create), enter a **Policy name** and an optional **Policy description**. + + 4. (Optional) You can add one or more tags to the policy by choosing **Add tag** and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't `null`. You can attach up to 50 tags to a policy. For more information, see [Tagging AWS Organizations resources](./orgs_tagging.html). + + 5. Enter or paste the policy text in the JSON code box. For information about the Security Hub policy syntax, see [Security Hub policy syntax and examples](./orgs_manage_policies_security_hub_syntax.html). For example policies that you can use as a starting point, see [Security Hub policy examples](./orgs_manage_policies_security_hub_syntax.html#security-hub-policy-examples). + + 6. When you're finished editing your policy, choose **Create policy** at the lower-right corner of the page. + + + + +AWS CLI & AWS SDKs + + +###### To create an Security Hub policy + +You can use one of the following to create a Security Hub policy: + + * AWS CLI: [create-policy](https://docs.aws.amazon.com/cli/latest/reference/organizations/create-policy.html) + +**Example: Create a policy that enables Security Hub in all supported Regions** + +The following example assumes that you have a file named `testPolicy_enableAllSupportedRegions.json` with the JSON policy text in it. It uses that file to create a new Security Hub policy. + + $ **aws organizations create-policy \ + --content file://./testPolicy_enableAllSupportedRegions.json \ + --name "testPolicy_enableAllSupportedRegions" \ + --description "Test policy to enable securityhub in ALL_SUPPORTED Regions" \ + --type SECURITYHUB_POLICY** + { + "Policy": { + "PolicySummary": { + "Id": "p-66ev7hgcvj", + "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/securityhub_policy/p-66ev7hgcvj", + "Name": "testPolicy_enableAllSupportedRegions", + "Description": "Test policy to enable securityhub in ALL_SUPPORTED Regions", + "Type": "SECURITYHUB_POLICY", + "AwsManaged": false + }, + "Content": "{\n \"securityhub\": {\n \"enable_in_regions\": {\n \"@@assign\":[\n \"ALL_SUPPORTED\"\n ]\n },\n \"disable_in_regions\": {\n \"@@assign\":[]\n }\n }\n}\n" + } + } + +**Example: Create a policy that enables Security Hub in all supported Regions but disable in the us-east-1 Region** + +The following example assumes that you have a file named `testPolicy_enableAllSupportedRegions_Disable_us-east-1.json` with the JSON policy text in it. It uses that file to create a new Security Hub policy. + + $ **aws organizations create-policy \ + --content file://./testPolicy_enableAllSupportedRegions_Disable_us-east-1.json \ + --name "testPolicy_enableAllSupportedRegions_Disable_us-east-1" \ + --description "Test policy to enable securityhub in ALL_SUPPORTED Regions but disable in us-east-1 Region" \ + --type SECURITYHUB_POLICY** + { + "Policy": { + "PolicySummary": { + "Id": "p-66217dwpos", + "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/securityhub_policy/p-66217dwpos", + "Name": "testPolicy_enableAllSupportedRegions_Disable_us-east-1", + "Description": "Test policy to enable securityhub in ALL_SUPPORTED Regions but disable in us-east-1 Region", + "Type": "SECURITYHUB_POLICY", + "AwsManaged": false + }, + "Content": "{\n \"securityhub\": {\n \"enable_in_regions\": {\n \"@@assign\":[\n \"ALL_SUPPORTED\"\n ]\n },\n \"disable_in_regions\": {\n \"@@assign\":[\n \"us-east-1\"\n ]\n }\n }\n}\n" + } + } + + * AWS SDKs: [CreatePolicy](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreatePolicy.html) + + + +