AWS Security ChangesHomeSearch

AWS organizations documentation change

Service: organizations · 2025-06-19 · Documentation medium

File: organizations/latest/userguide/orgs_policies_create.md

Summary

Added documentation for creating Security Hub policies including console/CLI instructions and example policies

Security assessment

The change introduces documentation for Security Hub policies which are security-focused controls, but does not indicate remediation of a specific vulnerability. Security Hub is a security service, so documenting its policy management adds security-related guidance.

Diff

diff --git a/organizations/latest/userguide/orgs_policies_create.md b/organizations/latest/userguide/orgs_policies_create.md
index dfaaac5ca..73ce21eb0 100644
--- a//organizations/latest/userguide/orgs_policies_create.md
+++ b//organizations/latest/userguide/orgs_policies_create.md
@@ -5 +5 @@
-Create a service control policy (SCP)Create a resource control policy (RCP)Create a declarative policyCreate a backup policyCreate a tag policyCreate a chat applications policyCreate an AI services opt-out policy
+Create a service control policy (SCP)Create a resource control policy (RCP)Create a declarative policyCreate a backup policyCreate a tag policyCreate a chat applications policyCreate an AI services opt-out policyCreate a Security Hub policy
@@ -28,0 +29,2 @@ This topic describes how to create policies with AWS Organizations. A _policy_ d
+  * Create a Security Hub policy
+
@@ -931,0 +934,91 @@ This AI services opt-out policy specifies that all accounts affected by the poli
+## Create a Security Hub policy
+
+###### Minimum permissions
+
+To create a Security Hub policy, you need permission to run the following action:
+
+  * `organizations:CreatePolicy`
+
+
+
+
+AWS Management Console
+    
+
+###### To create a Security Hub policy
+
+  1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.
+
+  2. On the **[Security Hub policies](https://console.aws.amazon.com/organizations/v2/home/policies/securityhub-policy)** page, choose **Create policy**. 
+
+  3. On the [**Create new Security Hub policy** page](https://console.aws.amazon.com/organizations/v2/home/policies/securityhub-policy/create), enter a **Policy name** and an optional **Policy description**.
+
+  4. (Optional) You can add one or more tags to the policy by choosing **Add tag** and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't `null`. You can attach up to 50 tags to a policy. For more information, see [Tagging AWS Organizations resources](./orgs_tagging.html).
+
+  5. Enter or paste the policy text in the JSON code box. For information about the Security Hub policy syntax, see [Security Hub policy syntax and examples](./orgs_manage_policies_security_hub_syntax.html). For example policies that you can use as a starting point, see [Security Hub policy examples](./orgs_manage_policies_security_hub_syntax.html#security-hub-policy-examples).
+
+  6. When you're finished editing your policy, choose **Create policy** at the lower-right corner of the page.
+
+
+
+
+AWS CLI & AWS SDKs
+    
+
+###### To create an Security Hub policy
+
+You can use one of the following to create a Security Hub policy:
+
+  * AWS CLI: [create-policy](https://docs.aws.amazon.com/cli/latest/reference/organizations/create-policy.html)
+
+**Example: Create a policy that enables Security Hub in all supported Regions**
+
+The following example assumes that you have a file named `testPolicy_enableAllSupportedRegions.json` with the JSON policy text in it. It uses that file to create a new Security Hub policy.
+    
+        $ **aws organizations create-policy \
+        --content file://./testPolicy_enableAllSupportedRegions.json \
+        --name "testPolicy_enableAllSupportedRegions" \
+        --description "Test policy to enable securityhub in ALL_SUPPORTED Regions" \
+        --type SECURITYHUB_POLICY**
+    {
+        "Policy": {
+            "PolicySummary": {
+                "Id": "p-66ev7hgcvj",
+                "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/securityhub_policy/p-66ev7hgcvj",
+                "Name": "testPolicy_enableAllSupportedRegions",
+                "Description": "Test policy to enable securityhub in ALL_SUPPORTED Regions",
+                "Type": "SECURITYHUB_POLICY",
+                "AwsManaged": false
+            },
+            "Content": "{\n  \"securityhub\": {\n    \"enable_in_regions\": {\n      \"@@assign\":[\n        \"ALL_SUPPORTED\"\n      ]\n    },\n    \"disable_in_regions\": {\n      \"@@assign\":[]\n    }\n  }\n}\n"
+        }
+    }
+
+**Example: Create a policy that enables Security Hub in all supported Regions but disable in the us-east-1 Region**
+
+The following example assumes that you have a file named `testPolicy_enableAllSupportedRegions_Disable_us-east-1.json` with the JSON policy text in it. It uses that file to create a new Security Hub policy.
+    
+        $ **aws organizations create-policy \
+        --content file://./testPolicy_enableAllSupportedRegions_Disable_us-east-1.json \
+        --name "testPolicy_enableAllSupportedRegions_Disable_us-east-1" \
+        --description "Test policy to enable securityhub in ALL_SUPPORTED Regions but disable in us-east-1 Region" \
+        --type SECURITYHUB_POLICY**
+    {
+        "Policy": {
+            "PolicySummary": {
+                "Id": "p-66217dwpos",
+                "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/securityhub_policy/p-66217dwpos",
+                "Name": "testPolicy_enableAllSupportedRegions_Disable_us-east-1",
+                "Description": "Test policy to enable securityhub in ALL_SUPPORTED Regions but disable in us-east-1 Region",
+                "Type": "SECURITYHUB_POLICY",
+                "AwsManaged": false
+            },
+            "Content": "{\n  \"securityhub\": {\n    \"enable_in_regions\": {\n      \"@@assign\":[\n        \"ALL_SUPPORTED\"\n      ]\n    },\n    \"disable_in_regions\": {\n      \"@@assign\":[\n        \"us-east-1\"\n      ]\n    }\n  }\n}\n"
+        }
+    }
+
+  * AWS SDKs: [CreatePolicy](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreatePolicy.html)
+
+
+
+