AWS Security ChangesHomeSearch

AWS organizations documentation change

Service: organizations · 2025-06-19 · Documentation low

File: organizations/latest/userguide/orgs_policies_detach.md

Summary

Added documentation for detaching Security Hub policies with console procedures

Security assessment

Documents management of Security Hub policies which are security-related features, but does not address any specific vulnerability or security incident. The change adds operational guidance for existing security controls.

Diff

diff --git a/organizations/latest/userguide/orgs_policies_detach.md b/organizations/latest/userguide/orgs_policies_detach.md
index 4fe024686..2b4daef36 100644
--- a//organizations/latest/userguide/orgs_policies_detach.md
+++ b//organizations/latest/userguide/orgs_policies_detach.md
@@ -297,0 +298,37 @@ The list of attached AI services opt-out policies is updated. The policy change
+Security Hub policies
+    
+
+You can detach a Security Hub policy by either navigating to the policy or to the root, OU, or account that you want to detach the policy from.
+
+###### To detach a Security Hub policy by navigating to the root, OU, or account it's attached to
+
+  1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.
+
+  2. On the **[AWS accounts](https://console.aws.amazon.com/organizations/v2/home/accounts)** page navigate to the Root, OU, or account that you want to detach a policy from. You might have to expand OUs (choose the  ![Gray cloud icon representing cloud computing or storage services.](/images/organizations/latest/userguide/images/console-expand.png) ) to find the OU or account that you want. Choose the name of the Root, OU, or account.
+
+  3. On the **Policies** tab, choose the radio button next to the Security Hub policy that you want to detach, and then choose **Detach**. 
+
+  4. In the confirmation dialog box, choose **Detach policy**.
+
+The list of attached Security Hub policies is updated. The policy change takes effect immediately.
+
+
+
+
+###### To detach a Security Hub policy by navigating to the policy
+
+  1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.
+
+  2. On the **[Security Hub policies](https://console.aws.amazon.com/organizations/v2/home/policies/securityhub-policy)** page, choose the name of the policy that you want to detach from a root, OU, or account.
+
+  3. On the **Targets** tab, choose the radio button next to the root, OU, or account that you want to detach the policy from. You might have to expand OUs (choose the  ![Gray cloud icon representing cloud computing or storage services.](/images/organizations/latest/userguide/images/console-expand.png) ) to find the OU or account that you want.
+
+  4. Choose **Detach**.
+
+  5. In the confirmation dialog box, choose **Detach**.
+
+The list of attached Security Hub policies is updated. The policy change takes effect immediately.
+
+
+
+