AWS organizations documentation change
Summary
Added documentation for updating Security Hub policies including console steps, CLI examples, and required permissions
Security assessment
The change adds documentation for managing Security Hub policies which are inherently security-related, but there's no evidence of addressing a specific vulnerability. It documents existing security feature management.
Diff
diff --git a/organizations/latest/userguide/orgs_policies_update.md b/organizations/latest/userguide/orgs_policies_update.md index 86baf6e8d..f2fe6f243 100644 --- a//organizations/latest/userguide/orgs_policies_update.md +++ b//organizations/latest/userguide/orgs_policies_update.md @@ -5 +5 @@ -Update a service control policy (SCP)Update a resource control policy (RCP)Update a declarative policyUpdate a backup policyUpdate a tag policyUpdate a chat applications policyUpdate an AI services opt-out policy +Update a service control policy (SCP)Update a resource control policy (RCP)Update a declarative policyUpdate a backup policyUpdate a tag policyUpdate a chat applications policyUpdate an AI services opt-out policyUpdate a Security Hub policy @@ -28,0 +29,2 @@ This topic describes how to update policies with AWS Organizations. A _policy_ d + * Update a Security Hub policy + @@ -774,0 +777,81 @@ The following example changes the JSON policy document attached to an AI service +## Update a Security Hub policy + +###### Minimum permissions + +To update a Security Hub policy, you must have permission to run the following actions: + + * `organizations:UpdatePolicy` with a `Resource` element in the same policy statement that includes the ARN of the specified policy (or "*") + + * `organizations:DescribePolicy` with a `Resource` element in the same policy statement that includes the Amazon Resource Name (ARN) of the specified policy (or "*") + + + + +AWS Management Console + + +###### To update a Security Hub policy + + 1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account. + + 2. On the **[Security Hub policies](https://console.aws.amazon.com/organizations/v2/home/policies/securityhub-policy)** page, choose the name of the policy that you want to update. + + 3. On the policy's detail page, choose **Edit policy**. + + 4. You can enter a new **Policy name** , **Policy description** , or edit the **JSON** policy text. For information about Security Hub policy syntax, see [Security Hub policy syntax and examples](./orgs_manage_policies_security_hub_syntax.html). For example policies that you can use as a starting point, see [Security Hub policy examples](./orgs_manage_policies_security_hub_syntax.html#security-hub-policy-examples). + + 5. When you're finished updating the policy, choose **Save changes**. + + + + +AWS CLI & AWS SDKs + + +###### To update a policy + +You can use one of the following to update a policy: + + * AWS CLI: [update-policy](https://docs.aws.amazon.com/cli/latest/reference/organizations/update-policy.html) + +The following example renames a Security Hub policy. + + $ **aws organizations update-policy \ + --policy-id p-66ev7hgcvj \ + --name "Renamed policy"** + { + "Policy": { + "PolicySummary": { + "Id": "p-66ev7hgcvj", + "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/securityhub_policy/p-66ev7hgcvj", + "Name": "Renamed policy", + "Type": "SECURITYHUB_POLICY", + "AwsManaged": false + }, + "Content": "{\n \"securityhub\": {\n \"enable_in_regions\": {\n \"@@assign\":[\n \"ALL_SUPPORTED\"\n ]\n },\n \"disable_in_regions\": {\n \"@@assign\":[]\n }\n }\n}\n" + } + } + +The following example adds or changes the description for a Security Hub policy. + + $ **aws organizations update-policy \ + --policy-id p-66ev7hgcvj \ + --name "My new description"** + { + "Policy": { + "PolicySummary": { + "Id": "p-66ev7hgcvj", + "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/securityhub_policy/p-66ev7hgcvj", + "Name": "My new description", + "Type": "SECURITYHUB_POLICY", + "AwsManaged": false + }, + "Content": "{\n \"securityhub\": {\n \"enable_in_regions\": {\n \"@@assign\":[\n \"ALL_SUPPORTED\"\n ]\n },\n \"disable_in_regions\": {\n \"@@assign\":[]\n }\n }\n}\n" + } + } + + * AWS SDKs: [UpdatePolicy](https://docs.aws.amazon.com/organizations/latest/APIReference/API_UpdatePolicy.html) + + + +