AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-19 · Documentation high

File: securityhub/latest/userguide/security-iam-awsmanpol.md

Summary

Updated Security Hub managed policies documentation to reflect CSPM branding, added new AWSSecurityHubV2ServiceRolePolicy for preview Security Hub version, and updated policy change history

Security assessment

Changes primarily introduce documentation for Security Hub CSPM (Cloud Security Posture Management) features and a new service-linked role policy (AWSSecurityHubV2ServiceRolePolicy) that manages AWS Config rules and organizational security resources. While these updates clarify security-related permissions and features, there is no evidence of addressing a specific security vulnerability or incident.

Diff

diff --git a/securityhub/latest/userguide/security-iam-awsmanpol.md b/securityhub/latest/userguide/security-iam-awsmanpol.md
index 27e402fff..3a8ac254b 100644
--- a//securityhub/latest/userguide/security-iam-awsmanpol.md
+++ b//securityhub/latest/userguide/security-iam-awsmanpol.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[User Guide](what-is-securityhub.html)
+[Documentation](/index.html)[AWS Security Hub](/securityhub/index.html)[ User Guide ](what-is-security-hub-adv.html)
@@ -5 +5 @@
-AWSSecurityHubFullAccessAWSSecurityHubReadOnlyAccess AWSSecurityHubOrganizationsAccess AWSSecurityHubServiceRolePolicyPolicy updates
+AWSSecurityHubFullAccessAWSSecurityHubReadOnlyAccess AWSSecurityHubOrganizationsAccess AWSSecurityHubServiceRolePolicyAWSSecurityHubV2ServiceRolePolicyPolicy updates
@@ -7 +7 @@ AWSSecurityHubFullAccessAWSSecurityHubReadOnlyAccess AWSSecurityHubOrganizations
-# AWS managed policies for AWS Security Hub
+# AWS managed policies for Security Hub
@@ -21 +21 @@ You can attach the `AWSSecurityHubFullAccess` policy to your IAM identities.
-This policy grants administrative permissions that allow a principal full access to all Security Hub actions. This policy must be attached to a principal before they enable Security Hub manually for their account. For example, principals with these permissions can both view and update the status of findings. They can configure custom insights, and enable integrations. They can enable and disable standards and controls. Principals for an administrator account can also manage member accounts.
+This policy grants administrative permissions that allow a principal full access to all Security Hub CSPM actions. This policy must be attached to a principal before they enable Security Hub CSPM manually for their account. For example, principals with these permissions can both view and update the status of findings. They can configure custom insights, and enable integrations. They can enable and disable standards and controls. Principals for an administrator account can also manage member accounts.
@@ -27 +27 @@ This policy includes the following permissions.
-  * `securityhub` – Allows principals full access to all Security Hub actions.
+  * `securityhub` – Allows principals full access to all Security Hub CSPM actions.
@@ -31 +31 @@ This policy includes the following permissions.
-  * `iam` – Allows principals to create a service-linked role.
+  * `iam` – Allows principals to create a service-linked role for Security Hub CSPM and Security Hub.
@@ -57 +57,4 @@ This policy includes the following permissions.
-                        "iam:AWSServiceName": "securityhub.amazonaws.com"
+                        "iam:AWSServiceName": [
+                            "securityhub.amazonaws.com",
+                            "securityhubv2.amazonaws.com"
+                        ]
@@ -75 +78 @@ This policy includes the following permissions.
-## Security Hub managed policy: AWSSecurityHubReadOnlyAccess
+## Security Hub CSPM managed policy: AWSSecurityHubReadOnlyAccess
@@ -79 +82 @@ You can attach the `AWSSecurityHubReadOnlyAccess` policy to your IAM identities.
-This policy grants read-only permissions that allow users to view information in Security Hub. Principals with this policy attached cannot make any updates in Security Hub. For example, principals with these permissions can view the list of findings associated with their account, but cannot change the status of a finding. They can view the results of insights, but cannot create or configure custom insights. They cannot configure controls or product integrations.
+This policy grants read-only permissions that allow users to view information in Security Hub CSPM. Principals with this policy attached cannot make any updates in Security Hub CSPM. For example, principals with these permissions can view the list of findings associated with their account, but cannot change the status of a finding. They can view the results of insights, but cannot create or configure custom insights. They cannot configure controls or product integrations.
@@ -112 +115 @@ You can attach the `AWSSecurityHubOrganizationsAccess` policy to your IAM identi
-This policy grants administrative permissions in AWS Organizations that are required to support the Security Hub integration with Organizations.
+This policy grants administrative permissions in AWS Organizations that are required to support the Security Hub CSPM integration with Organizations.
@@ -114 +117 @@ This policy grants administrative permissions in AWS Organizations that are requ
-These permissions allow the organization management account to designate the delegated administrator account for Security Hub. They also allow the delegated Security Hub administrator account to enable organization accounts as member accounts.
+These permissions allow the organization management account to designate the delegated administrator account for Security Hub CSPM. They also allow the delegated Security Hub CSPM administrator account to enable organization accounts as member accounts.
@@ -116 +119 @@ These permissions allow the organization management account to designate the del
-This policy only provides the permissions for Organizations. The organization management account and delegated Security Hub administrator account also require permissions for the associated actions in Security Hub. These permissions can be granted using the `AWSSecurityHubFullAccess` managed policy.
+This policy only provides the permissions for Organizations. The organization management account and delegated Security Hub CSPM administrator account also require permissions for the associated actions in Security Hub CSPM. These permissions can be granted using the `AWSSecurityHubFullAccess` managed policy.
@@ -142 +145 @@ This policy includes the following permissions.
-  * `organizations:EnableAWSServiceAccess` – Allows principals to enable the Security Hub integration with Organizations.
+  * `organizations:EnableAWSServiceAccess` – Allows principals to enable the Security Hub CSPM integration with Organizations.
@@ -144 +147 @@ This policy includes the following permissions.
-  * `organizations:RegisterDelegatedAdministrator` – Allows principals to designate the delegated administrator account for Security Hub.
+  * `organizations:RegisterDelegatedAdministrator` – Allows principals to designate the delegated administrator account for Security Hub CSPM.
@@ -146 +149 @@ This policy includes the following permissions.
-  * `organizations:DeregisterDelegatedAdministrator` – Allows principals to remove the delegated administrator account for Security Hub.
+  * `organizations:DeregisterDelegatedAdministrator` – Allows principals to remove the delegated administrator account for Security Hub CSPM.
@@ -201 +204 @@ This policy includes the following permissions.
-You can't attach `AWSSecurityHubServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Security Hub to perform actions on your behalf. For more information, see [Service-linked roles for Security Hub](./using-service-linked-roles.html).
+You can't attach `AWSSecurityHubServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Security Hub CSPM to perform actions on your behalf. For more information, see [Service-linked roles for AWS Security Hub](./using-service-linked-roles.html).
@@ -203 +206 @@ You can't attach `AWSSecurityHubServiceRolePolicy` to your IAM entities. This po
-This policy grants administrative permissions that allow the service-linked role to perform the security checks for Security Hub controls.
+This policy grants administrative permissions that allow the service-linked role to perform the security checks for Security Hub CSPM controls.
@@ -223 +226 @@ This policy includes permissions to do the following:
-  * `securityhub` – Retrieve information about how the Security Hub service, standards, and controls are configured.
+  * `securityhub` – Retrieve information about how the Security Hub CSPM service, standards, and controls are configured.
@@ -315 +318,115 @@ This policy includes permissions to do the following:
-## Security Hub updates to AWS managed policies
+## AWS managed policy: AWSSecurityHubV2ServiceRolePolicy
+
+###### Note
+
+Security Hub is in preview release and subject to change. 
+
+This policy allows Security Hub to manage AWS Config rules and Security Hub resources in your organization and on your behalf. This policy is attached to a service-linked role that allows the service to perform actions on your behalf. You cannot attach this policy to your users, groups, or roles. For more information, see [Service-linked roles for AWS Security Hub](./using-service-linked-roles.html). 
+
+###### Permissions details
+
+This policy includes permissions to do the following: 
+
+  * `config` – Manages service-linked configuration recorders for Security Hub resources. 
+
+  * `iam` – Creates the service-linked role for AWS Config. 
+
+  * `organizations` – Retrieves account and organizational unit (OU) information for an organization. 
+
+  * `securityhub` – Manages the Security Hub configuration. 
+
+  * `tag` – Retrieves information about resource tags. 
+
+
+
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "SecurityHubV2ServiceRoleAssetsConfig",
+                "Effect": "Allow",
+                "Action": [
+                    "config:DeleteServiceLinkedConfigurationRecorder",
+                    "config:DescribeConfigurationRecorders",
+                    "config:DescribeConfigurationRecorderStatus",
+                    "config:PutServiceLinkedConfigurationRecorder"
+                ],
+                "Resource": "arn:aws:config:*:*:configuration-recorder/AWSConfigurationRecorderForSecurityHubAssets/*"
+            },
+            {
+                "Sid": "SecurityHubV2ServiceRoleAssetsIamPermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "iam:CreateServiceLinkedRole"
+                ],
+                "Resource": "arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
+                "Condition": {
+                    "StringEquals": {
+                        "iam:AWSServiceName": "config.amazonaws.com"
+                    }
+                }
+            },
+            {
+                "Sid": "SecurityHubV2ServiceRoleSecurityHubPermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "securityhub:DisableSecurityHubV2",
+                    "securityhub:EnableSecurityHubV2",
+                    "securityhub:DescribeSecurityHubV2"
+                ],
+                "Resource": "arn:aws:securityhub:*:*:hubv2/*",
+                "Condition": {
+                    "StringEquals": {
+                        "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                    }
+                }
+            },
+            {
+                "Sid": "SecurityHubV2ServiceRoleTagPermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "tag:GetResources"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Sid": "SecurityHubV2ServiceRoleOrganizationsPermissionsOnResources",
+                "Effect": "Allow",
+                "Action": [
+                    "organizations:DescribeAccount",
+                    "organizations:DescribeOrganizationalUnit"
+                ],
+                "Resource": "arn:aws:organizations::*:*"
+            },
+            {
+                "Sid": "SecurityHubV2ServiceRoleOrganizationsPermissionsWithoutResources",
+                "Effect": "Allow",
+                "Action": [
+                    "organizations:DescribeOrganization",
+                    "organizations:ListAccounts",
+                    "organizations:ListAWSServiceAccessForOrganization",
+                    "organizations:ListChildren"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Sid": "SecurityHubV2ServiceRoleDelegatedAdminPermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "organizations:ListDelegatedAdministrators"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "organizations:ServicePrincipal": [
+                            "securityhub.amazonaws.com"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
+
+## Security Hub CSPM updates to AWS managed policies
@@ -317 +434 @@ This policy includes permissions to do the following:
-View details about updates to AWS managed policies for Security Hub since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Security Hub [Document history](./doc-history.html) page.
+View details about updates to AWS managed policies for Security Hub CSPM since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Security Hub CSPM [Document history](./doc-history.html) page.
@@ -321,14 +438,16 @@ Change | Description | Date
-AWSSecurityHubFullAccess  – Update to an existing policy  | Security Hub updated the policy to get pricing details for AWS services and products.  | April 24, 2024  
-AWSSecurityHubReadOnlyAccess  – Update to an existing policy  | Security Hub updated this managed policy by adding a `Sid` field.  | February 22, 2024  
-AWSSecurityHubFullAccess  – Update to an existing policy  | Security Hub updated the policy so it can determine if Amazon GuardDuty and Amazon Inspector are enabled in an account. This helps customers bring together security-related information from multiple AWS services.  | November 16, 2023  
-AWSSecurityHubOrganizationsAccess  – Update to an existing policy  | Security Hub updated the policy to grant additional permissions to allow read-only access to AWS Organizations delegated administrator functionality. This includes details like the root, organizational units (OUs), accounts, organizational structure, and service access.  | November 16, 2023  
-AWSSecurityHubServiceRolePolicy – Update to an existing policy  | Security Hub added the `BatchGetSecurityControls`, `DisassociateFromAdministratorAccount`, and `UpdateSecurityControl` permissions to read and update customizable security control properties.  | November 26, 2023  
-AWSSecurityHubServiceRolePolicy – Update to an existing policy  | Security Hub added the `tag:GetResources` permission to read resource tags related to findings.  | November 7, 2023  
-AWSSecurityHubServiceRolePolicy – Update to an existing policy  | Security Hub added the `BatchGetStandardsControlAssociations` permission to get information about the enablement status of a control in a standard.  | September 27, 2023  
-AWSSecurityHubServiceRolePolicy – Update to an existing policy  | Security Hub added new permissions to get AWS Organizations data and read and update Security Hub configurations, including standards and controls.  | September 20, 2023  
-AWSSecurityHubServiceRolePolicy – Update to an existing policy  | Security Hub moved the existing `config:DescribeConfigRuleEvaluationStatus` permission to a different statement within the policy. The `config:DescribeConfigRuleEvaluationStatus` permission is now applied to all resources.  | March 17, 2023  
-AWSSecurityHubServiceRolePolicy – Update to an existing policy  |  Security Hub moved the existing `config:PutEvaluations` permission to a different statement within the policy. The `config:PutEvaluations` permission is now applied to all resources.  | July 14, 2021  
-AWSSecurityHubServiceRolePolicy – Update to an existing policy  | Security Hub added a new permission to allow the service-linked role to deliver evaluation results to AWS Config.  | June 29, 2021  
-AWSSecurityHubServiceRolePolicy – Added to the list of managed policies  | Added information about the managed policy AWSSecurityHubServiceRolePolicy, which is used by the Security Hub service-linked role.  | June 11, 2021  
-AWSSecurityHubOrganizationsAccess  – New policy  | Security Hub added a new policy that grants permissions that are needed for the Security Hub integration with Organizations.  | March 15, 2021  
-Security Hub started tracking changes  | Security Hub started tracking changes for its AWS managed policies.  | March 15, 2021  
+AWSSecurityHubFullAccess – Update to an existing policy |  Security Hub CSPM added new permission that allows principals to create a service-linked role for Security Hub. | June 17, 2025  
+[AWSSecurityHubV2ServiceRolePolicy](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) – New policy  |  Security Hub added new policy to allow Security Hub to manage AWS Config rules and Security Hub resources in a customer's organization and on the customer's behalf. Security Hub is in preview release and subject to change.  | June 17, 2025  
+AWSSecurityHubFullAccess  – Update to an existing policy  | Security Hub CSPM updated the policy to get pricing details for AWS services and products.  | April 24, 2024  
+AWSSecurityHubReadOnlyAccess  – Update to an existing policy  | Security Hub CSPM updated this managed policy by adding a `Sid` field.  | February 22, 2024