AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-06-28 · Documentation medium

File: securityhub/latest/userguide/security-iam-awsmanpol.md

Summary

Expanded documentation for AWSSecurityHubOrganizationsAccess policy with additional Organizations permissions, clarified CSPM management capabilities, and added new policy statements for policy/tag management operations

Security assessment

The changes enhance documentation about IAM policy permissions required for Security Hub CSPM management, including critical Organizations actions like CreatePolicy/DeletePolicy and tagging operations. While these are security-related permissions, there's no evidence of addressing a specific vulnerability - rather expanding documentation for existing security features.

Diff

diff --git a/securityhub/latest/userguide/security-iam-awsmanpol.md b/securityhub/latest/userguide/security-iam-awsmanpol.md
index 3a8ac254b..ddd225d6d 100644
--- a//securityhub/latest/userguide/security-iam-awsmanpol.md
+++ b//securityhub/latest/userguide/security-iam-awsmanpol.md
@@ -115 +115 @@ You can attach the `AWSSecurityHubOrganizationsAccess` policy to your IAM identi
-This policy grants administrative permissions in AWS Organizations that are required to support the Security Hub CSPM integration with Organizations.
+This policy grants administrative permissions to enable and manage Security Hub and Security Hub CSPM within an organization. 
@@ -117 +117 @@ This policy grants administrative permissions in AWS Organizations that are requ
-These permissions allow the organization management account to designate the delegated administrator account for Security Hub CSPM. They also allow the delegated Security Hub CSPM administrator account to enable organization accounts as member accounts.
+The permissions this policy allow the organization management account to designate the delegated administrator account for Security Hub and Security Hub CSPM. They also allow the delegated administrator account to enable organization accounts as member accounts. 
@@ -119 +119 @@ These permissions allow the organization management account to designate the del
-This policy only provides the permissions for Organizations. The organization management account and delegated Security Hub CSPM administrator account also require permissions for the associated actions in Security Hub CSPM. These permissions can be granted using the `AWSSecurityHubFullAccess` managed policy.
+This policy only provides the permissions for Organizations. The organization management account and delegated administrator account also require permissions for associated actions. These permissions can be granted using the `AWSSecurityHubFullAccess` managed policy. 
@@ -138,0 +139,2 @@ This policy includes the following permissions.
+  * `organizations:ListParents` – Lists the root or organizational units (OUs) that serve as the immediate parent of the specified child OU or account. 
+
@@ -143 +145,15 @@ This policy includes the following permissions.
-  * `organizations:DescribeOrganization` – Allows principals to retrieve information about the organization configuration.
+  * `organizations:ListPolicies` – Retrieves the list of all policies in an organization of a specified type. 
+
+  * `organizations:ListPoliciesForTarget` – Lists the policies that are directly attached to the specified target root, organizational unit (OU), or account. 
+
+  * `organizations:ListTargetsForPolicy` – Lists all the roots, organizational units (OUs), and accounts that the specified policy is attached to. 
+
+  * `organizations:EnableAWSServiceAccess` – Allows principals to enable the integration with Organizations.
+
+  * `organizations:RegisterDelegatedAdministrator` – Allows principals to designate the delegated administrator account.
+
+  * `organizations:DeregisterDelegatedAdministrator` – Allows principals to remove the delegated administrator account.
+
+  * `organizations:DescribePolicy` – Retrieves information about a policy. 
+
+  * `organizations:DescribeEffectivePolicy` – Returns the contents of the effective policy for specified policy type and account. 
@@ -145 +161 @@ This policy includes the following permissions.
-  * `organizations:EnableAWSServiceAccess` – Allows principals to enable the Security Hub CSPM integration with Organizations.
+  * `organizations:CreatePolicy` – Creates a policy of a specified type that you can attach to a root, an organizational unit (OU), or an individual AWS account. 
@@ -147 +163 @@ This policy includes the following permissions.
-  * `organizations:RegisterDelegatedAdministrator` – Allows principals to designate the delegated administrator account for Security Hub CSPM.
+  * `organizations:UpdatePolicy` – Updates an existing policy with a new name, description, or content. 
@@ -149 +165,15 @@ This policy includes the following permissions.
-  * `organizations:DeregisterDelegatedAdministrator` – Allows principals to remove the delegated administrator account for Security Hub CSPM.
+  * `organizations:DeletePolicy` – Deletes the specified policy from your organization. 
+
+  * `organizations:AttachPolicy` – Attaches a policy to a root, an organizational unit (OU), or an individual account. 
+
+  * `organizations:DetachPolicy` – Detaches a policy from a target root, organizational unit (OU), or account. 
+
+  * `organizations:EnablePolicyType` – Enables a policy type in a root. 
+
+  * `organizations:DisablePolicyType` – Disables an organizational policy type in a root. 
+
+  * `organizations:TagResource` – Adds one or more tags to the specified resource. 
+
+  * `organizations:UntagResource` – Removes any tags with the specified keys from the specified resource. 
+
+  * `organizations:ListTagsForResource` – Lists tags that are attached to the specified resource. 
@@ -168,0 +199 @@ This policy includes the following permissions.
+                    "organizations:ListParents",
@@ -170 +201,4 @@ This policy includes the following permissions.
-                    "organizations:DescribeOrganizationalUnit"
+                    "organizations:DescribeOrganizationalUnit",
+                    "organizations:ListPolicies",
+                    "organizations:ListPoliciesForTarget",
+                    "organizations:ListTargetsForPolicy"
@@ -197,0 +232,38 @@ This policy includes the following permissions.
+             },
+            {
+                 "Sid": "OrganizationPolicyPermissions",
+                 "Effect": "Allow",
+                 "Action": [
+                     "organizations:DescribePolicy",
+                     "organizations:DescribeEffectivePolicy",
+                     "organizations:CreatePolicy",
+                     "organizations:UpdatePolicy",
+                     "organizations:DeletePolicy",
+                     "organizations:AttachPolicy",
+                     "organizations:DetachPolicy",
+                     "organizations:EnablePolicyType",
+                     "organizations:DisablePolicyType"
+                 ],
+                "Resource": [
+                     "arn:aws:organizations::*:root/o-*/*",
+                     "arn:aws:organizations::*:account/o-*/*",
+                     "arn:aws:organizations::*:ou/o-*/*",
+                     "arn:aws:organizations::*:policy/o-*/securityhub_policy/*"
+                 ],
+                 "Condition": {
+                     "StringLikeIfExists": {
+                         "organizations:PolicyType": "SECURITYHUB_POLICY"
+                     }
+                 }
+             },
+             {
+                 "Sid": "OrganizationPolicyTaggingPermissions",
+                 "Effect": "Allow",
+                 "Action": [
+                     "organizations:TagResource",
+                     "organizations:UntagResource",
+                     "organizations:ListTagsForResource"
+                 ],
+                 "Resource": [
+                     "arn:aws:organizations::*:policy/o-*/securityhub_policy/*"
+                 ]
@@ -437,0 +510,2 @@ Change | Description | Date
+AWSSecurityHubOrganizationsAccess – Update to existing policy  |  Security Hub CSPM added new permission to `AWSSecurityHubOrganizationsAccess`. The permission allows the organization management to enable and manage Security Hub and Security Hub CSPM within an organization.  | June 17, 2025  
+AWSSecurityHubOrganizationsAccess – Update to an existing policy |  Added new permissions that allow the organization management to enable and manage Security Hub and Security Hub CSPM within an organization. | June 17, 2025