AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2026-07-10 · Documentation low

File: securityhub/latest/userguide/securityhub-v2-da-policy.md

Summary

Updated documentation for Security Hub configuration policies and deployments with improved clarity, corrected typos, restructured procedures, and enhanced instructions for managing security capabilities across AWS Organizations.

Security assessment

The changes improve documentation clarity for configuring Security Hub's security capabilities (security management, threat analytics, vulnerability management) but contain no evidence of addressing a specific vulnerability or security incident. Updates focus on procedural accuracy and readability.

Diff

diff --git a/securityhub/latest/userguide/securityhub-v2-da-policy.md b/securityhub/latest/userguide/securityhub-v2-da-policy.md
index 6445ba536..aee51194f 100644
--- a//securityhub/latest/userguide/securityhub-v2-da-policy.md
+++ b//securityhub/latest/userguide/securityhub-v2-da-policy.md
@@ -15 +15 @@ The delegated administrator for an AWS Organization can configure security capab
-The configuration catalog of Security Hub offers multiple options to help configure your AWS Organization accounts for the security capabilities provided by . 
+The configuration catalog of Security Hub offers multiple options to help configure your AWS Organization accounts for the security capabilities provided by Security Hub. 
@@ -25 +25 @@ This is the recommended configuration to deploy for Security Hub.
-**Description** : This configuration tyurns on Security Hub's essential security management, posture management, threat analytics, and vulnerability management capabilities. It optionally enables additional capabilities. 
+**Description** : This configuration turns on Security Hub's essential security management, posture management, threat analytics, and vulnerability management capabilities. It optionally enables additional capabilities. 
@@ -33 +33 @@ This is the recommended configuration to deploy for Security Hub.
-### Posture management from AWS Security Hub CSPM)
+### Posture management from AWS Security Hub CSPM
@@ -47 +47 @@ This is the recommended configuration to deploy for Security Hub.
-The following procedure describes how to create a configuration with a type of policy for your AWS Organization accounts. To create a configuration policy the delegated administrator policy needs to be created in the AWS Organization management account. For information about creating the delegated administrator policy in Security Hub, see [Creating the delegated administrator policy in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-policy-statement.html). 
+The following procedure describes how to create a configuration with a type of policy for your AWS Organization accounts. To create a configuration policy, you must first create the delegated administrator policy in the AWS Organization management account. For information about creating the delegated administrator policy in Security Hub, see [Creating the delegated administrator policy in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-policy-statement.html). 
@@ -55 +55 @@ The following procedure describes how to create a configuration with a type of p
-  3. Choose an item with a type of **policy** or **policy and deployment** from the Configuration catalog. To fully configure Security Hub it is recommended to choose **Security Hub (essential and additional capabilities)**. 
+  3. Choose an item with a type of **policy** or **policy and deployment** from the Configuration catalog. To fully configure Security Hub, we recommend choosing **Security Hub (essential and additional capabilities)**. 
@@ -57 +57 @@ The following procedure describes how to create a configuration with a type of p
-  4. On the **Configure Security Hub** page in the **Details** section enter a name and a description for the policy. 
+  4. On the **Configure Security Hub** page, in the **Details** section, enter a name and a description for the policy. 
@@ -59 +59 @@ The following procedure describes how to create a configuration with a type of p
-  5. In the **Security capabilities** section do one of the following: 
+  5. In the **Security capabilities** section, choose one of the following: 
@@ -61 +61 @@ The following procedure describes how to create a configuration with a type of p
-    1. (Option 1) Choose **Enable all capabilities**. This will turn on all of the Security Hub essential capabilties, threat analytics, and additional capabilties. 
+     * **Enable all capabilities** – Turns on all Security Hub essential capabilities, threat analytics, and additional capabilities.
@@ -63 +63 @@ The following procedure describes how to create a configuration with a type of p
-    2. (Option 2) Choose **Customize capabilities**. Select the threat analytics and additional capabilities that should be turned on. You cannot deselect any capabilities that are part of the Security Hub essential plan capabilities. 
+     * **Customize capabilities** – Select capabilities from the Security management, Threat analytics, and Vulnerability management sections. You cannot deselect capabilities that are part of the Security Hub essential plan.
@@ -65 +65 @@ The following procedure describes how to create a configuration with a type of p
-  6. In the **Account selection** section, select one of the following options. Choose **All organizational units and accounts** if you want to apply the configuration to all organizational units and accounts. Choose **Specific organizational units and accounts** if you want to apply the configuration to specific organizational units and accounts. If you choose this option, use the search bar or organizational structure tree to specify the organizational units and accounts where the policy will be applied. Choose **No organizational units or accounts** if you do not want to apply the configuration to any organizational unit or account. 
+  6. In the **Account selection** section, choose one of the following options: 
@@ -67 +67 @@ The following procedure describes how to create a configuration with a type of p
-  7. In the **Regions** section, choose **Enable all Regions** , **Disable all Regions** , or **Specify Regions**. If you choose **Enable all Regions** , you can determine whether to automatically enable new Regions. If you choose **Disable all Regions** , you can determine whether to automatically disable new Regions. If you choose **Specify Regions** , you must choose which Regions you want to enable and disable. 
+     * **All organizational units and accounts** – Applies the configuration to your entire organization.
@@ -69 +69 @@ The following procedure describes how to create a configuration with a type of p
-  8. (Optional) For **Advanced settings** , please refer to the [guidance](https://docs.aws.amazon.com/organizations/latest/userguide/policy-operators.html) from AWS Organizations. 
+     * **Specific organizational units and accounts** – Use the search bar or organizational structure tree to select the organizational units and accounts where the policy applies.
@@ -71 +71,13 @@ The following procedure describes how to create a configuration with a type of p
-  9. (Optional) For **Resource tags** , add tags as key-value pairs to help you easily identify the configuration. 
+     * **No organizational units or accounts** – Does not apply the configuration to any organizational unit or account.
+
+  7. In the **Regions** section, choose one of the following: 
+
+     * **Enable all Regions** – Optionally choose whether to automatically enable new Regions.
+
+     * **Disable all Regions** – Optionally choose whether to automatically disable new Regions.
+
+     * **Specify Regions** – Choose which Regions to enable and disable.
+
+  8. (Optional) For **Advanced settings** , see [Inheritance operators](https://docs.aws.amazon.com/organizations/latest/userguide/policy-operators.html) in the _AWS Organizations User Guide_. 
+
+  9. (Optional) For **Resource tags** , add tags as key-value pairs to help you identify the configuration. 
@@ -75 +87,3 @@ The following procedure describes how to create a configuration with a type of p
-  11. Review your changes, and then choose **Apply**. Your target accounts are configured based on the policy. The configuration status of your policy will display at the top of the Policies page. Each capability will provide a status on if it was configured or where there are deployment failures. For any failures click on the link for the failure message to see more details. To view the effective policy at the account level, you can review the **Organization** tab on the **Configurations** page where you can choose an account. 
+  11. Review your changes, and then choose **Apply**. 
+
+The configuration status of your policy displays at the top of the Policies page. Each capability provides a status indicating whether it was configured successfully or has deployment failures. For any failures, choose the failure link to see more details. To view the effective policy at the account level, review the **Organization** tab on the **Configurations** page. 
@@ -84 +98 @@ The following procedure describes how to create a configuration with a type of d
-###### To create a deployment that enables and disables member accounts
+###### To create a deployment that enables member accounts
@@ -90 +104,3 @@ The following procedure describes how to create a configuration with a type of d
-  3. Choose an item with a type of **deployment** from the Configuration catalog. To fully configure Security Hub it is recommended to choose **Security Hub (essential and additional capabilities)**. 
+  3. Choose an item with a type of **deployment** from the Configuration catalog. 
+
+  4. In the **Security capabilities** section, select the security capabilities to turn on. 
@@ -92 +108 @@ The following procedure describes how to create a configuration with a type of d
-  4. In the **Security capabilities** section Select the security capabilities that should be turned on. 
+  5. In the **Account selection** section, choose one of the following options: 
@@ -94 +110 @@ The following procedure describes how to create a configuration with a type of d
-  5. In the **Account selection** section, select one of the following options. Choose **All organizational units and accounts** if you want to apply the configuration to all organizational units and accounts. Choose **Specific organizational units and accounts** if you want to apply the configuration to specific organizational units and accounts. If you choose this option, use the search bar or organizational structure tree to specify the organizational units and accounts where the policy will be applied. Choose **No organizational units or accounts** if you do not want to apply the configuration to any organizational unit or account. 
+     * **All organizational units and accounts** – Applies the deployment to your entire organization.
@@ -96 +112,11 @@ The following procedure describes how to create a configuration with a type of d
-  6. In the **Regions** section, choose **Enable all Regions** , **Disable all Regions** , or **Specify Regions**. If you choose **Enable all Regions** , you can determine whether to automatically enable new Regions. If you choose **Disable all Regions** , you can determine whether to automatically disable new Regions. If you choose **Specify Regions** , you must choose which Regions you want to enable and disable. 
+     * **Specific organizational units and accounts** – Use the search bar or organizational structure tree to select the organizational units and accounts where the deployment applies.
+
+     * **No organizational units or accounts** – Does not apply the deployment to any organizational unit or account.
+
+  6. In the **Regions** section, choose one of the following: 
+
+     * **Enable all Regions** – Optionally choose whether to automatically enable new Regions.
+
+     * **Disable all Regions** – Optionally choose whether to automatically disable new Regions.
+
+     * **Specify Regions** – Choose which Regions to enable and disable.
@@ -105 +131,3 @@ The following procedure describes how to create a configuration with a type of d
-You can edit the capabilities, Regions, and accounts assocaited with configurations that have a type of **policy**. 
+You can edit the capabilities, Regions, and accounts associated with a configuration policy. When you open a policy for editing, the console displays the current configuration. 
+
+###### Note
@@ -107 +135 @@ You can edit the capabilities, Regions, and accounts assocaited with configurati
-The following describes how to edit a configuration policy in Security Hub
+Changes apply only to the capabilities you select in the updated policy. Unselected capabilities retain their existing configuration across the accounts and Regions in the policy. 
@@ -109 +137 @@ The following describes how to edit a configuration policy in Security Hub
-###### To create edit a configuration policy
+###### To edit a configuration policy
@@ -115 +143 @@ The following describes how to edit a configuration policy in Security Hub
-  3. In the **Configured policies** tab select the radio button for the policy you want to edit. Choose the **Edit**. 
+  3. In the **Configured policies** tab, select the radio button for the policy you want to edit, and then choose **Edit**. 
@@ -117 +145 @@ The following describes how to edit a configuration policy in Security Hub
-  4. To make changes in the **Account selection** section, select one of the following options. Choose **All organizational units and accounts** if you want to apply the configuration to all organizational units and accounts. Choose **Specific organizational units and accounts** if you want to apply the configuration to specific organizational units and accounts. If you choose this option, use the search bar or organizational structure tree to specify the organizational units and accounts where the policy will be applied. Choose **No organizational units or accounts** if you do not want to apply the configuration to any organizational unit or account. 
+  4. In the **Capability** section, choose one of the following: 
@@ -119 +147 @@ The following describes how to edit a configuration policy in Security Hub
-  5. To make changes in the **Regions** section, choose **Enable all Regions** , **Disable all Regions** , or **Specify Regions**. If you choose **Enable all Regions** , you can determine whether to automatically enable new Regions. If you choose **Disable all Regions** , you can determine whether to automatically disable new Regions. If you choose **Specify Regions** , you must choose which Regions you want to enable and disable. 
+     * **Configure and enable all capabilities** – Enables all capabilities in the policy.
@@ -121 +149 @@ The following describes how to edit a configuration policy in Security Hub
-  6. Choose **Next**. 
+     * Select individual capabilities and choose **Enable** , **Disable** , or **Custom** for each one.
@@ -123 +151 @@ The following describes how to edit a configuration policy in Security Hub
-  7. Review your changes, and then choose **Update**. Your target accounts are configured based on the policy. 
+  5. In the **Account selection** section, choose one of the following options: 
@@ -124,0 +153 @@ The following describes how to edit a configuration policy in Security Hub
+     * **All organizational units and accounts** – Applies the policy to your entire organization.
@@ -125,0 +155 @@ The following describes how to edit a configuration policy in Security Hub
+     * **Specific organizational units and accounts** – Use the search bar or organizational structure tree to select the organizational units and accounts where the policy applies.
@@ -126,0 +157 @@ The following describes how to edit a configuration policy in Security Hub
+     * **No organizational units or accounts** – Removes the policy from all targets.
@@ -128 +159 @@ The following describes how to edit a configuration policy in Security Hub
-## Deleting a configuration policy
+  6. In the **Regions** section, configure which Regions the policy applies to. The options depend on your **Capability** selections. 
@@ -130 +161,24 @@ The following describes how to edit a configuration policy in Security Hub
-You can delete configuration that you have a type of **policy**. When you delete a policy all attached accounts and organiational units will be removed from the policy. 
+**If you chose to enable all capabilities:**
+
+     * **Across all selected capabilities** – Sets the same Region configuration for all capabilities.
+
+     * **Per capability** – Lets you choose Regions individually for each capability.
+
+Then choose **Enable all Regions** (with the option to automatically enable new Regions) or **Enable in some Regions** to select specific Regions. 
+
+**If you chose mixed actions (enable, disable, or custom) for individual capabilities:**
+
+     * If all selected capabilities share the same action, choose **Across all selected capabilities** to set Regions uniformly. To set Regions for each capability individually, choose **Per capability**.
+
+     * If capabilities have different actions, you must assign Regions for each capability individually.
+
+     * For capabilities with the **Custom** action, choose **Across all selected capabilities** to set Regions uniformly for all capabilities. To configure Regions for each capability separately, choose **Per capability**. 
+
+  7. Choose **Next**. 
+
+  8. Review your changes, and then choose **Update**. The updated policy configures the target accounts. 
+
+
+
+
+## Deleting a configuration policy
@@ -132 +186 @@ You can delete configuration that you have a type of **policy**. When you delete
-The following describes how to delete a configuration policy in Security Hub.
+You can delete a configuration policy. When you delete a policy, the service removes all attached accounts and organizational units from the policy. 
@@ -134 +188 @@ The following describes how to delete a configuration policy in Security Hub.
-###### To create delete a configuration policy
+###### To delete a configuration policy
@@ -140 +194 @@ The following describes how to delete a configuration policy in Security Hub.
-  3. In the **Configured policies** tab select the radio button for the policy you want to edit. Choose the **Delete** button. 
+  3. In the **Configured policies** tab, select the policy you want to delete, and then choose **Delete**. 
@@ -142 +196 @@ The following describes how to delete a configuration policy in Security Hub.
-  4. Type **delete** in the confirmation box. Choose the **Delete**. 
+  4. Enter `delete` in the confirmation box, and then choose **Delete**.