Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Cannot remove Security Hub Policy Association

0

Hi, during applying CloudFormation configuration of Security Hub (FindingAggregator, OrganizationConfiguration, ConfigurationPolicy and PolicyAssociation specifically) policy attachment in Organization Unit Audit account, there was an issue (association to one region failed) that caused, that even the stack was rollbacked, policy associations to Organization Units were not removed properly. This caused that such configuration (manually switching Security Hub configuration to "Local configuration") cannot be re-applied and fails with error

Error occurred while updating orgs config: You can't disable central configuration while policies and associations exist. Disassociate each configuration policy and self-managed configuration, delete each policy, and try again.

When I’m trying to list policy associations via AWS CLI

aws --profile MY_PROFILE securityhub list-configuration-policy-associations

it fails with

An error occurred (AccessDeniedException) when calling the ListConfigurationPolicyAssociations operation: Must be a Security Hub delegated administrator with Central Configuration enabled

and such associations cannot be seen in AWS Console too.

So basically, there is no way how to remove such Security hub policy association and I cannot re-apply CloudFormation stack. Do you know if there is another possibility how to list/get and remove such associations. Will aws cli error disappear when we use account root account as an emergency?

Thanks a lot.

Topics
Security, Identity, & Compliance
Tags
AWS Security Hub
Language
English
asked a year ago693 views
2 Answers
4

Hello,

Issue you are encountering with Security Hub policy associations not being removed properly after a rollback can be addressed by following these steps:

Use AWS Organizations CLI/API:

  • List the service access for Security Hub
aws organizations list-aws-service-access-for-organization
  • Disassociate the Security Hub service access
aws organizations disable-aws-service-access --service-principal securityhub.amazonaws.com

Use the Root Account: If the above steps fail, try using the root account of your organization's management account to list and remove the policy associations.

Manually Remove Policy Associations:

  • Go to the AWS Management Console.
  • Navigate to AWS Organizations.
  • Locate the affected Organizational Units (OUs).
  • Remove the Security Hub policy associations manually.
EXPERT
answered a year ago
0
Accepted Answer

The issue you're facing is due to the fact that Security Hub policies and associations are managed at the organization level, and the CLI command you're trying to use (aws securityhub list-configuration-policy-associations) requires you to be a delegated administrator for Security Hub with Central Configuration enabled.

Use the AWS Organizations CLI/API: Since the Security Hub policy associations are tied to the AWS Organizations structure, you can try using the AWS Organizations CLI or API to list and disassociate the policies. The relevant commands would be:

        aws organizations list-aws-service-access-for-organization to list the service access for Security Hub.
        aws organizations disassociate-aws-service-access-for-organization to disassociate the Security Hub service access.

Make sure to run these commands with an IAM role or user that has the necessary permissions to manage AWS Organizations.

Use the Root Account: As you mentioned, using the root account of your organization's management account might allow you to bypass the delegated administrator requirement and list/remove the Security Hub policy associations. However, it's generally not recommended to use the root account for such operations, as it violates the principle of least privilege.

Manually Remove the Policy Associations: As a last resort, if you have access to the AWS Organizations management account, you could try manually removing the Security Hub policy associations by navigating to the AWS Organizations service in the AWS Management Console, locating the affected organizational units (OUs), and removing the Security Hub policy associations from there.

answered a year ago
EXPERT
reviewed a year ago
  • Marek
    a year ago

    Hi, thanks a lot. Finally I was able to remove it via an user account created in AWS Audit account and AWS CLI. In this case, there was no issue with delegation.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content