- 最新
- 最多得票
- 最多評論
Hello,
Issue you are encountering with Security Hub policy associations not being removed properly after a rollback can be addressed by following these steps:
Use AWS Organizations CLI/API:
- List the service access for Security Hub
aws organizations list-aws-service-access-for-organization
- Disassociate the Security Hub service access
aws organizations disable-aws-service-access --service-principal securityhub.amazonaws.com
Use the Root Account: If the above steps fail, try using the root account of your organization's management account to list and remove the policy associations.
Manually Remove Policy Associations:
- Go to the AWS Management Console.
- Navigate to AWS Organizations.
- Locate the affected Organizational Units (OUs).
- Remove the Security Hub policy associations manually.
The issue you're facing is due to the fact that Security Hub policies and associations are managed at the organization level, and the CLI command you're trying to use (aws securityhub list-configuration-policy-associations) requires you to be a delegated administrator for Security Hub with Central Configuration enabled.
Use the AWS Organizations CLI/API: Since the Security Hub policy associations are tied to the AWS Organizations structure, you can try using the AWS Organizations CLI or API to list and disassociate the policies. The relevant commands would be:
aws organizations list-aws-service-access-for-organization to list the service access for Security Hub.
aws organizations disassociate-aws-service-access-for-organization to disassociate the Security Hub service access.
Make sure to run these commands with an IAM role or user that has the necessary permissions to manage AWS Organizations.
Use the Root Account: As you mentioned, using the root account of your organization's management account might allow you to bypass the delegated administrator requirement and list/remove the Security Hub policy associations. However, it's generally not recommended to use the root account for such operations, as it violates the principle of least privilege.
Manually Remove the Policy Associations: As a last resort, if you have access to the AWS Organizations management account, you could try manually removing the Security Hub policy associations by navigating to the AWS Organizations service in the AWS Management Console, locating the affected organizational units (OUs), and removing the Security Hub policy associations from there.
相關內容
- 已提問 6 個月前
Hi, thanks a lot. Finally I was able to remove it via an user account created in AWS Audit account and AWS CLI. In this case, there was no issue with delegation.