AWSSecurityHubFullAccess
Description: Provides full access to use AWS Security Hub.
AWSSecurityHubFullAccess is an AWS managed policy.
Using this policy
You can attach AWSSecurityHubFullAccess to your users, groups, and roles.
Policy details
-
Type: AWS managed policy
-
Creation time: November 27, 2018, 23:54 UTC
-
Edited time: November 21, 2025, 21:19 UTC
-
ARN:
arn:aws:iam::aws:policy/AWSSecurityHubFullAccess
Policy version
Policy version: v5 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
JSON policy document
{ "Version" : "2012-10-17", "Statement" : [ { "Sid" : "SecurityHubAllowAll", "Effect" : "Allow", "Action" : "securityhub:*", "Resource" : "*" }, { "Sid" : "SecurityHubServiceLinkedRole", "Effect" : "Allow", "Action" : "iam:CreateServiceLinkedRole", "Resource" : "*", "Condition" : { "StringEquals" : { "iam:AWSServiceName" : [ "securityhub.amazonaws.com", "securityhubv2.amazonaws.com" ] } } }, { "Sid" : "OtherServicePermission", "Effect" : "Allow", "Action" : [ "guardduty:GetDetector", "guardduty:ListDetectors", "guardduty:UpdateDetector", "guardduty:EnableOrganizationAdminAccount", "guardduty:ListOrganizationAdminAccounts", "guardduty:DeleteDetector", "guardduty:CreateDetector", "guardduty:CreateMembers", "guardduty:UpdateOrganizationConfiguration", "guardduty:DescribeOrganizationConfiguration", "inspector2:BatchGetAccountStatus", "inspector2:Enable", "inspector2:Disable", "inspector2:EnableDelegatedAdminAccount", "inspector2:DisableDelegatedAdminAccount", "inspector2:ListDelegatedAdminAccounts", "inspector2:UpdateOrganizationConfiguration", "inspector2:DescribeOrganizationConfiguration", "pricing:GetProducts", "account:ListRegions", "account:GetRegionOptStatus", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole" ], "Resource" : "*" } ] }
Learn more
