AWS managed policies for Security Hub
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AWS managed policy: AWSSecurityHubFullAccess
You can attach the AWSSecurityHubFullAccess policy to your IAM identities.
This policy grants administrative permissions that allow a principal full access to all Security Hub CSPM actions. This policy must be attached to a principal before they enable Security Hub CSPM manually for their account. For example, principals with these permissions can both view and update the status of findings. They can configure custom insights, and enable integrations. They can enable and disable standards and controls. Principals for an administrator account can also manage member accounts.
Permissions details
This policy includes the following permissions.
- securityhub – Allows principals full access to all Security Hub CSPM actions.
- guardduty – Allows principals to get information about account status in Amazon GuardDuty.
- iam – Allows principals to create a service-linked role for Security Hub CSPM and Security Hub.
- inspector – Allows principals to get information about account status in Amazon Inspector.
- pricing – Allows principals to get a price list of AWS services and products.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SecurityHubAllowAll",
      "Effect": "Allow",
      "Action": "securityhub:*",
      "Resource": "*"
    },
    {
      "Sid": "SecurityHubServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": [
            "securityhub.amazonaws.com",
            "securityhubv2.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "OtherServicePermission",
      "Effect": "Allow",
      "Action": [
        "guardduty:GetDetector",
        "guardduty:ListDetectors",
        "inspector2:BatchGetAccountStatus",
        "pricing:GetProducts"
      ],
      "Resource": "*"
    }
  ]
}
```
Security Hub CSPM managed policy: AWSSecurityHubReadOnlyAccess
You can attach the AWSSecurityHubReadOnlyAccess policy to your IAM identities.
This policy grants read-only permissions that allow users to view information in Security Hub CSPM. Principals with this policy attached cannot make any updates in Security Hub CSPM. For example, principals with these permissions can view the list of findings associated with their account, but cannot change the status of a finding. They can view the results of insights, but cannot create or configure custom insights. They cannot configure controls or product integrations.
Permissions details
This policy includes the following permissions.
- securityhub – Allows users to perform actions that return either a list of items or details about an item. This includes API operations that start with Get, List, or Describe.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSSecurityHubReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "securityhub:Get*",
        "securityhub:List*",
        "securityhub:BatchGet*",
        "securityhub:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```
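As an added example (not code from the AWS documentation), the following offline evaluator takes the AWSSecurityHubFullAccess and AWSSecurityHubReadOnlyAccess documents above and answers whether a given action is allowed, honouring the wildcard actions and the iam:AWSServiceName condition; it also handles resource ARNs and the ...IfExists operators, so the Organizations and service-role policies on this page can be checked the same way before you decide how far to narrow them into a customer managed policy. It is a simplified model of IAM evaluation (identity-based policy only, no SCPs, permissions boundaries or resource-based policies), and the action and condition-key names it is exercised with are those on the page.

```python
import fnmatch

# Policy documents copied from this page, expressed as Python dicts.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SecurityHubAllowAll", "Effect": "Allow",
     "Action": "securityhub:*", "Resource": "*"},
    {"Sid": "SecurityHubServiceLinkedRole", "Effect": "Allow",
     "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringLike": {"iam:AWSServiceName": [
         "securityhub.amazonaws.com", "securityhubv2.amazonaws.com"]}}},
    {"Sid": "OtherServicePermission", "Effect": "Allow",
     "Action": ["guardduty:GetDetector", "guardduty:ListDetectors",
                "inspector2:BatchGetAccountStatus", "pricing:GetProducts"],
     "Resource": "*"}]}

READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSSecurityHubReadOnlyAccess", "Effect": "Allow",
     "Action": ["securityhub:Get*", "securityhub:List*",
                "securityhub:BatchGet*", "securityhub:Describe*"],
     "Resource": "*"}]}

def _as_list(value):
    # IAM accepts a single string or a list in Action, Resource and conditions.
    return value if isinstance(value, list) else [value]

def _condition_met(condition, ctx):
    # Supports StringEquals/StringLike and their ...IfExists variants, which
    # is all the policies on this page use. Other operators are rejected.
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[:-len("IfExists")] if if_exists else op
        for key, wanted in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue            # missing key is fine for ...IfExists
                return False            # missing key fails a plain operator
            if base == "StringEquals":
                ok = ctx[key] in _as_list(wanted)
            elif base == "StringLike":
                ok = any(fnmatch.fnmatchcase(ctx[key], p) for p in _as_list(wanted))
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True

def is_allowed(policy, action, resource="*", ctx=None):
    """True if this identity-based policy allows action on resource.
    Actions match case-insensitively, resources case-sensitively, and an
    explicit Deny wins over any Allow, as in IAM evaluation."""
    ctx = ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, p)
                   for p in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_met(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

A call such as `is_allowed(READ_ONLY, "securityhub:BatchUpdateFindings")` returns False while the same action under FULL_ACCESS returns True, and `iam:CreateServiceLinkedRole` under FULL_ACCESS is allowed only when the request context carries one of the two Security Hub service names.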
AWS managed policy: AWSSecurityHubOrganizationsAccess
You can attach the AWSSecurityHubOrganizationsAccess policy to your IAM identities.
This policy grants administrative permissions to enable and manage Security Hub and Security Hub CSPM within an organization.
The permissions in this policy allow the organization management account to designate the delegated administrator account for Security Hub and Security Hub CSPM. They also allow the delegated administrator account to enable organization accounts as member accounts.
This policy only provides the permissions for Organizations. The organization management account and delegated administrator account also require permissions for the associated Security Hub actions. These permissions can be granted using the AWSSecurityHubFullAccess managed policy.
Permissions details
This policy includes the following permissions.
- organizations:ListAccounts – Allows principals to retrieve the list of accounts that are part of an organization.
- organizations:DescribeOrganization – Allows principals to retrieve information about the organization.
- organizations:ListRoots – Allows principals to list the root of an organization.
- organizations:ListDelegatedAdministrators – Allows principals to list the delegated administrator of an organization.
- organizations:ListAWSServiceAccessForOrganization – Allows principals to list the AWS services that an organization uses.
- organizations:ListOrganizationalUnitsForParent – Allows principals to list the child organizational units (OUs) of a parent OU.
- organizations:ListAccountsForParent – Allows principals to list the child accounts of a parent OU.
- organizations:ListParents – Allows principals to list the root or organizational units (OUs) that serve as the immediate parent of the specified child OU or account.
- organizations:DescribeAccount – Allows principals to retrieve information about an account in the organization.
- organizations:DescribeOrganizationalUnit – Allows principals to retrieve information about an OU in the organization.
- organizations:ListPolicies – Allows principals to retrieve the list of all policies of a specified type in an organization.
- organizations:ListPoliciesForTarget – Allows principals to list the policies that are directly attached to the specified target root, organizational unit (OU), or account.
- organizations:ListTargetsForPolicy – Allows principals to list all the roots, organizational units (OUs), and accounts that the specified policy is attached to.
- organizations:EnableAWSServiceAccess – Allows principals to enable the integration with Organizations.
- organizations:RegisterDelegatedAdministrator – Allows principals to designate the delegated administrator account.
- organizations:DeregisterDelegatedAdministrator – Allows principals to remove the delegated administrator account.
- organizations:DescribePolicy – Allows principals to retrieve information about a policy.
- organizations:DescribeEffectivePolicy – Allows principals to retrieve the contents of the effective policy for a specified policy type and account.
- organizations:CreatePolicy – Allows principals to create a policy of a specified type that can be attached to a root, an organizational unit (OU), or an individual AWS account.
- organizations:UpdatePolicy – Allows principals to update an existing policy with a new name, description, or content.
- organizations:DeletePolicy – Allows principals to delete the specified policy from the organization.
- organizations:AttachPolicy – Allows principals to attach a policy to a root, an organizational unit (OU), or an individual account.
- organizations:DetachPolicy – Allows principals to detach a policy from a target root, organizational unit (OU), or account.
- organizations:EnablePolicyType – Allows principals to enable a policy type in a root.
- organizations:DisablePolicyType – Allows principals to disable an organizational policy type in a root.
- organizations:TagResource – Allows principals to add one or more tags to the specified resource.
- organizations:UntagResource – Allows principals to remove any tags with the specified keys from the specified resource.
- organizations:ListTagsForResource – Allows principals to list the tags that are attached to the specified resource.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrganizationPermissions",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "organizations:ListRoots",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListAccountsForParent",
        "organizations:ListParents",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganizationalUnit",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OrganizationPermissionsEnable",
      "Effect": "Allow",
      "Action": "organizations:EnableAWSServiceAccess",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": "securityhub.amazonaws.com"
        }
      }
    },
    {
      "Sid": "OrganizationPermissionsDelegatedAdmin",
      "Effect": "Allow",
      "Action": [
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "arn:aws:organizations::*:account/o-*/*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": "securityhub.amazonaws.com"
        }
      }
    },
    {
      "Sid": "OrganizationPolicyPermissions",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribePolicy",
        "organizations:DescribeEffectivePolicy",
        "organizations:CreatePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy",
        "organizations:EnablePolicyType",
        "organizations:DisablePolicyType"
      ],
      "Resource": [
        "arn:aws:organizations::*:root/o-*/*",
        "arn:aws:organizations::*:account/o-*/*",
        "arn:aws:organizations::*:ou/o-*/*",
        "arn:aws:organizations::*:policy/o-*/securityhub_policy/*"
      ],
      "Condition": {
        "StringLikeIfExists": {
          "organizations:PolicyType": "SECURITYHUB_POLICY"
        }
      }
    },
    {
      "Sid": "OrganizationPolicyTaggingPermissions",
      "Effect": "Allow",
      "Action": [
        "organizations:TagResource",
        "organizations:UntagResource",
        "organizations:ListTagsForResource"
      ],
      "Resource": [
        "arn:aws:organizations::*:policy/o-*/securityhub_policy/*"
      ]
    }
  ]
}
```
AWS managed policy: AWSSecurityHubServiceRolePolicy
You can't attach AWSSecurityHubServiceRolePolicy to your IAM entities.
This policy is attached to a service-linked role that allows Security Hub CSPM to perform actions on your behalf. For more information, see Service-linked roles for AWS Security Hub.
This policy grants administrative permissions that allow the service-linked role to perform the security checks for Security Hub CSPM controls.
Permissions details
This policy includes permissions to do the following:
- cloudtrail – Retrieve information about CloudTrail trails.
- cloudwatch – Retrieve the current CloudWatch alarms.
- logs – Retrieve the metric filters for CloudWatch logs.
- sns – Retrieve the list of subscriptions to an SNS topic.
- config – Retrieve information about configuration recorders, resources, and AWS Config rules. Also allows the service-linked role to create and delete AWS Config rules, and to run evaluations against the rules.
- iam – Get and generate credential reports for accounts.
- organizations – Retrieve account and organizational unit (OU) information for an organization.
- securityhub – Retrieve information about how the Security Hub CSPM service, standards, and controls are configured.
- tag – Retrieve information about resource tags.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SecurityHubServiceRolePermissions",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:GetEventSelectors",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmsForMetric",
        "logs:DescribeMetricFilters",
        "sns:ListSubscriptionsByTopic",
        "config:DescribeConfigurationRecorders",
        "config:DescribeConfigurationRecorderStatus",
        "config:DescribeConfigRules",
        "config:DescribeConfigRuleEvaluationStatus",
        "config:BatchGetResourceConfig",
        "config:SelectResourceConfig",
        "iam:GenerateCredentialReport",
        "organizations:ListAccounts",
        "config:PutEvaluations",
        "tag:GetResources",
        "iam:GetCredentialReport",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListChildren",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "securityhub:BatchDisableStandards",
        "securityhub:BatchEnableStandards",
        "securityhub:BatchUpdateStandardsControlAssociations",
        "securityhub:BatchGetSecurityControls",
        "securityhub:BatchGetStandardsControlAssociations",
        "securityhub:CreateMembers",
        "securityhub:DeleteMembers",
        "securityhub:DescribeHub",
        "securityhub:DescribeOrganizationConfiguration",
        "securityhub:DescribeStandards",
        "securityhub:DescribeStandardsControls",
        "securityhub:DisassociateFromAdministratorAccount",
        "securityhub:DisassociateMembers",
        "securityhub:DisableSecurityHub",
        "securityhub:EnableSecurityHub",
        "securityhub:GetEnabledStandards",
        "securityhub:ListStandardsControlAssociations",
        "securityhub:ListSecurityControlDefinitions",
        "securityhub:UpdateOrganizationConfiguration",
        "securityhub:UpdateSecurityControl",
        "securityhub:UpdateSecurityHubConfiguration",
        "securityhub:UpdateStandardsControl",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SecurityHubServiceRoleConfigPermissions",
      "Effect": "Allow",
      "Action": [
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:GetComplianceDetailsByConfigRule"
      ],
      "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
    },
    {
      "Sid": "SecurityHubServiceRoleOrganizationsPermissions",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "securityhub.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
AWS managed policy: AWSSecurityHubV2ServiceRolePolicy
Note: Security Hub is in preview release and subject to change.
This policy allows Security Hub to manage AWS Config rules and Security Hub resources in your organization and on your behalf. This policy is attached to a service-linked role that allows the service to perform actions on your behalf. You cannot attach this policy to your users, groups, or roles. For more information, see Service-linked roles for AWS Security Hub.
Permissions details
This policy includes permissions to do the following:
- config – Manages service-linked configuration recorders for Security Hub resources.
- iam – Creates the service-linked role for AWS Config.
- organizations – Retrieves account and organizational unit (OU) information for an organization.
- securityhub – Manages the Security Hub configuration.
- tag – Retrieves information about resource tags.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SecurityHubV2ServiceRoleAssetsConfig",
      "Effect": "Allow",
      "Action": [
        "config:DeleteServiceLinkedConfigurationRecorder",
        "config:DescribeConfigurationRecorders",
        "config:DescribeConfigurationRecorderStatus",
        "config:PutServiceLinkedConfigurationRecorder"
      ],
      "Resource": "arn:aws:config:*:*:configuration-recorder/AWSConfigurationRecorderForSecurityHubAssets/*"
    },
    {
      "Sid": "SecurityHubV2ServiceRoleAssetsIamPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "config.amazonaws.com"
        }
      }
    },
    {
      "Sid": "SecurityHubV2ServiceRoleSecurityHubPermissions",
      "Effect": "Allow",
      "Action": [
        "securityhub:DisableSecurityHubV2",
        "securityhub:EnableSecurityHubV2",
        "securityhub:DescribeSecurityHubV2"
      ],
      "Resource": "arn:aws:securityhub:*:*:hubv2/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "${aws:PrincipalAccount}"
        }
      }
    },
    {
      "Sid": "SecurityHubV2ServiceRoleTagPermissions",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SecurityHubV2ServiceRoleOrganizationsPermissionsOnResources",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganizationalUnit"
      ],
      "Resource": "arn:aws:organizations::*:*"
    },
    {
      "Sid": "SecurityHubV2ServiceRoleOrganizationsPermissionsWithoutResources",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListChildren"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SecurityHubV2ServiceRoleDelegatedAdminPermissions",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": [
            "securityhub.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
Security Hub CSPM updates to AWS managed policies
View details about updates to AWS managed policies for Security Hub CSPM since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Security Hub CSPM Document history page.
Change | Description | Date |
---|---|---|
AWSSecurityHubOrganizationsAccess – Update to an existing policy | Security Hub CSPM added a new permission to AWSSecurityHubOrganizationsAccess. The permission allows the organization management account to enable and manage Security Hub and Security Hub CSPM within an organization. | June 17, 2025 |
AWSSecurityHubOrganizationsAccess – Update to an existing policy | Added new permissions that allow the organization management account to enable and manage Security Hub and Security Hub CSPM within an organization. | June 17, 2025 |
AWSSecurityHubFullAccess – Update to an existing policy | Security Hub CSPM added a new permission that allows principals to create a service-linked role for Security Hub. | June 17, 2025 |
AWSSecurityHubV2ServiceRolePolicy – New policy | Security Hub added a new policy that allows Security Hub to manage AWS Config rules and Security Hub resources in a customer's organization and on the customer's behalf. Security Hub is in preview release and subject to change. | June 17, 2025 |
AWSSecurityHubFullAccess – Update to an existing policy | Security Hub CSPM updated the policy to get pricing details for AWS services and products. | April 24, 2024 |
AWSSecurityHubReadOnlyAccess – Update to an existing policy | Security Hub CSPM updated this managed policy by adding a Sid field. | February 22, 2024 |
AWSSecurityHubFullAccess – Update to an existing policy | Security Hub CSPM updated the policy so it can determine whether Amazon GuardDuty and Amazon Inspector are enabled in an account. This helps customers bring together security-related information from multiple AWS services. | November 16, 2023 |
AWSSecurityHubOrganizationsAccess – Update to an existing policy | Security Hub CSPM updated the policy to grant additional permissions that allow read-only access to AWS Organizations delegated administrator functionality. This includes details such as the root, organizational units (OUs), accounts, organizational structure, and service access. | November 16, 2023 |
AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub CSPM added the BatchGetSecurityControls, DisassociateFromAdministratorAccount, and UpdateSecurityControl permissions to read and update customizable security control properties. | November 26, 2023 |
AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub CSPM added the tag:GetResources permission to read resource tags related to findings. | November 7, 2023 |
AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub CSPM added the BatchGetStandardsControlAssociations permission to get information about the enablement status of a control in a standard. | September 27, 2023 |
AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub CSPM added new permissions to get AWS Organizations data and to read and update Security Hub CSPM configurations, including standards and controls. | September 20, 2023 |
AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub CSPM moved the existing config:DescribeConfigRuleEvaluationStatus permission to a different statement within the policy. The config:DescribeConfigRuleEvaluationStatus permission is now applied to all resources. | March 17, 2023 |
AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub CSPM moved the existing config:PutEvaluations permission to a different statement within the policy. The config:PutEvaluations permission is now applied to all resources. | July 14, 2021 |
AWSSecurityHubServiceRolePolicy – Update to an existing policy | Security Hub CSPM added a new permission to allow the service-linked role to deliver evaluation results to AWS Config. | June 29, 2021 |
AWSSecurityHubServiceRolePolicy – Added to the list of managed policies | Added information about the managed policy AWSSecurityHubServiceRolePolicy, which is used by the Security Hub CSPM service-linked role. | June 11, 2021 |
AWSSecurityHubOrganizationsAccess – New policy | Security Hub CSPM added a new policy that grants the permissions needed for the Security Hub CSPM integration with Organizations. | March 15, 2021 |
Security Hub CSPM started tracking changes | Security Hub CSPM started tracking changes for its AWS managed policies. | March 15, 2021 |