This is the new AWS CloudFormation Template Reference Guide. Please update your bookmarks and links. For help getting started with CloudFormation, see the AWS CloudFormation User Guide.
AWS::SecurityHub::OrganizationConfiguration
The AWS::SecurityHub::OrganizationConfiguration resource specifies the way that your AWS
organization is configured in AWS Security Hub. Specifically, you can use this resource to specify the configuration type
for your organization and whether to automatically Security Hub and security standards in new member accounts. For more information,
see Managing administrator
and member accounts in the AWS Security Hub User Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::SecurityHub::OrganizationConfiguration", "Properties" : { "AutoEnable" :Boolean, "AutoEnableStandards" :String, "ConfigurationType" :String} }
YAML
Type: AWS::SecurityHub::OrganizationConfiguration Properties: AutoEnable:BooleanAutoEnableStandards:StringConfigurationType:String
Properties
AutoEnable-
Whether to automatically enable Security Hub in new member accounts when they join the organization.
If set to
true, then Security Hub is automatically enabled in new accounts. If set tofalse, then Security Hub isn't enabled in new accounts automatically. The default value isfalse.If the
ConfigurationTypeof your organization is set toCENTRAL, then this field is set tofalseand can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts.Required: Yes
Type: Boolean
Update requires: No interruption
AutoEnableStandards-
Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.
The default value of this parameter is equal to
DEFAULT.If equal to
DEFAULT, then Security Hub default standards are automatically enabled for new member accounts. If equal toNONE, then default standards are not automatically enabled for new member accounts.If the
ConfigurationTypeof your organization is set toCENTRAL, then this field is set toNONEand can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts.Required: No
Type: String
Allowed values:
DEFAULT | NONEUpdate requires: No interruption
ConfigurationType-
Indicates whether the organization uses local or central configuration.
If you use local configuration, the Security Hub delegated administrator can set
AutoEnabletotrueandAutoEnableStandardstoDEFAULT. This automatically enables Security Hub and default security standards in new organization accounts. These new account settings must be set separately in each AWS Region, and settings may be different in each Region.If you use central configuration, the delegated administrator can create configuration policies. Configuration policies can be used to configure Security Hub, security standards, and security controls in multiple accounts and Regions. If you want new organization accounts to use a specific configuration, you can create a configuration policy and associate it with the root or specific organizational units (OUs). New accounts will inherit the policy from the root or their assigned OU.
Required: No
Type: String
Allowed values:
CENTRAL | LOCALUpdate requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the organization configuration identifier, formatted as AccountId/Region/securityhub-organization-configuration.
For example, 123456789012/us-east-1/securityhub-organization-configuration.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
MemberAccountLimitReached-
Whether the maximum number of allowed member accounts are already associated with the Security Hub administrator account.
OrganizationConfigurationIdentifier-
The organization configuration identifier, formatted as
AccountId/Region/securityhub-organization-configuration. For example,123456789012/us-east-1/securityhub-organization-configuration. Status-
Describes whether central configuration could be enabled as the
ConfigurationTypefor the organization. If yourConfigurationTypeis local configuration, then the value ofStatusis alwaysENABLED. StatusMessage-
Provides an explanation if the value of
Statusis equal toFAILEDwhenConfigurationTypeis equal toCENTRAL.
Examples
Configuring your organization in Security Hub
The following example configures organization settings in Security Hub.
JSON
{ "Description": "Example template to configure an organization in Security Hub", "Resources": { "SecurityHubOrganizationConfiguration": { "Type": "AWS::SecurityHub::OrganizationConfiguration", "Properties": { "AutoEnable": false, "AutoEnableStandards": "NONE", "ConfigurationType": "CENTRAL" } } } }
YAML
Description: Example template to configure an organization in Security Hub Resources: SecurityHubOrganizationConfiguration: Type: 'AWS::SecurityHub::OrganizationConfiguration' Properties: AutoEnable: false AutoEnableStandards: "NONE" ConfigurationType: "CENTRAL"
