Not able to disable Security Hub (AWS Bug?)

0

I have multiple AWS accounts

  • (A) an orga account
  • (B) a security account
  • and some other accounts

I enabled Security Hub in all accounts. Within the orga account (A) I enabled the delegated administrator, which is the security account (B). In the security account (B) I created a policy, I enabled central configuration and I associated this policy to all my accounts. Great, after successful testing I want to disable Security Hub in all accounts.

So, I have

  • disassociated the policy from all accounts (aws securityhub start-configuration-policy-disassociation --configuration-policy-identifier "arn:aws:securityhub:eu-central-1:XXXXXXX:configuration-policy/XXXXXXXX" --target '{"RootId": "r-XXXXXX"}')
  • deleted the policy (aws securityhub delete-configuration-policy --identifier "arn:aws:securityhub:eu-central-1:XXXXXXX:configuration-policy/XXXXXXXX")
  • disassociated all members (aws securityhub disassociate-members --account-ids XXXXX XXXXX ...)

In the security account inside Security Hub, under "Configuration" I see all Organizations with "Self-managed" policy.

In "General" settings, the "Disable Security Hub" button is still disabled. So I think I need to disable the delegated admin first. I switched to the orga account (A) and in Security Hub I tried to delete the delegated admin, and I got an error: "You must disassociate and delete your configuration policies, and disable central configuration, in order to remove or change the delegated Security Hub administrator."

Ok, disassociating and deleting the configuration policies is already done, so I just need to disable central configuration. I switched back to the security account (B) and tried to disable central configuration (aws securityhub update-organization-configuration --no-auto-enable --organization-configuration '{"ConfigurationType": "LOCAL"}', or within the AWS Web Console) and I got the error "Configuration policies must be disassociated from all accounts and OUs and deleted before you can stop using central configuration."

But, I have disassociated and deleted all policies already. What now? Any ideas?

2 Answers
1
Accepted Answer

Hello,

I'd like to mention that the above error message indicates the account still has configuration policies or policy associations due to which you cannot switch from central configuration to local configuration. Before you can stop using central configuration, you must first disassociate your accounts and OUs from their current configuration, whether that's a configuration policy or self-managed behavior.

Here, you have deleted the configuration policies but not the self-managed associations, which is why the error persists.

RESOLUTION:

  1. To check the policy associations in the account, please run the list-configuration-policy-associations command to list all associations in the account.

$ aws securityhub list-configuration-policy-associations

sample output:

{
    "ConfigurationPolicyAssociationSummaries": [
        {
            "ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB",
            "TargetId": "r-nlf3",
            "TargetType": "ROOT",
            "AssociationType": "APPLIED",
            "UpdatedAt": "2024-04-03T20:01:57.208000+00:00",
            "AssociationStatus": "SUCCESS"
        }
    ]
}

  2. Next, you must run the start-configuration-policy-disassociation command to disassociate all policy associations from the accounts/OUs/Root as required.

$ aws securityhub start-configuration-policy-disassociation --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" --target '{"RootId": "r-nlf3"}'

  3. Once you have run the above command for all the associations, you can switch to local configuration using the below command:

$ aws securityhub update-organization-configuration --no-auto-enable --organization-configuration '{"ConfigurationType": "LOCAL"}'

  4. After executing the above command successfully, you can go ahead and disable Security Hub.

Hope this information helps. Please feel free to reach out for any further queries.

answered 15 days ago
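The accepted answer's steps 1 and 2, as an added example that is not part of the thread: it enumerates every APPLIED association (including the SELF_MANAGED_SECURITY_HUB one on the root that the question missed) and issues one disassociation per association. The boto3 `securityhub` client, the `TARGET_KEYS` mapping and the `SAMPLE` data are assumptions of this example; the sample mirrors the shape of the answer's output and is constructed, not real.

```python
# Added example (not from the thread): list every APPLIED configuration-policy
# association, including the SELF_MANAGED_SECURITY_HUB one the questioner
# missed, and issue the disassociations the accepted answer describes.
# Real use needs a boto3 securityhub client with delegated-administrator
# credentials; offline it plans against the constructed SAMPLE below.
TARGET_KEYS = {"ACCOUNT": "AccountId", "ORGANIZATIONAL_UNIT": "OrganizationalUnitId",
               "ROOT": "RootId"}  # TargetType -> key name in the Target parameter

def target_for(summary):
    """Build the Target argument start-configuration-policy-disassociation takes."""
    return {TARGET_KEYS[summary["TargetType"]]: summary["TargetId"]}

def plan_disassociations(summaries):
    """(policy identifier, target) per APPLIED association; INHERITED ones
    follow their parent OU or root, so only APPLIED ones need a call."""
    return [(s["ConfigurationPolicyId"], target_for(s))
            for s in summaries if s.get("AssociationType") == "APPLIED"]

def list_all_associations(client):
    """Follow NextToken until every association summary is collected."""
    summaries, kwargs = [], {}
    while True:
        resp = client.list_configuration_policy_associations(**kwargs)
        summaries.extend(resp.get("ConfigurationPolicyAssociationSummaries", []))
        if not resp.get("NextToken"):
            return summaries
        kwargs = {"NextToken": resp["NextToken"]}

def disassociate_all(client):
    """Start one disassociation per APPLIED association and return the plan.
    Disassociation is asynchronous: poll list_all_associations until it is
    empty before switching to ConfigurationType LOCAL."""
    plan = plan_disassociations(list_all_associations(client))
    for policy_id, target in plan:
        client.start_configuration_policy_disassociation(
            ConfigurationPolicyIdentifier=policy_id, Target=target)
    return plan

# Constructed sample shaped like the accepted answer's output (not real data).
SAMPLE = [
    {"ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB", "TargetId": "r-nlf3",
     "TargetType": "ROOT", "AssociationType": "APPLIED"},
    {"ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB", "TargetId": "111111111111",
     "TargetType": "ACCOUNT", "AssociationType": "INHERITED"},
]

if __name__ == "__main__":
    print(plan_disassociations(SAMPLE))  # offline dry run
    # Live: import boto3; disassociate_all(boto3.client("securityhub"))
```

Re-run the listing after the calls return; an association may still show as pending for a short while, and the switch to LOCAL only succeeds once the list is empty.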
0

That's it! Thank you so much @Charitha :)

answered 15 days ago
