
organization_configurations

Creates, updates, deletes or gets an organization_configuration resource or lists organization_configurations in a region

Overview

Name: organization_configurations
Type: Resource
Description: The AWS::SecurityHub::OrganizationConfiguration resource represents the configuration of your organization in Security Hub. Only the Security Hub administrator account can create an OrganizationConfiguration resource in each region, and it can opt in to Central Configuration only in the aggregation region of the FindingAggregator.
Id: aws.securityhub.organization_configurations

Fields

Name | Datatype | Description
auto_enable | boolean | Whether to automatically enable Security Hub in new member accounts when they join the organization.
auto_enable_standards | string | Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.
configuration_type | string | Indicates whether the organization uses local or central configuration.
status | string | Describes whether central configuration could be enabled as the ConfigurationType for the organization.
status_message | string | Provides an explanation if the value of Status is equal to FAILED when ConfigurationType is equal to CENTRAL.
member_account_limit_reached | boolean | Whether the maximum number of allowed member accounts is already associated with the Security Hub administrator account.
organization_configuration_identifier | string | The identifier of the OrganizationConfiguration being created and assigned as the unique identifier.
region | string | AWS region.

Methods

Name | Accessible by | Required Params
create_resource | INSERT | AutoEnable, region
delete_resource | DELETE | data__Identifier, region
update_resource | UPDATE | data__Identifier, data__PatchDocument, region
list_resources | SELECT | region
get_resource | SELECT | data__Identifier, region

SELECT examples

Gets all organization_configurations in a region.

SELECT
region,
auto_enable,
auto_enable_standards,
configuration_type,
status,
status_message,
member_account_limit_reached,
organization_configuration_identifier
FROM aws.securityhub.organization_configurations
WHERE region = 'us-east-1';

Gets all properties from an individual organization_configuration.

SELECT
region,
auto_enable,
auto_enable_standards,
configuration_type,
status,
status_message,
member_account_limit_reached,
organization_configuration_identifier
FROM aws.securityhub.organization_configurations
WHERE region = 'us-east-1' AND data__Identifier = '<OrganizationConfigurationIdentifier>';
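The two queries above return every row. A query an administrator would actually run on a schedule is one that only returns configurations needing attention: new member accounts not being auto-enrolled, a failed central configuration (where status_message explains why), or the member account limit being reached. The following query is an added example, not part of the StackQL documentation; the region value is a placeholder, and it assumes the StackQL backend compares the boolean columns against the literals true and false as written.

```sql
-- Added example (not from the StackQL docs): return only Security Hub
-- organization configurations that need attention in a region.
-- 'us-east-1' is a placeholder; substitute the aggregation region in use.
SELECT
region,
configuration_type,
auto_enable,
auto_enable_standards,
status,
status_message,
member_account_limit_reached
FROM aws.securityhub.organization_configurations
WHERE region = 'us-east-1'
AND (
  auto_enable = false                   -- new member accounts are not auto-enabled
  OR status = 'FAILED'                  -- central configuration could not be enabled
  OR member_account_limit_reached = true -- no more member accounts can be associated
);
```

An empty result set means the organization configuration in that region is in the expected state; any row returned carries the status_message needed to explain a FAILED central configuration.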

INSERT example

Use the following StackQL query and manifest file to create a new organization_configuration resource, using stack-deploy.

/*+ create */
INSERT INTO aws.securityhub.organization_configurations (
AutoEnable,
region
)
SELECT
'{{ AutoEnable }}',
'{{ region }}';

DELETE example

/*+ delete */
DELETE FROM aws.securityhub.organization_configurations
WHERE data__Identifier = '<OrganizationConfigurationIdentifier>'
AND region = 'us-east-1';

Permissions

To operate on the organization_configurations resource, the following permissions are required:

Create

securityhub:UpdateOrganizationConfiguration,
securityhub:DescribeOrganizationConfiguration,
organizations:DescribeOrganization

Read

securityhub:DescribeOrganizationConfiguration

Update

securityhub:UpdateOrganizationConfiguration,
securityhub:DescribeOrganizationConfiguration,
organizations:DescribeOrganization

Delete

securityhub:UpdateOrganizationConfiguration,
securityhub:DescribeOrganizationConfiguration,
securityhub:ListFindingAggregators,
organizations:DescribeOrganization

List

securityhub:DescribeOrganizationConfiguration