policy_associations

Creates, updates, deletes or gets a policy_association resource or lists policy_associations in a region

Overview

Name: policy_associations
Type: Resource
Description: The AWS::SecurityHub::PolicyAssociation resource represents the AWS Security Hub Central Configuration Policy associations in your Target. Only the AWS Security Hub delegated administrator can create the resource from the home region.
Id: aws.securityhub.policy_associations

Fields

Name | Datatype | Description
configuration_policy_id | string | The universally unique identifier (UUID) of the configuration policy, or the value SELF_MANAGED_SECURITY_HUB for a self-managed configuration
association_status | string | The current status of the association between the specified target and the configuration
association_type | string | Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent
association_status_message | string | An explanation for a FAILED value of AssociationStatus
target_id | string | The identifier of the target account, organizational unit, or the root
target_type | string | Indicates whether the target is an AWS account, organizational unit, or the organization root
updated_at | string | The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated
association_identifier | string | A unique identifier that indicates whether the target has an association
region | string | AWS region.

Methods

Name | Accessible by | Required Params
create_resource | INSERT | TargetId, TargetType, ConfigurationPolicyId, region
delete_resource | DELETE | data__Identifier, region
update_resource | UPDATE | data__Identifier, data__PatchDocument, region
list_resources | SELECT | region
get_resource | SELECT | data__Identifier, region

SELECT examples

Gets all policy_associations in a region.

SELECT
region,
configuration_policy_id,
association_status,
association_type,
association_status_message,
target_id,
target_type,
updated_at,
association_identifier
FROM aws.securityhub.policy_associations
WHERE region = 'us-east-1';

Gets all properties from an individual policy_association.

SELECT
region,
configuration_policy_id,
association_status,
association_type,
association_status_message,
target_id,
target_type,
updated_at,
association_identifier
FROM aws.securityhub.policy_associations
WHERE region = 'us-east-1' AND data__Identifier = '<AssociationIdentifier>';
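The two queries above list or fetch associations; a delegated administrator usually also wants to know which targets are not actually under central control. The following query, an added example that is not part of the original page, combines the fields documented above to surface targets whose association is in the FAILED state (with the explanatory message) or that have opted out into a SELF_MANAGED_SECURITY_HUB configuration. It assumes the same region and column names as the examples above and uses only standard SQL that StackQL accepts.

```sql
-- Added example: find targets that are not governed by a central
-- Security Hub configuration policy. Two cases are flagged:
--   1. association_status = 'FAILED'        (policy could not be applied;
--      association_status_message explains why)
--   2. configuration_policy_id = 'SELF_MANAGED_SECURITY_HUB'
--      (target manages its own Security Hub settings, so central
--      policy does not apply to it)
-- Run from the delegated administrator's home region (us-east-1 here).
SELECT
  region,
  target_type,
  target_id,
  association_type,            -- APPLIED directly vs. INHERITED from a parent OU/root
  configuration_policy_id,
  association_status,
  association_status_message,  -- populated only when status is FAILED
  updated_at
FROM aws.securityhub.policy_associations
WHERE region = 'us-east-1'
  AND (
        association_status = 'FAILED'
     OR configuration_policy_id = 'SELF_MANAGED_SECURITY_HUB'
  )
ORDER BY association_status, updated_at DESC;
```

An empty result set means every association in the region is applied successfully and centrally managed; any row returned is a target worth reviewing before assuming the central policy covers it.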

INSERT example

Use the following StackQL query and manifest file to create a new policy_association resource, using stack-deploy.

/*+ create */
INSERT INTO aws.securityhub.policy_associations (
ConfigurationPolicyId,
TargetId,
TargetType,
region
)
SELECT
'{{ ConfigurationPolicyId }}',
'{{ TargetId }}',
'{{ TargetType }}',
'{{ region }}';

DELETE example

/*+ delete */
DELETE FROM aws.securityhub.policy_associations
WHERE data__Identifier = '<AssociationIdentifier>'
AND region = 'us-east-1';

Permissions

To operate on the policy_associations resource, the following permissions are required:

Create

securityhub:StartConfigurationPolicyAssociation,
securityhub:GetConfigurationPolicyAssociation

Read

securityhub:GetConfigurationPolicyAssociation

Update

securityhub:StartConfigurationPolicyAssociation,
securityhub:GetConfigurationPolicyAssociation

Delete

securityhub:StartConfigurationPolicyDisassociation,
securityhub:GetConfigurationPolicyAssociation

List

securityhub:ListConfigurationPolicyAssociations