policy_associations
Creates, updates, deletes or gets a policy_association resource or lists policy_associations in a region
Overview
| Name | policy_associations |
| Type | Resource |
| Description | The AWS::SecurityHub::PolicyAssociation resource represents the AWS Security Hub Central Configuration Policy associations in your Target. Only the AWS Security Hub delegated administrator can create the resouce from the home region. |
| Id | awscc.securityhub.policy_associations |
Fields
- get (all properties)
- list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
configuration_policy_id | string | The universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration |
association_status | string | The current status of the association between the specified target and the configuration |
association_type | string | Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent |
association_status_message | string | An explanation for a FAILED value for AssociationStatus |
target_id | string | The identifier of the target account, organizational unit, or the root |
target_type | string | Indicates whether the target is an AWS account, organizational unit, or the organization root |
updated_at | string | The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated |
association_identifier | string | A unique identifier to indicates if the target has an association |
region | string | AWS region. |
| Name | Datatype | Description |
|---|---|---|
association_identifier | string | A unique identifier to indicates if the target has an association |
region | string | AWS region. |
For more information, see AWS::SecurityHub::PolicyAssociation.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | policy_associations | INSERT | TargetId, TargetType, ConfigurationPolicyId, region |
delete_resource | policy_associations | DELETE | Identifier, region |
update_resource | policy_associations | UPDATE | Identifier, PatchDocument, region |
list_resources | policy_associations_list_only | SELECT | region |
get_resource | policy_associations | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual policy_association.
SELECT
region,
configuration_policy_id,
association_status,
association_type,
association_status_message,
target_id,
target_type,
updated_at,
association_identifier
FROM awscc.securityhub.policy_associations
WHERE
region = 'us-east-1' AND
Identifier = '{{ association_identifier }}';
Lists all policy_associations in a region.
SELECT
region,
association_identifier
FROM awscc.securityhub.policy_associations_list_only
WHERE
region = 'us-east-1';
INSERT example
Use the following StackQL query and manifest file to create a new policy_association resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.securityhub.policy_associations (
ConfigurationPolicyId,
TargetId,
TargetType,
region
)
SELECT
'{{ configuration_policy_id }}',
'{{ target_id }}',
'{{ target_type }}',
'{{ region }}';
/*+ create */
INSERT INTO awscc.securityhub.policy_associations (
ConfigurationPolicyId,
TargetId,
TargetType,
region
)
SELECT
'{{ configuration_policy_id }}',
'{{ target_id }}',
'{{ target_type }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: policy_association
props:
- name: configuration_policy_id
value: '{{ configuration_policy_id }}'
- name: target_id
value: '{{ target_id }}'
- name: target_type
value: '{{ target_type }}'
UPDATE example
Use the following StackQL query and manifest file to update a policy_association resource, using stack-deploy.
/*+ update */
UPDATE awscc.securityhub.policy_associations
SET PatchDocument = string('{{ {
"ConfigurationPolicyId": configuration_policy_id
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ association_identifier }}';
DELETE example
/*+ delete */
DELETE FROM awscc.securityhub.policy_associations
WHERE
Identifier = '{{ association_identifier }}' AND
region = 'us-east-1';
Permissions
To operate on the policy_associations resource, the following permissions are required:
- Create
- Read
- Update
- Delete
- List
securityhub:StartConfigurationPolicyAssociation,
securityhub:GetConfigurationPolicyAssociation
securityhub:GetConfigurationPolicyAssociation,
securityhub:GetConfigurationPolicyAssociation
securityhub:StartConfigurationPolicyAssociation,
securityhub:GetConfigurationPolicyAssociation
securityhub:StartConfigurationPolicyDisassociation,
securityhub:GetConfigurationPolicyAssociation
securityhub:ListConfigurationPolicyAssociations