
How to Disable Security Hub if it is Centrally Enabled?

Ekant Mate (AWS APN Ambassador)
AWS in Plain English
4 min read · Oct 25, 2024

Security Hub is a powerful AWS tool that helps you centralize security findings and streamline the security management of multiple AWS accounts. However, there may be cases where you want to disable Security Hub, especially when it’s centrally enabled across an organization. The process of disabling Security Hub in such scenarios can sometimes be tricky, particularly when you face errors like:

Error Message: “Error occurred while removing delegated admin: You must disassociate and delete your configuration policies, and disable central configuration, in order to remove or change the delegated Security Hub administrator.”

In this blog, we will walk you through the steps to properly disable Security Hub, resolve the error, and clean up any central configurations.

Understanding the Error

When Security Hub is centrally enabled, certain configuration policies are applied at the organizational level. These policies manage how Security Hub is set up across various AWS accounts, often through delegated administrators. Before you can remove or disable Security Hub, you need to ensure that these configuration policies are disassociated and deleted.

The error message indicates that you are attempting to remove the delegated administrator or disable Security Hub without first clearing out the existing configuration policies.

Step-by-Step Guide to Disable Security Hub

Step 1: List the Policy Associations

The first thing you need to do is identify which configuration policies are currently associated with your account. To do this, you’ll use the AWS CLI command . This will provide a list of all policy associations in your account.

Command:

Sample Output:

In this example, the policy is applied at the root level () and account “********”.

Step 2: Disassociate Policy Associations

Once you’ve identified the policies, the next step is to disassociate them from the target, which could be an individual account, an organizational unit (OU), or the root of your organization.

To do this, run the command, specifying the configuration policy and the target from which you want to disassociate the policy.

Command:

This command disassociates the policy from the root.

Repeat this process for all other associations listed in the output from Step 1.

Step 3: Switch to Local Configuration

After disassociating the policies, the next step is to switch your Security Hub configuration from centralized to local. This ensures that Security Hub no longer uses the centralized settings for automatic account enablement and instead relies on local configurations.

You can switch to local configuration using the command.

Command:

This command stops Security Hub from automatically enabling itself across new accounts in the organization and updates it to use local configurations.

Step 4: Disable Security Hub

Now that you’ve successfully disassociated policies and switched to local configurations, you can disable Security Hub. You can do this through the AWS Management Console or via CLI.

To disable Security Hub via the AWS CLI:

Command:

This command disables Security Hub for your account.
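The four steps above are one sequence, and the order matters: the error message quoted at the top is raised because the delegated administrator change is attempted before the policy associations are cleared. The script below is an added example (not code from the original post) that turns the output of the listing step into the exact AWS CLI calls for the remaining steps, in the order the error message requires, and waits for disassociations to propagate before the policy is deleted. The JSON output is a constructed sample in the shape returned by `aws securityhub list-configuration-policy-associations` (no real IDs); the AWS CLI subcommands and flags used are the standard ones for Security Hub central configuration, and the choice to skip INHERITED rows (they disappear once the APPLIED association on their parent is removed) is my assumption about how inheritance behaves.

```python
"""
Plan, and optionally run, the Security Hub central-configuration teardown:
  1. list associations      (input to this script)
  2. disassociate each directly APPLIED association
  3. wait until the list is empty, then delete the configuration policy
  4. switch the organization to LOCAL configuration with auto-enable off
  5. disable Security Hub in the current account
Run it from the delegated administrator account with credentials loaded.
"""
import json
import shlex
import subprocess
import time
from typing import Callable, Dict, List

# Constructed sample output of `list-configuration-policy-associations`.
SAMPLE_ASSOCIATIONS = json.dumps({
    "ConfigurationPolicyAssociationSummaries": [
        {"ConfigurationPolicyId": "11111111-2222-3333-4444-555555555555",
         "TargetId": "r-abc1", "TargetType": "ROOT",
         "AssociationType": "APPLIED", "AssociationStatus": "SUCCESS"},
        {"ConfigurationPolicyId": "11111111-2222-3333-4444-555555555555",
         "TargetId": "ou-abc1-example1", "TargetType": "ORGANIZATIONAL_UNIT",
         "AssociationType": "INHERITED", "AssociationStatus": "SUCCESS"},
        {"ConfigurationPolicyId": "11111111-2222-3333-4444-555555555555",
         "TargetId": "111122223333", "TargetType": "ACCOUNT",
         "AssociationType": "APPLIED", "AssociationStatus": "SUCCESS"},
    ]
})
EMPTY_ASSOCIATIONS = json.dumps({"ConfigurationPolicyAssociationSummaries": []})

# TargetType in the list output -> key expected by --target on
# start-configuration-policy-disassociation (shorthand syntax Key=Value).
TARGET_KEY = {
    "ROOT": "RootId",
    "ORGANIZATIONAL_UNIT": "OrganizationalUnitId",
    "ACCOUNT": "AccountId",
}


def applied_associations(list_output: str) -> List[Dict[str, str]]:
    """Return only associations applied directly by the delegated admin.
    INHERITED rows are skipped (assumption: they clear with their parent)."""
    summaries = json.loads(list_output)["ConfigurationPolicyAssociationSummaries"]
    return [s for s in summaries if s["AssociationType"] == "APPLIED"]


def disassociation_commands(list_output: str) -> List[List[str]]:
    """Step 2: one disassociation call per APPLIED association."""
    cmds = []
    for assoc in applied_associations(list_output):
        target = f"{TARGET_KEY[assoc['TargetType']]}={assoc['TargetId']}"
        cmds.append(["aws", "securityhub", "start-configuration-policy-disassociation",
                     "--configuration-policy-identifier", assoc["ConfigurationPolicyId"],
                     "--target", target])
    return cmds


def wait_for_disassociation(list_fn: Callable[[], str], attempts: int = 10,
                            delay_seconds: int = 30,
                            sleep_fn: Callable[[float], None] = time.sleep) -> int:
    """Poll the listing until no APPLIED association remains; return the
    number of polls used. Disassociations propagate asynchronously, so
    deleting the policy too early fails."""
    for poll in range(1, attempts + 1):
        if not applied_associations(list_fn()):
            return poll
        if poll < attempts:
            sleep_fn(delay_seconds)
    raise TimeoutError("policy associations still listed; retry later")


def teardown_plan(list_output: str) -> List[List[str]]:
    """Steps 2-4 as an ordered list of argv lists (step 3 waits in run_plan)."""
    plan = disassociation_commands(list_output)
    policy_ids = sorted({a["ConfigurationPolicyId"] for a in applied_associations(list_output)})
    for pid in policy_ids:
        plan.append(["aws", "securityhub", "delete-configuration-policy", "--identifier", pid])
    plan.append(["aws", "securityhub", "update-organization-configuration",
                 "--no-auto-enable",
                 "--organization-configuration", "ConfigurationType=LOCAL"])
    plan.append(["aws", "securityhub", "disable-security-hub"])
    return plan


def run_plan(plan: List[List[str]], execute: bool = False) -> int:
    """Print each command (dry run) or execute it; returns commands handled.
    Before delete-configuration-policy, wait for the listing to clear."""
    list_cmd = ["aws", "securityhub", "list-configuration-policy-associations"]
    for cmd in plan:
        if cmd[2] == "delete-configuration-policy" and execute:
            wait_for_disassociation(
                lambda: subprocess.run(list_cmd, check=True, capture_output=True,
                                       text=True).stdout)
        print(shlex.join(cmd))
        if execute:
            subprocess.run(cmd, check=True)
    return len(plan)


if __name__ == "__main__":
    run_plan(teardown_plan(SAMPLE_ASSOCIATIONS))  # dry run: prints the commands
```

Run it as-is to see the planned commands for the sample; to use it for real, replace `SAMPLE_ASSOCIATIONS` with the JSON from the listing command and pass `execute=True`. Removing the delegated administrator afterwards is a separate call made from the organization management account and is not part of this script.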

Common Issues and Troubleshooting

1. Error: Failed to Disassociate Policies

  • If you face errors when trying to disassociate policies, ensure that you are specifying the correct and target details. Double-check the output of the command to confirm these details.

2. Configuration Policies Still Listed After Disassociation

  • It may take a few minutes for policy disassociations to propagate across your organization. Wait for a while and then recheck by running again.

3. Access Denied Errors

  • Ensure that you have the necessary permissions to disassociate policies and disable Security Hub. The IAM role or user you are using must have administrative privileges or specific permissions to manage Security Hub configurations across the organization.

4. Switching to Local Configuration Doesn’t Work

  • If switching to local configuration fails, ensure that you have disassociated all configuration policies as described in Step 2. Incomplete disassociations can prevent the transition to local settings.

Conclusion

By following these steps, you can successfully remove the centralized configuration of AWS Security Hub, disassociate all policies, and remove the delegated administrator. This allows for local management or full deactivation of Security Hub as required.

If you run into any issues or have further questions, feel free to reach out to AWS Support for assistance.

Please follow me for more such innovative blogs. And if you find my blogs helpful, I’d really appreciate your claps — they motivate me to keep sharing more valuable insights.

Thank you for being awesome!
