SecurityHub / Client / start_configuration_policy_disassociation



Disassociates a target account, organizational unit, or the root from a specified configuration. When you disassociate a configuration from its target, the target inherits the configuration of the closest parent. If there’s no configuration to inherit, the target retains its settings but becomes a self-managed account. A target can be disassociated from a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.

See also: AWS API Documentation

Request Syntax

response = client.start_configuration_policy_disassociation(
        'AccountId': 'string',
        'OrganizationalUnitId': 'string',
        'RootId': 'string'
  • Target (dict) –

    The identifier of the target account, organizational unit, or the root to disassociate from the specified configuration.


    This is a Tagged Union structure. Only one of the following top level keys can be set: AccountId, OrganizationalUnitId, RootId.

    • AccountId (string) –

      The Amazon Web Services account ID of the target account.

    • OrganizationalUnitId (string) –

      The organizational unit ID of the target organizational unit.

    • RootId (string) –

      The ID of the organization root.

  • ConfigurationPolicyIdentifier (string) –


    The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.

Return type:



Response Syntax


Response Structure

  • (dict) –


  • SecurityHub.Client.exceptions.InternalException

  • SecurityHub.Client.exceptions.InvalidAccessException

  • SecurityHub.Client.exceptions.InvalidInputException

  • SecurityHub.Client.exceptions.LimitExceededException

  • SecurityHub.Client.exceptions.ResourceNotFoundException

  • SecurityHub.Client.exceptions.AccessDeniedException