Modify an existing AWS connection when your AWS environment configuration
changes. For example, you want to monitor different AWS regions, or change the
list of AWS accounts that Security Command Center uses. You can't modify the names of
the delegated role and the collector role. If you need to change these role
names, you must delete your AWS connector and set up a new connection.
In the Google Cloud console, go to the Security Command Center page.
Select the organization that you activated Security Command Center Enterprise on.
Click settings Settings.
Click the Connectors tab.
Click Edit beside the connection that you want to update.
In the Edit Amazon Web Services connector page, make your changes. The
following table describes the options.
Option
Description
Add AWS connector accounts
Select an option, depending on your preference:
Add accounts automatically (recommended): Select this option to let Security Command Center
discover the AWS accounts automatically.
Add accounts individually: Select this option to manually add AWS accounts yourself.
Exclude AWS connector accounts
If you selected Add accounts automatically under the
Add AWS connector accounts section, provide a list of AWS accounts that
Security Command Center should not use to find resources.
Enter AWS connector accounts
If you selected Add accounts individually under the
Add AWS connector accounts section, provide a list of AWS accounts that
Security Command Center can use to find resources.
Select regions to collect data
Select one or more AWS regions for Security Command Center to collect data from. Leave the
AWS regions field empty to collect data from all regions.
Maximum queries per second (QPS) for AWS services
You can change the QPS to control the quota limit for
Security Command Center. Set the override to a value that is less than the
default value for that service, and greater than or equal to 1.
The default value is the maximum value. If you do change the QPS, Security Command Center might encounter issues
fetching data. Therefore, we don't recommend changing this value.
Endpoint for AWS Security Token Service
You can specify a specific endpoint for the AWS
Security Token Service (for example, https://sts.us-east-2.amazonaws.com).
Leave the AWS Security Token Service field empty to use
the default global endpoint (https://sts.amazonaws.com).
If you changed the delegated account ID or the list of AWS accounts to
include or exclude, you must update your AWS environment. A change to the
delegated account ID requires that you set up your AWS configuration again. A
change to the list of AWS accounts requires that you add or remove collector
roles. Removing AWS accounts from the exclude list, because you want to
include them, requires you to add the collector roles to those accounts.
Complete the following:
Click Continue.
In the Create connection with AWS page, complete one of the
following:
If you want to change the AWS configuration manually, select
Use the AWS console. Copy the service agent ID, delegated role
name, and the collector role name. For instructions on updating AWS
manually, see
Configure AWS accounts manually.
If you added an AWS account to the list of AWS accounts to exclude, we
recommend that you remove the collector role from the account.
Click Test connector to verify that Security Command Center can connect to
your AWS environment. If the connection is successful, the Google Cloud
service agent can assume the delegated role and the delegated role has all
the required permissions to assume the collector role. If the connection
isn't successful, see
Troubleshooting errors when testing the connection.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Update AWS connection settings\n\n| Enterprise [service tier](/security-command-center/docs/service-tiers)\n\nAfter you connect\n[Security Command Center to Amazon Web Services (AWS)](/security-command-center/docs/connect-scc-to-aws)\nfor configuration and resource data collection, you can modify the connection\nsettings.\n\nBefore you begin\n----------------\n\nComplete these tasks before you complete the remaining tasks on this page.\n\n### Set up permissions in Google Cloud\n\n\nTo get the permissions that\nyou need to use the AWS connector,\n\nask your administrator to grant you the\n\n\n[Cloud Asset Owner](/iam/docs/roles-permissions/cloudasset#cloudasset.owner) (`roles/cloudasset.owner`)\nIAM role.\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\n### Create AWS accounts\n\nEnsure that you have the following AWS resources:\n\n- An [AWS IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)\n with [AWS IAM access](https://aws.amazon.com/iam/getting-started/?nc=sn&loc=3)\n for the delegated and collector AWS account consoles.\n\n- The [AWS account ID](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-identifiers.html#FindAccountId)\n for an AWS account that you can use as the delegated account.\n The delegated account must meet the following requirements:\n\n - The delegated account must be attached to an\n [AWS organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#orgs_getting-started_concepts-orgs).\n To attached an account to an AWS organization do the following:\n\n 1. [Create](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html) or identify an organization where you will attach the delegated account.\n 2. Invite the delegated account to [join the organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html).\n - The delegated account must be one of the following:\n\n - An [AWS management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html).\n - An [AWS delegated administrator](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html).\n - An AWS account with a [resource-based delegation policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html#orgs-policy-delegate) that provides the `organizations:ListAccounts` permission. For an example policy, see [Create a resource-based delegation policy with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs-policy-delegate.html) in the AWS documentation.\n\nModify the AWS connection\n-------------------------\n\nModify an existing AWS connection when your AWS environment configuration\nchanges. For example, you want to monitor different AWS regions, or change the\nlist of AWS accounts that Security Command Center uses. You can't modify the names of\nthe delegated role and the collector role. If you need to change these role\nnames, you must delete your AWS connector and set up a new connection.\n\n1. In the Google Cloud console, go to the Security Command Center page.\n\n [Go to Security Command Center](https://console.cloud.google.com/security/command-center/config/services)\n2. Select the organization that you activated Security Command Center Enterprise on.\n\n3. Click **settings Settings**.\n\n4. Click the **Connectors** tab.\n\n5. Click **Edit** beside the connection that you want to update.\n\n6. In the **Edit Amazon Web Services connector** page, make your changes. The\n following table describes the options.\n\n7. If you changed the delegated account ID or the list of AWS accounts to\n include or exclude, you must update your AWS environment. A change to the\n delegated account ID requires that you set up your AWS configuration again. A\n change to the list of AWS accounts requires that you add or remove collector\n roles. Removing AWS accounts from the exclude list, because you want to\n include them, requires you to add the collector roles to those accounts.\n Complete the following:\n\n 1. Click **Continue**.\n 2. In the **Create connection with AWS** page, complete one of the\n following:\n\n - Download the CloudFormation templates for the delegated role and the\n collector role. For instructions on using the templates, see\n [Use CloudFormation templates to set up your AWS environment](/security-command-center/docs/connect-scc-to-aws#cloudformation).\n\n - If you want to change the AWS configuration manually, select\n **Use the AWS console** . Copy the service agent ID, delegated role\n name, and the collector role name. For instructions on updating AWS\n manually, see\n [Configure AWS accounts manually](/security-command-center/docs/connect-scc-to-aws#configure-aws-manually).\n\n8. If you added an AWS account to the list of AWS accounts to exclude, we\n recommend that you remove the collector role from the account.\n\n9. Click **Test connector** to verify that Security Command Center can connect to\n your AWS environment. If the connection is successful, the Google Cloud\n service agent can assume the delegated role and the delegated role has all\n the required permissions to assume the collector role. If the connection\n isn't successful, see\n [Troubleshooting errors when testing the connection](/security-command-center/docs/connect-scc-to-aws#troubleshooting-connection).\n\n10. Click **Save**.\n\nWhat's next\n-----------\n\n- For troubleshooting information, see [Connect Security Command Center to AWS](/security-command-center/docs/connect-scc-to-aws)."]]