

# Managing accounts by invitation in Security Hub CSPM
Managing accounts by invitation

You can centrally manage multiple AWS Security Hub CSPM accounts in two ways: by integrating Security Hub CSPM with AWS Organizations, or by manually sending and accepting membership invitations. You must use the manual process if you have a standalone account or you don't integrate with AWS Organizations. In manual account management, the Security Hub CSPM administrator invites accounts to become members. The administrator-member relationship is established when a prospective member accepts the invitation. A Security Hub CSPM administrator account can manage Security Hub CSPM for up to 1,000 invitation-based member accounts.

**Note**  
If you create an invitation-based organization in Security Hub CSPM, you can subsequently [transition to using AWS Organizations](accounts-transition-to-orgs.md) instead. If you have more than one member account, we recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

Cross-Region aggregation of findings and other data is available for accounts that you invite through the manual invitation process. However, the administrator must invite the member account from the aggregation Region and all linked Regions in order for cross-Region aggregation to work. In addition, the member account must have Security Hub CSPM enabled in the aggregation Region and all linked Regions to give the administrator the ability to view findings from the member account.

Configuration policies aren't supported for manually-invited member accounts. Instead, you must configure Security Hub CSPM settings separately in each member account and AWS Region when you use the manual invitation process.

You must also use the manual invitation-based process for accounts that don't belong to your organization. For example, you might not include a test account in your organization. Or, you might want to consolidate accounts from multiple organizations under a single Security Hub CSPM administrator account. The Security Hub CSPM administrator account must send invitations to accounts that belong to other organizations.

On the **Configuration** page of the Security Hub CSPM console, accounts that were added by invitation are listed in the **Invitation accounts** tab. If you use [central configuration](central-configuration-intro.md), but also invite accounts outside of your organization, you can view findings from invitation-based accounts in this tab. However, the Security Hub CSPM administrator can't configure invitation-based accounts across Regions through the use of configuration policies.

The topics in this section explain how to manage member accounts through invitations.

**Topics**
+ [Adding and inviting member accounts in Security Hub CSPM](securityhub-accounts-add-invite.md)
+ [Responding to an invitation to be a Security Hub CSPM member account](securityhub-invitation-respond.md)
+ [Disassociating member accounts in Security Hub CSPM](securityhub-disassociate-members.md)
+ [Deleting member accounts in Security Hub CSPM](securityhub-delete-member-accounts.md)
+ [Disassociating from a Security Hub CSPM administrator account](securityhub-disassociate-from-admin.md)
+ [Transitioning to Organizations to manage accounts in Security Hub CSPM](accounts-transition-to-orgs.md)

# Adding and inviting member accounts in Security Hub CSPM
Adding and inviting member accounts

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

Your account becomes the AWS Security Hub CSPM administrator for accounts that accept your invitation to become a Security Hub CSPM member account.

When you accept an invitation from another account, your account becomes a member account, and that account becomes your administrator.

If your account is an administrator account, you can't accept an invitation to become a member account.

Adding a member account consists of the following steps:

1. The administrator account adds the member account to their list of member accounts.

1. The administrator account sends an invitation to the member account.

1. The member account accepts the invitation. 

## Adding member accounts


From the Security Hub CSPM console, you can add accounts to your list of member accounts. In the Security Hub CSPM console, you can select accounts individually, or upload a `.csv` file that contains the account information.

For each account, you must provide the account ID and an email address. The email address should be the email address to contact about security issues in the account. It is not used to verify the account.

Choose your preferred method, and follow the steps to add member accounts.

------
#### [ Security Hub CSPM console ]

**To add accounts to your list of member accounts**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the credentials of the administrator account.

1. In the left pane, choose **Settings**.

1. On the **Settings** page, choose **Accounts** and then choose **Add accounts**. You can then either add accounts individually or upload a `.csv` file containing the list of accounts.

1. To select the accounts, do one of the following:
   + To add the accounts individually, under **Enter accounts**, enter the account ID and email address of the account to add, and then choose **Add**.

     Repeat this process for each account.
   + To use a comma-separated values (.csv) file to add multiple accounts, first create the file. The file must contain the account ID and email address for each account to add.

     In your `.csv` list, accounts must appear one per line. The first line of the `.csv` file must contain the header. In the header, the first column is **Account ID** and the second column is **Email**.

     Each subsequent line must contain a valid account ID and email address for the account to add.

     Here is an example of a `.csv` file when viewed in a text editor.

     ```
     Account ID,Email
     111111111111,user@example.com
     ```

     In a spreadsheet program, the fields appear in separate columns. The underlying format is still comma-separated. Format the **Account ID** column as plain integers (or text), not as decimals: for example, the account ID 444455556666 must not become 444455556666.0. Also make sure that the number formatting does not strip leading zeros from an account ID.

     To select the file, on the console, choose **Upload list (.csv)**. Then choose **Browse**.

     After you select the file, choose **Add accounts**.

1. After you finish adding accounts, under **Accounts to be added**, choose **Next**.

------
#### [ Security Hub CSPM API ]

**To add accounts to your list of member accounts**

Invoke the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_CreateMembers.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_CreateMembers.html) API from the administrator account. For each member account to add, you must provide the AWS account ID.

------
#### [ AWS CLI ]

**To add accounts to your list of member accounts**

Run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/create-members.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/create-members.html) command from the administrator account. For each member account to add, you must provide the AWS account ID.

```
aws securityhub create-members --account-details '[{"AccountId": "<accountID1>"}]'
```

**Example**

```
aws securityhub create-members --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'
```

------

## Inviting member accounts


After you add member accounts, send each of them an invitation. You can also resend an invitation to an account that you disassociated from the administrator.

------
#### [ Security Hub CSPM console ]

**To invite prospective member accounts**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the credentials of the administrator account.

1. In the navigation pane, choose **Settings**, and then choose **Accounts**. 

1. For the account to invite, choose **Invite** in the **Status** column.

1. When prompted to confirm, choose **Invite**.

**Note**  
To resend invitations to disassociated accounts, select each disassociated account on the **Accounts** page. For **Actions**, choose **Resend invitation**.

------
#### [ Security Hub CSPM API ]

**To invite prospective member accounts**

Invoke the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_InviteMembers.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_InviteMembers.html) API from the administrator account. For each account to invite, you must provide the AWS account ID.

------
#### [ AWS CLI ]

**To invite prospective member accounts**

Run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/invite-members.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/invite-members.html) command from the administrator account. For each account to invite, you must provide the AWS account ID.

```
aws securityhub invite-members --account-ids <accountIDs>
```

**Example**

```
aws securityhub invite-members --account-ids "123456789111" "123456789222"
```

------
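The add-then-invite sequence above, as an added example that is not part of the AWS documentation or the AWS CLI: a POSIX shell script that validates a member list in the `Account ID,Email` `.csv` layout the console accepts (catching the spreadsheet problems the page warns about, such as `444455556666.0` or a dropped leading zero), converts it to the JSON that `create-members --account-details` takes, and, only when `SEND=1`, runs `create-members`, `invite-members` and `list-members` from the administrator account, stopping on any `UnprocessedAccounts`. The function names, the `SEND` variable and the sample `.csv` are constructed for this example.

```shell
#!/bin/sh
# Added example; this is not code from the AWS documentation or the AWS CLI.
# It validates a member list in the "Account ID,Email" .csv layout the console
# accepts, turns it into the --account-details JSON that create-members takes,
# and (only when SEND=1) runs create-members, invite-members and list-members
# from the administrator account. The .csv written below is constructed sample data.
set -u

# validate_csv FILE: prints "ok" and returns 0 when the header is right and
# every data row carries a 12-digit account ID and an email address; otherwise
# prints the first problem (for example a spreadsheet-mangled "444455556666.0"
# or an ID that lost its leading zero) and returns 1.
validate_csv() {
  file=$1
  cr=$(printf '\r')
  n=0
  while IFS=, read -r id email || [ -n "$id" ]; do
    n=$((n + 1))
    id=${id%"$cr"}
    email=${email%"$cr"}
    if [ "$n" -eq 1 ]; then
      if [ "$id,$email" != "Account ID,Email" ]; then
        echo "line 1: header must be 'Account ID,Email', got '$id,$email'"
        return 1
      fi
      continue
    fi
    id=$(printf '%s' "$id" | tr -d ' ')
    email=$(printf '%s' "$email" | tr -d ' ')
    if [ -z "$id$email" ]; then continue; fi      # tolerate blank trailing lines
    case "$id" in
      ????????????) ;;
      *) echo "line $n: account ID '$id' must be exactly 12 digits"; return 1 ;;
    esac
    case "$id" in
      *[!0-9]*) echo "line $n: account ID '$id' must be exactly 12 digits"; return 1 ;;
    esac
    if [ -z "$email" ]; then echo "line $n: missing email for $id"; return 1; fi
  done < "$file"
  echo ok
}

# csv_to_account_details FILE: emits the JSON array create-members expects,
# one {"AccountId", "Email"} object per data row (the header is skipped).
csv_to_account_details() {
  file=$1
  cr=$(printf '\r')
  n=0
  out=""
  while IFS=, read -r id email || [ -n "$id" ]; do
    n=$((n + 1))
    if [ "$n" -eq 1 ]; then continue; fi
    id=${id%"$cr"}; id=$(printf '%s' "$id" | tr -d ' ')
    email=${email%"$cr"}; email=$(printf '%s' "$email" | tr -d ' ')
    if [ -z "$id$email" ]; then continue; fi
    entry=$(printf '{"AccountId": "%s", "Email": "%s"}' "$id" "$email")
    if [ -z "$out" ]; then out=$entry; else out="$out, $entry"; fi
  done < "$file"
  printf '[%s]' "$out"
}

# create_and_invite_members FILE: the add -> invite -> verify sequence, run from
# the administrator account. Both API calls report accounts they could not
# handle in UnprocessedAccounts, so those are surfaced instead of silently
# moving on to the invitation step.
create_and_invite_members() {
  file=$1
  result=$(validate_csv "$file")
  if [ "$result" != "ok" ]; then echo "refusing to send: $result" >&2; return 1; fi
  details=$(csv_to_account_details "$file")
  ids=$(tail -n +2 "$file" | cut -d, -f1 | tr -d '\r ' | grep -v '^$')
  failed=$(aws securityhub create-members --account-details "$details" \
             --query 'UnprocessedAccounts[].[AccountId,ProcessingResult]' --output text)
  if [ -n "$failed" ]; then echo "create-members did not add:"; echo "$failed"; return 1; fi
  failed=$(aws securityhub invite-members --account-ids $ids \
             --query 'UnprocessedAccounts[].[AccountId,ProcessingResult]' --output text)
  if [ -n "$failed" ]; then echo "invite-members did not invite:"; echo "$failed"; return 1; fi
  # --no-only-associated includes members that have not accepted yet.
  aws securityhub list-members --no-only-associated \
      --query 'Members[].[AccountId,MemberStatus]' --output text
}

# Constructed sample list (not real accounts). Run with SEND=1 to call the API.
sample=$(mktemp)
printf 'Account ID,Email\n111111111111,user@example.com\n222222222222,secops@example.com\n' > "$sample"
validate_csv "$sample"
csv_to_account_details "$sample"; echo
if [ "${SEND:-0}" = "1" ]; then create_and_invite_members "$sample"; fi
rm -f "$sample"
```

Run it as `SEND=1 sh add-members.sh` under the administrator account's credentials; without `SEND=1` it only validates and prints the JSON payload, which is a safe way to check a spreadsheet export before anything is sent.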

# Responding to an invitation to be a Security Hub CSPM member account
Responding to an invitation

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

You can accept or decline an invitation to be an AWS Security Hub CSPM member account.

If you accept an invitation, your account becomes a Security Hub CSPM member account. The account that sent the invitation becomes your Security Hub CSPM administrator account. The administrator account user can view findings for your member account in Security Hub CSPM.

If you decline the invitation, then your account is marked as **Resigned** on the administrator account's list of member accounts.

You can only accept one invitation to be a member account.

Before you can accept or decline an invitation, you must enable Security Hub CSPM.

Remember that all Security Hub CSPM accounts must have AWS Config enabled and configured to record all resources. For details on the requirement for AWS Config, see [Enabling and configuring AWS Config](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html).

## Accepting an invitation


You can send an invitation to be a Security Hub CSPM member account from the administrator account. You can then accept the invitation after signing in to the member account.

Choose your preferred method, and follow the steps to accept an invitation to be a member account.

------
#### [ Security Hub CSPM console ]

**To accept a membership invitation**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Settings**, and then choose **Accounts**.

1. In the **Administrator account** section, turn on **Accept**, and then choose **Accept invitation**.

------
#### [ Security Hub CSPM API ]

**To accept a membership invitation**

Invoke the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AcceptAdministratorInvitation.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AcceptAdministratorInvitation.html) API. You must provide the invitation identifier and the AWS account ID of the administrator account. To retrieve details about the invitation, use the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListInvitations.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListInvitations.html) operation.

------
#### [ AWS CLI ]

**To accept a membership invitation**

Run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/accept-administrator-invitation.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/accept-administrator-invitation.html) command. You must provide the invitation identifier and the AWS account ID of the administrator account. To retrieve details about the invitation, run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-invitations.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-invitations.html) command.

```
aws securityhub accept-administrator-invitation --administrator-id <administratorAccountID> --invitation-id <invitationID>
```

**Example**

```
aws securityhub accept-administrator-invitation --administrator-id 123456789012 --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb
```

------

**Note**  
The Security Hub CSPM console continues to use `AcceptInvitation`. It will eventually change to use `AcceptAdministratorInvitation`. Any IAM policies that specifically control access to this function must continue to use `AcceptInvitation`. You should also add `AcceptAdministratorInvitation` to your policies to ensure that the correct permissions are in place after the console begins to use `AcceptAdministratorInvitation`.
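Accepting an invitation gives the inviting account visibility into your findings, so a member should check who sent the invitation before accepting it. The following is an added example, not code from the AWS documentation or the AWS CLI: it filters `list-invitations` output on the inviter's account ID and only then calls `accept-administrator-invitation`, confirming the result with `get-administrator-account`. The function names, the `ACCEPT` variable and the sample invitation lines are constructed for this example; the administrator ID and first invitation ID reuse the values from the page's own CLI example.

```shell
#!/bin/sh
# Added example; this is not code from the AWS documentation or the AWS CLI.
# A member account should accept an invitation only from the administrator
# account it expects, because accepting gives that account visibility into the
# member's findings. list-invitations is filtered on the inviter's account ID
# before accept-administrator-invitation is called, and the result is confirmed
# with get-administrator-account. The invitation lines below are constructed.
set -u

# select_invitation EXPECTED_ADMIN: reads "ACCOUNT_ID<TAB>INVITATION_ID<TAB>STATUS"
# lines, the shape printed by
#   aws securityhub list-invitations \
#     --query 'Invitations[].[AccountId,InvitationId,MemberStatus]' --output text
# and prints the InvitationId sent by EXPECTED_ADMIN. Invitations from any other
# account are reported on stderr and never returned; returns 1 if none matched.
select_invitation() {
  expected=$1
  found=""
  while read -r inviter invitation status; do
    if [ -z "$inviter" ]; then continue; fi
    if [ "$inviter" = "$expected" ]; then
      found=$invitation
    else
      echo "ignoring invitation $invitation from unexpected account $inviter ($status)" >&2
    fi
  done
  if [ -z "$found" ]; then return 1; fi
  printf '%s\n' "$found"
}

# accept_from EXPECTED_ADMIN: run from the member account after Security Hub CSPM
# is enabled there; accepts only the invitation that came from EXPECTED_ADMIN.
accept_from() {
  expected=$1
  invitation=$(aws securityhub list-invitations \
                 --query 'Invitations[].[AccountId,InvitationId,MemberStatus]' --output text \
               | select_invitation "$expected") || { echo "no invitation from $expected" >&2; return 1; }
  aws securityhub accept-administrator-invitation \
      --administrator-id "$expected" --invitation-id "$invitation"
  # Confirm which account is now the administrator and this member's status.
  aws securityhub get-administrator-account \
      --query 'Administrator.[AccountId,MemberStatus]' --output text
}

# Constructed sample: two pending invitations; only the first is from the
# administrator we expect (123456789012, the ID used in the page's own example).
sample=$(printf '123456789012\t7ab938c5d52d7904ad09f9e7c20cc4eb\tInvited\n999999999999\t0123456789abcdef0123456789abcdef\tInvited\n')
printf '%s\n' "$sample" | select_invitation 123456789012
if [ "${ACCEPT:-0}" = "1" ]; then accept_from 123456789012; fi
```

Without `ACCEPT=1` the script only runs the selection against the constructed sample, printing the matching invitation ID on stdout and the rejected one on stderr; with `ACCEPT=1` and the member account's credentials it performs the acceptance.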

## Declining an invitation


You can decline an invitation to be a Security Hub CSPM member account. When you decline an invitation in the Security Hub CSPM console, your account is marked as **Resigned** on the administrator account's list of member accounts. The **Resigned** status appears only when you sign in to the Security Hub CSPM console using the administrator account. However, the invitation remains unchanged in the console for the member account until you sign in to the administrator account and delete the invitation.

To decline an invitation, you must sign in to the member account that received the invitation.

Choose your preferred method, and follow the steps to decline an invitation to be a member account.

------
#### [ Security Hub CSPM console ]

**To decline a membership invitation**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Settings**, and then choose **Accounts**.

1. In the **Administrator account** section, choose **Decline invitation**.

------
#### [ Security Hub CSPM API ]

**To decline a membership invitation**

Invoke the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DeclineInvitations.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DeclineInvitations.html) API. You must provide the AWS account ID of the administrator account that issued the invitation. To view information about your invitations, use the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListInvitations.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListInvitations.html) operation.

------
#### [ AWS CLI ]

**To decline a membership invitation**

Run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/decline-invitations.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/decline-invitations.html) command. You must provide the AWS account ID of the administrator account that issued the invitation. To view information about your invitations, run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-invitations.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-invitations.html) command.

```
aws securityhub decline-invitations --account-ids "<administratorAccountId>"
```

**Example**

```
aws securityhub decline-invitations --account-ids "123456789012"
```

------

# Disassociating member accounts in Security Hub CSPM
Disassociating member accounts

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

An AWS Security Hub CSPM administrator account can disassociate a member account to stop receiving and viewing findings from that account. You must disassociate a member account before you can delete it.

When you disassociate a member account, it remains in your list of member accounts with a status of **Removed (Disassociated)**. Your account is removed from the administrator account information for the member account.

To resume receiving findings for the account, you can resend the invitation. To remove the member account entirely, you can delete the member account.

Choose your preferred method, and follow the steps to disassociate a manually-invited member account from the administrator account.

------
#### [ Security Hub CSPM console ]

**To disassociate a manually-invited member account**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the credentials of the administrator account.

1. In the navigation pane, under **Settings**, choose **Configuration**.

1. In the **Accounts** section, select the accounts that you want to disassociate.

1. Choose **Actions**, and then choose **Disassociate account**.

------
#### [ Security Hub CSPM API ]

**To disassociate a manually-invited member account**

Invoke the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisassociateMembers.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisassociateMembers.html) API from the administrator account. You must provide the AWS account IDs of the member accounts that you want to disassociate. To view a list of member accounts, use the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListMembers.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListMembers.html) operation.

------
#### [ AWS CLI ]

**To disassociate a manually-invited member account**

Run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/disassociate-members.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disassociate-members.html) command from the administrator account. You must provide the AWS account IDs of the member accounts that you want to disassociate. To view a list of member accounts, run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-members.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-members.html) command.

```
aws securityhub disassociate-members --account-ids <accountIds>
```

**Example**

```
aws securityhub disassociate-members --account-ids "123456789111" "123456789222"
```

------

# Deleting member accounts in Security Hub CSPM
Deleting member accounts

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

As an AWS Security Hub CSPM administrator account, you can delete member accounts that were added by invitation. Before you can delete an enabled account, you must disassociate it.

When you delete a member account, it is completely removed from the list. To restore the account's membership, you must add and invite it again as if it were a completely new member account.

You can't delete accounts that belong to an organization and that are managed using the integration with AWS Organizations.

Choose your preferred method, and follow the steps to delete manually-invited member accounts.

------
#### [ Security Hub CSPM console ]

**To delete a manually-invited member account**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the administrator account.

1. In the navigation pane, choose **Settings**, and then choose **Configuration**.

1. Choose the **Invitation accounts** tab. Then, select the accounts to delete.

1. Choose **Actions**, and then choose **Delete**. This option is available only if you have disassociated the account. You must disassociate a member account before it can be deleted.

------
#### [ Security Hub CSPM API ]

**To delete a manually-invited member account**

Invoke the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DeleteMembers.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DeleteMembers.html) API from the administrator account. You must provide the AWS account IDs of the member accounts that you want to delete. To retrieve the list of member accounts, invoke the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListMembers.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListMembers.html) API.

------
#### [ AWS CLI ]

**To delete a manually-invited member account**

Run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/delete-members.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/delete-members.html) command from the administrator account. You must provide the AWS account IDs of the member accounts that you want to delete. To retrieve the list of member accounts, run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-members.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-members.html) command.

```
aws securityhub delete-members --account-ids <memberAccountIDs>
```

**Example**

```
aws securityhub delete-members --account-ids "123456789111" "123456789222"
```

------
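The two preceding sections describe one sequence: an enabled member must be disassociated before it can be deleted. The following is an added example, not code from the AWS documentation or the AWS CLI, that classifies a `list-members` result into accounts that still need `disassociate-members` and accounts that `delete-members` can take directly, and then runs the sequence for a requested set of accounts. Treating every status other than `Enabled` as deletable is an assumption made here; `delete-members` reports anything it refuses in `UnprocessedAccounts`. The function names, the `REMOVE` variable and the sample member lines are constructed for this example.

```shell
#!/bin/sh
# Added example; this is not code from the AWS documentation or the AWS CLI.
# It drives the disassociate -> delete sequence for invitation-based members:
# an Enabled member must be disassociated before delete-members will take it,
# so the current member list is classified first. Treating every non-Enabled
# status as deletable is an assumption; delete-members reports anything it
# refuses in UnprocessedAccounts. The member lines below are constructed.
set -u

# classify_members: reads "ACCOUNT_ID<TAB>MEMBER_STATUS" lines, the shape printed by
#   aws securityhub list-members --no-only-associated \
#     --query 'Members[].[AccountId,MemberStatus]' --output text
# and writes one "disassociate ID" or "delete ID" line per member.
classify_members() {
  while read -r id status; do
    if [ -z "$id" ]; then continue; fi
    case "$status" in
      Enabled) echo "disassociate $id" ;;
      *)       echo "delete $id" ;;
    esac
  done
}

# plan_removal "WANTED_IDS": reads classify_members output on stdin, keeps only
# the requested accounts and prints two lines: the IDs to disassociate first,
# then the IDs that can be deleted right away.
plan_removal() {
  wanted=" $1 "
  to_disassociate=""
  to_delete=""
  while read -r action id; do
    case "$wanted" in
      *" $id "*) ;;
      *) continue ;;
    esac
    case "$action" in
      disassociate) to_disassociate="$to_disassociate $id" ;;
      delete)       to_delete="$to_delete $id" ;;
    esac
  done
  printf '%s\n%s\n' "${to_disassociate# }" "${to_delete# }"
}

# remove_members ID...: run from the administrator account.
remove_members() {
  plan=$(aws securityhub list-members --no-only-associated \
           --query 'Members[].[AccountId,MemberStatus]' --output text \
         | classify_members | plan_removal "$*")
  to_disassociate=$(printf '%s\n' "$plan" | sed -n 1p)
  to_delete=$(printf '%s\n' "$plan" | sed -n 2p)
  if [ -n "$to_disassociate" ]; then
    aws securityhub disassociate-members --account-ids $to_disassociate
    to_delete="$to_delete $to_disassociate"
  fi
  if [ -n "${to_delete# }" ]; then
    # Anything still not deletable comes back in UnprocessedAccounts.
    aws securityhub delete-members --account-ids $to_delete \
        --query 'UnprocessedAccounts[].[AccountId,ProcessingResult]' --output text
  fi
}

# Constructed sample listing: one active member, one already disassociated,
# one that resigned. Run with REMOVE=1 to act on the real member list instead.
sample=$(printf '111111111111\tEnabled\n222222222222\tRemoved\n333333333333\tResigned\n')
printf '%s\n' "$sample" | classify_members | plan_removal "111111111111 222222222222"
if [ "${REMOVE:-0}" = "1" ]; then remove_members 111111111111 222222222222; fi
```

Without `REMOVE=1` the script only prints the plan for the constructed listing (first line: accounts to disassociate, second line: accounts to delete). Note that `delete-members` is called immediately after `disassociate-members`; if the service has not yet marked an account as removed, it is listed in the `UnprocessedAccounts` output and the delete can simply be rerun.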

# Disassociating from a Security Hub CSPM administrator account
Disassociating from an administrator account

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

If your account was added as an AWS Security Hub CSPM member account by invitation, you can disassociate the member account from the administrator account. After you disassociate a member account, Security Hub CSPM doesn't send findings from the account to the administrator account.

Member accounts that are managed using the integration with AWS Organizations can't disassociate their accounts from the administrator account. Only the Security Hub CSPM delegated administrator can disassociate member accounts that are managed with Organizations.

When you disassociate from your administrator account, your account remains in the administrator account's member list with a status of **Resigned**. However, the administrator account does not receive any findings for your account.

After you disassociate yourself from the administrator account, the invitation to be a member still remains. You can accept the invitation again in the future.

------
#### [ Security Hub CSPM console ]

**To disassociate from your administrator account**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Settings**, and then choose **Accounts**.

1. In the **Administrator account** section, turn off **Accept**, and then choose **Update**.

------
#### [ Security Hub CSPM API ]

**To disassociate from your administrator account**

Invoke the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisassociateFromAdministratorAccount.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisassociateFromAdministratorAccount.html) API.

------
#### [ AWS CLI ]

**To disassociate from your administrator account**

Run the [https://docs.aws.amazon.com/cli/latest/reference/securityhub/disassociate-from-administrator-account.html](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disassociate-from-administrator-account.html) command.

```
aws securityhub disassociate-from-administrator-account
```

------

**Note**  
The Security Hub CSPM console continues to use `DisassociateFromMasterAccount`. It will eventually change to use `DisassociateFromAdministratorAccount`. Any IAM policies that specifically control access to this function must continue to use `DisassociateFromMasterAccount`. You should also add `DisassociateFromAdministratorAccount` to your policies to ensure that the correct permissions are in place after the console begins to use `DisassociateFromAdministratorAccount`.

# Transitioning to Organizations to manage accounts in Security Hub CSPM
Transitioning to AWS Organizations

When you manage accounts manually in AWS Security Hub CSPM, you must invite prospective member accounts and configure each member account separately in each AWS Region.

By integrating Security Hub CSPM and AWS Organizations, you can eliminate the need to send invitations and gain more control over how Security Hub CSPM is configured and customized in your organization. For this reason, we recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

It's possible to use a combined approach in which you use the AWS Organizations integration, but also manually invite accounts outside of your organization. However, we recommend exclusively using the Organizations integration. [Central configuration](central-configuration-intro.md), a feature which helps you manage Security Hub CSPM across multiple accounts and Regions, is only available when you integrate with Organizations.

This section covers how you can transition from manual invitation-based account management to managing accounts with AWS Organizations.

## Integrating Security Hub CSPM with AWS Organizations


First, you must integrate Security Hub CSPM and AWS Organizations.

You can integrate these services by completing the following steps:
+ Create an organization in AWS Organizations. For instructions, see [Create an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html#create-org) in the *AWS Organizations User Guide*.
+ From the Organizations management account, designate a Security Hub CSPM delegated administrator account.

**Note**  
The organization management account *cannot* be set as the delegated administrator account.

For detailed instructions, see [Integrating Security Hub CSPM with AWS Organizations](designate-orgs-admin-account.md).

By completing the preceding steps, you grant [trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-securityhub.html#integrate-enable-ta-securityhub) for Security Hub CSPM in AWS Organizations. This also enables Security Hub CSPM in the current AWS Region for the delegated administrator account.

The delegated administrator can manage the organization in Security Hub CSPM, primarily by adding the organization’s accounts as Security Hub CSPM member accounts. The administrator can also access certain Security Hub CSPM settings, data, and resources for those accounts.

When you transition to account management using Organizations, invitation-based accounts don't automatically become Security Hub CSPM members. Only the accounts that you add to your new organization can become Security Hub CSPM members.

After activating the integration, you can manage accounts with Organizations. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md). Account management varies based on your organization's configuration type.