Automatically enabling new organization accounts - AWS Security Hub

Automatically enabling new organization accounts

The Security Hub administrator account can configure Security Hub to automatically add new organization accounts as member accounts.

By default, new accounts are not enabled as member accounts. Their status is Not a member.

If you enable new organization accounts as member accounts, then when new accounts are added to your organization, they are automatically added to the list on the Accounts page. For organization accounts, Type is By organization.

When you enable the automatic enablement setting, Security Hub begins to enable new accounts as they are added to the organization. It does not enable existing organization accounts that are not yet enabled. Security Hub also cannot automatically enable accounts that already belong to another administrator account.

Remember that all Security Hub accounts must have AWS Config enabled and configured to record all resources. For details on the requirement for AWS Config, see Enabling and configuring AWS Config.

Enabling Security Hub automatically for new accounts (console)

The Accounts page includes a configuration option to automatically add new accounts.

To automatically enable new organization accounts as member accounts

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the Security Hub navigation pane, choose Settings.

  3. On the Settings page, choose Accounts.

  4. On the Accounts tab, toggle the automatic enablement setting to Auto-enable is on.

Enabling Security Hub automatically for new organization accounts (Security Hub API, AWS CLI)

To configure whether new organization accounts are automatically enabled, the administrator account can use the Security Hub API or the AWS Command Line Interface.
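An added example (not AWS's own code) that audits and, if asked, enforces the auto-enable setting through the Security Hub API operations DescribeOrganizationConfiguration, UpdateOrganizationConfiguration and ListMembers. Because auto-enable does not cover accounts already in the organization, it also lists members that are not yet Enabled; the client is injected so the logic runs offline against the constructed FakeSecurityHub, and the account IDs it contains are sample values.

```python
from typing import Any, Dict, Iterable, List

def auto_enable_is_on(describe_response: Dict[str, Any]) -> bool:
    """True if DescribeOrganizationConfiguration reports AutoEnable set."""
    return bool(describe_response.get("AutoEnable", False))

def accounts_not_enabled(members: Iterable[Dict[str, Any]]) -> List[str]:
    """IDs whose MemberStatus is not 'Enabled' (auto-enable only covers accounts that join later)."""
    return sorted(m["AccountId"] for m in members if m.get("MemberStatus") != "Enabled")

def list_all_members(client) -> List[Dict[str, Any]]:
    """ListMembers with NextToken pagination; OnlyAssociated=False also returns
    organization accounts that are not yet members."""
    members, kwargs = [], {"OnlyAssociated": False}
    while True:
        page = client.list_members(**kwargs)
        members.extend(page.get("Members", []))
        if not page.get("NextToken"):
            return members
        kwargs["NextToken"] = page["NextToken"]

def audit(client, enforce: bool = False) -> Dict[str, Any]:
    """Report the auto-enable state and unenabled accounts; optionally switch auto-enable on."""
    on = auto_enable_is_on(client.describe_organization_configuration())
    if enforce and not on:
        client.update_organization_configuration(AutoEnable=True)
        on = True
    return {"auto_enable": on, "not_enabled": accounts_not_enabled(list_all_members(client))}

class FakeSecurityHub:
    """Constructed stand-in for boto3.client('securityhub'); the account IDs are not real."""
    def __init__(self):
        self.auto_enable = False
        self.pages = {None: {"Members": [{"AccountId": "111111111111", "MemberStatus": "Enabled"},
                                         {"AccountId": "222222222222", "MemberStatus": "Created"}],
                             "NextToken": "p2"},
                      "p2": {"Members": [{"AccountId": "333333333333", "MemberStatus": "Enabled"}]}}
    def describe_organization_configuration(self):
        return {"AutoEnable": self.auto_enable, "MemberAccountLimitReached": False}
    def update_organization_configuration(self, AutoEnable):
        self.auto_enable = AutoEnable
        return {}
    def list_members(self, OnlyAssociated=False, NextToken=None):
        return self.pages[NextToken]

if __name__ == "__main__":  # against a real organization, run as the Security Hub administrator
    import boto3
    print(audit(boto3.client("securityhub"), enforce=False))
```

Accounts reported under not_enabled existed before auto-enable was switched on and still have to be enabled explicitly by the administrator.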

To automatically enable new organization accounts