Transitioning to AWS Organizations for account management - AWS Security Hub

Transitioning to AWS Organizations for account management

When you manage accounts manually in AWS Security Hub, you must invite prospective member accounts and configure each member account separately in each AWS Region.

By integrating Security Hub and AWS Organizations, you can eliminate the need to send invitations and gain more control over how Security Hub is configured and customized in your organization.

It's possible to use a combined approach in which you use the AWS Organizations integration but also manually invite accounts outside of your organization. However, we recommend exclusively using the Organizations integration. Central configuration, the feature that lets you manage Security Hub across multiple accounts and Regions from one place, is available only when you integrate with Organizations.

This section covers how you can transition from manual invitation-based account management to managing accounts with AWS Organizations.

Integrating Security Hub with AWS Organizations

First, you must integrate Security Hub and AWS Organizations.

You can integrate these services by completing the following steps:

  • Create an organization in AWS Organizations. For instructions, see Create an organization in the AWS Organizations User Guide.

  • From the Organizations management account, designate a Security Hub delegated administrator account.

Note

The organization management account cannot be set as the delegated administrator (DA) account.

For detailed instructions, see Integrating Security Hub with AWS Organizations.

By completing the preceding steps, you grant trusted access for Security Hub in AWS Organizations. This also enables Security Hub in the current AWS Region for the delegated administrator account.

The delegated administrator can manage the organization in Security Hub, primarily by adding the organization’s accounts as Security Hub member accounts. The administrator can also access certain Security Hub settings, data, and resources for those accounts.

When you transition to account management using Organizations, existing invitation-based member accounts don't automatically become organization-managed Security Hub members. Only accounts that belong to your organization can be added as members through the integration; an account that stays outside the organization can be managed only by invitation.

Central configuration vs. local configuration

After activating the integration, you can manage accounts with Organizations. For information, see Managing accounts with AWS Organizations. Account management varies based on your organization's configuration type.

There are two possible configuration types for your organization: local and central. The default configuration type is local configuration. To see your current configuration type, choose Settings in the navigation pane of the Security Hub console, and then choose Configuration. You can also call the DescribeOrganizationConfiguration API operation to view your configuration type.

Under local configuration, the delegated administrator account can choose to automatically enable Security Hub and default security standards in new accounts as they join the organization. These new account settings take effect in the current Region. Other Security Hub settings must be configured separately by each member account in each Region.

We recommend using central configuration instead of local configuration. Under central configuration, the delegated administrator account creates Security Hub configuration policies that take effect across multiple Regions and specify which Security Hub capabilities are enabled in your organization's various accounts and organizational units (OUs). You can apply a single configuration policy to your entire organization, or different configuration policies to different accounts and OUs. For example, you can enable one set of standards and controls in production accounts and a different set of standards and controls in test accounts. The delegated administrator can edit configuration policies as needed.

For more information about how central configuration works, see Central configuration in Security Hub.

For instructions on switching from local to central configuration, see Start using central configuration.
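The following script is an added example, not part of the AWS documentation, that walks the procedure on this page end to end with the AWS CLI: designating the delegated administrator from the management account, reading the current configuration type from DescribeOrganizationConfiguration, switching from local to central configuration, and creating one configuration policy for a production OU and another for a test OU. The account ID, OU IDs, home Region, policy names and the disabled control IDs are placeholders you would replace; the sample API responses embedded for offline testing are constructed, not captured from a real account.

```shell
#!/usr/bin/env bash
# Added example (not AWS's own code): move Security Hub from invitation-based
# management to the Organizations integration with central configuration.
# Placeholders: DA_ACCOUNT, PROD_OU, TEST_OU, HOME_REGION, policy names.
set -eu

HOME_REGION=${HOME_REGION:-us-east-1}                    # Region the DA works from
DA_ACCOUNT=${DA_ACCOUNT:-111122223333}                   # placeholder DA account ID
PROD_OU=${PROD_OU:-ou-examplerootid111-exampleouid111}   # placeholder production OU
TEST_OU=${TEST_OU:-ou-examplerootid111-exampleouid222}   # placeholder test OU

# Standards ARNs referenced by the configuration policies below.
FSBP="arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
CIS14="arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"

# Step 1, run from the Organizations management account: designate the delegated
# administrator (DA). The management account itself cannot be the DA.
designate_delegated_admin() {
  aws securityhub enable-organization-admin-account \
    --admin-account-id "$DA_ACCOUNT" --region "$HOME_REGION"
  aws securityhub list-organization-admin-accounts --region "$HOME_REGION"
}

# Extract OrganizationConfiguration.ConfigurationType (LOCAL or CENTRAL) from a
# describe-organization-configuration response without depending on jq. Local is
# the default, so a response without the field is treated as LOCAL.
config_type_from_json() {
  t=$(printf '%s' "$1" | tr -d '\n' \
      | sed -n 's/.*"ConfigurationType"[[:space:]]*:[[:space:]]*"\([A-Z]*\)".*/\1/p')
  printf '%s\n' "${t:-LOCAL}"
}

# Run as the DA: report the organization's current configuration type.
current_config_type() {
  config_type_from_json "$(aws securityhub describe-organization-configuration \
    --region "$HOME_REGION")"
}

# Step 2, run as the DA: switch from local to central configuration. The local
# auto-enable settings are turned off in the same call.
switch_to_central() {
  aws securityhub update-organization-configuration \
    --no-auto-enable --auto-enable-standards NONE \
    --organization-configuration '{"ConfigurationType": "CENTRAL"}' \
    --region "$HOME_REGION"
}

# Build a configuration policy document. $1 is a space-separated list of standards
# ARNs to enable; $2 is an optional space-separated list of control IDs to disable.
policy_document() {
  ctl_json=""
  std_json=$(printf '"%s",' $1)           # unquoted on purpose: split into ARNs
  std_json=${std_json%,}
  if [ -n "${2:-}" ]; then
    ctl_json=$(printf '"%s",' $2)
    ctl_json=${ctl_json%,}
  fi
  printf '{"SecurityHub":{"ServiceEnabled":true,"EnabledStandardIdentifiers":[%s],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers":[%s]}}}' \
    "$std_json" "$ctl_json"
}

# Step 3, run as the DA: create a policy and associate it with an OU, so it
# applies to every account in that OU across the Regions central configuration covers.
create_and_associate_policy() {
  name=$1; ou=$2
  doc=$(policy_document "$3" "${4:-}")
  policy_id=$(aws securityhub create-configuration-policy \
    --name "$name" --configuration-policy "$doc" \
    --region "$HOME_REGION" --query Id --output text)
  aws securityhub start-configuration-policy-association \
    --configuration-policy-identifier "$policy_id" \
    --target "{\"OrganizationalUnitId\": \"$ou\"}" \
    --region "$HOME_REGION"
}

# Constructed sample responses (not captured from a real account) used to exercise
# config_type_from_json offline.
SAMPLE_LOCAL='{"AutoEnable": true, "AutoEnableStandards": "DEFAULT",
  "OrganizationConfiguration": {"ConfigurationType": "LOCAL", "Status": "ENABLED"}}'
SAMPLE_CENTRAL='{"AutoEnable": false, "AutoEnableStandards": "NONE",
  "OrganizationConfiguration": {"ConfigurationType": "CENTRAL", "Status": "ENABLED"}}'

# Usage: `./transition.sh admin` as the management account, then
# `./transition.sh central` as the DA. Without an argument only the functions load.
case "${1:-}" in
  admin) designate_delegated_admin ;;
  central)
    if [ "$(current_config_type)" = "LOCAL" ]; then switch_to_central; fi
    create_and_associate_policy prod-policy "$PROD_OU" "$FSBP $CIS14"
    create_and_associate_policy test-policy "$TEST_OU" "$FSBP" "CloudTrail.2"
    ;;
esac
```

The two policies illustrate the production-versus-test split described above: the production OU gets both standards with every control enabled, while the test OU gets only the foundational standard with one control (a placeholder ID here) disabled. Associating with an OU rather than individual accounts means accounts that later move into the OU inherit the policy without any invitation.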