Making the transition to AWS Organizations for account management - AWS Security Hub

Making the transition to AWS Organizations for account management

You might have an existing administrator account with member accounts that accepted a manual invitation. If you are enrolled in AWS Organizations, use the following steps to switch to Organizations for enabling and managing member accounts instead of the manual invitation process.

The following diagram shows an overview of the administrator and member account structure before the transition, the configuration in Organizations, and the account structure after the transition.

[Diagram: an administrator account with member accounts by invitation. In Organizations, the administrator account becomes the Security Hub administrator account for the organization, and the organization accounts become member accounts by organization.]

Designate a Security Hub administrator account for your organization

Your organization management account designates the Security Hub administrator account for your organization. See Designating a Security Hub administrator account. The Security Hub administrator account also becomes the delegated administrator account for Security Hub in Organizations.

To make the transition simpler, Security Hub recommends that you choose the current administrator account as the Security Hub administrator account for the organization. This is because a member account cannot belong to more than one administrator account. The administrator account for the organization cannot enable any organization accounts that are member accounts under another administrator account.

Enable organization accounts as member accounts

The Security Hub administrator account determines which organization accounts to enable as member accounts. See Managing member accounts that belong to an organization.

On the Accounts page, the Security Hub administrator account sees all of the accounts in the organization. Organization accounts have a type of By organization, even if they were previously member accounts by invitation.

If the Security Hub administrator account was already an administrator account, all of its existing member accounts are enabled as member accounts automatically. Existing member accounts that are not organization accounts have a type of By invitation.

The Accounts page also provides an option to automatically enable new accounts as they are added to an organization. See Automatically enabling new organization accounts. The option is initially turned off (Auto-enable is off).

Until you enable that option, the Accounts page displays a message that contains an Enable button. When you choose Enable, Security Hub performs the following actions:

  • Enables all of the organization accounts as member accounts, except for accounts that are member accounts under another administrator account.

    Before the Security Hub administrator account can enable those accounts, they must be disassociated from the other administrator account. See Disassociating member accounts.

    If an organization account does not have Security Hub enabled, then Security Hub and the default standards are enabled automatically for that account.

    For organization accounts that already have Security Hub enabled, Security Hub does not make any other changes to the account. It only enables the membership.

  • Toggles the setting to enable new accounts automatically (Auto-enable is on).
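The two steps above (the management account designating the delegated administrator, then the administrator enabling organization accounts as members and turning Auto-enable on) as an added Python example; this is not code from the AWS documentation. The classification runs offline on constructed sample data and mirrors what the Accounts page shows: organization accounts become "By organization", accounts under another administrator are held back until they are disassociated there, and members outside the organization stay "By invitation". The set of accounts belonging to another administrator is assumed to have been collected by the operator beforehand; the rendered calls use boto3 Security Hub operations that exist (`enable_organization_admin_account`, `create_members`, `update_organization_configuration`), and the batch size of 50 for `create_members` is an assumption, not a limit taken from this page.

```python
"""Plan the move from invitation-based to Organizations-based Security Hub
membership, then render the API calls that carry it out.

The classification is plain Python over dicts, so it runs offline against the
constructed sample data at the bottom. apply_transition only executes the
rendered calls when real boto3 securityhub clients are supplied.
"""
from dataclasses import dataclass

ADMIN_ACCOUNT_ID = "111111111111"  # constructed sample: current invitation-based administrator


@dataclass
class TransitionPlan:
    enable_by_organization: list  # org accounts the administrator can enable now
    blocked_by_other_admin: list  # org accounts to disassociate from another admin first
    already_members: list         # invited org members; shown as "By organization" afterwards
    keep_by_invitation: list      # members outside the organization; stay "By invitation"
    auto_enable: bool = True      # turn Auto-enable on, as the Enable button does


def plan_transition(org_accounts, current_members, admin_account_id, other_admin_member_ids):
    """Classify every account the Security Hub administrator will see on the Accounts page.

    org_accounts:           entries shaped like organizations.list_accounts() output (Id)
    current_members:        entries shaped like securityhub.list_members() output (AccountId),
                            listed from admin_account_id's own Security Hub
    other_admin_member_ids: assumption: IDs the operator collected from a *different*
                            administrator's member list; these cannot be enabled until
                            they are disassociated from that administrator
    """
    member_ids = {m["AccountId"] for m in current_members}
    other_ids = set(other_admin_member_ids)
    org_ids = {a["Id"] for a in org_accounts}
    org_ids.discard(admin_account_id)  # the administrator is never its own member

    return TransitionPlan(
        enable_by_organization=sorted(org_ids - member_ids - other_ids),
        blocked_by_other_admin=sorted(org_ids & other_ids),
        already_members=sorted(org_ids & member_ids),
        keep_by_invitation=sorted(member_ids - org_ids),
    )


def render_calls(plan, admin_account_id, batch_size=50):
    """Return (client_role, operation, kwargs) tuples in execution order.

    "management" calls run as the Organizations management account, which designates
    the delegated administrator; "administrator" calls run as that administrator.
    create_members is batched; 50 per call is an assumption, not a documented limit.
    """
    calls = [("management", "enable_organization_admin_account",
              {"AdminAccountId": admin_account_id})]
    ids = plan.enable_by_organization
    for i in range(0, len(ids), batch_size):
        calls.append(("administrator", "create_members",
                      {"AccountDetails": [{"AccountId": a} for a in ids[i:i + batch_size]]}))
    if plan.auto_enable:
        calls.append(("administrator", "update_organization_configuration",
                      {"AutoEnable": True}))
    return calls


def apply_transition(calls, management_client, administrator_client):
    """Execute rendered calls against boto3 securityhub clients (not run on the sample)."""
    clients = {"management": management_client, "administrator": administrator_client}
    return [getattr(clients[role], op)(**kwargs) for role, op, kwargs in calls]


# Constructed sample data; the account IDs are placeholders, not real accounts.
SAMPLE_ORG_ACCOUNTS = [
    {"Id": "111111111111"},  # current administrator
    {"Id": "222222222222"},  # already a member by invitation
    {"Id": "333333333333"},  # not yet a member
    {"Id": "444444444444"},  # member under another administrator
]
SAMPLE_CURRENT_MEMBERS = [{"AccountId": "222222222222"}, {"AccountId": "999999999999"}]
SAMPLE_OTHER_ADMIN_MEMBERS = {"444444444444"}

if __name__ == "__main__":
    plan = plan_transition(SAMPLE_ORG_ACCOUNTS, SAMPLE_CURRENT_MEMBERS,
                           ADMIN_ACCOUNT_ID, SAMPLE_OTHER_ADMIN_MEMBERS)
    print(plan)
    for role, op, kwargs in render_calls(plan, ADMIN_ACCOUNT_ID):
        print(f"{role:14} {op}({kwargs})")
```

Run it as-is to see the plan and the call sequence for the sample; to execute for real, pass `boto3.client("securityhub")` objects created with management-account and administrator-account credentials to `apply_transition`. Accounts that land in `blocked_by_other_admin` need the other administrator's disassociation step before a second planning pass will move them into `enable_by_organization`.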