Comparing centrally managed and self-managed targets - AWS Security Hub

Comparing centrally managed and self-managed targets

When you enable central configuration, the delegated AWS Security Hub administrator can designate each organization account, organizational unit (OU), and the root as centrally managed or self-managed. The management type of a target determines how you can specify its Security Hub settings.

For background information about the benefits of central configuration and how it works, see Understanding central configuration in Security Hub.

This section explains the differences between a centrally managed and self-managed designation and how to choose the management type of an account, OU, or the root.

Self-managed

The owner of a self-managed account, OU, or root must configure its settings separately in each AWS Region. The delegated administrator can't create configuration policies for self-managed targets.

Centrally managed

Only the delegated Security Hub administrator can configure settings for centrally managed accounts, OUs, or the root across the home Region and linked Regions. Configuration policies can be associated with centrally managed accounts and OUs.

The delegated administrator can switch the status of a target between self-managed and centrally managed. By default, all accounts and OUs are self-managed when you start central configuration through the Security Hub API. In the console, the initial management type depends on your first configuration policy: accounts and OUs that you associate with your first policy are centrally managed, and all other accounts and OUs remain self-managed.

If you associate a configuration policy with a self-managed account, the policy settings override the self-managed designation. The account becomes centrally managed and adopts the settings reflected in the configuration policy.

Child accounts and OUs can inherit self-managed behavior from a self-managed parent, in the same way that child accounts and OUs can inherit configuration policies from a centrally managed parent. For more information, see Policy association through application and inheritance.

A self-managed account or OU can't inherit a configuration policy from a parent node or from the root. For example, if you want all accounts and OUs in your organization to inherit a configuration policy from the root, you must change the management type of self-managed nodes to centrally managed.

Options to configure settings in self-managed accounts

Self-managed accounts must configure their own settings separately in each Region.

Owners of self-managed accounts can invoke the following operations of the Security Hub API in each Region to configure their settings:

  • EnableSecurityHub and DisableSecurityHub to enable or disable the Security Hub service

  • BatchEnableStandards and BatchDisableStandards to enable or disable standards

  • BatchUpdateStandardsControlAssociations or UpdateStandardsControl to enable or disable controls

Self-managed accounts can also use the *Invitations and *Members operations. However, we recommend that self-managed accounts don't use these operations: policy associations can fail if a member account has members of its own that belong to a different organization than the delegated administrator's.

For descriptions of Security Hub API actions, see the AWS Security Hub API Reference.

Self-managed accounts can also use the Security Hub console or AWS CLI to configure their settings in each Region.

Self-managed accounts can't invoke any APIs related to Security Hub configuration policies and policy associations. Only the delegated administrator can invoke central configuration APIs and use configuration policies to configure centrally managed accounts.
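The per-Region work described above is the part that is easy to get wrong by hand: the Regional standards ARNs carry the Region name, so the same BatchEnableStandards body cannot be reused across Regions, and disabling a control requires an UpdatedReason. The following Python script is an added example (not AWS code and not from this page) that builds the EnableSecurityHub, BatchEnableStandards and BatchUpdateStandardsControlAssociations request bodies once per Region and, optionally, sends them with boto3 from the self-managed account. The Region list, the chosen standard and the CloudTrail.5 override are constructed for illustration; apply_region() is the only function that needs credentials.

```python
"""Per-Region configuration for a self-managed Security Hub account.

Added example, not from the AWS documentation. The helpers build the request
bodies for EnableSecurityHub, BatchEnableStandards and
BatchUpdateStandardsControlAssociations for each Region; apply_region() sends
them with boto3. REGIONS, STANDARDS and OVERRIDES are constructed for illustration.
"""
import re
from typing import Dict, List

# Regional standards carry the Region in the ARN and must be rewritten per Region.
FSBP_TEMPLATE = ("arn:aws:securityhub:{region}::standards/"
                 "aws-foundational-security-best-practices/v/1.0.0")
# CIS v1.2.0 is a "ruleset" ARN with no Region segment and is used unchanged.
CIS_120_TEMPLATE = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def standards_arn(template: str, region: str) -> str:
    """Fill the Region into a standards ARN template (no-op for global ARNs)."""
    if not REGION_RE.match(region):
        raise ValueError(f"not a Region name: {region!r}")
    return template.format(region=region)


def build_region_plan(region: str, standards: List[str], overrides: List[Dict]) -> Dict:
    """Request bodies for one Region.

    overrides: [{"standard": template, "control": "CloudTrail.5",
                 "status": "ENABLED" | "DISABLED", "reason": "..."}]
    Security Hub requires UpdatedReason when a control is DISABLED.
    """
    updates = []
    for o in overrides:
        if o["status"] not in ("ENABLED", "DISABLED"):
            raise ValueError(f"bad AssociationStatus: {o['status']!r}")
        if o["status"] == "DISABLED" and not o.get("reason"):
            raise ValueError(f"UpdatedReason is required to disable {o['control']}")
        update = {
            "StandardsArn": standards_arn(o["standard"], region),
            "SecurityControlId": o["control"],
            "AssociationStatus": o["status"],
        }
        if o.get("reason"):
            update["UpdatedReason"] = o["reason"]
        updates.append(update)
    return {
        "EnableSecurityHub": {
            # Don't let the default standards switch on; enable them explicitly below.
            "EnableDefaultStandards": False,
            "ControlFindingGenerator": "SECURITY_CONTROL",
        },
        "BatchEnableStandards": {
            "StandardsSubscriptionRequests": [
                {"StandardsArn": standards_arn(t, region)} for t in standards
            ]
        },
        "BatchUpdateStandardsControlAssociations": {
            "StandardsControlAssociationUpdates": updates
        },
    }


def build_all(regions: List[str], standards: List[str], overrides: List[Dict]) -> Dict[str, Dict]:
    """One plan per Region, so every Region gets the same settings with Region-correct ARNs."""
    return {r: build_region_plan(r, standards, overrides) for r in regions}


def apply_region(region: str, plan: Dict) -> None:
    """Send one Region's plan with boto3 (needs credentials for the self-managed account)."""
    import boto3  # lazy import so the planners above work without boto3 installed

    hub = boto3.client("securityhub", region_name=region)
    try:
        hub.enable_security_hub(**plan["EnableSecurityHub"])
    except hub.exceptions.ResourceConflictException:
        pass  # already enabled in this Region; standards and controls are still applied below
    hub.batch_enable_standards(**plan["BatchEnableStandards"])
    updates = plan["BatchUpdateStandardsControlAssociations"]["StandardsControlAssociationUpdates"]
    if updates:
        hub.batch_update_standards_control_associations(StandardsControlAssociationUpdates=updates)


# Constructed inputs for illustration.
REGIONS = ["us-east-1", "eu-west-1"]
STANDARDS = [FSBP_TEMPLATE]
OVERRIDES = [{"standard": FSBP_TEMPLATE, "control": "CloudTrail.5",
              "status": "DISABLED", "reason": "CloudTrail logs are shipped to a central account"}]

if __name__ == "__main__":
    for region, plan in build_all(REGIONS, STANDARDS, OVERRIDES).items():
        print(region, plan["BatchEnableStandards"])
        # apply_region(region, plan)  # uncomment when running in the self-managed account
```

Controls become available for update only after the standard's subscription finishes; if batch_update_standards_control_associations reports a control as not found right after batch_enable_standards, retry it once the subscription is READY.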

Choosing the management type of a target

Choose your preferred method, and follow the steps to designate an account or OU as centrally managed or self-managed in AWS Security Hub.

Security Hub console
To choose the management type of an account or OU
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

    Sign in using the credentials of the delegated Security Hub administrator account in the home Region.

  2. Choose Configuration.

  3. On the Organization tab, select the target account or OU. Choose Edit.

  4. On the Define configuration page, for Management type, choose Centrally managed if you want the delegated administrator to configure the target account or OU. Then, choose Apply a specific policy if you want to associate an existing configuration policy with the target. Choose Inherit from my organization if you want the target to inherit the configuration of its closest parent. Choose Self-managed if you want the account or OU to configure its own settings.

  5. Choose Next. Review your changes, and choose Save.

Security Hub API
To choose the management type of an account or OU
  1. Invoke the StartConfigurationPolicyAssociation API from the Security Hub delegated administrator account in the home Region.

  2. For the ConfigurationPolicyIdentifier field, provide SELF_MANAGED_SECURITY_HUB if you want the account or OU to control its own settings. Provide the Amazon Resource Name (ARN) or ID of the relevant configuration policy if you want the delegated administrator to control settings for the account or OU.

  3. For the Target field, provide the AWS account ID, OU ID, or root ID of the target whose management type you want to change. This associates the self-managed behavior or specified configuration policy with the target. Child accounts of the target may inherit the self-managed behavior or configuration policy.

Example API request to designate a self-managed account:

{
    "ConfigurationPolicyIdentifier": "SELF_MANAGED_SECURITY_HUB",
    "Target": {"AccountId": "123456789012"}
}

AWS CLI
To choose the management type of an account or OU
  1. Run the start-configuration-policy-association command from the Security Hub delegated administrator account in the home Region.

  2. For the configuration-policy-identifier parameter, provide SELF_MANAGED_SECURITY_HUB if you want the account or OU to control its own settings. Provide the Amazon Resource Name (ARN) or ID of the relevant configuration policy if you want the delegated administrator to control settings for the account or OU.

  3. For the target field, provide the AWS account ID, OU ID, or root ID of the target whose management type you want to change. This associates the self-managed behavior or specified configuration policy with the target. Child accounts of the target may inherit the self-managed behavior or configuration policy.

Example command to designate a self-managed account:

aws securityhub --region us-east-1 start-configuration-policy-association \
    --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \
    --target '{"AccountId": "123456789012"}'
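The API and CLI procedures above both end at StartConfigurationPolicyAssociation, which only starts the change; the association then sits in PENDING and can end in FAILED, and a target's effective management type may come from inheritance rather than from a policy applied to it directly. The following Python script is an added example (not AWS code and not from this page) that picks the correct Target member from an account, OU or root identifier, builds the same request body shown in the API example, and reads a GetConfigurationPolicyAssociation response to confirm whether the target is now self-managed or centrally managed, whether that was APPLIED or INHERITED, and whether the association succeeded. SAMPLE_RESPONSE is constructed, not captured from AWS; only apply_and_verify() talks to AWS and it needs delegated-administrator credentials in the home Region.

```python
"""Set and verify the management type of a Security Hub target.

Added example, not from the AWS documentation. target_for() picks the Target
member from the identifier's format, association_request() builds the
StartConfigurationPolicyAssociation body (SELF_MANAGED_SECURITY_HUB when no
policy is given), and describe_association() summarises a
GetConfigurationPolicyAssociation response. SAMPLE_RESPONSE is constructed.
"""
import re
import time
from typing import Dict, Optional

SELF_MANAGED = "SELF_MANAGED_SECURITY_HUB"
# Identifier formats from AWS Organizations: 12-digit account, ou-xxxx-yyyyyyyy, r-xxxx.
ACCOUNT_RE = re.compile(r"^\d{12}$")
OU_RE = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")
ROOT_RE = re.compile(r"^r-[a-z0-9]{4,32}$")


def target_for(identifier: str) -> Dict[str, str]:
    """Return the Target union member (AccountId, OrganizationalUnitId or RootId)."""
    if ACCOUNT_RE.match(identifier):
        return {"AccountId": identifier}
    if OU_RE.match(identifier):
        return {"OrganizationalUnitId": identifier}
    if ROOT_RE.match(identifier):
        return {"RootId": identifier}
    raise ValueError(f"not an account ID, OU ID or root ID: {identifier!r}")


def association_request(identifier: str, policy: Optional[str] = None) -> Dict:
    """StartConfigurationPolicyAssociation body; policy=None designates self-managed."""
    return {"ConfigurationPolicyIdentifier": policy or SELF_MANAGED,
            "Target": target_for(identifier)}


def describe_association(resp: Dict) -> Dict:
    """Summarise a GetConfigurationPolicyAssociation response.

    ConfigurationPolicyId is SELF_MANAGED_SECURITY_HUB for self-managed targets,
    otherwise the policy UUID. AssociationType is APPLIED (set on this target)
    or INHERITED (from a parent OU or the root). Anything but AssociationStatus
    SUCCESS means the target is not yet in the requested state.
    """
    policy = resp.get("ConfigurationPolicyId")
    return {
        "target": resp.get("TargetId"),
        "target_type": resp.get("TargetType"),  # ACCOUNT, ORGANIZATIONAL_UNIT or ROOT
        "management": "self-managed" if policy == SELF_MANAGED else "centrally managed",
        "policy": None if policy == SELF_MANAGED else policy,
        "how": (resp.get("AssociationType") or "UNKNOWN").lower(),
        "ok": resp.get("AssociationStatus") == "SUCCESS",
        "detail": resp.get("AssociationStatusMessage", ""),
    }


def apply_and_verify(identifier: str, policy: Optional[str] = None,
                     home_region: str = "us-east-1", attempts: int = 12) -> Dict:
    """Start the association and poll until it leaves PENDING (needs AWS credentials)."""
    import boto3  # lazy import so the helpers above run without boto3

    hub = boto3.client("securityhub", region_name=home_region)  # delegated admin, home Region
    hub.start_configuration_policy_association(**association_request(identifier, policy))
    target = target_for(identifier)
    resp = {}
    for _ in range(max(1, attempts)):
        resp = hub.get_configuration_policy_association(Target=target)
        if resp.get("AssociationStatus") != "PENDING":
            break
        time.sleep(5)
    return describe_association(resp)


# Constructed response: an OU that inherited self-managed behaviour from its parent.
SAMPLE_RESPONSE = {
    "ConfigurationPolicyId": SELF_MANAGED,
    "TargetId": "ou-abcd-12345678",
    "TargetType": "ORGANIZATIONAL_UNIT",
    "AssociationType": "INHERITED",
    "AssociationStatus": "SUCCESS",
    "AssociationStatusMessage": "",
}

if __name__ == "__main__":
    print(association_request("123456789012"))  # same body as the CLI example above
    print(describe_association(SAMPLE_RESPONSE))
```

Because a self-managed designation is itself an association (to SELF_MANAGED_SECURITY_HUB), the same check covers both directions of the switch; treat any "ok": False result as the target still carrying its previous settings, and read "detail" for the reason AWS gives.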