Choosing the management type of accounts and OUs - AWS Security Hub

Choosing the management type of accounts and OUs

When you use central configuration, the AWS Security Hub delegated administrator can designate each organization account and organizational unit (OU) as centrally managed or self-managed. The management type of an account or OU determines how you can specify and change its Security Hub settings.

A self-managed account or OU can configure its own Security Hub settings separately in each AWS Region. The delegated administrator can't configure Security Hub settings for a self-managed account or OU, and configuration policies can't be associated with them. In contrast, only the delegated administrator can configure Security Hub settings for centrally managed accounts and OUs across the home Region and linked Regions. Configuration policies can be associated with centrally managed accounts and OUs.

The delegated administrator can switch the status of an account or OU between self-managed and centrally managed. By default, all accounts and OU are self-managed when you start central configuration through the Security Hub API. In the console, management type depends on your first configuration policy. Accounts and OUs that you associate with your first policy are centrally managed. Other accounts and OUs are self-managed by default.

If you associate a configuration policy with a self-managed account, the policy overrides the self-managed designation. The account becomes centrally managed and adopts the settings reflected in the configuration policy.

Child accounts and OUs can inherit self-managed behavior from a self-managed parent, in the same way that child accounts and OUs can inherit configuration policies from a centrally managed parent. For more information, see Policy association through application and inheritance.

A self-managed account or OU can't inherit a configuration policy from a parent node or from the root. For example, if you want all accounts and OUs in your organization to inherit a configuration policy from the root, you must change the management type of self-managed nodes to centrally managed.

Specifying settings for self-managed accounts

Self-managed accounts must configure their own settings separately in each Region.

Owners of self-managed accounts can invoke the following operations of the Security Hub API in each Region to configure their settings:

  • EnableSecurityHub and DisableSecurityHub to enable or disable the Security Hub service

  • BatchEnableStandards and BatchDisableStandards to enable or disable standards

  • BatchUpdateStandardsControlAssociations or UpdateStandardsControl to enable or disable controls

Self-managed accounts can also use *Invitations and *Members operations. However, we recommend that self-managed accounts don't use these operations. Policy associations can fail if a member account has its own members that are part of a different organization than the delegated administrator's.

For descriptions of Security Hub API actions, see the AWS Security Hub API Reference.

Self-managed accounts can also use the Security Hub console or AWS CLI to configure their settings in each Region.

Self-managed accounts can't invoke any APIs related to Security Hub configuration policies and policy associations. Only the delegated administrator can invoke central configuration APIs and use configuration policies to configure centrally managed accounts.

Choosing the management type of accounts and OUs

Choose your preferred method, and follow the steps to designate an account or OU as centrally managed or self-managed.

Security Hub console
To choose the management type of an account or OU
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

    Sign in using the credentials of the Security Hub delegated administrator account in the home Region.

  2. Choose Configuration.

  3. On the Organization tab, select the target account or OU. Choose Edit.

  4. On the Define configuration page, for Management type, choose Centrally managed if you want the delegated administrator to configure the target account or OU. Then, choose Apply a specific policy if you want to associate an existing configuration policy with the target. Choose Inherit from my organization if you want the target to inherit the configuration of its closest parent. Choose Self-managed if you want the account or OU to configure its own settings.

  5. Choose Next. Review your changes, and choose Save.

Security Hub API
To choose the management type of an account or OU
  1. Invoke the StartConfigurationPolicyAssociation API from the Security Hub delegated administrator account in the home Region.

  2. For the ConfigurationPolicyIdentifier field, provide SELF_MANAGED_SECURITY_HUB if you want the account or OU to control its own settings. Provide the Amazon Resource Name (ARN) or ID of the relevant configuration policy if you want the delegated administrator to control settings for the account or OU.

  3. For the Target field, provide the AWS account ID, OU ID, or root ID of the target whose management type you want to change. This associates the self-managed behavior or specified configuration policy with the target. Child accounts of the target may inherit the self-managed behavior or configuration policy.

Example API request to designate a self-managed account:

{ "ConfigurationPolicyIdentifier": "SELF_MANAGED_SECURITY_HUB", "Target": {"AccountId": "123456789012"} }
AWS CLI
To choose the management type of an account or OU
  1. Run the start-configuration-policy-association command from the Security Hub delegated administrator account in the home Region.

  2. For configuration-policy-identifier field, provide SELF_MANAGED_SECURITY_HUB if you want the account or OU to control its own settings. Provide the Amazon Resource Name (ARN) or ID of the relevant configuration policy if you want the delegated administrator to control settings for the account or OU..

  3. For the target field, provide the AWS account ID, OU ID, or root ID of the target whose management type you want to change. This associates the self-managed behavior or specified configuration policy with the target. Child accounts of the target may inherit the self-managed behavior or configuration policy.

Example command to designate a self-managed account:

aws securityhub --region us-east-1 start-configuration-policy-association \ --configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \ --target '{"AccountId": "123456789012"}'