Comparing centrally managed and self-managed targets
When you enable central configuration, the delegated AWS Security Hub administrator can designate each organization account, organizational unit (OU), and the root as centrally managed or self-managed. The management type of a target determines how you can specify its Security Hub settings.
For background information about the benefits of central configuration and how it works, see Understanding central configuration in Security Hub.
This section explains the differences between a centrally managed and self-managed designation and how to choose the management type of an account, OU, or the root.
- Self-managed
The owner of a self-managed account, OU, or root must configure its settings separately in each AWS Region. The delegated administrator can't create configuration policies for self-managed targets.
- Centrally managed
Only the delegated Security Hub administrator can configure settings for centrally managed accounts, OUs, or the root across the home Region and linked Regions. Configuration policies can be associated with centrally managed accounts and OUs.
The delegated administrator can switch the status of a target between self-managed and centrally managed. By default, all accounts and OUs are self-managed when you start central configuration through the Security Hub API. In the console, the management type depends on your first configuration policy: accounts and OUs that you associate with your first policy are centrally managed, and all other accounts and OUs are self-managed by default.
If you associate a configuration policy with a self-managed account, the policy settings override the self-managed designation. The account becomes centrally managed and adopts the settings reflected in the configuration policy.
Child accounts and OUs can inherit self-managed behavior from a self-managed parent, in the same way that child accounts and OUs can inherit configuration policies from a centrally managed parent. For more information, see Policy association through application and inheritance.
A self-managed account or OU can't inherit a configuration policy from a parent node or from the root. For example, if you want all accounts and OUs in your organization to inherit a configuration policy from the root, you must change the management type of self-managed nodes to centrally managed.
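The following is an added example, not code from the AWS documentation, showing how the delegated administrator switches a target's management type through the API: associating a configuration policy makes an account or OU centrally managed, while associating the `SELF_MANAGED_SECURITY_HUB` identifier instead makes it self-managed, and the association can then be read back to see whether it was applied directly or inherited. It assumes boto3 is installed with credentials for the delegated administrator in the home Region; the policy UUID, OU ID and account ID are constructed placeholders, and `FakeSecurityHubClient` is a constructed stand-in so the example runs offline.

```python
"""Added example, not from the AWS documentation: switch the management type of
organization targets from the delegated Security Hub administrator account.

Assumptions (not stated on the page): boto3 is installed and the credentials
belong to the delegated administrator in the home Region; the policy UUID,
account ID and OU ID used below are constructed placeholders.
"""
from typing import Any, Dict, Optional

# Identifier that StartConfigurationPolicyAssociation accepts in place of a
# policy ARN/UUID to make a target self-managed.
SELF_MANAGED = "SELF_MANAGED_SECURITY_HUB"


def target_for(node_id: str) -> Dict[str, str]:
    """Build the Target parameter from an organization node ID (root, OU or account)."""
    if node_id.startswith("r-"):
        return {"RootId": node_id}
    if node_id.startswith("ou-"):
        return {"OrganizationalUnitId": node_id}
    if node_id.isdigit() and len(node_id) == 12:
        return {"AccountId": node_id}
    raise ValueError(f"unrecognised organization node ID: {node_id!r}")


def set_management_type(client: Any, node_id: str,
                        policy_identifier: Optional[str] = None) -> Dict[str, Any]:
    """Make node_id centrally managed (associate policy_identifier) or, when
    policy_identifier is None, self-managed (associate SELF_MANAGED_SECURITY_HUB).
    Associating a policy with a self-managed target overrides that designation."""
    identifier = policy_identifier or SELF_MANAGED
    resp = client.start_configuration_policy_association(
        ConfigurationPolicyIdentifier=identifier, Target=target_for(node_id))
    return {"target": node_id, "identifier": identifier,
            "status": resp.get("AssociationStatus")}  # PENDING, SUCCESS or FAILED


def describe_management(client: Any, node_id: str) -> Dict[str, Any]:
    """Report a node's effective management type and whether the association was
    applied directly to it or inherited from a parent node."""
    resp = client.get_configuration_policy_association(Target=target_for(node_id))
    policy_id = resp.get("ConfigurationPolicyId")
    return {"target": node_id,
            "management": "self-managed" if policy_id == SELF_MANAGED else "centrally managed",
            "policy": policy_id,
            "association_type": resp.get("AssociationType"),  # APPLIED or INHERITED
            "status": resp.get("AssociationStatus")}


class FakeSecurityHubClient:
    """Constructed stand-in for boto3's securityhub client so the example runs
    offline; it records associations and answers lookups from that record."""
    def __init__(self) -> None:
        self.associations: Dict[str, str] = {}

    def start_configuration_policy_association(self, **kw: Any) -> Dict[str, Any]:
        node_id = next(iter(kw["Target"].values()))
        self.associations[node_id] = kw["ConfigurationPolicyIdentifier"]
        return {"TargetId": node_id, "AssociationStatus": "PENDING"}

    def get_configuration_policy_association(self, **kw: Any) -> Dict[str, Any]:
        node_id = next(iter(kw["Target"].values()))
        return {"TargetId": node_id, "ConfigurationPolicyId": self.associations[node_id],
                "AssociationType": "APPLIED", "AssociationStatus": "SUCCESS"}


def demo(client: Optional[Any] = None) -> Dict[str, Dict[str, Any]]:
    """Centrally manage an OU with a policy, keep one account self-managed, read both back."""
    client = client or FakeSecurityHubClient()
    policy_uuid = "00000000-0000-0000-0000-000000000000"  # constructed placeholder policy ID
    set_management_type(client, "ou-abcd-11111111", policy_uuid)  # constructed OU ID
    set_management_type(client, "111111111111")  # constructed account ID, made self-managed
    return {"ou": describe_management(client, "ou-abcd-11111111"),
            "account": describe_management(client, "111111111111")}


if __name__ == "__main__":
    # For a real organization pass boto3.client("securityhub") (home Region) to demo().
    for name, info in demo().items():
        print(name, info)
```

Because associations start in the PENDING state, a real run should poll `get_configuration_policy_association` until the status is SUCCESS or FAILED before relying on the new management type.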
Options to configure settings in self-managed accounts
Self-managed accounts must configure their own settings separately in each Region.
Owners of self-managed accounts can invoke the following operations of the Security Hub API in each Region to configure their settings:
- EnableSecurityHub and DisableSecurityHub to enable or disable the Security Hub service
- BatchEnableStandards and BatchDisableStandards to enable or disable standards
- BatchUpdateStandardsControlAssociations or UpdateStandardsControl to enable or disable controls
Self-managed accounts can also use *Invitations and *Members operations.
However, we recommend that self-managed accounts don't use these operations. Policy associations can fail if a member account has its own members that are part of a different organization than the delegated administrator's.
For descriptions of Security Hub API actions, see the AWS Security Hub API Reference.
Self-managed accounts can also use the Security Hub console or AWS CLI to configure their settings in each Region.
Self-managed accounts can't invoke any APIs related to Security Hub configuration policies and policy associations. Only the delegated administrator can invoke central configuration APIs and use configuration policies to configure centrally managed accounts.
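Because a self-managed account's settings are per Region, the same configuration has to be repeated in every Region the account uses. The following is an added example, not code from the AWS documentation, that does this with only the operations listed above for self-managed accounts: it enables Security Hub, enables the AWS Foundational Security Best Practices standard, and disables chosen controls in each Region, treating an already-enabled Region and an unknown control ID as the failure modes to handle. It assumes boto3 is installed with credentials for the self-managed account; the Region list, the reason text and the control ID `EXAMPLE.99` are constructed, the standard ARN pattern is assumed to be Region-scoped, and `FakeSecurityHubClient` is a constructed stand-in so the example runs offline.

```python
"""Added example, not from the AWS documentation: configure a self-managed
Security Hub account in every Region it uses, with only the operations the page
lists for self-managed accounts (EnableSecurityHub, BatchEnableStandards,
BatchUpdateStandardsControlAssociations).

Assumptions (not stated on the page): boto3 is installed with credentials for
the self-managed account; the Region list, the reason text and the control ID
EXAMPLE.99 are constructed; the standard ARN pattern below is assumed Region-scoped.
"""
from typing import Any, Callable, Dict, Iterable, List

# Assumed ARN pattern for the AWS Foundational Security Best Practices standard.
FSBP_ARN = ("arn:aws:securityhub:{region}::standards/"
            "aws-foundational-security-best-practices/v/1.0.0")


def configure_region(client: Any, region: str, disabled_controls: List[str],
                     reason: str) -> Dict[str, Any]:
    """Enable Security Hub, enable FSBP and disable the given controls in one Region."""
    result: Dict[str, Any] = {"region": region, "already_enabled": False, "standards": [],
                              "controls_disabled": [], "controls_failed": []}
    try:
        # EnableDefaultStandards=False: enable only the standards chosen below.
        client.enable_security_hub(EnableDefaultStandards=False)
    except client.exceptions.ResourceConflictException:
        # Security Hub was already enabled in this Region; keep configuring it.
        result["already_enabled"] = True

    standard_arn = FSBP_ARN.format(region=region)
    resp = client.batch_enable_standards(
        StandardsSubscriptionRequests=[{"StandardsArn": standard_arn}])
    result["standards"] = [s["StandardsArn"] for s in resp.get("StandardsSubscriptions", [])]

    if disabled_controls:
        # UpdatedReason is required when a control is disabled.
        resp = client.batch_update_standards_control_associations(
            StandardsControlAssociationUpdates=[
                {"StandardsArn": standard_arn, "SecurityControlId": control_id,
                 "AssociationStatus": "DISABLED", "UpdatedReason": reason}
                for control_id in disabled_controls])
        failed = {u["StandardsControlAssociationUpdate"]["SecurityControlId"]
                  for u in resp.get("UnprocessedAssociationUpdates", [])}
        result["controls_failed"] = sorted(failed)
        result["controls_disabled"] = [c for c in disabled_controls if c not in failed]
    return result


def configure_all_regions(regions: List[str], disabled_controls: List[str], reason: str,
                          client_factory: Callable[[str], Any]) -> List[Dict[str, Any]]:
    """Self-managed settings are per Region, so repeat the configuration in each one."""
    return [configure_region(client_factory(region), region, disabled_controls, reason)
            for region in regions]


class FakeSecurityHubClient:
    """Constructed offline stand-in for boto3's securityhub client in one Region."""
    class exceptions:  # mirrors client.exceptions.ResourceConflictException
        class ResourceConflictException(Exception):
            pass

    def __init__(self, region: str, already_enabled: bool = False,
                 unknown_controls: Iterable[str] = ()) -> None:
        self.region, self.enabled = region, already_enabled
        self.unknown_controls = set(unknown_controls)

    def enable_security_hub(self, **kw: Any) -> Dict[str, Any]:
        if self.enabled:
            raise self.exceptions.ResourceConflictException("already subscribed")
        self.enabled = True
        return {}

    def batch_enable_standards(self, **kw: Any) -> Dict[str, Any]:
        return {"StandardsSubscriptions": [
            {"StandardsArn": r["StandardsArn"], "StandardsStatus": "PENDING"}
            for r in kw["StandardsSubscriptionRequests"]]}

    def batch_update_standards_control_associations(self, **kw: Any) -> Dict[str, Any]:
        return {"UnprocessedAssociationUpdates": [
            {"StandardsControlAssociationUpdate": u, "ErrorCode": "NOT_FOUND",
             "ErrorReason": "unknown control"}
            for u in kw["StandardsControlAssociationUpdates"]
            if u["SecurityControlId"] in self.unknown_controls]}


def demo() -> List[Dict[str, Any]]:
    """Constructed run: eu-west-1 already has Security Hub, and EXAMPLE.99 is unknown there."""
    fakes = {"us-east-1": FakeSecurityHubClient("us-east-1"),
             "eu-west-1": FakeSecurityHubClient("eu-west-1", already_enabled=True,
                                                unknown_controls=["EXAMPLE.99"])}
    return configure_all_regions(["us-east-1", "eu-west-1"], ["IAM.1", "EXAMPLE.99"],
                                 "constructed example reason", fakes.__getitem__)


if __name__ == "__main__":
    # For a real account: client_factory = lambda r: boto3.client("securityhub", region_name=r)
    for region_result in demo():
        print(region_result)
```

The per-Region result records which controls the service refused to update, so a Region that silently diverges from the others is visible in the output rather than discovered later; that drift is exactly what a configuration policy removes when the account is made centrally managed.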
Choosing the management type of a target
Choose your preferred method, and follow the steps to designate an account or OU as centrally managed or self-managed in AWS Security Hub.