Enabling member accounts from your organization - AWS Security Hub

If you do not automatically enable new organization accounts, then you can enable those accounts manually. You must also manually enable accounts that you disassociated.

You cannot enable an account if it is already a member account for a different administrator account.

When you enable an organization account, Security Hub is enabled automatically for that account. The account does not receive an invitation.

Remember that all Security Hub accounts must have AWS Config enabled and configured to record all resources. For details on the requirement for AWS Config, see Enabling and configuring AWS Config.

Enabling an organization account as a member account (console)

In the Accounts list, an organization account that was either never enabled or that was disassociated from the Security Hub administrator account has a status of Not a member.

To enable an organization account as a member account

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the Security Hub navigation pane, choose Settings. Then choose Accounts.

  3. In the Accounts list, select the check box for each organization account that you want to enable.

  4. Choose Actions, then choose Add member.

Enabling an organization account as a member account (Security Hub API, AWS CLI)

The Security Hub administrator account can use the Security Hub API or AWS Command Line Interface to enable organization accounts. Unlike the manual invitation process, when you use CreateMembers to enable an organization account, you do not need to send an invitation.

To enable organization accounts as member accounts

  • Security Hub API – Use the CreateMembers operation. For each account to enable, you provide the account ID.

  • AWS CLI – At the command line, run the create-members command.

    aws securityhub create-members --account-details '[{"AccountId": "<account ID>"}]'


    aws securityhub create-members --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'
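
An added example (not from the AWS documentation): a shell helper that builds the --account-details payload for the create-members command above from a list of account IDs, rejecting any ID that is not exactly 12 digits and keeping each ID a quoted string so leading zeros survive. The function names and the --apply switch are hypothetical; the query on UnprocessedAccounts reads the field that CreateMembers returns for accounts it could not process.

```bash
#!/usr/bin/env bash
# Added example, not AWS's code. Function names and --apply are hypothetical.
# Usage: ./enable-members.sh [--apply] 123456789111 123456789222

# Print the JSON array for --account-details from the given account IDs.
# Fails on any ID that is not exactly 12 digits; drops duplicates.
# IDs are emitted as quoted strings so leading zeros are preserved.
build_account_details() {
  local id seen json
  seen=" "; json=""
  for id in "$@"; do
    case "$id" in
      ""|*[!0-9]*) echo "invalid account ID: '$id'" >&2; return 1 ;;
    esac
    if [ "${#id}" -ne 12 ]; then
      echo "invalid account ID: '$id'" >&2; return 1
    fi
    case "$seen" in *" $id "*) continue ;; esac
    seen="$seen$id "
    json="${json:+$json, }{\"AccountId\": \"$id\"}"
  done
  if [ -z "$json" ]; then
    echo "no account IDs given" >&2; return 1
  fi
  printf '[%s]\n' "$json"
}

# Run as the Security Hub administrator account. Prints the response's
# UnprocessedAccounts list, which is empty when every account was accepted.
enable_members() {
  local details
  details=$(build_account_details "$@") || return 1
  aws securityhub create-members \
    --account-details "$details" \
    --query 'UnprocessedAccounts' --output json
}

# Dry run by default: print the payload. Pass --apply to call the API.
if [ "${1:-}" = "--apply" ]; then
  shift
  enable_members "$@"
elif [ "$#" -gt 0 ]; then
  build_account_details "$@"
fi
```

Review the dry-run payload before passing --apply, and treat a non-empty UnprocessedAccounts result as accounts that still show a status of Not a member.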