Managing member accounts that belong to an organization - AWS Security Hub

Managing member accounts that belong to an organization

For organization accounts, the Security Hub administrator account can perform the following actions:

  • Enable organization accounts as Security Hub member accounts.

  • Automatically enable new organization accounts as they are added to the organization.

  • Disassociate accounts that belong to the organization. It cannot delete organization accounts.

To ensure that the Security Hub administrator account has the required permissions to manage the organization accounts, attach the following managed policies to the associated IAM principal.

If the Security Hub administrator account has not enabled the option to automatically enable new organization accounts, then the Accounts page displays a message at the top of the page. The message contains an Enable option.

When you choose Enable, Security Hub performs the following actions:

  • Enables all of the current organization accounts as member accounts.

  • For organization accounts that do not have Security Hub enabled, enables Security Hub, and enables the CIS AWS Foundations Benchmark standard and the AWS Foundational Best Practices standard.

    For organization accounts that already have Security Hub enabled, Security Hub does not make any other changes to those accounts. It does not change their enabled standards or controls.

  • Enables the option to automatically enable new accounts as they are added to the organization.
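The state that the Enable action brings about can be audited from the administrator account. The following is an added example (not code from the AWS documentation) that works on response dicts shaped like `securityhub describe-organization-configuration`, `securityhub list-members` and `organizations list-accounts`; the account IDs and responses below are constructed placeholders so the check runs offline.

```python
"""Audit Security Hub organization coverage from the administrator account.

Added example: reports whether auto-enable is off and which active organization
accounts are not yet enabled Security Hub members, i.e. the gaps the console
'Enable' action would close. Response shapes follow the Security Hub and
Organizations APIs; the data itself is constructed for this example.
"""

# Constructed sample responses; account IDs are placeholders, not real accounts.
ADMIN_ACCOUNT_ID = "111111111111"
ORG_CONFIG = {"AutoEnable": False, "MemberAccountLimitReached": False}
ORG_ACCOUNTS = {"Accounts": [
    {"Id": "111111111111", "Status": "ACTIVE"},     # the Security Hub administrator
    {"Id": "222222222222", "Status": "ACTIVE"},     # already an enabled member
    {"Id": "333333333333", "Status": "ACTIVE"},     # not yet a member
    {"Id": "444444444444", "Status": "SUSPENDED"},  # suspended accounts are skipped
    {"Id": "555555555555", "Status": "ACTIVE"},     # member record exists but is disassociated
]}
MEMBERS = {"Members": [
    {"AccountId": "222222222222", "MemberStatus": "Enabled"},
    {"AccountId": "555555555555", "MemberStatus": "Disassociated"},
]}


def enabled_member_ids(members):
    """Return the set of account IDs whose membership status is 'Enabled'."""
    return {m["AccountId"] for m in members["Members"] if m["MemberStatus"] == "Enabled"}


def uncovered_accounts(org_accounts, members, admin_account_id):
    """Active organization accounts that are not enabled Security Hub members.

    The administrator account is excluded: it is never its own member account.
    """
    covered = enabled_member_ids(members)
    return sorted(
        a["Id"] for a in org_accounts["Accounts"]
        if a["Status"] == "ACTIVE" and a["Id"] != admin_account_id and a["Id"] not in covered
    )


def audit(org_config, org_accounts, members, admin_account_id):
    """Summarise the coverage gaps; needs_action is True when Enable would change anything."""
    gaps = uncovered_accounts(org_accounts, members, admin_account_id)
    auto_enable = bool(org_config.get("AutoEnable", False))
    return {
        "auto_enable": auto_enable,
        "uncovered_accounts": gaps,
        "needs_action": bool(gaps) or not auto_enable,
    }


if __name__ == "__main__":
    print(audit(ORG_CONFIG, ORG_ACCOUNTS, MEMBERS, ADMIN_ACCOUNT_ID))
```

In a live environment the three dicts would come from the corresponding API calls made with the administrator account's credentials.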