Managing member accounts that belong to an organization - AWS Security Hub

Managing member accounts that belong to an organization

For organization accounts, the Security Hub administrator account can perform the following actions:

  • Enable organization accounts as Security Hub member accounts.

  • Automatically enable new organization accounts as they are added to the organization.

  • Disassociate accounts that belong to the organization. The administrator account cannot delete organization accounts.

To ensure that the administrator account has the required permissions to manage the organization accounts, attach the following managed policies to the associated IAM principal.

If the administrator account has not enabled the option to automatically enable new organization accounts, then the Accounts page displays a message at the top of the page. The message contains an Enable option.

When you choose Enable, Security Hub performs the following actions:

  • Enables all of the current organization accounts as member accounts.

  • For those accounts, enables the CIS AWS Foundations Benchmark standard and the AWS Foundational Best Practices standard.

  • Enables the option to automatically enable new accounts as they are added to the organization.
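As an added example (not code from the AWS documentation), the following Python script checks whether an administrator account is in the state the Enable action produces: every organization account is an enabled Security Hub member, and automatic enablement of new accounts is on. The offline checks run on constructed sample responses; the live lookup assumes boto3 installed and configured with administrator-account credentials.

```python
"""Compare a Security Hub administrator account's organization setup with the
state the console's Enable action produces. Checks are pure Python and run on
constructed API responses; the live fetch uses boto3 (assumed available)."""


def enabled_member_ids(members):
    """Account IDs from a ListMembers response whose MemberStatus is Enabled."""
    return {m["AccountId"] for m in members if m.get("MemberStatus") == "Enabled"}


def missing_members(org_account_ids, members):
    """Organization accounts that are not enabled Security Hub members."""
    return sorted(set(org_account_ids) - enabled_member_ids(members))


def org_config_gaps(org_account_ids, members, org_config):
    """Return a list of gaps; an empty list means the setup matches Enable."""
    gaps = []
    missing = missing_members(org_account_ids, members)
    if missing:
        gaps.append("organization accounts not enabled as members: " + ", ".join(missing))
    if not org_config.get("AutoEnable", False):
        gaps.append("AutoEnable is off: new organization accounts will not be enabled automatically")
    return gaps


# Constructed sample data: shapes follow the Security Hub API, account IDs are made up.
SAMPLE_ORG_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]
SAMPLE_MEMBERS = [
    {"AccountId": "111111111111", "MemberStatus": "Enabled"},
    {"AccountId": "222222222222", "MemberStatus": "Created"},  # member record exists, not enabled
]
SAMPLE_ORG_CONFIG = {"AutoEnable": False}


def live_gaps(region_name):
    """Fetch real data with boto3 (assumed usage) and run the same checks."""
    import boto3  # imported here so the offline checks above need no SDK
    session = boto3.Session(region_name=region_name)
    admin_id = session.client("sts").get_caller_identity()["Account"]
    orgs = session.client("organizations")
    org_ids = [a["Id"] for page in orgs.get_paginator("list_accounts").paginate()
               for a in page["Accounts"] if a["Id"] != admin_id]  # admin is not its own member
    hub = session.client("securityhub")
    members = [m for page in hub.get_paginator("list_members").paginate(OnlyAssociated=True)
               for m in page["Members"]]
    return org_config_gaps(org_ids, members, hub.describe_organization_configuration())


if __name__ == "__main__":
    for gap in org_config_gaps(SAMPLE_ORG_ACCOUNTS, SAMPLE_MEMBERS, SAMPLE_ORG_CONFIG):
        print("GAP:", gap)
```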