Managing member accounts that belong to an organization - AWS Security Hub

For organization accounts, the Security Hub administrator account can perform the following actions:

  • Enable organization accounts as Security Hub member accounts.

  • Automatically enable new organization accounts as they are added to the organization.

  • Disassociate accounts that belong to the organization. The administrator account cannot delete organization accounts.

To grant the required permissions for the administrator account to manage the organization accounts, attach the following managed policies to the principal.

For the administrator account, the Accounts page displays a message that contains an Enable option. The message displays if the administrator account has not enabled the option to automatically enable new organization accounts.

When you choose Enable, Security Hub performs the following actions:

  • Enables all of the current organization accounts as member accounts.

  • For those accounts, enables the CIS AWS Foundations Benchmark standard and the AWS Foundational Best Practices standard.

  • Enables the option to automatically enable new accounts as they are added to the organization.
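The console Enable option above has CLI equivalents, and scripting them lets you confirm the result rather than trust a one-time click. The following is an added example, not part of the AWS documentation page: it wraps the Security Hub CLI calls that correspond to the three administrator actions (enable existing organization accounts as members, turn on auto-enable for new accounts, disassociate members) plus a check that reads back the organization configuration. The `AWS_CLI` variable and the helper function names are assumptions introduced here so the script can be exercised with a stub; the account IDs are constructed placeholders. Run it as the Security Hub administrator account with the managed policies the page refers to attached.

```shell
#!/bin/sh
# Added example: CLI equivalents of the Security Hub console "Enable" flow for
# organization accounts. Not AWS-provided code. Assumes the AWS CLI v2 is
# configured for the Security Hub administrator account in the home Region.
set -eu

# AWS_CLI is an assumption of this script (not an AWS CLI feature): it lets a
# caller substitute a stub such as "echo" to see the commands without running them.
AWS_CLI="${AWS_CLI:-aws}"

# Build the --account-details value for create-members from a list of account IDs.
# Example result: "AccountId=111122223333 AccountId=444455556666"
account_details() {
  out=""
  for id in "$@"; do
    out="${out:+$out }AccountId=$id"
  done
  printf '%s' "$out"
}

# Console step 1: enable the current organization accounts as member accounts.
enable_members() {
  # shellcheck disable=SC2046  # word splitting of account_details output is intended
  $AWS_CLI securityhub create-members --account-details $(account_details "$@")
}

# Console step 3: automatically enable accounts added to the organization later.
enable_auto_enroll() {
  $AWS_CLI securityhub update-organization-configuration --auto-enable
}

# The administrator can disassociate members; it cannot delete organization accounts.
disassociate_members() {
  $AWS_CLI securityhub disassociate-members --account-ids "$@"
}

# Check: read back the organization configuration and print only AutoEnable,
# so a pipeline can fail loudly if it is still false.
auto_enable_status() {
  $AWS_CLI securityhub describe-organization-configuration \
    --query AutoEnable --output text
}

# Usage: ./sechub-org.sh 111122223333 444455556666   (constructed placeholder IDs)
if [ "$#" -gt 0 ]; then
  enable_members "$@"
  enable_auto_enroll
  status=$(auto_enable_status)
  [ "$status" = "True" ] || { echo "AutoEnable is not set: $status" >&2; exit 1; }
fi
```

The page's second console step (enabling the CIS AWS Foundations Benchmark and the AWS Foundational Best Practices standards in each member) is not reproduced here, because which standards the API enables for new members depends on the organization configuration rather than on this script; verify the standards in the member accounts separately after the members report as enabled.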