AWS Security Hub
User Guide

Master and Member Accounts in AWS Security Hub

You can invite other AWS accounts to enable AWS Security Hub and become associated with your AWS account. If the owner of the account that you invite enables Security Hub and then accepts the invitation, your account is designated as the master Security Hub account, and the invited accounts become associated as member accounts. When the invited account accepts the invitation, permission is granted to the master account to view the findings from the member account. The master account can also perform actions on findings in a member account.

Security Hub supports up to 1000 member accounts per master account per Region. The master-member account association is created only in the Region that the invitation was sent from. You must enable Security Hub in each Region that you want to use it in, and then invite each account to associate as a member account in each Region.

Security Hub aggregates findings from Amazon GuardDuty, Amazon Inspector, and Amazon Macie. However, the master-member relationships that you set up for your accounts in which GuardDuty, Amazon Inspector, or Amazon Macie are enabled don't automatically apply to Security Hub.

For example, suppose that as a user from a GuardDuty master account A you can see the findings of accounts B and C (GuardDuty member accounts) on the GuardDuty console. If you then enable Security Hub in account A, as a user from account A, you do not automatically see the findings generated by GuardDuty for accounts B and C in Security Hub. You need to create a master-member relationship between these accounts in Security Hub as well. You must first enable Security Hub in all three accounts (A, B, and C). Then make account A the Security Hub master account and then invite accounts B and C to become member accounts in Security Hub.

An account can't be a Security Hub master account and member account at the same time. An account can accept only one Security Hub membership invitation. Accepting a membership invitation is optional.

Designating Master and Member Accounts on the Security Hub Console

In Security Hub, your account becomes the master account when the account that you invite accepts your invitation. When you accept an invitation from another account, your account becomes a member account. If your account is the master account, you can't accept an invitation to become a member account.

Use the following procedures to add an account, invite an account, or accept an invitation from another account.

  • Procedure 1: Adding an account

  • Procedure 2: Inviting an account

  • Procedure 3: Accepting an invitation

Procedure 1: Adding an account

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the left pane, choose Settings.

  3. On the Settings page, choose Accounts, choose Add accounts, and then do one of the following:

  4. Under Enter accounts, enter the Account ID and the Email address of the account to add, then choose Add.

    To add more accounts, enter the account ID and email address for an account and then choose Add for each account.

    You can add multiple accounts at the same time by using a comma-separated values (CSV) file. Add the account ID and email for each account to add, and then choose Upload list (.csv) to bulk-add accounts.

    Important

    In your .csv list, accounts must appear one per line. The first line of the .csv file must contain the following header, as shown in the following example: Account ID,Email. Each subsequent line must contain a valid account ID and email address for the account to add. Separate the account ID and email address with a comma.

    Account ID,Email
    111111111111,user@example.com

  5. After you finish adding accounts, choose Add. Then in the Accounts to be added section, choose Next.
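The bulk-add list above is easy to get wrong (a misspelled header, a short account ID, a stray third column), and the console rejects the whole file rather than pointing at the bad line. The following validator is an added example, not part of the guide or of Security Hub itself: it parses a list in the documented format, checks each line against the 12-digit account ID rule and a coarse email sanity check, and returns the rows in the AccountId/Email shape that CreateMembers takes, plus a per-line error list. The sample CSV is constructed; the email regular expression is a deliberately loose assumption, not the rule the console applies.

```python
import csv
import io
import re

# Constructed sample of a bulk-add list in the format the guide describes.
SAMPLE_CSV = """Account ID,Email
111111111111,user@example.com
222222222222,security-team@example.com
"""

EXPECTED_HEADER = ["Account ID", "Email"]
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")              # AWS account IDs are exactly 12 digits
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse sanity check only (assumption)


def parse_account_list(text):
    """Parse a Security Hub bulk-add .csv and return (accounts, errors).

    accounts: list of {"AccountId": ..., "Email": ...} dicts, the shape the
              CreateMembers API expects.
    errors:   human-readable problems, each prefixed with the offending line.
    """
    errors = []
    accounts = []
    rows = list(csv.reader(io.StringIO(text)))

    # The first line must be the exact header the guide specifies.
    if not rows or [c.strip() for c in rows[0]] != EXPECTED_HEADER:
        errors.append("line 1: header must be exactly 'Account ID,Email'")
        return accounts, errors

    seen = set()
    for lineno, row in enumerate(rows[1:], start=2):
        if not row or all(not c.strip() for c in row):
            continue  # tolerate blank trailing lines
        if len(row) != 2:
            errors.append(f"line {lineno}: expected 2 fields, got {len(row)}")
            continue
        account_id, email = (c.strip() for c in row)
        if not ACCOUNT_ID_RE.match(account_id):
            errors.append(f"line {lineno}: '{account_id}' is not a 12-digit account ID")
            continue
        if not EMAIL_RE.match(email):
            errors.append(f"line {lineno}: '{email}' is not a valid email address")
            continue
        if account_id in seen:
            errors.append(f"line {lineno}: duplicate account ID {account_id}")
            continue
        seen.add(account_id)
        accounts.append({"AccountId": account_id, "Email": email})
    return accounts, errors


if __name__ == "__main__":
    accounts, errors = parse_account_list(SAMPLE_CSV)
    for problem in errors:
        print("ERROR", problem)
    for entry in accounts:
        print("OK", entry)
```

Run the validator over the file before uploading it; an empty error list means every row has the header, ID length and email shape the console expects, which removes the most common reasons a bulk add is rejected.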

Procedure 2: Inviting an account

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, under Settings, choose Accounts.

  3. For the account to invite, choose Invite in the Status column.

  4. In the Invitation to Security Hub dialog box, choose Invite.

    The value in the Status column for the invited account changes to Invited.

Procedure 3: Accepting an invitation

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Do one of the following:

    • If Security Hub isn't enabled, on the Security Hub first-run experience page, in the AWS Security Hub Setup section, choose Enable Security Hub. On the Welcome to AWS Security Hub page, choose Enable AWS Security Hub. Back on the first-run experience page, choose Go to Security Hub.

      After Security Hub is enabled, choose Settings, then choose Accounts. Locate the invitation to accept. Use the Accept widget and the Accept invitation button to accept the membership invitation.

      Important

      You must enable Security Hub before you can accept a membership invitation.

    • If Security Hub is already enabled, use the Accept widget and the Accept invitation button to accept the membership invitation.

    After you accept the invitation, your account becomes a Security Hub member account. The account used to send the invitation becomes the Security Hub master account. The master account user can now view Security Hub aggregated findings for your member account.

Designating Master and Member Accounts Through Security Hub API Operations

You can also designate Security Hub master and member accounts with operations in the Security Hub API. Use the following Security Hub API operations in the order listed to create master and member accounts.

Use these operations to designate a master account and then send an invitation to become a member account.

  1. Run CreateMembers using the credentials of the account that has Security Hub enabled. This is the account that you want to be the master Security Hub account.

  2. Run InviteMembers using the master account.

Use these operations to enable Security Hub and then accept an invitation. Use the credentials for the account you invited to become the member account.

  1. Run EnableSecurityHub for each account that you invited. Security Hub must be enabled in the account before the account owner can accept the invitation.

  2. Run AcceptInvitation for each account you invited to accept your invitation.
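The two sequences above, carried out with the boto3 Security Hub client, as an added example that is not part of this guide or of the AWS SDK. It assumes boto3 is installed where the script runs, and it assumes two named credential profiles (master-account and member-account, constructed names) so the master-side and member-side calls run under the right credentials. AcceptInvitation requires the InvitationId, which the page does not mention; the example retrieves it with ListInvitations, a real Security Hub operation. Because the association exists only in the Region the invitation was sent from, the master-side loop repeats the calls per Region; the Region list is constructed. The clients are passed in as parameters so the functions can be exercised with a stand-in client without touching AWS.

```python
"""Master/member designation through the Security Hub API (added example)."""


def designate_members(master_client, account_details):
    """Run with the master account's credentials: CreateMembers, then InviteMembers.

    account_details: list of {"AccountId": ..., "Email": ...}.
    Returns (invited_account_ids, unprocessed) where unprocessed is the list of
    UnprocessedAccounts entries reported by either call.
    """
    unprocessed = []
    resp = master_client.create_members(AccountDetails=account_details)
    unprocessed += resp.get("UnprocessedAccounts", [])

    # Only invite the accounts that CreateMembers actually registered.
    failed_ids = {u["AccountId"] for u in unprocessed}
    to_invite = [d["AccountId"] for d in account_details if d["AccountId"] not in failed_ids]
    if to_invite:
        resp = master_client.invite_members(AccountIds=to_invite)
        unprocessed += resp.get("UnprocessedAccounts", [])
    return to_invite, unprocessed


def accept_membership(member_client, master_id):
    """Run with the invited account's credentials: EnableSecurityHub, then AcceptInvitation.

    Security Hub must be enabled before the invitation can be accepted; if it is
    already enabled in this Region the service raises ResourceConflictException,
    which is harmless here. Returns the accepted InvitationId, or None when no
    invitation from master_id is pending.
    """
    try:
        member_client.enable_security_hub()
    except member_client.exceptions.ResourceConflictException:
        pass  # already enabled in this Region

    # AcceptInvitation needs the InvitationId, so look it up by the inviting account.
    for inv in member_client.list_invitations().get("Invitations", []):
        if inv["AccountId"] == master_id:
            member_client.accept_invitation(MasterId=master_id, InvitationId=inv["InvitationId"])
            return inv["InvitationId"]
    return None


if __name__ == "__main__":
    import boto3  # assumed installed; only needed for the live run, not for import

    REGIONS = ["us-east-1", "eu-west-1"]               # constructed list
    MASTER_ID = "111111111111"                         # constructed account ID
    MEMBERS = [{"AccountId": "222222222222", "Email": "user@example.com"}]  # constructed

    master_session = boto3.Session(profile_name="master-account")  # assumed profile name
    member_session = boto3.Session(profile_name="member-account")  # assumed profile name

    for region in REGIONS:
        # Master side: register and invite, per Region.
        master = master_session.client("securityhub", region_name=region)
        invited, unprocessed = designate_members(master, MEMBERS)
        print(region, "invited:", invited, "unprocessed:", unprocessed)

        # Member side: enable and accept, per Region, under the member's credentials.
        member = member_session.client("securityhub", region_name=region)
        print(region, "accepted invitation:", accept_membership(member, MASTER_ID))
```

Check the UnprocessedAccounts list after each step rather than assuming success: an account that is already a member elsewhere, or that has not enabled Security Hub, is reported there with a ProcessingResult instead of raising an exception.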

Accounts and Data Retention in Security Hub

When you disable Security Hub for an account, either master or member, it is disabled only for that account in the AWS Region that is selected when you disable it. You must disable Security Hub separately in each Region where you enabled it.

When you disable Security Hub for a master account, the default company and product settings are removed. Integrations with Macie, GuardDuty, and Amazon Inspector are removed. The CIS AWS Foundations compliance standard is disabled. Other Security Hub data and settings, including member account associations, custom actions, insights, and subscriptions to third-party products are not removed. No new findings are generated for the master account while Security Hub isn't enabled, and existing findings are deleted after 90 days. If you enable Security Hub again later, the default company and product settings, compliance standards that you had enabled, and integrations with AWS services are restored. This lets you use Security Hub as you did before you disabled it without having to reconfigure it.

When you disable Security Hub for a member account, no new findings are generated for the member account in the Region, but the master account can still view existing findings in the member account. Findings are deleted 90 days after the last update, or 90 days after they are created if no update is made. The relationship of master and member account is maintained. You can enable Security Hub in the member account and use it as you did before you disabled it, except that there are no findings for the period of time when Security Hub was not enabled.

When a member account is disassociated from the master account, the master account loses permission to view findings in the member account. Security Hub continues to run in both accounts. Custom settings or integrations defined for the master account are not applied to findings from the former member account. For example, a custom action in the master account used as the event pattern in a CloudWatch Events rule can't be used in the member account after the accounts are disassociated.

When your AWS account is deleted or suspended, all Security Hub–related data for that account is deleted after 90 days. The data can't be retrieved after it's deleted. To retain findings for more than 90 days, you can archive them or use a custom action with a CloudWatch Events rule to store findings in your Amazon S3 bucket.