Managing administrator and member accounts

An administrator account can view data from its member accounts. The administrator-member relationship is established differently based on whether you use the integration with AWS Organizations.

If you are integrated with Organizations, the organization management account designates the Security Hub administrator account. See Designating a Security Hub administrator account. The Security Hub administrator account automatically has access to all of the accounts in the organization. The Security Hub administrator account determines which organization accounts to enable as member accounts. See Managing member accounts that belong to an organization. These member accounts cannot disassociate themselves from the administrator account.

Otherwise, member accounts accept an invitation from an administrator account. The Security Hub administrator account can also invite member accounts that are not part of the organization. See Managing member accounts by invitation. Accounts that are added by invitation can disassociate themselves from their administrator account.

Topics

• Effects of an administrator-member relationship
• Restrictions and recommendations
• Making the transition to AWS Organizations for account management
• Allowed actions for accounts
• Designating a Security Hub administrator account
• Managing member accounts that belong to an organization
• Managing member accounts by invitation
• Effect of account actions on Security Hub data