Effect of account actions on Security Hub data - AWS Security Hub

Effect of account actions on Security Hub data

These account actions have the following effects on AWS Security Hub data.

Security Hub disabled

If you use central configuration, the delegated administrator (DA) can create Security Hub configuration policies that disable AWS Security Hub in specific accounts and organizational units (OUs). In this case, Security Hub is disabled in the specified accounts and OUs in your home Region and any linked Regions.

If you don't use central configuration, you must disable Security Hub separately in each account and Region where you enabled it.

If Security Hub is disabled in the administrator account, no new findings are generated for that account. Central configuration is also unavailable while Security Hub is disabled in the DA account. Existing findings are deleted after 90 days.

Integrations with other AWS services are removed.

Enabled security standards and controls are disabled.

Other Security Hub data and settings, including custom actions, insights, and subscriptions to third-party products are retained.

Member account disassociated from administrator account

When a member account is disassociated from the administrator account, the administrator account loses permission to view findings in the member account. However, Security Hub is still enabled in both accounts.

If you use central configuration, the DA can't configure Security Hub for a member account that's disassociated from the DA account.

Custom settings or integrations that are defined for the administrator account are not applied to findings from the former member account. For example, a custom action in the administrator account might be used as the event pattern in an Amazon EventBridge rule; after the accounts are disassociated, that custom action cannot be used in the member account.

In the Accounts list for the Security Hub administrator account, a removed account has a status of Disassociated.

Member account is removed from an organization

When a member account is removed from an organization, the Security Hub administrator account loses permission to view findings in the member account. However, Security Hub is still enabled in both accounts with the same settings they had before removal.

If you use central configuration, you can't configure Security Hub for a member account after it's removed from the organization to which the delegated administrator belongs. However, the account retains the settings it had prior to removal unless you manually change them.

In the Accounts list for the Security Hub administrator account, a removed account has a status of Deleted.

Account is suspended

When an account is suspended in AWS, it loses permission to view its findings in Security Hub. No new findings are generated for that account. The administrator account for a suspended account can still view the account's existing findings.

For an organization account, the member account status can also change to Account Suspended. This happens if the account is suspended at the same time that the administrator account attempts to enable the account. The administrator account for an Account Suspended account cannot view findings for that account. Otherwise, the suspended status doesn't affect the member account status.

If you use central configuration, policy association fails if the delegated administrator tries to associate a configuration policy with a suspended account.

After 90 days, the account is either terminated or reactivated. When the account is reactivated, its Security Hub permissions are restored. If the member account status is Account Suspended, the administrator account must enable the account manually.

Account is closed

When an AWS account is closed, Security Hub responds to the closure as follows.

Security Hub retains the findings for the account for 90 days from the effective date of the account closure. At the end of the 90-day period, Security Hub permanently deletes all findings for the account.

  • To retain findings for more than 90 days, you can use a custom action with an EventBridge rule to store the findings in an Amazon S3 bucket. As long as Security Hub retains the findings, when you reopen the closed account, Security Hub restores the findings for the account.

  • If the account is a Security Hub administrator account, it is removed as an administrator and all the member accounts are removed. If the account is a member account, it is disassociated and removed as a member from the Security Hub administrator account.

  • For more information, see Closing an account in the AWS Billing and Cost Management User Guide.
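The retention approach in the first bullet above, as an added example that is not part of the AWS documentation: an EventBridge rule pattern that matches findings sent through a Security Hub custom action, and a Lambda function (assumed to be the rule's target, since EventBridge cannot write to S3 on its own) that archives each finding as an S3 object. The custom action ARN, bucket name and sample event are placeholders or constructed values; the event pattern and finding fields follow the shapes Security Hub emits.

```python
import hashlib
import json

# Placeholders (not from the page): the ARN Security Hub assigns to your custom
# action, and the bucket the Lambda function writes to.
CUSTOM_ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/ArchiveToS3"
BUCKET = "example-securityhub-archive"

# EventBridge rule event pattern: match only findings sent through that custom action.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [CUSTOM_ACTION_ARN],
}

# Constructed sample event in the shape EventBridge delivers for a custom action.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "resources": [CUSTOM_ACTION_ARN],
    "detail": {"actionName": "ArchiveToS3", "findings": [{
        "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/EXAMPLE-1",
        "AwsAccountId": "111122223333",
        "UpdatedAt": "2024-05-01T12:34:56.789Z",
    }]},
}

def plan_archive_objects(event: dict) -> list[tuple[str, str]]:
    """Map one custom-action event to (S3 key, JSON body) pairs: keys group
    findings by account and date, and the finding Id (an ARN full of ':' and
    '/') is hashed so a re-sent finding overwrites its earlier copy."""
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        raise ValueError("not a Security Hub custom action event")
    objects = []
    for finding in event["detail"].get("findings", []):
        day = finding.get("UpdatedAt", "unknown")[:10]
        digest = hashlib.sha256(finding["Id"].encode()).hexdigest()[:32]
        key = f"findings/{finding['AwsAccountId']}/{day}/{digest}.json"
        objects.append((key, json.dumps(finding, sort_keys=True)))
    return objects

def handler(event: dict, context: object) -> int:
    """Lambda entry point (the EventBridge rule target); returns objects written."""
    import boto3  # imported here so plan_archive_objects runs without AWS
    s3 = boto3.client("s3")
    objects = plan_archive_objects(event)
    for key, body in objects:
        s3.put_object(Bucket=BUCKET, Key=key, Body=body.encode(), ContentType="application/json")
    return len(objects)
```

The objects outlive Security Hub's 90-day window and, because the key is derived from the finding Id, re-sending a finding through the action updates its archived copy rather than creating a duplicate.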

Important

For customers in the AWS GovCloud (US) Regions:

  • Before closing your account, back up and then delete your policy data and other account resources. You will no longer have access to them after you close the account.