Disassociating from your administrator account
If your account was added as an AWS Security Hub member account by invitation, you can disassociate the member account from the administrator account. Once you disassociate a member account, Security Hub doesn't send findings from the account to the administrator account.
Member accounts that are managed using the integration with AWS Organizations can't disassociate their accounts from the administrator account. Only the Security Hub delegated administrator can disassociate member accounts that are managed with Organizations.
When you disassociate from your administrator account, your account remains in the administrator account's member list with a status of Resigned. However, the administrator account does not receive any findings for your account.
After you disassociate yourself from the administrator account, the invitation to be a member still remains. You can accept the invitation again in the future.
Note
The Security Hub console continues to use DisassociateFromMasterAccount. It will eventually change to use DisassociateFromAdministratorAccount. Any IAM policies that specifically control access to this function must continue to use DisassociateFromMasterAccount. You should also add DisassociateFromAdministratorAccount to your policies to ensure that the correct permissions are in place after the console begins to use DisassociateFromAdministratorAccount.
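One way to check existing IAM policy documents against the note above, as an added example that is not part of the AWS documentation: the script flags each statement that names the old action without also covering the new one. The sample policy is constructed for illustration, and find_gaps is a hypothetical helper name.

```python
from fnmatch import fnmatchcase

OLD = "securityhub:DisassociateFromMasterAccount"
NEW = "securityhub:DisassociateFromAdministratorAccount"

def _as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers(patterns, action):
    """True if any Action pattern matches. IAM action names are
    case-insensitive and may use the * and ? wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def find_gaps(policy):
    """Return (index, Sid, Effect) for every statement whose Action covers
    the old name but not the new one. Allow and Deny are both reported,
    since either stops applying once the console switches API names.
    Statements are checked one by one because their Resource and Condition
    can differ; NotAction statements are not evaluated."""
    gaps = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        patterns = [a for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
        if _covers(patterns, OLD) and not _covers(patterns, NEW):
            gaps.append((i, stmt.get("Sid"), stmt.get("Effect")))
    return gaps

# Constructed sample policy (not taken from any real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OldOnly", "Effect": "Allow", "Resource": "*",
         "Action": "securityhub:DisassociateFromMasterAccount"},
        {"Sid": "Both", "Effect": "Allow", "Resource": "*", "Action": [OLD, NEW]},
        {"Sid": "Wildcard", "Effect": "Allow", "Resource": "*",
         "Action": "securityhub:Disassociate*"},
        {"Sid": "DenyOldOnly", "Effect": "Deny", "Resource": "*",
         "Action": ["securityhub:disassociatefrommasteraccount"]},
    ],
}

if __name__ == "__main__":
    for idx, sid, effect in find_gaps(SAMPLE_POLICY):
        print(f"Statement {idx} (Sid={sid}, Effect={effect}): add {NEW}")
```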