Responding to an invitation to be a member account
You can accept or decline an invitation to be a member account.
After you accept an invitation, your account becomes an AWS Security Hub member account. The account that sent the invitation becomes your Security Hub administrator account. The administrator account user can view findings for your member account in Security Hub.
If you decline the invitation, then your account is marked as Resigned on the administrator account's list of member accounts.
You can only accept one invitation to be a member account.
Before you can accept or decline an invitation, you must enable Security Hub. For information on how to enable Security Hub, see Enabling Security Hub manually.
Remember that all Security Hub accounts must have AWS Config enabled and configured to record all resources. For details on the requirement for AWS Config, see Enabling and configuring AWS Config.
Accepting an invitation (console)
On the Accounts page, Administrator account contains the invitation and membership information for an account.
To accept an invitation to be a member account
- Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.
- In the navigation pane, choose Settings, and then choose Accounts.
- Under Administrator account, toggle Accept to the on position, and then choose Accept invitation.
Accepting an invitation (Security Hub API, AWS CLI)
To accept an invitation to be a member account, you can use an API call or the AWS Command Line Interface. You must use the credentials for the member account that received the invitation.
To accept an invitation (Security Hub API, AWS CLI)
- Security Hub API – Use the AcceptAdministratorInvitation operation. You must provide the invitation identifier and the AWS account ID of the administrator account. To retrieve details about the invitation, use the ListInvitations operation.
- AWS CLI – At the command line, run the accept-administrator-invitation command.
  aws securityhub accept-administrator-invitation --administrator-id <administratorAccountID> --invitation-id <invitationID>
  Example
  aws securityhub accept-administrator-invitation --administrator-id 123456789012 --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb
The Security Hub console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation.
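One way to audit identity-based policies for the requirement described above, as an added example that is not part of the AWS documentation: it reports a policy that grants only one of AcceptInvitation and AcceptAdministratorInvitation. The function names and sample policies are constructed for illustration, and the check assumes policies that use Action (not NotAction) and ignores Resource, Condition and explicit Deny.

```python
import fnmatch

OLD = "securityhub:AcceptInvitation"
NEW = "securityhub:AcceptAdministratorInvitation"


def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _granted(policy, action):
    """True if any Allow statement has an Action pattern matching `action`."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            # Action names are case-insensitive; * and ? are wildcards.
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def missing_accept_actions(policy):
    """Return the action to add when only one of the pair is granted."""
    has_old, has_new = _granted(policy, OLD), _granted(policy, NEW)
    if has_old == has_new:
        return []  # both granted, or the policy does not grant this function
    return [NEW] if has_old else [OLD]


# Constructed sample policies (not taken from any real account).
SAMPLES = {
    "old-only": {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "securityhub:AcceptInvitation", "securityhub:ListInvitations"]}]},
    "wildcard": {"Statement": {"Effect": "Allow", "Resource": "*",
                               "Action": "securityhub:Accept*"}},
    "new-only": {"Statement": [{"Effect": "Allow", "Resource": "*",
                                "Action": "securityhub:acceptadministratorinvitation"}]},
    "deny-only": {"Statement": [{"Effect": "Deny", "Resource": "*",
                                 "Action": "securityhub:AcceptInvitation"}]},
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        print(name, "->", missing_accept_actions(policy) or "ok")
```
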
Declining an invitation (console)
You can decline an invitation to be a member account. When you decline an invitation, your account is marked as Resigned on the administrator account's list of member accounts.
To decline an invitation to be a member account
- Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.
- In the navigation pane, choose Settings, and then choose Accounts.
- Under Administrator account, choose Decline invitation.
Declining an invitation (Security Hub API, AWS CLI)
To decline an invitation, you can use an API call or the AWS Command Line Interface.
To decline an invitation (Security Hub API, AWS CLI)
- Security Hub API – Use the DeclineInvitations operation. You must provide the AWS account ID of the administrator account that issued the invitation. To view information about your invitations, use the ListInvitations operation.
- AWS CLI – At the command line, run the decline-invitations command.
  aws securityhub decline-invitations --account-ids "<administratorAccountId>"
  Example
  aws securityhub decline-invitations --account-ids "123456789012"