Responding to an invitation to be a member account - AWS Security Hub

You can accept or decline an invitation to be a member account.

After you accept an invitation, your account becomes an AWS Security Hub member account. The account that sent the invitation becomes your Security Hub administrator account. The administrator account user can view findings for your member account in Security Hub.

If you decline the invitation, then your account is marked as Resigned on the administrator account's list of member accounts.

You can only accept one invitation to be a member account.

Before you can accept or decline an invitation, you must enable Security Hub.

Remember that all Security Hub accounts must have AWS Config enabled and configured to record all resources. For details on the requirement for AWS Config, see Enabling and configuring AWS Config.

Accept an invitation

Choose your preferred method, and follow the steps to accept an invitation to be a member account.

Security Hub console

To accept a membership invitation

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Settings, and then choose Accounts.

  3. In the Administrator account section, turn on Accept, and then choose Accept invitation.

Security Hub API

To accept a membership invitation

Invoke the AcceptAdministratorInvitation API. You must provide the invitation identifier and the AWS account ID of the administrator account. To retrieve details about the invitation, use the ListInvitations operation.

AWS CLI

To accept a membership invitation

Run the accept-administrator-invitation command. You must provide the invitation identifier and the AWS account ID of the administrator account. To retrieve details about the invitation, run the list-invitations command.

aws securityhub accept-administrator-invitation --administrator-id <administratorAccountID> --invitation-id <invitationID>

Example

aws securityhub accept-administrator-invitation --administrator-id 123456789012 --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb

Note

The Security Hub console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation.
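
The policy guidance in this note can be checked mechanically. The following is an added example, not part of the AWS documentation or AWS code: a Python function that flags IAM policy statements whose Action list covers only one of securityhub:AcceptInvitation and securityhub:AcceptAdministratorInvitation. The function names and the sample policy are constructed for illustration.

```python
import re

# The two IAM action names from the note above (IAM matches action names case-insensitively).
OLD = "securityhub:AcceptInvitation"
NEW = "securityhub:AcceptAdministratorInvitation"

def _covers(pattern, action):
    """True if an IAM action pattern (with * and ? wildcards) matches the action."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_policy(policy):
    """Return one finding per statement that covers only one of the two accept actions."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        actions = stmt.get("Action")
        if actions is None:  # NotAction statements are outside this check
            continue
        if isinstance(actions, str):
            actions = [actions]
        has_old = any(_covers(a, OLD) for a in actions)
        has_new = any(_covers(a, NEW) for a in actions)
        if has_old != has_new:
            findings.append({"statement": stmt.get("Sid", index),
                             "effect": stmt.get("Effect"),
                             "missing": NEW if has_old else OLD})
    return findings

# Constructed sample policy, not taken from any real account.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ConsoleAccept", "Effect": "Allow", "Resource": "*",
         "Action": ["securityhub:AcceptInvitation", "securityhub:ListInvitations"]},
        {"Sid": "BothNamed", "Effect": "Allow", "Resource": "*",
         "Action": [OLD, NEW]},
        {"Sid": "Wildcard", "Effect": "Allow", "Resource": "*",
         "Action": "securityhub:Accept*"},
        {"Sid": "BlockApiOnly", "Effect": "Deny", "Resource": "*",
         "Action": "securityhub:acceptadministratorinvitation"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

A flagged Deny statement matters as much as a flagged Allow: it blocks only the one operation it names, so the other path to accepting an invitation stays open.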

Decline an invitation

You can decline an invitation to be a member account. When you decline an invitation in the Security Hub console, your account is marked as Resigned on the administrator account's list of member accounts.

When you decline an invitation, you must be signed in to the member account that received the invitation.

Choose your preferred method, and follow the steps to decline an invitation to be a member account.

Security Hub console

To decline a membership invitation

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Settings, and then choose Accounts.

  3. In the Administrator account section, choose Decline invitation.

Security Hub API

To decline a membership invitation

Invoke the DeclineInvitations API. You must provide the AWS account ID of the administrator account that issued the invitation. To view information about your invitations, use the ListInvitations operation.

AWS CLI

To decline a membership invitation

Run the decline-invitations command. You must provide the AWS account ID of the administrator account that issued the invitation. To view information about your invitations, run the list-invitations command.

aws securityhub decline-invitations --account-ids "<administratorAccountId>"

Example

aws securityhub decline-invitations --account-ids "123456789012"