Responding to an invitation to be a member account - AWS Security Hub

Responding to an invitation to be a member account

You can accept or decline an invitation to be a member account.

After you accept an invitation, your account becomes an AWS Security Hub member account. The account that sent the invitation becomes your Security Hub administrator account. The administrator account user can view findings for your member account in Security Hub.

If you decline the invitation, then your account is marked as Resigned on the administrator account's list of member accounts.

You can only accept one invitation to be a member account.

Before you can accept or decline an invitation, you must enable Security Hub. For information on how to enable Security Hub, see Enabling Security Hub manually.

Remember that all Security Hub accounts must have AWS Config enabled and configured to record all resources. For details on the requirement for AWS Config, see Enabling and configuring AWS Config.

Accepting an invitation (console)

On the Accounts page, Administrator account contains the invitation and membership information for an account.

To accept an invitation to be a member account

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Settings, and then choose Accounts.

  3. Under Administrator account, toggle Accept to the on position, and then choose Accept invitation.

Accepting an invitation (Security Hub API, AWS CLI)

To accept an invitation to be a member account, you can use an API call or the AWS Command Line Interface. You must use the credentials for the member account that received the invitation.

To accept an invitation (Security Hub API, AWS CLI)

  • Security Hub API – Use the AcceptAdministratorInvitation operation. You must provide the invitation identifier and the AWS account ID of the administrator account. To retrieve details about the invitation, use the ListInvitations operation.

  • AWS CLI – At the command line, run the accept-administrator-invitation command.

    aws securityhub accept-administrator-invitation --administrator-id <administratorAccountID> --invitation-id <invitationID>

    Example

    aws securityhub accept-administrator-invitation --administrator-id 123456789012 --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb

Note

The Security Hub console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation.

Declining an invitation (console)

You can decline an invitation to be a member account. When you decline an invitation, your account is marked as Resigned on the administrator account's list of member accounts.

To decline an invitation to be a member account

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Settings, and then choose Accounts.

  3. Under Administrator account, choose Decline invitation.

Declining an invitation (Security Hub API, AWS CLI)

To decline an invitation, you can use an API call or the AWS Command Line Interface.

To decline an invitation (Security Hub API, AWS CLI)

  • Security Hub API – Use the DeclineInvitations operation. You must provide the AWS account ID of the administrator account that issued the invitation. To view information about your invitations, use the ListInvitations operation.

  • AWS CLI – At the command line, run the decline-invitations command.

    aws securityhub decline-invitations --account-ids "<administratorAccountId>"

    Example

    aws securityhub decline-invitations --account-ids "123456789012"
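Because accepting an invitation gives the inviting account visibility into your findings, and only one invitation can be accepted, the accept and decline steps above are best driven from a ListInvitations result that is checked against the administrator account ID you expect. The following Python is an added example (not AWS's code): it assumes the ListInvitations response fields AccountId and InvitationId, builds the parameters for AcceptAdministratorInvitation and DeclineInvitations from a constructed sample response, and refuses to guess when more than one invitation comes from the expected account.

```python
"""Decide which Security Hub invitation to accept and which to decline.
Added example for this page; it is not AWS's own code."""
from __future__ import annotations

# Constructed sample shaped like a ListInvitations response (assumed field
# names: AccountId, InvitationId, InvitedAt, MemberStatus). Account IDs and
# invitation IDs are placeholders, not real values.
SAMPLE_RESPONSE = {
    "Invitations": [
        {"AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
         "InvitedAt": "2023-01-01T00:00:00Z", "MemberStatus": "Invited"},
        {"AccountId": "999999999999", "InvitationId": "0000aaaabbbbccccddddeeeeffff0000",
         "InvitedAt": "2023-01-02T00:00:00Z", "MemberStatus": "Invited"},
    ]
}


def plan_invitation_response(response: dict, expected_admin: str) -> dict:
    """Return API parameters: accept the single invitation from expected_admin
    and decline every other inviting account (only one may be accepted)."""
    invitations = response.get("Invitations", [])
    matching = [i for i in invitations if i["AccountId"] == expected_admin]
    others = sorted({i["AccountId"] for i in invitations if i["AccountId"] != expected_admin})
    plan = {"accept": None, "decline": {"AccountIds": others} if others else None}
    if len(matching) == 1:
        plan["accept"] = {"AdministratorId": expected_admin,
                          "InvitationId": matching[0]["InvitationId"]}
    elif len(matching) > 1:
        # Ambiguous: do not pick one silently; let an operator look first.
        raise ValueError(f"{len(matching)} invitations from {expected_admin}; refusing to guess")
    return plan


def apply_plan(client, plan: dict) -> None:
    """Apply the plan with a boto3 securityhub client, using the member
    account's credentials (DeclineInvitations, then AcceptAdministratorInvitation)."""
    if plan["decline"]:
        client.decline_invitations(**plan["decline"])
    if plan["accept"]:
        client.accept_administrator_invitation(**plan["accept"])


if __name__ == "__main__":
    import boto3  # only needed when running against a real account
    securityhub = boto3.client("securityhub")
    # EXPECTED_ADMIN is a placeholder; set it to your administrator account ID.
    EXPECTED_ADMIN = "123456789012"
    print(plan_invitation_response(securityhub.list_invitations(), EXPECTED_ADMIN))
```

Security Hub must already be enabled in the member account before either call succeeds, as the page notes above.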