Managing accounts by invitation in Security Hub - AWS Security Hub

Managing accounts by invitation in Security Hub

You can centrally manage multiple AWS Security Hub accounts in two ways: by integrating Security Hub with AWS Organizations, or by manually sending and accepting membership invitations. You must use the manual process if you have a standalone account or if you don't integrate with Organizations. In manual account management, the Security Hub administrator invites accounts to become members. The administrator-member relationship is established when a prospective member accepts the invitation. A Security Hub administrator account can manage Security Hub for up to 1,000 invitation-based member accounts.

Note

If you create an invitation-based organization in Security Hub, you can subsequently transition to using AWS Organizations instead. If you have more than one member account, we recommend using AWS Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations.

Cross-Region aggregation of findings and other data is available for accounts that you invite through the manual invitation process. However, the administrator must invite the member account from the aggregation Region and from every linked Region for cross-Region aggregation to work. In addition, the member account must have Security Hub enabled in the aggregation Region and all linked Regions before the administrator can view findings from the member account.
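As an added example (not AWS's own code), the following Python script uses boto3 to send the invitation from the aggregation Region and every linked Region, as the paragraph above requires, and then reports the Regions where the member has not yet accepted. The Region names, account ID and email are constructed placeholders, and the `make_client` parameter is an assumption made so the logic can be exercised without AWS credentials.

```python
from typing import Callable, Dict, List

# Constructed sample values; replace with your own Regions and member account.
AGGREGATION_REGION = "us-east-1"
LINKED_REGIONS = ["us-west-2", "eu-west-1"]
MEMBER = {"AccountId": "111122223333", "Email": "member@example.com"}


def invite_member_everywhere(make_client: Callable[[str], object],
                             aggregation_region: str,
                             linked_regions: List[str],
                             member: Dict[str, str]) -> Dict[str, str]:
    """Send a Security Hub invitation from each Region the aggregator covers.

    make_client(region) returns an object with the boto3 securityhub client
    methods create_members and invite_members (boto3 in production, a fake in
    tests). Returns Region -> "invited" or the ProcessingResult that failed."""
    results = {}
    # Invitations are per-Region: inviting only from the aggregation Region
    # leaves the linked Regions with no administrator link, so cross-Region
    # aggregation would not pick up the member's findings there.
    for region in dict.fromkeys([aggregation_region, *linked_regions]):
        hub = make_client(region)
        failed = hub.create_members(AccountDetails=[member]).get("UnprocessedAccounts", [])
        if not failed:
            failed = hub.invite_members(AccountIds=[member["AccountId"]]).get("UnprocessedAccounts", [])
        results[region] = failed[0]["ProcessingResult"] if failed else "invited"
    return results


def regions_missing_member(make_client: Callable[[str], object],
                           regions: List[str], account_id: str) -> List[str]:
    """Regions where the member is not yet Enabled for this administrator: the
    member still has to accept the invitation there (or enable Security Hub)."""
    missing = []
    for region in regions:
        members = make_client(region).get_members(AccountIds=[account_id]).get("Members", [])
        status = {m["AccountId"]: m.get("MemberStatus") for m in members}
        if status.get(account_id) != "Enabled":
            missing.append(region)
    return missing


if __name__ == "__main__":
    import boto3  # imported here so the functions above stay testable offline
    regions = [AGGREGATION_REGION, *LINKED_REGIONS]
    make = lambda region: boto3.client("securityhub", region_name=region)
    print(invite_member_everywhere(make, AGGREGATION_REGION, LINKED_REGIONS, MEMBER))
    print("awaiting acceptance in:", regions_missing_member(make, regions, MEMBER["AccountId"]))
```

Run it with the administrator account's credentials; the member must then accept the invitation in each listed Region before `regions_missing_member` returns an empty list.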

Configuration policies aren't supported for manually invited member accounts. Instead, when you use the manual invitation process, you must configure Security Hub settings separately in each member account and AWS Region.

You must also use the manual invitation-based process for accounts that don't belong to your organization. For example, you might not include a test account in your organization. Or, you might want to consolidate accounts from multiple organizations under a single Security Hub administrator account. The Security Hub administrator account must send invitations to accounts that belong to other organizations.

On the Configuration page of the Security Hub console, accounts that were added by invitation are listed in the Invitation accounts tab. If you use central configuration (see Understanding central configuration in Security Hub) but also invite accounts outside of your organization, you can view findings from invitation-based accounts in this tab. However, the Security Hub administrator can't configure invitation-based accounts across Regions through the use of configuration policies.

The topics in this section explain how to manage member accounts through invitations.