Allowed actions by administrator and member accounts in Security Hub
Administrator and member accounts have access to AWS Security Hub actions noted in the following tables. In the tables, the values have the following meanings:
- Any – The account can perform the action for any member account under the same administrator.
- Current – The account can perform the action only for itself (the account that you're currently signed in to).
- Dash (–) – Indicates that the account cannot perform the action.
As noted in the tables, allowed actions differ based on whether you integrate with AWS Organizations and which configuration type your organization uses. For information about the difference between central and local configuration, see Managing accounts with AWS Organizations.
Security Hub doesn't copy member account findings into the administrator account. In Security Hub, all findings are ingested into a specific Region for a specific account. In each Region, the administrator account can view and manage findings for their member accounts in that Region.
If you set an aggregation Region, the administrator account can view and manage member account findings from linked Regions that are replicated to the aggregation Region. For more information about cross-Region aggregation, see Cross-Region aggregation.
These tables reflect the default permissions for administrator and member accounts. You can use custom IAM policies to further restrict access to Security Hub features and functions within an account. For guidance and examples, see the blog post Aligning IAM policies to user personas for AWS Security Hub.
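The following identity-based policy is an added example for this page (it is not taken from the Security Hub documentation or from the blog post above). It implements a finding-triage persona in the administrator account: the principal can read findings, finding history, insights, standards, controls and the member list for any member, and can update findings, but an explicit Deny prevents it from setting a finding's Workflow.Status to SUPPRESSED and from using the account-management and configuration actions that the tables below reserve for the administrator. The action names are from the Security Hub API; the securityhub:ASFFSyntaxPath/Workflow.Status condition key is the one Security Hub documents for restricting BatchUpdateFindings by field; the Sid values are chosen for this example. Check the action list against the current Service Authorization Reference before deploying, because new configuration actions are added over time.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TriageReadFindingsInsightsAndControls",
      "Effect": "Allow",
      "Action": [
        "securityhub:DescribeHub",
        "securityhub:GetFindings",
        "securityhub:GetFindingHistory",
        "securityhub:GetInsights",
        "securityhub:GetInsightResults",
        "securityhub:DescribeStandards",
        "securityhub:DescribeStandardsControls",
        "securityhub:GetEnabledStandards",
        "securityhub:ListMembers",
        "securityhub:GetMembers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TriageUpdateFindings",
      "Effect": "Allow",
      "Action": "securityhub:BatchUpdateFindings",
      "Resource": "*"
    },
    {
      "Sid": "DenySuppressingFindings",
      "Effect": "Deny",
      "Action": "securityhub:BatchUpdateFindings",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"
        }
      }
    },
    {
      "Sid": "DenyAdministratorOnlyActions",
      "Effect": "Deny",
      "Action": [
        "securityhub:EnableSecurityHub",
        "securityhub:DisableSecurityHub",
        "securityhub:UpdateSecurityHubConfiguration",
        "securityhub:BatchEnableStandards",
        "securityhub:BatchDisableStandards",
        "securityhub:UpdateStandardsControl",
        "securityhub:CreateMembers",
        "securityhub:InviteMembers",
        "securityhub:DisassociateMembers",
        "securityhub:DeleteMembers",
        "securityhub:DisassociateFromAdministratorAccount",
        "securityhub:CreateConfigurationPolicy",
        "securityhub:UpdateConfigurationPolicy",
        "securityhub:DeleteConfigurationPolicy",
        "securityhub:StartConfigurationPolicyAssociation",
        "securityhub:StartConfigurationPolicyDisassociation",
        "securityhub:CreateFindingAggregator",
        "securityhub:UpdateFindingAggregator",
        "securityhub:DeleteFindingAggregator",
        "securityhub:CreateAutomationRule",
        "securityhub:BatchUpdateAutomationRules",
        "securityhub:BatchDeleteAutomationRules",
        "securityhub:EnableImportFindingsForProduct",
        "securityhub:DisableImportFindingsForProduct",
        "securityhub:CreateActionTarget",
        "securityhub:UpdateActionTarget",
        "securityhub:DeleteActionTarget"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach this policy to the IAM role that triage staff assume in the administrator account. Because IAM evaluates an explicit Deny before any Allow, the two Deny statements still hold if a broader policy such as the AWS managed AWSSecurityHubFullAccess is attached to the same role, so the persona cannot disable Security Hub, change standards or controls, or remove members even when it inherits wide permissions from elsewhere. The IAM policy simulator can confirm that, for example, securityhub:DisableSecurityHub is denied and securityhub:GetFindings is allowed for the role before anyone relies on it.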
Administrator and member accounts can access Security Hub actions as follows if you integrate with Organizations and use central configuration.
Action | Security Hub delegated administrator account | Centrally managed member account | Self-managed member account |
---|---|---|---|
Create and manage Security Hub configuration policies | For current account and centrally managed accounts | – | – |
View organization accounts | Any | – | – |
Disassociate member account | Any | – | – |
Delete member account | Any non-organization account | – | – |
Disable Security Hub | For current account and centrally managed accounts | – | Current (must be disassociated from the administrator account) |
View findings and finding history | Any | Current | Current |
Update findings | Any | Current | Current |
View insight results | Any | Current | Current |
View control details | Any | Current | Current |
Turn consolidated control findings on or off | Any | – | – |
Enable and disable standards | For current account and centrally managed accounts | – | Current |
Enable and disable controls | For current account and centrally managed accounts | – | Current |
Enable and disable integrations | Current | Current | Current |
Configure cross-Region aggregation | Any | – | – |
Select home Region and linked Regions | Any (must stop and restart central configuration to change home Region) | – | – |
Configure custom actions | Current | Current | Current |
Configure automation rules | Any | – | – |
Configure custom insights | Current | Current | Current |
Administrator and member accounts can access Security Hub actions as follows if you integrate with Organizations and use local configuration.
Action | Security Hub delegated administrator account | Member account |
---|---|---|
Create and manage Security Hub configuration policies | – | – |
View organization accounts | Any | – |
Disassociate member account | Any | – |
Delete member account | – | – |
Disable Security Hub | – | Current (if account is disassociated from delegated administrator) |
View findings and finding history | Any | Current |
Update findings | Any | Current |
View insight results | Any | Current |
View control details | Any | Current |
Turn consolidated control findings on or off | Any | – |
Enable and disable standards | Current | Current |
Automatically enable Security Hub and default standards in new organization accounts | For current account and new organization accounts | – |
Enable and disable controls | Current | Current |
Enable and disable integrations | Current | Current |
Configure cross-Region aggregation | Any | – |
Configure custom actions | Current | Current |
Configure automation rules | Any | – |
Configure custom insights | Current | Current |
Administrator and member accounts can access Security Hub actions as follows if you use the invitation-based method to manually manage accounts instead of integrating with AWS Organizations.
Action | Security Hub administrator account | Member account |
---|---|---|
Create and manage Security Hub configuration policies | – | – |
View organization accounts | Any | – |
Disassociate member account | Any | Current |
Delete member account | Any | – |
Disable Security Hub | Current (if there are no enabled member accounts) | Current (if account is disassociated from administrator account) |
View findings and finding history | Any | Current |
Update findings | Any | Current |
View insight results | Any | Current |
View control details | Any | Current |
Turn consolidated control findings on or off | Any | – |
Enable and disable standards | Current | Current |
Automatically enable Security Hub and default standards in new organization accounts | – | – |
Enable and disable controls | Current | Current |
Enable and disable integrations | Current | Current |
Configure cross-Region aggregation | Any | – |
Configure custom actions | Current | Current |
Configure automation rules | Any | – |
Configure custom insights | Current | Current |