Disassociating Security Hub member accounts from your organization

To stop receiving and viewing findings from an AWS Security Hub member account, you can disassociate the member account from your organization.

Note

If you use central configuration, disassociation works differently. You can create a configuration policy that disables Security Hub in one or more centrally managed member accounts. After that, these accounts are still part of the organization, but won't generate Security Hub findings. If you use central configuration but also have manually-invited member accounts, you can disassociate one or more manually-invited accounts.

Member accounts that are managed using AWS Organizations can't disassociate their accounts from the administrator account. Only the administrator account can disassociate a member account.

Disassociating a member account does not close the account. Instead, it removes the member account from the organization. The disassociated member account becomes a standalone AWS account that is no longer managed by the Security Hub integration with AWS Organizations.

Choose your preferred method, and follow the steps to disassociate a member account from the organization.

Security Hub console

To disassociate a member account from the organization

Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

Sign in using the credentials of the delegated administrator account.
In the navigation pane, under Settings, choose Configuration.
In the Accounts section, select the accounts that you want to disassociate. If you use central configuration, you can select a manually-invited account to disassociate from the Invitation accounts tab. This tab is visible only if you use central configuration.
Choose Actions, and then choose Disassociate account.

Security Hub API

To disassociate a member account from the organization

Invoke the DisassociateMembers API from the delegated administrator account. You must provide the AWS account IDs for the member accounts to disassociate. To view a list of member accounts, invoke the ListMembers API.

AWS CLI

To disassociate a member account from the organization

Run the >disassociate-members command from the delegated administrator account. You must provide the AWS account IDs for the member accounts to disassociate. To view a list of member accounts, run the >list-members command.


aws securityhub disassociate-members --account-ids "<accountIds>"

Example


aws securityhub disassociate-members --account-ids "123456789111" "123456789222"

You can also use the AWS Organizations console, AWS CLI, or AWS SDKs to disassociate a member account from your organization. For more information, see Removing a member account from your organization in the AWS Organizations User Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Manually enabling Security Hub in new accounts

Managing accounts by invitation in Security Hub