Transitioning to Organizations to manage accounts in Security Hub
When you manage accounts manually in AWS Security Hub, you must invite prospective member accounts and configure each member account separately in each AWS Region.
By integrating Security Hub and AWS Organizations, you can eliminate the need to send invitations and gain more control over how Security Hub is configured and customized in your organization. For this reason, we recommend using AWS Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations.
It's possible to use a combined approach in which you use the AWS Organizations integration, but also manually invite accounts outside of your organization. However, we recommend exclusively using the Organizations integration. Central configuration, a feature which helps you manage Security Hub across multiple accounts and Regions, is only available when you integrate with Organizations.
This section covers how you can transition from manual invitation-based account management to managing accounts with AWS Organizations.
Integrating Security Hub with AWS Organizations
First, you must integrate Security Hub and AWS Organizations.
You can integrate these services by completing the following steps:
1. Create an organization in AWS Organizations. For instructions, see Create an organization in the AWS Organizations User Guide.
2. From the Organizations management account, designate a Security Hub delegated administrator account.
   Note: The organization management account cannot be set as the delegated administrator (DA) account.
For detailed instructions, see Integrating Security Hub with AWS Organizations.
By completing the preceding steps, you grant trusted access for Security Hub in AWS Organizations. This also enables Security Hub in the current AWS Region for the delegated administrator account.
The delegated administrator can manage the organization in Security Hub, primarily by adding the organization’s accounts as Security Hub member accounts. The administrator can also access certain Security Hub settings, data, and resources for those accounts.
When you transition to account management using Organizations, invitation-based accounts don't automatically become Security Hub members. Only the accounts that you add to your new organization can become Security Hub members.
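The following pre-transition check is an added example, not part of the AWS documentation. It applies the two constraints above (the management account cannot be the delegated administrator, and invitation-based members outside the organization do not carry over) to account inventories. The dictionaries are constructed sample data shaped like the Organizations DescribeOrganization and ListAccounts responses and the Security Hub ListMembers response; `plan_transition` and its output keys are hypothetical names.

```python
# Added example: plan the move from invitation-based members to Organizations.
# Sample data below is constructed; field names follow the AWS API response shapes.

def plan_transition(org, org_accounts, invited_members, proposed_da):
    """Classify accounts by what happens to them after the switch."""
    active = {a["Id"] for a in org_accounts if a["Status"] == "ACTIVE"}
    errors = []
    # The management account cannot be set as the delegated administrator.
    if proposed_da == org["MasterAccountId"]:
        errors.append("delegated administrator must not be the management account")
    if proposed_da not in active:
        errors.append("delegated administrator is not an active organization account")

    invited = {m["AccountId"] for m in invited_members}
    candidates = active - {proposed_da}
    return {
        "errors": errors,
        # Invited today and active in the organization: add again through Organizations.
        "re_add_via_organizations": sorted(invited & candidates),
        # Active in the organization but never invited: eligible to be added.
        "new_candidates": sorted(candidates - invited),
        # Invited today but not an active organization account: these do not
        # become members automatically and need an explicit decision.
        "not_active_in_organization": sorted(invited - active),
    }

ORG = {"MasterAccountId": "111111111111"}            # constructed
ORG_ACCOUNTS = [                                      # constructed
    {"Id": "111111111111", "Status": "ACTIVE"},
    {"Id": "222222222222", "Status": "ACTIVE"},
    {"Id": "333333333333", "Status": "ACTIVE"},
    {"Id": "444444444444", "Status": "SUSPENDED"},
]
INVITED_MEMBERS = [                                   # constructed
    {"AccountId": "333333333333", "MemberStatus": "Enabled"},
    {"AccountId": "444444444444", "MemberStatus": "Enabled"},
    {"AccountId": "999999999999", "MemberStatus": "Invited"},
]

if __name__ == "__main__":
    plan = plan_transition(ORG, ORG_ACCOUNTS, INVITED_MEMBERS, "222222222222")
    for key, value in plan.items():
        print(f"{key}: {value}")
```
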
After activating the integration, you can manage accounts with Organizations. For information, see Managing Security Hub administrator and member accounts with Organizations. Account management varies based on your organization's configuration type.