Manually enabling Security Hub in new organization accounts

If you don't automatically enable Security Hub in new organization accounts when they join the organization, then you can add those accounts as members and enable Security Hub in them manually after they join the organization. You must also manually enable Security Hub in AWS accounts that you previously disassociated from an organization.

Note

This section doesn't apply to you if you use central configuration. If you use central configuration, you can create configuration policies that enable Security Hub in specified member accounts and organizational units (OUs). You can also enable specific standards and controls in those accounts and OUs.

You can't enable Security Hub in an account if it is already a member account within a different organization.

You also can't enable Security Hub in an account that is currently suspended. If you try to enable the service in a suspended account, the account status changes to Account Suspended.

  • If the account doesn't have Security Hub enabled, Security Hub is enabled in that account. The AWS Foundational Security Best Practices (FSBP) standard and CIS AWS Foundations Benchmark v1.2.0 are also enabled in the account unless you turn off default security standards.

    The exception to this is the Organizations management account. Security Hub cannot be enabled automatically in the Organizations management account. You must manually enable Security Hub in the Organizations management account before you can add it as a member account.

  • If the account already has Security Hub enabled, Security Hub doesn't make any other changes to the account. It only enables the membership.

In order for Security Hub to generate control findings, member accounts must have AWS Config enabled and configured to record required resources. For more information, see Enabling and configuring AWS Config.

Choose your preferred method, and follow the steps to enable an organization account as a Security Hub member account.

Security Hub console
To manually enable organization accounts as Security Hub members
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

    Sign in using the credentials of the delegated administrator account.

  2. In the Security Hub navigation pane, under Settings, choose Configuration.

  3. In the Accounts list, select each organization account that you want to enable.

  4. Choose Actions, and then choose Add member.

Security Hub API

To manually enable organization accounts as Security Hub members

Invoke the CreateMembers API from the delegated administrator account. For each account to enable, provide the account ID.

Unlike the manual invitation process, when you invoke CreateMembers to enable an organization account, you don't need to send an invitation.

AWS CLI

To manually enable organization accounts as Security Hub members

Run the create-members command from the delegated administrator account. For each account to enable, provide the account ID.

Unlike the manual invitation process, when you run create-members to enable an organization account, you don't need to send an invitation.

aws securityhub create-members --account-details '[{"AccountId": "<accountId>"}]'

Example

aws securityhub create-members --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'
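
The following wrapper around the create-members command validates the account IDs before the call and reports any accounts that come back in the response's UnprocessedAccounts list, so an account that was not enabled does not go unnoticed. It is an added example, not AWS's code: the function names build_account_details and enable_members are assumptions, and it expects the AWS CLI to be configured with the delegated administrator account's credentials.

```shell
#!/bin/sh
# Added example (not from the AWS documentation). Function names are
# hypothetical. Source this file, then call: enable_members <id> [<id> ...]

# Build the --account-details JSON from account IDs. Anything that is not
# exactly 12 digits is rejected so a typo never reaches the API.
build_account_details() {
    json=""
    for id in "$@"; do
        case "$id" in
            *[!0-9]*|"") echo "invalid account ID: $id" >&2; return 1 ;;
        esac
        [ "${#id}" -eq 12 ] || { echo "invalid account ID: $id" >&2; return 1; }
        json="${json:+$json, }{\"AccountId\": \"$id\"}"
    done
    [ -n "$json" ] || { echo "no account IDs given" >&2; return 1; }
    printf '[%s]' "$json"
}

# Run create-members and print every account the service did not process,
# one "AccountId<TAB>ProcessingResult" per line.
# Exit status: 0 all accounts accepted, 1 some unprocessed,
#              2 bad input, 3 the CLI call itself failed.
enable_members() {
    details=$(build_account_details "$@") || return 2
    unprocessed=$(aws securityhub create-members \
        --account-details "$details" \
        --query 'UnprocessedAccounts[].[AccountId, ProcessingResult]' \
        --output text) || return 3
    # Text output is empty (or "None") when nothing was left unprocessed.
    case "$unprocessed" in
        ""|None) return 0 ;;
    esac
    printf '%s\n' "$unprocessed"
    return 1
}
```
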
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.