Manually enabling Security Hub in new organization accounts - AWS Security Hub

Manually enabling Security Hub in new organization accounts

If you don't automatically enable Security Hub in new organization accounts when they join the organization, then you can add those accounts as members and enable Security Hub in them manually after they join the organization. You must also manually enable Security Hub in AWS accounts that you previously disassociated from an organization.

Note

This section doesn't apply to you if you use central configuration. If you use central configuration, you can create configuration policies that enable Security Hub in specified member accounts and organizational units (OUs). You can also enable specific standards and controls in those accounts and OUs.

You can't enable Security Hub in an account if it is already a member account within a different organization.

You also can't enable Security Hub in an account that is currently suspended. If you try to enable the service in a suspended account, the account status changes to Account Suspended.

  • If the account doesn't have Security Hub enabled, Security Hub is enabled in that account. The AWS Foundational Security Best Practices (FSBP) standard and CIS AWS Foundations Benchmark v1.2.0 also are enabled in the account unless your turn off default security standards.

    The exception to this is the Organizations management account. Security Hub cannot be enabled automatically in the Organizations management account. You must manually enable Security Hub in the Organizations management account before you can add it as a member account.

  • If the account already has Security Hub enabled, Security Hub doesn't make any other changes to the account. It only enables the membership.

In order for Security Hub to generate control findings, member accounts must have AWS Config enabled and configured to record required resources. For more information, see Enabling and configuring AWS Config.

Choose your preferred method, and follow the steps to enable an organization account as a Security Hub member account.

Security Hub console
To manually enable organization accounts as Security Hub members
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

    Sign in using the credentials of the delegated administrator account.

  2. In the Security Hub navigation pane, under Settings, choose Configuration.

  3. In the Accounts list, select each organization account that you want to enable.

  4. Choose Actions, and then choose Add member.

Security Hub API

To manually enable organization accounts as Security Hub members

Invoke the CreateMembers API from the delegated administrator account. For each account to enable, provide the account ID.

Unlike the manual invitation process, when you invoke CreateMembers to enable an organization account, you don't need to send an invitation.

AWS CLI

To manually enable organization accounts as Security Hub members

Run the create-members command from the delegated administrator account. For each account to enable, provide the account ID.

Unlike the manual invitation process, when you run create-members to enable an organization account, you don't need to send an invitation.

aws securityhub create-members --account-details '[{"AccountId": "<accountId>"}]'

Example

aws securityhub create-members --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'