Removing or changing the delegated administrator


Only the organization management account can remove the delegated Security Hub administrator account.

To change the delegated Security Hub administrator, you must first remove the current delegated administrator account and then designate a new one.

Warning

When you use central configuration, you can't use the Security Hub console or Security Hub APIs to change or remove the delegated administrator account. If the organization management account uses the AWS Organizations console or AWS Organizations APIs to change or remove the delegated Security Hub administrator, Security Hub automatically stops central configuration, and deletes your configuration policies and policy associations. Member accounts retain the configurations they had before the delegated administrator was changed or removed.

If you use the Security Hub console to remove the delegated administrator in one Region, it is automatically removed in all Regions.

The Security Hub API only removes the delegated Security Hub administrator account from the Region where the API call or command is issued. You must repeat the action in other Regions.

If you use the Organizations API to remove the delegated Security Hub administrator account, it is automatically removed in all Regions.

Removing the delegated administrator (Organizations API, AWS CLI)

You can use Organizations to remove the delegated Security Hub administrator in all Regions.

If you use central configuration to manage accounts, removing the delegated administrator account results in the deletion of your configuration policies and policy associations. Member accounts retain the configurations that they had before the delegated administrator was changed or removed. However, these accounts can't be managed by the removed delegated administrator account anymore. They become self-managed accounts that must be configured separately in each Region.

Choose your preferred method, and follow the instructions to remove the delegated Security Hub administrator account with AWS Organizations.

Organizations API, AWS CLI

To remove the delegated Security Hub administrator

From the organization management account, use the DeregisterDelegatedAdministrator operation of the Organizations API. If you're using the AWS CLI, run the deregister-delegated-administrator command. Provide the account ID of the delegated administrator, and the service principal for Security Hub, which is securityhub.amazonaws.com.

The following example removes the delegated Security Hub administrator. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws organizations deregister-delegated-administrator \
    --account-id 123456789012 \
    --service-principal securityhub.amazonaws.com

Removing the delegated administrator (Security Hub console)

You can use the Security Hub console to remove the delegated Security Hub administrator in all Regions.

When the delegated Security Hub administrator account is removed, the member accounts are disassociated from the removed delegated Security Hub administrator account.

Security Hub is still enabled in the member accounts. They become standalone accounts until a new Security Hub administrator enables them as member accounts.

If the organization management account isn't an enabled account in Security Hub, then use the option on the Welcome to Security Hub page.

To remove the delegated Security Hub administrator account from the Welcome to Security Hub page
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Choose Go to Security Hub.

  3. Under Delegated Administrator, choose Remove.

If the organization management account is an enabled account in Security Hub, then use the option on the General tab of the Settings page.

To remove the delegated Security Hub administrator account from the Settings page
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the Security Hub navigation pane, choose Settings. Then choose General.

  3. Under Delegated Administrator, choose Remove.

Removing the delegated administrator (Security Hub API, AWS CLI)

You can use the Security Hub API or Security Hub operations for the AWS CLI to remove the delegated Security Hub administrator. When you remove the delegated administrator with one of these methods, it is only removed in the Region where the API call or command was issued. Security Hub doesn't update other Regions, and it doesn't remove the delegated administrator account in AWS Organizations.

Choose your preferred method, and follow these steps to remove the delegated Security Hub administrator account with Security Hub.

Security Hub API, AWS CLI

To remove the delegated Security Hub administrator

From the organization management account, use the DisableOrganizationAdminAccount operation of the Security Hub API. If you're using the AWS CLI, run the disable-organization-admin-account command. Provide the account ID of the delegated Security Hub administrator.

The following example removes the delegated Security Hub administrator. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws securityhub disable-organization-admin-account \
    --admin-account-id 123456789012
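
Because the Security Hub API removes the delegated administrator only in the calling Region and leaves the AWS Organizations registration in place, it helps to check what is left after a removal. The script below is an added example, not AWS-provided code: run from the organization management account, it reports whether the account is still registered in Organizations and which Regions still list it in Security Hub. The Region list and the function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not AWS-provided code. Run from the organization management account.
# Regions to check (constructed sample list; set REGIONS to the ones you use).
REGIONS="${REGIONS:-us-east-1 us-west-2 eu-west-1}"

# Return 0 if ACCOUNT_ID ($1) is still registered in AWS Organizations as a
# delegated administrator for Security Hub, 1 if not, 2 if the call failed.
org_delegation() {
  ids=$(aws organizations list-delegated-administrators \
          --service-principal securityhub.amazonaws.com \
          --query 'DelegatedAdministrators[].Id' --output text) || return 2
  for id in $ids; do
    if [ "$id" = "$1" ]; then return 0; fi
  done
  return 1
}

# Print each Region where Security Hub still lists ACCOUNT_ID ($1) as the
# organization admin account. A failed call is printed as "<region>(unknown)".
regions_with_admin() {
  for region in $REGIONS; do
    ids=$(aws securityhub list-organization-admin-accounts \
            --region "$region" \
            --query 'AdminAccounts[].AccountId' --output text) \
      || { echo "${region}(unknown)"; continue; }
    for id in $ids; do
      if [ "$id" = "$1" ]; then echo "$region"; fi
    done
  done
  return 0
}

# One-line summary of what is left after a removal attempt.
removal_report() {
  rc=0
  org_delegation "$1" || rc=$?
  case "$rc" in
    0) org=registered ;;
    1) org=not-registered ;;
    *) org=unknown ;;
  esac
  left=$(regions_with_admin "$1" | tr '\n' ' ')
  echo "organizations=$org securityhub_regions=${left% }"
}

# Run the report only when an account ID is given on the command line.
if [ $# -gt 0 ]; then removal_report "$1"; fi
```

A result such as `organizations=registered securityhub_regions=us-west-2 eu-west-1` after a Security Hub API removal in us-east-1 shows the remaining Regions where the action must be repeated.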

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.