Managing Security Hub administrator and member accounts with Organizations - AWS Security Hub

Managing Security Hub administrator and member accounts with Organizations

You can integrate AWS Security Hub with AWS Organizations, and then manage Security Hub for accounts in your organization.

To integrate Security Hub with AWS Organizations, you create an organization in AWS Organizations. The Organizations management account designates one account as the Security Hub delegated administrator for the organization. The delegated administrator can then enable Security Hub for other accounts in the organization, add those accounts as Security Hub member accounts, and take allowed actions on the member accounts. The Security Hub delegated administrator can enable and manage Security Hub for up to 10,000 member accounts.

The extent of the delegated administrator's configuration abilities depends on whether you use central configuration. With central configuration enabled, you don't need to configure Security Hub separately in each member account and AWS Region. The delegated administrator can enforce specific Security Hub settings in specified member accounts and organizational units (OUs) across Regions.

The Security Hub delegated administrator account can perform the following actions on member accounts:

  • If using central configuration, centrally configure Security Hub for member accounts and OUs by creating Security Hub configuration policies. Configuration policies can be used to enable and disable Security Hub, enable and disable standards, and enable and disable controls.

  • Automatically treat new accounts as Security Hub member accounts when they join the organization. If you use central configuration, a configuration policy that is associated with an OU includes existing and new accounts that are part of the OU.

  • Treat existing organization accounts as Security Hub member accounts. This happens automatically if you use central configuration.

  • Disassociate member accounts that belong to the organization. If you use central configuration, you can disassociate a member account only after designating it as self-managed. Alternatively, you can associate a configuration policy that disables Security Hub with specific centrally managed member accounts.
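The configuration policies described in the first and last list items above, as an added example that is not part of this documentation or AWS's own code: a builder for the policy document accepted by the `CreateConfigurationPolicy` API (one policy that enables Security Hub with a standard and disabled controls, one that switches Security Hub off for centrally managed accounts), and a function that applies it to an OU. The OU id, policy name and standard ARN are placeholders; `apply_policy` assumes delegated-administrator credentials for the home Region.

```python
"""Build and apply a Security Hub central configuration policy.

Added example, not AWS code. The OU id and standard ARN in __main__ are
placeholders; apply_policy() needs delegated-administrator credentials.
"""
from __future__ import annotations
import json


def build_configuration_policy(service_enabled: bool,
                               standards: list[str] | None = None,
                               disabled_controls: list[str] | None = None) -> dict:
    """Return the policy document in the shape CreateConfigurationPolicy takes.

    A policy that disables Security Hub carries only ServiceEnabled=False and
    no standards or controls; associating it with a centrally managed member
    turns Security Hub off there without disassociating the account.
    """
    if not service_enabled:
        return {"SecurityHub": {"ServiceEnabled": False}}
    if not standards:
        raise ValueError("an enabling policy must name at least one standard")
    return {
        "SecurityHub": {
            "ServiceEnabled": True,
            "EnabledStandardIdentifiers": list(standards),
            "SecurityControlsConfiguration": {
                # Enabled and disabled control lists are mutually exclusive in
                # the API, so this builder only ever emits the disabled list.
                "DisabledSecurityControlIdentifiers": list(disabled_controls or []),
            },
        }
    }


def apply_policy(name: str, policy: dict, ou_id: str, region: str) -> str:
    """Create the policy and associate it with an OU; returns the policy ARN."""
    import boto3  # imported lazily so the builder above works offline

    hub = boto3.client("securityhub", region_name=region)
    created = hub.create_configuration_policy(Name=name, ConfigurationPolicy=policy)
    hub.start_configuration_policy_association(
        ConfigurationPolicyIdentifier=created["Arn"],
        Target={"OrganizationalUnitId": ou_id},
    )
    return created["Arn"]


if __name__ == "__main__":
    # Placeholder ARN; substitute the standard ARN for your home Region.
    STANDARD = "arn:aws:securityhub:REGION::standards/aws-foundational-security-best-practices/v/1.0.0"
    print(json.dumps(build_configuration_policy(True, [STANDARD], ["CloudTrail.2"]), indent=2))
    print(json.dumps(build_configuration_policy(False), indent=2))
```

To push the enabling policy to an OU, call `apply_policy("prod-baseline", policy, "ou-PLACEHOLDER", "us-east-1")` from the delegated administrator account.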

If you don't opt in to central configuration, your organization uses the default configuration type called local configuration. Under local configuration, the delegated administrator has a more limited ability to enforce settings in member accounts. For more information, see Understanding local configuration in Security Hub.

For a full list of actions that the delegated administrator can perform on member accounts, see Allowed actions by administrator and member accounts in Security Hub.

The topics in this section explain how to integrate Security Hub with AWS Organizations and how to manage Security Hub for accounts in an organization. Where relevant, each section identifies management benefits and differences for users of central configuration.