

# Managing administrator and member accounts in Security Hub CSPM
<a name="securityhub-accounts"></a>

If your AWS environment has multiple accounts, you can treat the accounts that use AWS Security Hub CSPM as member accounts and associate them with a single administrator account. The administrator can monitor your overall security posture and take [allowed actions](securityhub-accounts-allowed-actions.md) on member accounts. The administrator can also perform various account management and administration tasks at scale, such as monitoring estimated usage costs and assessing account quotas.

You can associate member accounts with an administrator in two ways: by integrating Security Hub CSPM with AWS Organizations, or by manually sending and accepting membership invitations in Security Hub CSPM.

## Managing accounts with AWS Organizations
<a name="securityhub-orgs-account-management-overview"></a>

AWS Organizations is a global account management service that lets AWS administrators consolidate and manage multiple AWS accounts. It provides account management and consolidated billing features that are designed to support budgetary, security, and compliance needs. It's offered at no additional charge, and it integrates with multiple AWS services, including AWS Security Hub CSPM, Amazon Macie, and Amazon GuardDuty. For more information, see the [*AWS Organizations User Guide*](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html).

When you integrate Security Hub CSPM and AWS Organizations, the Organizations management account designates a Security Hub CSPM delegated administrator. Security Hub CSPM is automatically enabled in the delegated administrator account in the AWS Region in which it was designated.

After designating a delegated administrator, we recommend managing accounts in Security Hub CSPM with [central configuration](central-configuration-intro.md). This is the most efficient way to customize Security Hub CSPM and ensure adequate security coverage for your organization.

Central configuration lets the delegated administrator customize Security Hub CSPM across multiple organization accounts and Regions rather than configuring Region-by-Region. You can create a configuration policy for your entire organization, or create different configuration policies for different accounts and OUs. The policies specify whether Security Hub CSPM is enabled or disabled in associated accounts and which security standards and controls are enabled.

The delegated administrator can designate accounts as centrally managed or self-managed. Centrally managed accounts are configurable only by the delegated administrator. Self-managed accounts can specify their own settings.

If you don't opt in to central configuration, the delegated administrator has a more limited ability to configure Security Hub CSPM, called *local configuration*. Under local configuration, the delegated administrator can automatically enable Security Hub CSPM and [default security standards](securityhub-auto-enabled-standards.md) in new organization accounts in the current Region. However, existing accounts don't use these settings, so configuration drift can occur after an account joins the organization.

Aside from these new account settings, local configuration is account-specific and Region-specific. Each organization account must configure the Security Hub CSPM service, standards, and controls separately in each Region. Local configuration also doesn't support the use of configuration policies.

## Managing accounts manually by invitation
<a name="securityhub-manual-account-management-overview"></a>

You must manually manage member accounts by invitation in Security Hub CSPM if you have a standalone account or if you don't integrate with Organizations. A standalone account can't integrate with Organizations, so it's necessary to manage it manually. We recommend integrating with AWS Organizations and using central configuration if you add additional accounts in the future.

When you use manual account management, you designate an account to be the Security Hub CSPM administrator. The administrator account can view data in member accounts and take certain actions on member account findings. The Security Hub CSPM administrator invites other accounts to be member accounts, and the administrator-member relationship is established when a prospective member account accepts the invitation.

Manual account management doesn't support the use of configuration policies. Without configuration policies, the administrator can't centrally customize Security Hub CSPM by configuring variable settings for different accounts. Instead, each organization account must enable and configure Security Hub CSPM for itself separately in each Region. This can make it more difficult and time-consuming to ensure adequate security coverage across all of the accounts and Regions in which you use Security Hub CSPM. It can also cause configuration drift, because member accounts can specify their own settings without input from the administrator.

To manage accounts by invitation, see [Managing accounts by invitation in Security Hub CSPM](account-management-manual.md).

# Recommendations for managing multiple accounts in Security Hub CSPM
<a name="securityhub-account-restrictions-recommendations"></a>

The following section summarizes some restrictions and recommendations to keep in mind when managing member accounts in AWS Security Hub CSPM.

## Maximum number of member accounts
<a name="admin-maximum-member-accounts"></a>

If you use the integration with AWS Organizations, Security Hub CSPM supports up to 10,000 member accounts per delegated administrator account in each AWS Region. If you enable and manage Security Hub CSPM manually, Security Hub CSPM supports up to 1,000 member account invitations per administrator account in each Region.

## Creating administrator-member relationships
<a name="securityhub-accounts-regions"></a>

**Note**  
If you use the Security Hub CSPM integration with AWS Organizations, and haven't manually invited any member accounts, this section doesn't apply to you.

An account can't be an administrator account and a member account at the same time.

A member account can only be associated with one administrator account. If an organization account is enabled by the Security Hub CSPM administrator account, the account cannot accept an invitation from another account. If an account has already accepted an invitation, the account cannot be enabled by the Security Hub CSPM administrator account for the organization. It also cannot receive invitations from other accounts.

For the manual invitation process, accepting a membership invitation is optional.

### Membership through AWS Organizations
<a name="accounts-regions-orgs"></a>

If you integrate Security Hub CSPM with AWS Organizations, the Organizations management account can designate a delegated administrator (DA) account for Security Hub CSPM. The organization management account can't be set as the DA in Organizations. While this is permitted in Security Hub CSPM, we recommend that the Organizations management account should *not* be the DA.

We recommend that you choose the same DA account in all Regions. If you use [central configuration](central-configuration-intro.md), then Security Hub CSPM sets the same DA account in all Regions in which you configure Security Hub CSPM for your organization.

We also recommend that you choose the same DA account across AWS security and compliance services to help you manage security-related issues in a single pane of glass.

### Membership by invitation
<a name="accounts-regions-invitation"></a>

For member accounts created by invitation, the administrator-member account association is created only in the Region that the invitation is sent from. The administrator account must enable Security Hub CSPM in each Region that you want to use it in. The administrator account then invites each account to become a member account in that Region.

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts.

## Coordinating administrator accounts across services
<a name="securityhub-coordinate-admins"></a>

Security Hub CSPM aggregates findings from various AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. Security Hub CSPM also allows users to pivot from a GuardDuty finding to start an investigation in Amazon Detective.

However, the administrator-member relationships that you set up in these other services do not automatically apply to Security Hub CSPM. Security Hub CSPM recommends that you use the same account as the administrator account for all of these services. This administrator account should be an account that is responsible for security tools. The same account should also be the aggregator account for AWS Config.

For example, a user from the GuardDuty administrator account A can see findings for GuardDuty member accounts B and C on the GuardDuty console. If account A then enables Security Hub CSPM, users from account A do *not* automatically see GuardDuty findings for accounts B and C in Security Hub CSPM. A Security Hub CSPM administrator-member relationship is also required for these accounts.

To do this, make account A the Security Hub CSPM administrator account and enable accounts B and C to become Security Hub CSPM member accounts.

# Managing Security Hub CSPM for multiple accounts with AWS Organizations
<a name="securityhub-accounts-orgs"></a>

You can integrate AWS Security Hub CSPM with AWS Organizations, and then manage Security Hub CSPM for accounts in your organization.

To integrate Security Hub CSPM with AWS Organizations, you create an organization in AWS Organizations. The Organizations management account designates one account as the Security Hub CSPM delegated administrator for the organization. The delegated administrator can then enable Security Hub CSPM for other accounts in the organization, add those accounts as Security Hub CSPM member accounts, and take allowed actions on the member accounts. The Security Hub CSPM delegated administrator can enable and manage Security Hub CSPM for up to 10,000 member accounts.

The extent of the delegated administrator's configuration abilities depends on whether you use [central configuration](central-configuration-intro.md). With central configuration enabled, you don't need to configure Security Hub CSPM separately in each member account and AWS Region. The delegated administrator can enforce specific Security Hub CSPM settings in specified member accounts and organizational units (OUs) across Regions.

The Security Hub CSPM delegated administrator account can perform the following actions on member accounts:
+ If using central configuration, centrally configure Security Hub CSPM for member accounts and OUs by creating Security Hub CSPM configuration policies. Configuration policies can be used to enable and disable Security Hub CSPM, enable and disable standards, and enable and disable controls.
+ Automatically treat *new* accounts as Security Hub CSPM member accounts when they join the organization. If you use central configuration, a configuration policy that is associated with an OU includes existing and new accounts that are part of the OU.
+ Treat *existing* organization accounts as Security Hub CSPM member accounts. This happens automatically if you use central configuration.
+ Disassociate member accounts that belong to the organization. If you use central configuration, you can disassociate a member account only after designating it as self-managed. Alternatively, you can associate a configuration policy that disables Security Hub CSPM with specific centrally managed member accounts.

If you don't opt in to central configuration, your organization uses the default configuration type called local configuration. Under local configuration, the delegated administrator has a more limited ability to enforce settings in member accounts. For more information, see [Understanding local configuration in Security Hub CSPM](local-configuration.md).

For a full list of actions that the delegated administrator can perform on member accounts, see [Allowed actions by administrator and member accounts in Security Hub CSPM](securityhub-accounts-allowed-actions.md).

The topics in this section explain how to integrate Security Hub CSPM with AWS Organizations and how to manage Security Hub CSPM for accounts in an organization. Where relevant, each section identifies management benefits and differences for users of central configuration.

**Topics**
+ [Integrating Security Hub CSPM with AWS Organizations](designate-orgs-admin-account.md)
+ [Automatically enabling Security Hub CSPM in new organization accounts](accounts-orgs-auto-enable.md)
+ [Manually enabling Security Hub CSPM in new organization accounts](orgs-accounts-enable.md)
+ [Disassociating Security Hub CSPM member accounts from your organization](accounts-orgs-disassociate.md)

# Integrating Security Hub CSPM with AWS Organizations
<a name="designate-orgs-admin-account"></a>

To integrate AWS Security Hub CSPM and AWS Organizations, you create an organization in Organizations and use the organization management account to designate a delegated Security Hub CSPM administrator account. This enables Security Hub CSPM as a trusted service in Organizations. It also enables Security Hub CSPM in the current AWS Region for the delegated administrator account, and it allows the delegated administrator to enable Security Hub CSPM for member accounts, view data in member accounts, and perform other [allowed actions](securityhub-accounts-allowed-actions.md) on member accounts.

If you use [central configuration](central-configuration-intro.md), then the delegated administrator can also create Security Hub CSPM configuration policies that specify how the Security Hub CSPM service, standards, and controls should be configured in organization accounts.

## Creating an organization
<a name="create-organization"></a>

An organization is an entity that you create to consolidate your AWS accounts so that you can administer them as a single unit.

You can create an organization by using either the AWS Organizations console or by using a command from the AWS CLI or one of the SDK APIs. For detailed instructions, see [Create an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html) in the *AWS Organizations User Guide*.

You can use AWS Organizations to centrally view and manage all of the accounts within your organization. An organization has one management account along with zero or more member accounts. You can organize the accounts in a hierarchical, tree-like structure with a root at the top and organizational units (OUs) nested under the root. Each account can be directly under the root, or placed in one of the OUs in the hierarchy. An OU is a container for specific accounts. For example, you can create a finance OU that includes all accounts related to financial operations. 

## Recommendations for choosing the delegated Security Hub CSPM administrator
<a name="designate-admin-recommendations"></a>

If you have an administrator account in place from the manual invitation process and are transitioning to account management with AWS Organizations, we recommend designating that account as the delegated Security Hub CSPM administrator.

Although the Security Hub CSPM APIs and console allow the organization management account to be the delegated Security Hub CSPM administrator, we recommend choosing two different accounts. This is because users who have access to the organization management account to manage billing are likely to be different from users who need access to Security Hub CSPM for security management.

We recommend using the same delegated administrator across Regions. If you opt in to central configuration, Security Hub CSPM automatically designates the same delegated administrator in your home Region and any linked Regions.

## Verify permissions to configure the delegated administrator
<a name="designate-admin-permissions"></a>

To designate and remove a delegated Security Hub CSPM administrator account, the organization management account must have permissions for the `EnableOrganizationAdminAccount` and `DisableOrganizationAdminAccount` actions in Security Hub CSPM. The Organizations management account must also have administrative permissions for Organizations.

To grant all of the required permissions, attach the following Security Hub CSPM managed policies to the IAM principal for the organization management account:
+ [`AWSSecurityHubFullAccess`](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubfullaccess)
+ [`AWSSecurityHubOrganizationsAccess`](https://docs.aws.amazon.com/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhuborganizationsaccess)

## Designating the delegated administrator
<a name="designate-admin-instructions"></a>

To designate the delegated Security Hub CSPM administrator account, you can use the Security Hub CSPM console, Security Hub CSPM API, or AWS CLI. Security Hub CSPM sets the delegated administrator in the current AWS Region only, and you must repeat the action in other Regions. If you start using central configuration, then Security Hub CSPM automatically sets the same delegated administrator in the home Region and linked Regions.

The organization management account doesn't have to enable Security Hub CSPM in order to designate the delegated Security Hub CSPM administrator account.

We recommend that the organization management account is not the delegated Security Hub CSPM administrator account. However, if you do choose the organization management account as the Security Hub CSPM delegated administrator, the management account must have Security Hub CSPM enabled. If the management account does not have Security Hub CSPM enabled, you must enable Security Hub CSPM for it manually. Security Hub CSPM can't be enabled automatically for the organization management account.

You must designate the delegated Security Hub CSPM administrator using one of the following methods. A designation made with the Organizations APIs isn't reflected in Security Hub CSPM.

Choose your preferred method, and follow the steps to designate the delegated Security Hub CSPM administrator account.

------
#### [ Security Hub CSPM console ]

**To designate the delegated administrator while onboarding**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. Choose **Go to Security Hub CSPM**. You're prompted to sign in to the organization management account.

1. On the **Designate delegated administrator** page, in the **Delegated administrator account** section, specify the delegated administrator account. We recommend choosing the same delegated administrator that you have set for other AWS security and compliance services.

1. Choose **Set delegated administrator**. You're prompted to sign in to the delegated administrator account (if you're not already) to continue onboarding with central configuration. If you don't want to start central configuration, choose **Cancel**. Your delegated administrator is set, but you aren't yet using central configuration.

**To designate the delegated administrator from the Settings page**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the Security Hub CSPM navigation pane, choose **Settings**. Then choose **General**.

1. If a Security Hub CSPM administrator account is currently assigned, then before you can designate a new account, you must remove the current account.

   Under **Delegated Administrator**, to remove the current account, choose **Remove**.

1. Enter the account ID of the account you want to designate as the **Security Hub CSPM** administrator account.

   You must designate the same Security Hub CSPM administrator account in all Regions. If you designate an account that is different from the account designated in other Regions, the console returns an error.

1. Choose **Delegate**.

------
#### [ Security Hub CSPM API, AWS CLI ]

From the organization management account, use the [EnableOrganizationAdminAccount](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_EnableOrganizationAdminAccount.html) operation of the Security Hub CSPM API. If you're using the AWS CLI, run the [enable-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/securityhub/enable-organization-admin-account.html) command. Provide the AWS account ID of the delegated Security Hub CSPM administrator.

The following example designates the delegated Security Hub CSPM administrator. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub enable-organization-admin-account \
    --admin-account-id 123456789012
```

------

# Removing or changing the delegated administrator
<a name="remove-admin-overview"></a>

Only the organization management account can remove the delegated Security Hub CSPM administrator account.

To change the delegated Security Hub CSPM administrator, you must first remove the current delegated administrator account and then designate a new one.

**Warning**  
When you use [central configuration](central-configuration-intro.md), you can't use the Security Hub CSPM console or Security Hub CSPM APIs to change or remove the delegated administrator account. If the organization management account uses the AWS Organizations console or AWS Organizations APIs to change or remove the delegated Security Hub CSPM administrator, Security Hub CSPM automatically stops central configuration, and deletes your configuration policies and policy associations. Member accounts retain the configurations they had before the delegated administrator was changed or removed.

If you use the Security Hub CSPM console to remove the delegated administrator in one Region, it is automatically removed in all Regions.

The Security Hub CSPM API only removes the delegated Security Hub CSPM administrator account from the Region where the API call or command is issued. You must repeat the action in other Regions.

If you use the Organizations API to remove the delegated Security Hub CSPM administrator account, it is automatically removed in all Regions.

## Removing the delegated administrator (Organizations API, AWS CLI)
<a name="remove-admin-orgs"></a>

You can use Organizations to remove the delegated Security Hub CSPM administrator in all Regions.

If you use central configuration to manage accounts, removing the delegated administrator account results in the deletion of your configuration policies and policy associations. Member accounts retain the configurations that they had before the delegated administrator was changed or removed. However, these accounts can't be managed by the removed delegated administrator account anymore. They become self-managed accounts that must be configured separately in each Region.

Choose your preferred method, and follow the instructions to remove the delegated Security Hub CSPM administrator account with AWS Organizations.

------
#### [ Organizations API, AWS CLI ]

**To remove the delegated Security Hub CSPM administrator**

From the organization management account, use the [DeregisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html) operation of the Organizations API. If you're using the AWS CLI, run the [deregister-delegated-administrator](https://docs.aws.amazon.com/cli/latest/reference/organizations/deregister-delegated-administrator.html) command. Provide the account ID of the delegated administrator, and the service principal for Security Hub CSPM, which is `securityhub.amazonaws.com`.

The following example removes the delegated Security Hub CSPM administrator. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws organizations deregister-delegated-administrator \
    --account-id 123456789012 \
    --service-principal securityhub.amazonaws.com
```

------

## Removing the delegated administrator (Security Hub CSPM console)
<a name="remove-admin-console"></a>

You can use the Security Hub CSPM console to remove the delegated Security Hub CSPM administrator in all Regions.

When the delegated Security Hub CSPM administrator account is removed, the member accounts are disassociated from the removed delegated Security Hub CSPM administrator account.

Security Hub CSPM is still enabled in the member accounts. They become standalone accounts until a new Security Hub CSPM administrator enables them as member accounts.

If the organization management account isn't an enabled account in Security Hub CSPM, then use the option on the **Welcome to Security Hub CSPM** page.

**To remove the delegated Security Hub CSPM administrator account from the Welcome to Security Hub CSPM page**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. Choose **Go to Security Hub**.

1. Under **Delegated Administrator**, choose **Remove**.

If the organization management account is an enabled account in **Security Hub**, then use the option on the **General** tab of the **Settings** page.

**To remove the delegated Security Hub CSPM administrator account from the Settings page**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the Security Hub CSPM navigation pane, choose **Settings**. Then choose **General**.

1. Under **Delegated Administrator**, choose **Remove**.

## Removing the delegated administrator (Security Hub CSPM API, AWS CLI)
<a name="remove-admin-api"></a>

You can use the Security Hub CSPM API or Security Hub CSPM operations for the AWS CLI to remove the delegated Security Hub CSPM administrator. When you remove the delegated administrator with one of these methods, it is only removed in the Region where the API call or command was issued. Security Hub CSPM doesn't update other Regions, and it doesn't remove the delegated administrator account in AWS Organizations.

Choose your preferred method, and follow these steps to remove the delegated Security Hub CSPM administrator account with Security Hub CSPM.

------
#### [ Security Hub CSPM API, AWS CLI ]

**To remove the delegated Security Hub CSPM administrator**

From the organization management account, use the [DisableOrganizationAdminAccount](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableOrganizationAdminAccount.html) operation of the Security Hub CSPM API. If you're using the AWS CLI, run the [disable-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disable-organization-admin-account.html) command. Provide the account ID of the delegated Security Hub CSPM administrator.

The following example removes the delegated Security Hub CSPM administrator. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub disable-organization-admin-account \
    --admin-account-id 123456789012
```

------
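
Because the Security Hub CSPM API designates and removes the delegated administrator one Region at a time and leaves the AWS Organizations registration untouched, and because a designation made through the Organizations APIs isn't reflected in Security Hub CSPM, the two views can disagree. The following is an added example, not part of the AWS documentation, that reconciles them from the organization management account. The function names, finding labels, and sample account IDs are constructed for illustration; the boto3 calls used are `list_delegated_administrators` and `list_organization_admin_accounts`.

```python
"""Reconcile the Security Hub CSPM delegated administrator (DA) across Regions.

Added example. Flags the states the documentation describes:
  * a Region in which no DA is designated,
  * a Region whose DA differs from the Organizations registration,
  * an Organizations registration that no audited Region reflects.
"""

SERVICE_PRINCIPAL = "securityhub.amazonaws.com"


def reconcile(org_registered, per_region):
    """Compare the Organizations registration with per-Region Security Hub state.

    org_registered: set of account IDs registered in AWS Organizations as
                    delegated administrator for securityhub.amazonaws.com.
    per_region:     dict of Region name -> set of account IDs that Security Hub
                    reports as ENABLED organization admin in that Region.
    Returns a sorted list of (scope, issue, detail); an empty list means the
    two views agree in every audited Region.
    """
    findings = []
    seen_in_some_region = set()

    for region, admins in per_region.items():
        seen_in_some_region |= admins
        if not admins:
            findings.append((region, "NO_DA",
                             "no delegated administrator designated in this Region"))
        elif admins != org_registered:
            findings.append((region, "MISMATCH",
                             f"Security Hub reports {sorted(admins)}, "
                             f"Organizations lists {sorted(org_registered)}"))

    # Registered in Organizations but not designated in any audited Region:
    # the state left by per-Region removal in every Region, or by a
    # designation made only through the Organizations APIs.
    for account in sorted(org_registered - seen_in_some_region):
        findings.append(("organizations", "STALE_REGISTRATION",
                         f"{account} is registered but is not the DA in any audited Region"))

    return sorted(findings)


def collect(regions):
    """Read live state with boto3, using organization management account credentials."""
    import boto3  # imported here so reconcile() stays usable without the SDK

    org = boto3.client("organizations")
    registered, token = set(), None
    while True:  # Organizations list operations can return NextToken on any page
        kwargs = {"ServicePrincipal": SERVICE_PRINCIPAL}
        if token:
            kwargs["NextToken"] = token
        page = org.list_delegated_administrators(**kwargs)
        registered.update(entry["Id"] for entry in page["DelegatedAdministrators"])
        token = page.get("NextToken")
        if not token:
            break

    per_region = {}
    for region in regions:
        hub = boto3.client("securityhub", region_name=region)
        page = hub.list_organization_admin_accounts()
        per_region[region] = {
            entry["AccountId"]
            for entry in page["AdminAccounts"]
            if entry.get("Status") == "ENABLED"
        }
    return registered, per_region


if __name__ == "__main__":
    import sys

    # Regions to audit are passed as arguments, for example: us-east-1 eu-west-1
    registered, per_region = collect(sys.argv[1:])
    for scope, issue, detail in reconcile(registered, per_region):
        print(scope, issue, detail, sep="\t")
```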

# Disabling Security Hub CSPM integration with AWS Organizations
<a name="disable-orgs-integration"></a>

After an AWS Organizations organization is integrated with AWS Security Hub CSPM, the Organizations management account can subsequently disable the integration. As a user of the Organizations management account, you can do this by disabling trusted access for Security Hub CSPM in AWS Organizations.

When you disable trusted access for Security Hub CSPM, the following occurs:
+ Security Hub CSPM loses its status as a trusted service in AWS Organizations.
+ The Security Hub CSPM delegated administrator account loses access to Security Hub CSPM settings, data, and resources for all Security Hub CSPM member accounts in all AWS Regions.
+ If you were using [central configuration](central-configuration-intro.md), Security Hub CSPM automatically stops using it for your organization. Your configuration policies and policy associations are deleted. Accounts retain the configurations that they had before you disabled trusted access.
+ All Security Hub CSPM member accounts become standalone accounts and retain their current settings. If Security Hub CSPM was enabled for a member account in one or more Regions, Security Hub CSPM continues to be enabled for the account in those Regions. Enabled standards and controls are also unchanged. You can change these settings separately in each account and Region. However, the account is no longer associated with a delegated administrator in any Region.

For additional information about the results of disabling trusted service access, see [Using AWS Organizations with other AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) in the *AWS Organizations User Guide*. 

To disable trusted access, you can use the AWS Organizations console, Organizations API, or the AWS CLI. Only a user of the Organizations management account can disable trusted service access for Security Hub CSPM. For details about the permissions that you need, see [Permissions required to disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_trusted_access_disable_perms) in the *AWS Organizations User Guide*.

Before you disable trusted access, we recommend working with the delegated administrator for your organization to disable Security Hub CSPM in member accounts and to clean up Security Hub CSPM resources in those accounts.

Choose your preferred method, and follow the steps to disable trusted access for Security Hub CSPM.

------
#### [ Organizations console ]

**To disable trusted access for Security Hub CSPM**

1. Sign in to the AWS Management Console using the credentials of the AWS Organizations management account.

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. In the navigation pane, choose **Services**.

1. Under **Integrated services**, choose **AWS Security Hub CSPM**.

1. Choose **Disable trusted access**.

1. Confirm that you want to disable trusted access.

------
#### [ Organizations API ]

**To disable trusted access for Security Hub CSPM**

Invoke the [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html) operation of the AWS Organizations API. For the `ServicePrincipal` parameter, specify the Security Hub CSPM service principal (`securityhub.amazonaws.com`).

------
#### [ AWS CLI ]

**To disable trusted access for Security Hub CSPM**

Run the [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html) command for AWS Organizations. For the `service-principal` parameter, specify the Security Hub CSPM service principal (`securityhub.amazonaws.com`).

**Example:**

```
aws organizations disable-aws-service-access --service-principal securityhub.amazonaws.com
```

------

# Automatically enabling Security Hub CSPM in new organization accounts
<a name="accounts-orgs-auto-enable"></a>

When new accounts join your organization, they are added to the list on the **Accounts** page of the AWS Security Hub CSPM console. For organization accounts, **Type** is **By organization**. By default, new accounts don't become Security Hub CSPM members when they join the organization. Their status is **Not a member**. The delegated administrator account can automatically add new accounts as members and enable Security Hub CSPM in these accounts when they join the organization.

**Note**  
Although many AWS Regions are active by default for your AWS account, you must activate certain Regions manually. These Regions are called opt-in Regions in this document. To automatically enable Security Hub CSPM in a new account in an opt-in Region, the account must have that Region activated first. Only the account owner can activate the opt-in Region. For more information about opt-in Regions, see [Specify which AWS Regions your account can use](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html).

This process is different based on whether you use central configuration (recommended) or local configuration.

## Automatically enabling new organization accounts (central configuration)
<a name="central-configuration-auto-enable"></a>

If you use [central configuration](central-configuration-intro.md), you can automatically enable Security Hub CSPM in new and existing organization accounts by creating a configuration policy in which Security Hub CSPM is enabled. You can then associate the policy with the organization root or specific organizational units (OUs).

If you associate a configuration policy in which Security Hub CSPM is enabled with a specific OU, Security Hub CSPM is automatically enabled in all accounts (existing and new) that belong to that OU. New accounts that don't belong to the OU are self-managed and don't automatically have Security Hub CSPM enabled. If you associate a configuration policy in which Security Hub CSPM is enabled with the root, Security Hub CSPM is automatically enabled in all accounts (existing and new) that join the organization. The exceptions are if an account uses a different policy through application or inheritance, or is self-managed.

In your configuration policy, you can also define which security standards and controls should be enabled in the OU. To generate control findings for enabled standards, the accounts in the OU must have AWS Config enabled and configured to record required resources. For more information about AWS Config recording, see [Enabling and configuring AWS Config](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html).

For instructions on creating a configuration policy, see [Creating and associating configuration policies](create-associate-policy.md).
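
The association rules above decide which accounts end up with Security Hub CSPM enabled when a policy is attached to an OU or to the root. The following Python model is an added example, not AWS code: the OU names, policy names, and the `resolve`, `join`, and `coverage` helpers are hypothetical, and it assumes that the nearest association on the path from an account to the root wins, including for nested OUs.

```python
SELF_MANAGED = "self-managed"  # marker used by this model only, not an API value

# Constructed organization: child id -> parent id (the root has no parent).
PARENTS = {
    "r-root": None,
    "ou-prod": "r-root",
    "ou-pci": "ou-prod",
    "ou-sandbox": "r-root",
    "111111111111": "ou-prod",
    "222222222222": "ou-pci",
    "333333333333": "ou-sandbox",
    "444444444444": "r-root",
}

# Constructed configuration policies.
POLICIES = {
    "sh-on": {"securityhub_enabled": True},
    "sh-off": {"securityhub_enabled": False},
}

# Scenario 1: the enabling policy is associated with one OU only.
OU_ONLY = {"ou-prod": "sh-on"}

# Scenario 2: the enabling policy is on the root, with two exceptions.
ROOT_WITH_EXCEPTIONS = {
    "r-root": "sh-on",
    "ou-sandbox": "sh-off",            # a different policy applied to an OU
    "444444444444": SELF_MANAGED,      # an account that manages itself
}


def resolve(target, parents, associations, policies):
    """Walk from the target up to the root; the first association found wins."""
    node = target
    while node is not None:
        applied = associations.get(node)
        if applied is not None:
            how = "applied" if node == target else "inherited"
            enabled = (
                None if applied == SELF_MANAGED
                else policies[applied]["securityhub_enabled"]
            )
            return {"policy": applied, "from": node, "how": how, "enabled": enabled}
        node = parents[node]  # KeyError here means the id is not in the org
    # No association anywhere on the path: central configuration leaves it alone.
    return {"policy": SELF_MANAGED, "from": None, "how": "default", "enabled": None}


def join(parents, account_id, parent_id):
    """Return a copy of the org with a new account placed under parent_id."""
    updated = dict(parents)
    updated[account_id] = parent_id
    return updated


def coverage(parents, associations, policies):
    """Map every account to True, False, or None (None means self-managed)."""
    return {
        node: resolve(node, parents, associations, policies)["enabled"]
        for node in parents
        if node.isdigit()
    }


if __name__ == "__main__":
    for name, scenario in (("OU only", OU_ONLY), ("root", ROOT_WITH_EXCEPTIONS)):
        print(name)
        for account, enabled in coverage(PARENTS, scenario, POLICIES).items():
            print("  ", account, enabled)
```

Accounts that resolve to `None` are the coverage gaps to review: central configuration does not enable Security Hub CSPM in them, so they need a policy association or manual enablement.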

## Automatically enabling new organization accounts (local configuration)
<a name="limited-configuration-auto-enable"></a>

When you use local configuration and turn on automatic enablement of default standards, Security Hub CSPM adds *new* organization accounts as members and enables Security Hub CSPM in them in the current Region. Other Regions aren't affected. In addition, turning on automatic enablement doesn't enable Security Hub CSPM in *existing* organization accounts unless they were already added as member accounts.

After turning on automatic enablement, default security standards are enabled for new member accounts in the current Region when they join the organization. The default standards are AWS Foundational Security Best Practices (FSBP) and Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0. You can't change the default standards. If you want to enable other standards throughout your organization, or enable standards for select accounts and OUs, we recommend using central configuration.

To generate control findings for the default standards (and other enabled standards), accounts in your organization must have AWS Config enabled and configured to record required resources. For more information about AWS Config recording, see [Enabling and configuring AWS Config](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html).

Choose your preferred method, and follow the steps to automatically enable Security Hub CSPM in new organization accounts. These instructions apply only if you use local configuration.

------
#### [ Security Hub CSPM console ]

**To automatically enable new organization accounts as Security Hub CSPM members**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the credentials of the delegated administrator account.

1. In the Security Hub CSPM navigation pane, under **Settings**, choose **Configuration**.

1. In the **Accounts** section, turn on **Auto-enable accounts**.

------
#### [ Security Hub CSPM API ]

**To automatically enable new organization accounts as Security Hub CSPM members**

Invoke the [`UpdateOrganizationConfiguration`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html) API from the delegated administrator account. Set the `AutoEnable` field to `true` to automatically enable Security Hub CSPM in new organization accounts.

------
#### [ AWS CLI ]

**To automatically enable new organization accounts as Security Hub CSPM members**

Run the [`update-organization-configuration`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/update-organization-configuration.html) command from the delegated administrator account. Include the `auto-enable` parameter to automatically enable Security Hub CSPM in new organization accounts.

```
aws securityhub update-organization-configuration --auto-enable
```

------

# Manually enabling Security Hub CSPM in new organization accounts
<a name="orgs-accounts-enable"></a>

If you don't automatically enable Security Hub CSPM in new organization accounts when they join the organization, then you can add those accounts as members and enable Security Hub CSPM in them manually after they join the organization. You must also manually enable Security Hub CSPM in AWS accounts that you previously disassociated from an organization.

**Note**  
This section doesn't apply to you if you use [central configuration](central-configuration-intro.md). If you use central configuration, you can create configuration policies that enable Security Hub CSPM in specified member accounts and organizational units (OUs). You can also enable specific standards and controls in those accounts and OUs.

You can't enable Security Hub CSPM in an account if it is already a member account within a different organization.

You also can't enable Security Hub CSPM in an account that is currently suspended. If you try to enable the service in a suspended account, the account status changes to **Account Suspended**.
+ If the account doesn't have Security Hub CSPM enabled, Security Hub CSPM is enabled in that account. The AWS Foundational Security Best Practices (FSBP) standard and CIS AWS Foundations Benchmark v1.2.0 also are enabled in the account unless you turn off default security standards.

  The exception to this is the Organizations management account. Security Hub CSPM cannot be enabled automatically in the Organizations management account. You must manually enable Security Hub CSPM in the Organizations management account before you can add it as a member account.
+ If the account already has Security Hub CSPM enabled, Security Hub CSPM doesn't make any other changes to the account. It only enables the membership.

In order for Security Hub CSPM to generate control findings, member accounts must have AWS Config enabled and configured to record required resources. For more information, see [Enabling and configuring AWS Config](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html).

Choose your preferred method, and follow the steps to enable an organization account as a Security Hub CSPM member account.

------
#### [ Security Hub CSPM console ]

**To manually enable organization accounts as Security Hub CSPM members**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the credentials of the delegated administrator account.

1. In the Security Hub CSPM navigation pane, under **Settings**, choose **Configuration**.

1. In the **Accounts** list, select each organization account that you want to enable.

1. Choose **Actions**, and then choose **Add member**.

------
#### [ Security Hub CSPM API ]

**To manually enable organization accounts as Security Hub CSPM members**

Invoke the [`CreateMembers`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_CreateMembers.html) API from the delegated administrator account. For each account to enable, provide the account ID.

Unlike the manual invitation process, when you invoke `CreateMembers` to enable an organization account, you don't need to send an invitation.

------
#### [ AWS CLI ]

**To manually enable organization accounts as Security Hub CSPM members**

Run the [`create-members`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/create-members.html) command from the delegated administrator account. For each account to enable, provide the account ID.

Unlike the manual invitation process, when you run `create-members` to enable an organization account, you don't need to send an invitation.

```
aws securityhub create-members --account-details '[{"AccountId": "<accountId>"}]'
```

**Example**

```
aws securityhub create-members --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'
```

------

# Disassociating Security Hub CSPM member accounts from your organization
<a name="accounts-orgs-disassociate"></a>

To stop receiving and viewing findings from an AWS Security Hub CSPM member account, you can disassociate the member account from your organization.

**Note**  
If you use [central configuration](central-configuration-intro.md), disassociation works differently. You can create a configuration policy that disables Security Hub CSPM in one or more centrally managed member accounts. After that, these accounts are still part of the organization, but won't generate Security Hub CSPM findings. If you use central configuration but also have manually-invited member accounts, you can disassociate one or more manually-invited accounts.

Member accounts that are managed using AWS Organizations can't disassociate their accounts from the administrator account. Only the administrator account can disassociate a member account.

Disassociating a member account does not close the account. Instead, it removes the member account from the organization. The disassociated member account becomes a standalone AWS account that is no longer managed by the Security Hub CSPM integration with AWS Organizations.

Choose your preferred method, and follow the steps to disassociate a member account from the organization.

------
#### [ Security Hub CSPM console ]

**To disassociate a member account from the organization**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the credentials of the delegated administrator account.

1. In the navigation pane, under **Settings**, choose **Configuration**.

1. In the **Accounts** section, select the accounts that you want to disassociate. If you use central configuration, you can select a manually-invited account to disassociate from the **Invitation accounts** tab. This tab is visible only if you use central configuration.

1. Choose **Actions**, and then choose **Disassociate account**.

------
#### [ Security Hub CSPM API ]

**To disassociate a member account from the organization**

Invoke the [`DisassociateMembers`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisassociateMembers.html) API from the delegated administrator account. You must provide the AWS account IDs for the member accounts to disassociate. To view a list of member accounts, invoke the [`ListMembers`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListMembers.html) API.

------
#### [ AWS CLI ]

**To disassociate a member account from the organization**

Run the [`disassociate-members`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disassociate-members.html) command from the delegated administrator account. You must provide the AWS account IDs for the member accounts to disassociate. To view a list of member accounts, run the [`list-members`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-members.html) command.

```
aws securityhub disassociate-members --account-ids "<accountIds>"
```

**Example**

```
aws securityhub disassociate-members --account-ids "123456789111" "123456789222"
```

------

You can also use the AWS Organizations console, AWS CLI, or AWS SDKs to disassociate a member account from your organization. For more information, see [Removing a member account from your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html) in the *AWS Organizations User Guide*.

# Managing accounts by invitation in Security Hub CSPM
<a name="account-management-manual"></a>

You can centrally manage multiple AWS Security Hub CSPM accounts in two ways, by integrating Security Hub CSPM with AWS Organizations or by manually sending and accepting membership invitations. You must use the manual process if you have a standalone account or you don't integrate with AWS Organizations. In manual account management, the Security Hub CSPM administrator invites accounts to become members. The administrator-member relationship is established when a prospective member accepts the invitation. A Security Hub CSPM administrator account can manage Security Hub CSPM for up to 1,000 invitation-based member accounts.

**Note**  
If you create an invitation-based organization in Security Hub CSPM, you can subsequently [transition to using AWS Organizations](accounts-transition-to-orgs.md) instead. If you have more than one member account, we recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

Cross-Region aggregation of findings and other data is available for accounts that you invite through the manual invitation process. However, the administrator must invite the member account from the aggregation Region and all linked Regions in order for cross-Region aggregation to work. In addition, the member account must have Security Hub CSPM enabled in the aggregation Region and all linked Regions to give the administrator the ability to view findings from the member account.

Configuration policies aren't supported for manually-invited member accounts. Instead, you must configure Security Hub CSPM settings separately in each member account and AWS Region when you use the manual invitation process.

You must also use the manual invitation-based process for accounts that don't belong to your organization. For example, you might not include a test account in your organization. Or, you might want to consolidate accounts from multiple organizations under a single Security Hub CSPM administrator account. The Security Hub CSPM administrator account must send invitations to accounts that belong to other organizations.

On the **Configuration** page of the Security Hub CSPM console, accounts that were added by invitation are listed in the **Invitation accounts** tab. If you use [central configuration](central-configuration-intro.md), but also invite accounts outside of your organization, you can view findings from invitation-based accounts in this tab. However, the Security Hub CSPM administrator can't configure invitation-based accounts across Regions through the use of configuration policies.

The topics in this section explain how to manage member accounts through invitations.

**Topics**
+ [Adding and inviting member accounts in Security Hub CSPM](securityhub-accounts-add-invite.md)
+ [Responding to an invitation to be a Security Hub CSPM member account](securityhub-invitation-respond.md)
+ [Disassociating member accounts in Security Hub CSPM](securityhub-disassociate-members.md)
+ [Deleting member accounts in Security Hub CSPM](securityhub-delete-member-accounts.md)
+ [Disassociating from a Security Hub CSPM administrator account](securityhub-disassociate-from-admin.md)
+ [Transitioning to Organizations to manage accounts in Security Hub CSPM](accounts-transition-to-orgs.md)

# Adding and inviting member accounts in Security Hub CSPM
<a name="securityhub-accounts-add-invite"></a>

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

Your account becomes the AWS Security Hub CSPM administrator for accounts that accept your invitation to become a Security Hub CSPM member account.

When you accept an invitation from another account, your account becomes a member account, and that account becomes your administrator.

If your account is an administrator account, you can't accept an invitation to become a member account.

Adding a member account consists of the following steps:

1. The administrator account adds the member account to their list of member accounts.

1. The administrator account sends an invitation to the member account.

1. The member account accepts the invitation. 

## Adding member accounts
<a name="securityhub-add-accounts"></a>

From the Security Hub CSPM console, you can add accounts to your list of member accounts. In the Security Hub CSPM console, you can select accounts individually, or upload a `.csv` file that contains the account information.

For each account, you must provide the account ID and an email address. The email address should be the email address to contact about security issues in the account. It is not used to verify the account.

Choose your preferred method, and follow the steps to add member accounts.

------
#### [ Security Hub CSPM console ]

**To add accounts to your list of member accounts**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the credentials of the administrator account.

1. In the left pane, choose **Settings**.

1. On the **Settings** page, choose **Accounts** and then choose **Add accounts**. You can then either add accounts individually or upload a `.csv` file containing the list of accounts.

1. To select the accounts, do one of the following:
   + To add the accounts individually, under **Enter accounts**, enter the account ID and email address of the account to add, and then choose **Add**.

     Repeat this process for each account.
   + To use a comma-separated values (.csv) file to add multiple accounts, first create the file. The file must contain the account ID and email address for each account to add.

     In your `.csv` list, accounts must appear one per line. The first line of the `.csv` file must contain the header. In the header, the first column is **Account ID** and the second column is **Email**.

     Each subsequent line must contain a valid account ID and email address for the account to add.

     Here is an example of a `.csv` file when viewed in a text editor.

     ```
     Account ID,Email
     111111111111,user@example.com
     ```

     In a spreadsheet program, the fields appear in separate columns. The underlying format is still comma-separated. You must format the account IDs as non-decimal numbers. For example, the account ID 444455556666 cannot be formatted as 444455556666.0. Also make sure that the number formatting does not remove any leading zeros from the account ID.

     To select the file, on the console, choose **Upload list (.csv)**. Then choose **Browse**.

     After you select the file, choose **Add accounts**.

1. After you finish adding accounts, under **Accounts to be added**, choose **Next**.

------
#### [ Security Hub CSPM API ]

**To add accounts to your list of member accounts**

Invoke the [`CreateMembers`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_CreateMembers.html) API from the administrator account. For each member account to add, you must provide the AWS account ID.

------
#### [ AWS CLI ]

**To add accounts to your list of member accounts**

Run the [`create-members`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/create-members.html) command from the administrator account. For each member account to add, you must provide the AWS account ID.

```
aws securityhub create-members --account-details '[{"AccountId": "<accountID1>"}]'
```

**Example**

```
aws securityhub create-members --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'
```

------
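
The `.csv` rules above (fixed header, one account per line, no decimal formatting, leading zeros preserved) can be checked before you upload the file or pass the IDs to `create-members`. The following Python validator is an added example, not part of the original guide or of any AWS tool; the function names and the sample file are constructed for illustration.

```python
import csv
import io
import json
import re

EXPECTED_HEADER = ["Account ID", "Email"]
ACCOUNT_ID = re.compile(r"[0-9]{12}")  # AWS account IDs are exactly 12 digits


def explain_bad_id(value):
    """Name the likely spreadsheet damage behind an invalid account ID."""
    if re.fullmatch(r"[0-9]+\.0+", value):
        return "is formatted as a decimal number"
    if re.fullmatch(r"[0-9](\.[0-9]+)?[eE]\+?[0-9]+", value):
        return "is in scientific notation"
    if re.fullmatch(r"[0-9]{1,11}", value):
        return "has fewer than 12 digits (leading zeros stripped?)"
    return "is not a 12-digit account ID"


def parse_member_csv(text):
    """Return (accounts, errors); accounts is a list of (account_id, email)."""
    accounts, errors, seen = [], [], set()
    # Some spreadsheet exports prepend a byte order mark; drop it before parsing.
    rows = list(csv.reader(io.StringIO(text.lstrip("\ufeff"))))
    if not rows or [cell.strip() for cell in rows[0]] != EXPECTED_HEADER:
        return [], ["line 1: header must be 'Account ID,Email'"]
    for lineno, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # blank line, for example at the end of the file
        if len(row) != 2:
            errors.append(f"line {lineno}: expected 2 columns, found {len(row)}")
            continue
        account_id, email = (cell.strip() for cell in row)
        if not ACCOUNT_ID.fullmatch(account_id):
            errors.append(f"line {lineno}: {account_id!r} {explain_bad_id(account_id)}")
        elif account_id in seen:
            errors.append(f"line {lineno}: {account_id} is listed more than once")
        elif not re.fullmatch(r"[^@\s,]+@[^@\s,]+", email):
            errors.append(f"line {lineno}: {email!r} is not an email address")
        else:
            seen.add(account_id)
            accounts.append((account_id, email))
    return accounts, errors


def account_details_json(accounts):
    """Build the --account-details value; IDs stay strings so zeros survive."""
    return json.dumps([{"AccountId": account_id} for account_id, _ in accounts])


# Constructed sample file showing the damage a spreadsheet export can cause.
SAMPLE_CSV = (
    "\ufeffAccount ID,Email\n"
    "111111111111,user@example.com\n"
    "444455556666.0,ops@example.com\n"
    "12345678901,sec@example.com\n"
    "012345678901,lead@example.com\n"
    "111111111111,dup@example.com\n"
    "\n"
)

if __name__ == "__main__":
    ok, problems = parse_member_csv(SAMPLE_CSV)
    for problem in problems:
        print("REJECT", problem)
    print("aws securityhub create-members --account-details",
          repr(account_details_json(ok)))
```

Rejected lines are reported rather than repaired, because a truncated or reformatted ID could otherwise be silently turned into a different account's ID.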

## Inviting member accounts
<a name="securityhub-invite-accounts"></a>

After you add the member accounts, you send an invitation to the member account. You can also resend an invitation to an account that you disassociated from the administrator.

------
#### [ Security Hub CSPM console ]

**To invite prospective member accounts**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the credentials of the administrator account.

1. In the navigation pane, choose **Settings**, and then choose **Accounts**. 

1. For the account to invite, choose **Invite** in the **Status** column.

1. When prompted to confirm, choose **Invite**.

**Note**  
To resend invitations to disassociated accounts, select each disassociated account on the **Accounts** page. For **Actions**, choose **Resend invitation**.

------
#### [ Security Hub CSPM API ]

**To invite prospective member accounts**

Invoke the [`InviteMembers`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_InviteMembers.html) API from the administrator account. For each account to invite, you must provide the AWS account ID.

------
#### [ AWS CLI ]

**To invite prospective member accounts**

Run the [`invite-members`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/invite-members.html) command from the administrator account. For each account to invite, you must provide the AWS account ID.

```
aws securityhub invite-members --account-ids <accountIDs>
```

**Example**

```
aws securityhub invite-members --account-ids "123456789111" "123456789222"
```

------

# Responding to an invitation to be a Security Hub CSPM member account
<a name="securityhub-invitation-respond"></a>

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

You can accept or decline an invitation to be an AWS Security Hub CSPM member account.

If you accept an invitation, your account becomes a Security Hub CSPM member account. The account that sent the invitation becomes your Security Hub CSPM administrator account. The administrator account user can view findings for your member account in Security Hub CSPM.

If you decline the invitation, then your account is marked as **Resigned** on the administrator account's list of member accounts.

You can only accept one invitation to be a member account.

Before you can accept or decline an invitation, you must enable Security Hub CSPM.

Remember that all Security Hub CSPM accounts must have AWS Config enabled and configured to record all resources. For details on the requirement for AWS Config, see [Enabling and configuring AWS Config](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-prereq-config.html).

## Accepting an invitation
<a name="securityhub-accept-invitation"></a>

You can send an invitation to be a Security Hub CSPM member account from the administrator account. You can then accept the invitation after signing in to the member account.

Choose your preferred method, and follow the steps to accept an invitation to be a member account.

------
#### [ Security Hub CSPM console ]

**To accept a membership invitation**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Settings**, and then choose **Accounts**.

1. In the **Administrator account** section, turn on **Accept**, and then choose **Accept invitation**.

------
#### [ Security Hub CSPM API ]

**To accept a membership invitation**

Invoke the [`AcceptAdministratorInvitation`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AcceptAdministratortInvitation.html) API. You must provide the invitation identifier and the AWS account ID of the administrator account. To retrieve details about the invitation, use the [`ListInvitations`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListInvitations.html) operation.

------
#### [ AWS CLI ]

**To accept a membership invitation**

Run the [`accept-administrator-invitation`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/accept-administrator-invitation.html) command. You must provide the invitation identifier and the AWS account ID of the administrator account. To retrieve details about the invitation, run the [`list-invitations`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-invitations.html) command.

```
aws securityhub accept-administrator-invitation --administrator-id <administratorAccountID> --invitation-id <invitationID>
```

**Example**

```
aws securityhub accept-administrator-invitation --administrator-id 123456789012 --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb
```

------

**Note**  
The Security Hub CSPM console continues to use `AcceptInvitation`. It will eventually change to use `AcceptAdministratorInvitation`. Any IAM policies that specifically control access to this function must continue to use `AcceptInvitation`. You should also add `AcceptAdministratorInvitation` to your policies to ensure that the correct permissions are in place after the console begins to use `AcceptAdministratorInvitation`.
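
To find IAM policies affected by this note, you can look for statements that name one of the two actions but not the other. The following Python check is an added example, not AWS tooling; `audit_policy` and the sample policy are constructed for illustration, and it inspects only the `Action` element (statements that use `NotAction` are skipped).

```python
import re

OLD = "securityhub:AcceptInvitation"               # still called by the console
NEW = "securityhub:AcceptAdministratorInvitation"  # the console will move to this


def _as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def _covers(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def audit_policy(policy):
    """Return (sid, effect, missing_action) for statements covering only one."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        patterns = _as_list(stmt.get("Action", []))
        has_old = any(_covers(p, OLD) for p in patterns)
        has_new = any(_covers(p, NEW) for p in patterns)
        if has_old != has_new:
            sid = stmt.get("Sid", f"statement[{index}]")
            findings.append((sid, stmt["Effect"], NEW if has_old else OLD))
    return findings


# Constructed sample policy covering the cases worth distinguishing.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ConsoleAcceptOnly", "Effect": "Allow",
         "Action": "securityhub:AcceptInvitation", "Resource": "*"},
        {"Sid": "BothNamed", "Effect": "Allow",
         "Action": ["securityhub:AcceptInvitation",
                    "securityhub:AcceptAdministratorInvitation"],
         "Resource": "*"},
        {"Sid": "WildcardCoversBoth", "Effect": "Allow",
         "Action": "securityhub:Accept*", "Resource": "*"},
        {"Sid": "DenyNewNameOnly", "Effect": "Deny",
         "Action": ["securityhub:AcceptAdministratorInvitation"],
         "Resource": "*"},
        {"Sid": "Unrelated", "Effect": "Allow",
         "Action": "securityhub:GetFindings", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, effect, missing in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {effect} statement does not cover {missing}")
```

A flagged `Allow` statement will stop working for console users once the console switches operations; a flagged `Deny` statement does not block the operation it omits, so the restriction it was written to enforce is incomplete.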

## Declining an invitation
<a name="securityhub-decline-invitation"></a>

You can decline an invitation to be a Security Hub CSPM member account. When you decline an invitation in the Security Hub CSPM console, your account is marked as **Resigned** on the administrator account's list of member accounts. The **Resigned** status appears only when you sign in to the Security Hub CSPM console using the administrator account. However, the invitation remains unchanged in the console for the member account until you sign in to the administrator account and delete the invitation.

To decline an invitation, you must sign in to the member account that received the invitation.

Choose your preferred method, and follow the steps to decline an invitation to be a member account.

------
#### [ Security Hub CSPM console ]

**To decline a membership invitation**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Settings**, and then choose **Accounts**.

1. In the **Administrator account** section, choose **Decline invitation**.

------
#### [ Security Hub CSPM API ]

**To decline a membership invitation**

Invoke the [`DeclineInvitations`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DeclineInvitations.html) API. You must provide the AWS account ID of the administrator account that issued the invitation. To view information about your invitations, use the [`ListInvitations`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListInvitations.html) operation.

------
#### [ AWS CLI ]

**To decline a membership invitation**

Run the [`decline-invitations`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/decline-invitations.html) command. You must provide the AWS account ID of the administrator account that issued the invitation. To view information about your invitations, run the [`list-invitations`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-invitations.html) command.

```
aws securityhub decline-invitations --account-ids "<administratorAccountId>"
```

**Example**

```
aws securityhub decline-invitations --account-ids "123456789012"
```

------

# Disassociating member accounts in Security Hub CSPM
<a name="securityhub-disassociate-members"></a>

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

An AWS Security Hub CSPM administrator account can disassociate a member account to stop receiving and viewing findings from that account. You must disassociate a member account before you can delete it.

When you disassociate a member account, it remains in your list of member accounts with a status of **Removed (Disassociated)**. Your account is removed from the administrator account information for the member account.

To resume receiving findings for the account, you can resend the invitation. To remove the member account entirely, you can delete the member account.

Choose your preferred method, and follow the steps to disassociate a manually-invited member account from the administrator account.

------
#### [ Security Hub CSPM console ]

**To disassociate a manually-invited member account**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the credentials of the administrator account.

1. In the navigation pane, under **Settings**, choose **Configuration**.

1. In the **Accounts** section, select the accounts that you want to disassociate.

1. Choose **Actions**, and then choose **Disassociate account**.

------
#### [ Security Hub CSPM API ]

**To disassociate a manually-invited member account**

Invoke the [DisassociateMembers](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisassociateMembers.html) API from the administrator account. You must provide the AWS account IDs of the member accounts that you want to disassociate. To view a list of member accounts, use the [ListMembers](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListMembers.html) operation.

------
#### [ AWS CLI ]

**To disassociate a manually-invited member account**

Run the [disassociate-members](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disassociate-members.html) command from the administrator account. You must provide the AWS account IDs of the member accounts that you want to disassociate. To view a list of member accounts, run the [list-members](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-members.html) command.

```
aws securityhub disassociate-members --account-ids <accountIds>
```

**Example**

```
aws securityhub disassociate-members --account-ids "123456789111" "123456789222"
```

------

# Deleting member accounts in Security Hub CSPM
<a name="securityhub-delete-member-accounts"></a>

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

As an AWS Security Hub CSPM administrator account, you can delete member accounts that were added by invitation. Before you can delete an enabled account, you must disassociate it.

When you delete a member account, it is completely removed from the list. To restore the account's membership, you must add and invite it again as if it were a completely new member account.

You can't delete accounts that belong to an organization and that are managed using the integration with AWS Organizations.

Choose your preferred method, and follow the steps to delete manually-invited member accounts.

------
#### [ Security Hub CSPM console ]

**To delete a manually-invited member account**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

   Sign in using the administrator account.

1. In the navigation pane, choose **Settings**, and then choose **Configuration**.

1. Choose the **Invitation accounts** tab. Then, select the accounts to delete.

1. Choose **Actions**, and then choose **Delete**. This option is available only if you have disassociated the account. You must disassociate a member account before it can be deleted.

------
#### [ Security Hub CSPM API ]

**To delete a manually-invited member account**

Invoke the [DeleteMembers](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DeleteMembers.html) API from the administrator account. You must provide the AWS account IDs of the member accounts that you want to delete. To retrieve the list of member accounts, invoke the [ListMembers](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListMembers.html) API.

------
#### [ AWS CLI ]

**To delete a manually-invited member account**

Run the [delete-members](https://docs.aws.amazon.com/cli/latest/reference/securityhub/delete-members.html) command from the administrator account. You must provide the AWS account IDs of the member accounts that you want to delete. To retrieve the list of member accounts, run the [list-members](https://docs.aws.amazon.com/cli/latest/reference/securityhub/list-members.html) command.

```
aws securityhub delete-members --account-ids <memberAccountIDs>
```

**Example**

```
aws securityhub delete-members --account-ids "123456789111" "123456789222"
```

------

# Disassociating from a Security Hub CSPM administrator account
<a name="securityhub-disassociate-from-admin"></a>

**Note**  
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

If your account was added as an AWS Security Hub CSPM member account by invitation, you can disassociate the member account from the administrator account. After you disassociate a member account, Security Hub CSPM doesn't send findings from the account to the administrator account.

Member accounts that are managed using the integration with AWS Organizations can't disassociate their accounts from the administrator account. Only the Security Hub CSPM delegated administrator can disassociate member accounts that are managed with Organizations.

When you disassociate from your administrator account, your account remains in the administrator account's member list with a status of **Resigned**. However, the administrator account does not receive any findings for your account.

After you disassociate yourself from the administrator account, the invitation to be a member still remains. You can accept the invitation again in the future.

------
#### [ Security Hub CSPM console ]

**To disassociate from your administrator account**

1. Open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Settings**, and then choose **Accounts**.

1. In the **Administrator account** section, turn off **Accept**, and then choose **Update**.

------
#### [ Security Hub CSPM API ]

**To disassociate from your administrator account**

Invoke the [DisassociateFromAdministratorAccount](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisassociateFromAdministratorAccount.html) API.

------
#### [ AWS CLI ]

**To disassociate from your administrator account**

Run the [disassociate-from-administrator-account](https://docs.aws.amazon.com/cli/latest/reference/securityhub/disassociate-from-administrator-account.html) command.

```
aws securityhub disassociate-from-administrator-account
```

------

**Note**  
The Security Hub CSPM console continues to use `DisassociateFromMasterAccount`. It will eventually change to use `DisassociateFromAdministratorAccount`. Any IAM policies that specifically control access to this function must continue to use `DisassociateFromMasterAccount`. You should also add `DisassociateFromAdministratorAccount` to your policies to ensure that the correct permissions are in place after the console begins to use `DisassociateFromAdministratorAccount`.
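The following added example (not AWS-provided code) audits an IAM policy document for statements that cover only one of the two action names from the preceding note, so an Allow or Deny keeps working when the console switches names. The sample policy and its `Sid` values are constructed; the `securityhub:` action prefix and IAM's case-insensitive `*`/`?` wildcard matching are the only assumptions.

```python
import json
import re

OLD = "securityhub:DisassociateFromMasterAccount"
NEW = "securityhub:DisassociateFromAdministratorAccount"

# Constructed sample policy for illustration; not taken from any real account.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowLeaveOldName", "Effect": "Allow",
         "Action": "securityhub:DisassociateFromMasterAccount", "Resource": "*"},
        {"Sid": "AllowBothByWildcard", "Effect": "Allow",
         "Action": ["securityhub:Get*", "securityhub:DisassociateFrom*Account"],
         "Resource": "*"},
        {"Sid": "DenyLeaveNewName", "Effect": "Deny",
         "Action": ["securityhub:disassociatefromadministratoraccount"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows Action/NotAction to be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _covers(patterns, action):
    """True if any IAM action pattern matches the action name."""
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, flags=re.IGNORECASE):
            return True
    return False


def audit_policy(policy):
    """Return one finding per statement that covers exactly one of OLD/NEW."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if "NotAction" in stmt:
            # NotAction applies to everything except the listed patterns.
            excluded = _as_list(stmt["NotAction"])
            has_old = not _covers(excluded, OLD)
            has_new = not _covers(excluded, NEW)
        else:
            actions = _as_list(stmt.get("Action"))
            has_old, has_new = _covers(actions, OLD), _covers(actions, NEW)
        if has_old == has_new:
            continue  # covers both names or neither: nothing to fix
        findings.append({
            "sid": stmt.get("Sid", f"statement[{index}]"),
            "effect": stmt.get("Effect"),
            "covers": OLD if has_old else NEW,
            "missing": NEW if has_old else OLD,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(f"{finding['sid']} ({finding['effect']}): add {finding['missing']}")
```

A Deny statement that names only the new action is worth the same attention as an Allow that names only the old one: while the console still calls `DisassociateFromMasterAccount`, that Deny does not block it.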

# Transitioning to Organizations to manage accounts in Security Hub CSPM
<a name="accounts-transition-to-orgs"></a>

When you manage accounts manually in AWS Security Hub CSPM, you must invite prospective member accounts and configure each member account separately in each AWS Region.

By integrating Security Hub CSPM and AWS Organizations, you can eliminate the need to send invitations and gain more control over how Security Hub CSPM is configured and customized in your organization. For this reason, we recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md).

It's possible to use a combined approach in which you use the AWS Organizations integration, but also manually invite accounts outside of your organization. However, we recommend exclusively using the Organizations integration. [Central configuration](central-configuration-intro.md), a feature which helps you manage Security Hub CSPM across multiple accounts and Regions, is only available when you integrate with Organizations.

This section covers how you can transition from manual invitation-based account management to managing accounts with AWS Organizations.

## Integrating Security Hub CSPM with AWS Organizations
<a name="transition-activate-orgs-integration"></a>

First, you must integrate Security Hub CSPM and AWS Organizations.

You can integrate these services by completing the following steps:
+ Create an organization in AWS Organizations. For instructions, see [Create an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html#create-org) in the *AWS Organizations User Guide*.
+ From the Organizations management account, designate a Security Hub CSPM delegated administrator account.

**Note**  
The organization management account *cannot* be set as the delegated administrator (DA) account.

For detailed instructions, see [Integrating Security Hub CSPM with AWS Organizations](designate-orgs-admin-account.md).

By completing the preceding steps, you grant [trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-securityhub.html#integrate-enable-ta-securityhub) for Security Hub CSPM in AWS Organizations. This also enables Security Hub CSPM in the current AWS Region for the delegated administrator account.

The delegated administrator can manage the organization in Security Hub CSPM, primarily by adding the organization’s accounts as Security Hub CSPM member accounts. The administrator can also access certain Security Hub CSPM settings, data, and resources for those accounts.

When you transition to account management using Organizations, invitation-based accounts don't automatically become Security Hub CSPM members. Only the accounts that you add to your new organization can become Security Hub CSPM members.

After activating the integration, you can manage accounts with Organizations. For information, see [Managing Security Hub CSPM for multiple accounts with AWS Organizations](securityhub-accounts-orgs.md). Account management varies based on your organization's configuration type.

# Allowed actions by administrator and member accounts in Security Hub CSPM
<a name="securityhub-accounts-allowed-actions"></a>

Administrator and member accounts have access to AWS Security Hub CSPM actions noted in the following tables. In the tables, the values have the following meanings:
+ **Any –** The account can perform the action for any member account under the same administrator.
+ **Current –** The account can perform the action only for itself (the account that you're currently signed in to).
+ **Dash –** Indicates that the account cannot perform the action.

As noted in the tables, allowed actions differ based on whether you integrate with AWS Organizations and which configuration type your organization uses. For information about the difference between central and local configuration, see [Managing accounts with AWS Organizations](securityhub-accounts.md#securityhub-orgs-account-management-overview).

Security Hub CSPM doesn't copy member account findings into the administrator account. In Security Hub CSPM, all findings are ingested into a specific Region for a specific account. In each Region, the administrator account can view and manage findings for their member accounts in that Region.

If you set an aggregation Region, the administrator account can view and manage member account findings from linked Regions that are replicated to the aggregation Region. For more information about cross-Region aggregation, see [Cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html).

The following tables specify the default permissions for administrator and member accounts. You can use custom IAM policies to further restrict access to Security Hub CSPM features and functions. For guidance and examples, see the blog post [Aligning IAM policies to user personas for AWS Security Hub CSPM](https://aws.amazon.com/blogs/security/aligning-iam-policies-to-user-personas-for-aws-security-hub/).

## Allowed actions if you integrate with Organizations and use central configuration
<a name="central-configuration-allowed-actions"></a>

Administrator and member accounts can access Security Hub CSPM actions as follows if you integrate with Organizations and use central configuration.


|  Action  |  Security Hub CSPM delegated administrator account  |  Centrally managed member account  |  Self-managed member account  | 
| --- | --- | --- | --- | 
|  Create and manage Security Hub CSPM configuration policies  |  For self and centrally managed accounts  |  –  |  –  | 
|  View organization accounts  |  Any  |  –  |  –  | 
|  Disassociate member account  |  Any  |  –  |  –  | 
|  Delete member account  |  Any non-organization account  |  –  |  –  | 
|  Disable Security Hub CSPM  |  For current account and centrally managed accounts  |  –  |  Current (must be disassociated from the administrator account)  | 
|  View findings and finding history  |  Any  |  Current  |  Current  | 
|  Update findings  |  Any  |  Current  |  Current  | 
|  View insight results  |  Any  |  Current  |  Current  | 
|  View control details  |  Any  |  Current  |  Current  | 
|  Turn consolidated control findings on or off  |  Any  |  –  |  –  | 
|  Enable and disable standards  |  For current account and centrally managed accounts  |  –  |  Current  | 
|  Enable and disable controls  |  For current account and centrally managed accounts  |  –  |  Current  | 
|  Enable and disable integrations  |  Current  |  Current  |  Current  | 
|  Configure cross-Region aggregation  |  Any  |  –  |  –  | 
|  Select home Region and linked Regions  |  Any (must stop and restart central configuration to change home Region)  |  –  |  –  | 
|  Configure custom actions  |  Current  |  Current  |  Current  | 
|  Configure automation rules  |  Any  |  –  |  –  | 
|  Configure custom insights  |  Current  |  Current  |  Current  | 

## Allowed actions if you integrate with Organizations and use local configuration
<a name="orgs-allowed-actions"></a>

Administrator and member accounts can access Security Hub CSPM actions as follows if you integrate with Organizations and use local configuration.


|  Action  |  Security Hub CSPM delegated administrator account  |  Member account  | 
| --- | --- | --- | 
|  Create and manage Security Hub CSPM configuration policies  |  –  |  –  | 
|  View organization accounts  |  Any  |  –  | 
|  Disassociate member account  |  Any  |  –  | 
|  Delete member account  |  –  |  –  | 
|  Disable Security Hub CSPM  |  –  |  Current (if account is disassociated from delegated administrator)  | 
|  View findings and finding history  |  Any  |  Current  | 
|  Update findings  |  Any  |  Current  | 
|  View insight results  |  Any  |  Current  | 
|  View control details  |  Any  |  Current  | 
|  Turn consolidated control findings on or off  |  Any  |  –  | 
|  Enable and disable standards  |  Current  |  Current  | 
|  Automatically enable Security Hub CSPM and default standards in new organization accounts  |  For current account and new organization accounts  |  –  | 
|  Enable and disable controls  |  Current  |  Current  | 
|  Enable and disable integrations  |  Current  |  Current  | 
|  Configure cross-Region aggregation  |  Any  |  –  | 
|  Configure custom actions  |  Current  |  Current  | 
|  Configure automation rules  |  Any  |  –  | 
|  Configure custom insights  |  Current  |  Current  | 

## Allowed actions for invitation-based accounts
<a name="manual-allowed-actions"></a>

Administrator and member accounts can access Security Hub CSPM actions as follows if you use the invitation-based method to manually manage accounts instead of integrating with AWS Organizations.


|  Action  |  Security Hub CSPM administrator account  |  Member account  | 
| --- | --- | --- | 
|  Create and manage Security Hub CSPM configuration policies  |  –  |  –  | 
|  View organization accounts  |  Any  |  –  | 
|  Disassociate member account  |  Any  |  Current  | 
|  Delete member account  |  Any  |  –  | 
|  Disable Security Hub CSPM  |  Current (if there are no enabled member accounts)  |  Current (if account is disassociated from administrator account)  | 
|  View findings and finding history  |  Any  |  Current  | 
|  Update findings  |  Any  |  Current  | 
|  View insight results  |  Any  |  Current  | 
|  View control details  |  Any  |  Current  | 
|  Turn consolidated control findings on or off  |  Any  |  –  | 
|  Enable and disable standards  |  Current  |  Current  | 
|  Automatically enable Security Hub CSPM and default standards in new organization accounts  |  –  |  –  | 
|  Enable and disable controls  |  Current  |  Current  | 
|  Enable and disable integrations  |  Current  |  Current  | 
|  Configure cross-Region aggregation  |  Any  |  –  | 
|  Configure custom actions  |  Current  |  Current  | 
|  Configure automation rules  |  Any  |  –  | 
|  Configure custom insights  |  Current  |  Current  | 

# Effect of account actions on Security Hub CSPM data
<a name="securityhub-data-retention"></a>

These account actions have the following effects on AWS Security Hub CSPM data.

## Security Hub CSPM disabled
<a name="securityhub-effects-disable-securityhub"></a>

If you use [central configuration](central-configuration-intro.md), the delegated administrator (DA) can create Security Hub CSPM configuration policies that disable AWS Security Hub CSPM in specific accounts and organizational units (OUs). In this case, Security Hub CSPM is disabled in the specified accounts and OUs in your home Region and any linked Regions. If you don't use central configuration, you must disable Security Hub CSPM separately in each account and Region where you enabled it. You can't use central configuration if Security Hub CSPM is disabled in the DA account.

No findings are generated or updated for the administrator account if Security Hub CSPM is disabled in the administrator account. Existing archived findings are deleted after 30 days. Existing active findings are deleted after 90 days.

Integrations with other AWS services are removed.

Enabled security standards and controls are disabled.

Other Security Hub CSPM data and settings, including custom actions, insights, and subscriptions to third-party products, are retained for 90 days.

## Member account disassociated from administrator account
<a name="securityhub-effects-member-disassociation"></a>

When a member account is disassociated from the administrator account, the administrator account loses permission to view findings in the member account. However, Security Hub CSPM is still enabled in both accounts.

If you use central configuration, the DA can't configure Security Hub CSPM for a member account that's disassociated from the DA account.

Custom settings or integrations that are defined for the administrator account are not applied to findings from the former member account. For example, after the accounts are disassociated, you might have a custom action in the administrator account used as the event pattern in an Amazon EventBridge rule. However, this custom action cannot be used in the member account.

In the **Accounts** list for the Security Hub CSPM administrator account, a removed account has a status of **Disassociated**.

## Member account is removed from an organization
<a name="securityhub-effects-member-leaves-org"></a>

When a member account is removed from an organization, the Security Hub CSPM administrator account loses permission to view findings in the member account. However, Security Hub CSPM is still enabled in both accounts with the same settings they had before removal.

If you use central configuration, you can't configure Security Hub CSPM for a member account after it's removed from the organization to which the delegated administrator belongs. However, the account retains the settings it had prior to removal unless you manually change them.

In the **Accounts** list for the Security Hub CSPM administrator account, a removed account has a status of **Deleted**.

## Account is suspended
<a name="securityhub-effects-account-suspended"></a>

When an AWS account is suspended, the account loses permission to view their findings in Security Hub CSPM. No findings are generated or updated for that account. The administrator account for a suspended account can view existing findings for the account.

For an organization account, the member account status can also change to **Account Suspended**. This happens if the account is suspended at the same time that the administrator account attempts to enable the account. The administrator account for an **Account Suspended** account cannot view findings for that account. Otherwise, the suspended status doesn't affect the member account status.

If you use central configuration, policy association fails if the delegated administrator tries to associate a configuration policy with a suspended account.

After 90 days, the account is either terminated or reactivated. When the account is reactivated, its Security Hub CSPM permissions are restored. If the member account status is **Account Suspended**, the administrator account must enable the account manually.

## Account is closed
<a name="securityhub-effects-account-deletion"></a>

When an AWS account is closed, Security Hub CSPM responds to the closure as follows.

If the account is a Security Hub CSPM administrator account, it is removed as an administrator account and all the member accounts are removed. If the account is a member account, it is disassociated and removed as a member from the Security Hub CSPM administrator account.

Security Hub CSPM retains existing archived findings in the account for 30 days. For a control finding, the calculation of 30 days is based on the value for the `UpdatedAt` field of the finding. For another type of finding, the calculation is based on the value for the `UpdatedAt` or `ProcessedAt` field of the finding, whichever date is latest. At the end of this 30-day period, Security Hub CSPM permanently deletes the finding from the account.

Security Hub CSPM retains existing active findings in the account for 90 days. For a control finding, the calculation of 90 days is based on the value for the `UpdatedAt` field of the finding. For another type of finding, the calculation is based on the value for the `UpdatedAt` or `ProcessedAt` field of the finding, whichever date is latest. At the end of this 90-day period, Security Hub CSPM permanently deletes the finding from the account.

For longer-term retention of existing findings, you can export the findings to an S3 bucket. You can do this by using a custom action with an Amazon EventBridge rule. For more information, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md).
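To prioritize an export before an account is closed, the retention rules above can be turned into a per-finding deletion deadline. This is an added example, not AWS-provided code: the findings are constructed samples using the ASFF fields `RecordState`, `UpdatedAt`, and `ProcessedAt`, and treating a finding as a control finding when it has `Compliance.SecurityControlId` is an assumption of the example.

```python
from datetime import datetime, timedelta, timezone

# Retention periods stated on this page for a closed account.
RETENTION = {"ARCHIVED": timedelta(days=30), "ACTIVE": timedelta(days=90)}

# Constructed sample findings (only the fields the calculation needs).
SAMPLE_FINDINGS = [
    {"Id": "control-archived", "RecordState": "ARCHIVED",
     "Compliance": {"SecurityControlId": "S3.1"},
     "UpdatedAt": "2024-01-10T00:00:00Z", "ProcessedAt": "2024-01-20T00:00:00Z"},
    {"Id": "other-archived", "RecordState": "ARCHIVED",
     "UpdatedAt": "2024-01-10T00:00:00Z", "ProcessedAt": "2024-01-20T00:00:00Z"},
    {"Id": "other-active", "RecordState": "ACTIVE",
     "UpdatedAt": "2024-01-01T00:00:00Z"},
]


def _parse(timestamp):
    """Parse an RFC 3339 timestamp; a value without an offset is read as UTC."""
    parsed = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def is_control_finding(finding):
    # Assumption of this example: control findings carry a security control ID.
    return bool(finding.get("Compliance", {}).get("SecurityControlId"))


def deletion_deadline(finding):
    """Date after which the finding is permanently deleted from a closed account."""
    base = _parse(finding["UpdatedAt"])
    # Non-control findings use UpdatedAt or ProcessedAt, whichever is latest.
    if not is_control_finding(finding) and finding.get("ProcessedAt"):
        base = max(base, _parse(finding["ProcessedAt"]))
    return base + RETENTION[finding.get("RecordState", "ACTIVE")]


def export_order(findings, now):
    """Findings still retained at `now`, soonest deletion first."""
    rows = [(deletion_deadline(f), f["Id"]) for f in findings]
    return sorted(row for row in rows if row[0] > now)


if __name__ == "__main__":
    now = datetime(2024, 2, 15, tzinfo=timezone.utc)
    for deadline, finding_id in export_order(SAMPLE_FINDINGS, now):
        print(f"{deadline:%Y-%m-%d}  {finding_id}")
```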

**Important**  
For customers in AWS GovCloud (US) Regions, back up and then delete your policy data and other account resources before you close your account. You won't have access to the resources and data after you close your account.

For more information, see [Close an AWS account](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html) in the *AWS Account Management Reference Guide*.