Disassociating from a Security Hub administrator account
Note
We recommend using AWS Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations.
If your account was added as an AWS Security Hub member account by invitation, you can disassociate the member account from the administrator account. After you disassociate a member account, Security Hub doesn't send findings from the account to the administrator account.
Member accounts that are managed using the integration with AWS Organizations can't disassociate their accounts from the administrator account. Only the Security Hub delegated administrator can disassociate member accounts that are managed with Organizations.
When you disassociate from your administrator account, your account remains in the administrator account's member list with a status of Resigned. However, the administrator account does not receive any findings for your account.
After you disassociate yourself from the administrator account, the invitation to be a member still remains. You can accept the invitation again in the future.
Note
The Security Hub console continues to use DisassociateFromMasterAccount.
It will eventually change to use
DisassociateFromAdministratorAccount. Any IAM policies that
specifically control access to this function must continue to use
DisassociateFromMasterAccount. You should also add
DisassociateFromAdministratorAccount to your policies to ensure
that the correct permissions are in place after the console begins to use
DisassociateFromAdministratorAccount.
