Responding to an invitation to be a Security Hub member account - AWS Security Hub

Note

We recommend using AWS Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations.

You can accept or decline an invitation to be an AWS Security Hub member account.

If you accept an invitation, your account becomes a Security Hub member account. The account that sent the invitation becomes your Security Hub administrator account. The administrator account user can view findings for your member account in Security Hub.

If you decline the invitation, then your account is marked as Resigned on the administrator account's list of member accounts.

You can only accept one invitation to be a member account.

Before you can accept or decline an invitation, you must enable Security Hub.

Remember that all Security Hub accounts must have AWS Config enabled and configured to record all resources. For details on the requirement for AWS Config, see Enabling and configuring AWS Config.

Accepting an invitation

You can send an invitation to be a Security Hub member account from the administrator account. You can then accept the invitation after signing in to the member account.

Choose your preferred method, and follow the steps to accept an invitation to be a member account.

Security Hub console

To accept a membership invitation
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Settings, and then choose Accounts.

  3. In the Administrator account section, turn on Accept, and then choose Accept invitation.

Security Hub API

To accept a membership invitation

Invoke the AcceptAdministratorInvitation API. You must provide the invitation identifier and the AWS account ID of the administrator account. To retrieve details about the invitation, use the ListInvitations operation.

AWS CLI

To accept a membership invitation

Run the accept-administrator-invitation command. You must provide the invitation identifier and the AWS account ID of the administrator account. To retrieve details about the invitation, run the list-invitations command.

aws securityhub accept-administrator-invitation --administrator-id <administratorAccountID> --invitation-id <invitationID>

Example

aws securityhub accept-administrator-invitation --administrator-id 123456789012 --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb

Note

The Security Hub console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation.

Declining an invitation

You can decline an invitation to be a Security Hub member account. When you decline an invitation in the Security Hub console, your account is marked as Resigned on the administrator account's list of member accounts. The Resigned status appears only when you sign in to the Security Hub console using the administrator account. However, the invitation remains unchanged in the console for the member account until you sign in to the administrator account and delete the invitation.

To decline an invitation, you must sign in to the member account that received the invitation.

Choose your preferred method, and follow the steps to decline an invitation to be a member account.

Security Hub console

To decline a membership invitation
  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. In the navigation pane, choose Settings, and then choose Accounts.

  3. In the Administrator account section, choose Decline invitation.

Security Hub API

To decline a membership invitation

Invoke the DeclineInvitations API. You must provide the AWS account ID of the administrator account that issued the invitation. To view information about your invitations, use the ListInvitations operation.

AWS CLI

To decline a membership invitation

Run the decline-invitations command. You must provide the AWS account ID of the administrator account that issued the invitation. To view information about your invitations, run the list-invitations command.

aws securityhub decline-invitations --account-ids "<administratorAccountId>"

Example

aws securityhub decline-invitations --account-ids "123456789012"
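An added example (not code from the AWS documentation) that ties the accept and decline CLI steps above together: it pins the administrator account ID you expect, picks that account's invitation out of list-invitations output, and builds the parameters for accept-administrator-invitation and for declining every other inviting account. The sample listing, its invitation IDs and the 999999999999 account are constructed; the boto3 calls in the main block assume credentials for the member account are configured.

```python
"""Pick which Security Hub invitation to accept/decline (added example, not AWS code)."""
import json
import re
from typing import Optional

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Constructed sample in the shape of `aws securityhub list-invitations` output.
SAMPLE_LIST_INVITATIONS = json.dumps({"Invitations": [
    {"AccountId": "999999999999", "InvitationId": "0000aaaa1111bbbb2222cccc3333dddd",
     "InvitedAt": "2023-05-01T10:00:00Z", "MemberStatus": "Invited"},
    {"AccountId": "123456789012", "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
     "InvitedAt": "2023-05-02T09:30:00Z", "MemberStatus": "Invited"},
]})

def select_invitation(list_output: str, expected_admin: str) -> Optional[dict]:
    """Return the invitation sent by the pinned administrator account, else None."""
    # Pinning the administrator ID up front means an invitation from any other
    # account is never accepted by mistake (only one invitation can be accepted).
    if not ACCOUNT_ID_RE.match(expected_admin):
        raise ValueError(f"not a 12-digit AWS account ID: {expected_admin!r}")
    matches = [inv for inv in json.loads(list_output).get("Invitations", [])
               if inv.get("AccountId") == expected_admin]
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} invitations from {expected_admin}, expected one")
    return matches[0] if matches else None

def accept_params(list_output: str, expected_admin: str) -> dict:
    """Parameters for AcceptAdministratorInvitation / accept-administrator-invitation."""
    inv = select_invitation(list_output, expected_admin)
    if inv is None:
        raise LookupError(f"no invitation from {expected_admin}")
    return {"AdministratorId": expected_admin, "InvitationId": inv["InvitationId"]}

def decline_params(list_output: str, expected_admin: str) -> dict:
    """Parameters for DeclineInvitations / decline-invitations: every inviting
    account other than the expected administrator."""
    others = sorted({inv["AccountId"] for inv in json.loads(list_output).get("Invitations", [])
                     if inv.get("AccountId") != expected_admin})
    return {"AccountIds": others}

if __name__ == "__main__":
    import boto3  # assumes credentials for the member account are configured
    hub = boto3.client("securityhub")
    listing = json.dumps(hub.list_invitations(), default=str)  # datetimes -> strings
    to_decline = decline_params(listing, "123456789012")
    if to_decline["AccountIds"]:
        hub.decline_invitations(**to_decline)
    hub.accept_administrator_invitation(**accept_params(listing, "123456789012"))
```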