Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Security Hub and Amazon Organizations

Amazon Security Hub provides you with a comprehensive view of your security state in Amazon and helps you check your environment against security industry standards and best practices.

Security Hub collects security data from across your Amazon Web Services accounts, the Amazon services you use, and supported third-party partner products. It helps you to analyze your security trends and identify the highest priority security issues.

When you use both Security Hub and Amazon Organizations together, you can automatically enable Security Hub for all of your accounts, including new accounts as they are added. This increases the coverage for Security Hub checks and findings, which provides a more comprehensive and accurate picture of your overall security posture.

For more information about Security Hub, see the Amazon Security Hub User Guide.

Use the following information to help you integrate Amazon Security Hub with Amazon Organizations.

Service-linked roles created when you enable integration

The following service-linked role is automatically created in your organization's management account when you enable trusted access. This role allows Security Hub to perform supported operations within your organization's accounts in your organization.

You can delete or modify this role only if you disable trusted access between Security Hub and Organizations, or if you remove the member account from the organization.

Service principals used by the service-linked roles

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Security Hub grant access to the following service principals:

Enabling trusted access with Security Hub

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

When you designate a delegated administrator for Security Hub, Security Hub automatically enables trusted access for Security Hub in your organization.

Disabling trusted access with Security Hub

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access in the Amazon Organizations User Guide.

Before you disable trusted access, we recommend working with the delegated administrator for your organization to disable Security Hub in member accounts and to clean up Security Hub resources in those accounts.

You can disable trusted access by using the Amazon Organizations console, Organizations API, or the Amazon CLI. Only an administrator of the Organizations management account can disable trusted access with Security Hub.

For instructions on disabling trusted access with Security Hub, see Disabling Security Hub integration with Amazon Organizations.

Enabling a delegated administrator for Security Hub

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Security Hub that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Security Hub.

For information, see Designating a Security Hub administrator account in the Amazon Security Hub User Guide.

Disabling a delegated administrator for Security Hub

Only the organization management account can remove the delegated Security Hub administrator account.

To change the delegated Security Hub administrator, you must first remove the current delegated administrator account and then designate a new one.

If you use the Security Hub console to remove the delegated administrator in one Region, it is automatically removed in all Regions.

The Security Hub API only removes the delegated Security Hub administrator account from the Region where the API call or command is issued. You must repeat the action in other Regions.

If you use the Organizations API to remove the delegated Security Hub administrator account, it is automatically removed in all Regions.

For instructions on disabling the delegated Security Hub administrator, see Removing or changing the delegated administrator.