Automatically enabling Security Hub in new organization accounts - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Automatically enabling Security Hub in new organization accounts

When new accounts join your organization, they are added to the list on the Accounts page of the Amazon Security Hub console. For organization accounts, Type is By organization. By default, new accounts don't become Security Hub members when they join the organization. Their status is Not a member. The delegated administrator account can automatically add new accounts as members and enable Security Hub in these accounts when they join the organization.

Note

Although many Amazon Web Services Regions are active by default for your Amazon Web Services account, you must activate certain Regions manually. These Regions are called opt-in Regions in this document. To automatically enable Security Hub in a new account in an opt-in Region, the account must have that Region activated first. Only the account owner can activate the opt-in Region. For more information about opt-in Regions, see Specify which Amazon Web Services Regions your account can use.

This process differs depending on whether you use central configuration (recommended) or local configuration.

Automatically enabling new organization accounts (central configuration)

If you use central configuration, you can automatically enable Security Hub in new and existing organization accounts by creating a configuration policy in which Security Hub is enabled. You can then associate the policy with the organization root or specific organizational units (OUs).

If you associate a configuration policy in which Security Hub is enabled with a specific OU, Security Hub is automatically enabled in all accounts (existing and new) that belong to that OU. New accounts that don't belong to the OU are self-managed and don't automatically have Security Hub enabled. If you associate a configuration policy in which Security Hub is enabled with the root, Security Hub is automatically enabled in all accounts (existing and new) that join the organization. The exceptions are if an account uses a different policy through application or inheritance, or is self-managed.

In your configuration policy, you can also define which security standards and controls should be enabled in the OU. To generate control findings for enabled standards, the accounts in the OU must have Amazon Config enabled and configured to record required resources. For more information about Amazon Config recording, see Enabling and configuring Amazon Config.

For instructions on creating a configuration policy, see Creating and associating Security Hub configuration policies.

Automatically enabling new organization accounts (local configuration)

When you use local configuration and turn on automatic enablement, Security Hub adds new organization accounts as members and enables Security Hub in them in the current Region. Other Regions aren't affected. In addition, turning on automatic enablement doesn't enable Security Hub in existing organization accounts unless they were already added as member accounts.

After turning on automatic enablement, default security standards are also enabled automatically for new accounts in the current Region when they join the organization. The default standards are Amazon Foundational Security Best Practices (FSBP) and Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0. You can't change the default standards. If you want to enable other standards throughout your organization, or enable standards for select accounts and OUs, we recommend using central configuration.

To generate control findings for the default standards (and other enabled standards), accounts in your organization must have Amazon Config enabled and configured to record required resources. For more information about Amazon Config recording, see Enabling and configuring Amazon Config.

Choose your preferred method, and follow the steps to automatically enable Security Hub in new organization accounts. These instructions apply only if you use local configuration.

Security Hub console
To automatically enable new organization accounts as Security Hub members
  1. Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

    Sign in using the credentials of the delegated administrator account.

  2. In the Security Hub navigation pane, under Settings, choose Configuration.

  3. In the Accounts section, turn on Auto-enable accounts.

Security Hub API

To automatically enable new organization accounts as Security Hub members

Invoke the UpdateOrganizationConfiguration API from the delegated administrator account. Set the AutoEnable field to true to automatically enable Security Hub in new organization accounts.

Amazon CLI

To automatically enable new organization accounts as Security Hub members

Run the update-organization-configuration command from the delegated administrator account. Include the auto-enable parameter to automatically enable Security Hub in new organization accounts.

aws securityhub update-organization-configuration --auto-enable
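Because automatic enablement under local configuration applies only to the Region in which you turn it on, a delegated administrator usually wants to confirm the setting in every Region the organization operates in. The script below is an added example written for this page, not code from the Security Hub documentation or from Amazon. It calls the UpdateOrganizationConfiguration and DescribeOrganizationConfiguration operations through boto3 (assumed to be installed, with credentials for the delegated administrator account) and reads the real response fields AutoEnable, AutoEnableStandards and OrganizationConfiguration.ConfigurationType; the REGIONS list and the sample responses used in the offline test are constructed placeholders, and the function names are the example's own.

```python
"""Audit and, if needed, turn on Security Hub auto-enable per Region.

Added example (not part of the Security Hub documentation). Assumes:
  * boto3 is installed and the credentials belong to the delegated
    administrator account;
  * every Region in REGIONS is already active for the account (opt-in
    Regions must be activated by the account owner first).
The response field names (AutoEnable, AutoEnableStandards,
OrganizationConfiguration.ConfigurationType) are the real Security Hub
API fields; the Region list is a constructed placeholder.
"""
from typing import Any, Callable, Dict, List

# Constructed placeholder: replace with the Regions your organization uses.
REGIONS: List[str] = ["cn-north-1", "cn-northwest-1"]


def audit_auto_enable(describe: Callable[[str], Dict[str, Any]],
                      regions: List[str]) -> Dict[str, Dict[str, Any]]:
    """Summarize the organization configuration of each Region.

    `describe(region)` must return the DescribeOrganizationConfiguration
    response for that Region. Auto-enable is a per-Region setting, so a
    Region that is never checked is a Region where new accounts keep the
    status 'Not a member'.
    """
    report: Dict[str, Dict[str, Any]] = {}
    for region in regions:
        resp = describe(region)
        org_cfg = resp.get("OrganizationConfiguration", {})
        report[region] = {
            # True when new organization accounts become members automatically
            "auto_enable": bool(resp.get("AutoEnable", False)),
            # "DEFAULT" means FSBP and CIS v1.2.0 are enabled for new members
            "auto_enable_standards": resp.get("AutoEnableStandards", "NONE"),
            # "CENTRAL" Regions are governed by configuration policies instead
            "configuration_type": org_cfg.get("ConfigurationType", "LOCAL"),
        }
    return report


def regions_needing_fix(report: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return locally configured Regions where new accounts would not be
    enabled with the default standards."""
    return sorted(
        region for region, v in report.items()
        if v["configuration_type"] == "LOCAL"
        and (not v["auto_enable"] or v["auto_enable_standards"] != "DEFAULT")
    )


def enable_in_region(client: Any) -> Dict[str, Any]:
    """Turn on auto-enable in one Region and read the setting back.

    `client` is a Security Hub client bound to a single Region (a boto3
    client in production, a stand-in in tests). Equivalent to the CLI
    command `aws securityhub update-organization-configuration --auto-enable`.
    """
    client.update_organization_configuration(AutoEnable=True)
    return client.describe_organization_configuration()


def boto3_describe(region: str) -> Dict[str, Any]:
    """DescribeOrganizationConfiguration for one Region via boto3."""
    import boto3  # imported here so the module loads without boto3 offline
    client = boto3.client("securityhub", region_name=region)
    return client.describe_organization_configuration()


if __name__ == "__main__":
    import boto3

    report = audit_auto_enable(boto3_describe, REGIONS)
    for region, v in report.items():
        print(f"{region}: type={v['configuration_type']} "
              f"auto_enable={v['auto_enable']} "
              f"standards={v['auto_enable_standards']}")
    for region in regions_needing_fix(report):
        # Only act on Regions that use local configuration.
        result = enable_in_region(boto3.client("securityhub", region_name=region))
        print(f"{region}: auto-enable now {result.get('AutoEnable')}")
```

Run it from the delegated administrator account; Regions that report `configuration_type=CENTRAL` are skipped because auto-enable has no effect there and membership is driven by the associated configuration policy instead.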