Disassociating member accounts from your organization - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Disassociating member accounts from your organization

To stop receiving and viewing findings from an Amazon Security Hub member account, you can disassociate the member account from your organization.

Note

If you use central configuration, disassociation works differently. You can create a configuration policy that disables Security Hub in one or more centrally managed member accounts. After that, these accounts are still part of the organization, but won't generate Security Hub findings. If you use central configuration but also have manually-invited member accounts, you can disassociate one or more manually-invited accounts.

Member accounts that are managed using Amazon Organizations can't disassociate their accounts from the administrator account. Only the administrator account can disassociate a member account.

Disassociating a member account does not close the account. Instead, it removes the member account from the organization. The disassociated member account becomes a standalone Amazon Web Services account that is no longer managed by the Security Hub integration with Amazon Organizations.

Choose your preferred method, and follow the steps to disassociate a member account from the organization.

Security Hub console

To disassociate a member account from the organization

  1. Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

    Sign in using the credentials of the delegated administrator account.

  2. In the navigation pane, under Settings, choose Configuration.

  3. In the Accounts section, select the accounts that you want to disassociate. If you use central configuration, you can select a manually-invited account to disassociate from the Invitation accounts tab. This tab is visible only if you use central configuration.

  4. Choose Actions, and then choose Disassociate account.

Security Hub API

To disassociate a member account from the organization

Invoke the DisassociateMembers API from the delegated administrator account. You must provide the Amazon Web Services account IDs for the member accounts to disassociate. To view a list of member accounts, invoke the ListMembers API.

Amazon CLI

To disassociate a member account from the organization

Run the disassociate-members command from the delegated administrator account. You must provide the Amazon Web Services account IDs for the member accounts to disassociate. To view a list of member accounts, run the list-members command.

aws securityhub disassociate-members --account-ids "<accountIds>"

Example

aws securityhub disassociate-members --account-ids "123456789111" "123456789222"
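The two commands above can be combined so that only valid, currently associated accounts are disassociated. This is an added example, not part of the AWS documentation; the function names and exit statuses are assumptions of the example, and it must run with the delegated administrator account's credentials.

```shell
#!/bin/sh
# Added example: check each account ID before passing it to
# "aws securityhub disassociate-members".

# Print the account IDs currently associated as members, one per line.
list_member_ids() {
  ids=$(aws securityhub list-members --only-associated \
        --query 'Members[].AccountId' --output text) || return 1
  printf '%s\n' "$ids" | tr -s '[:space:]' '\n'
}

# Usage: disassociate_checked ID...
# Exit status (assumed convention): 0 all IDs disassociated,
# 1 some IDs refused, 2 an aws call failed.
# The body is a subshell so its variables stay out of the caller's scope.
disassociate_checked() (
  members=$(list_member_ids) || exit 2
  refused=0
  n=$#
  for id do
    case $id in
      *[!0-9]*) valid=no ;;
      *) [ "${#id}" -eq 12 ] && valid=yes || valid=no ;;
    esac
    if [ "$valid" = no ]; then
      echo "refused '$id': not a 12-digit account ID" >&2; refused=1
    elif ! printf '%s\n' "$members" | grep -qxF -- "$id"; then
      echo "refused $id: not an associated member account" >&2; refused=1
    else
      set -- "$@" "$id"   # append accepted IDs after the original arguments
    fi
  done
  shift "$n"              # drop the originals, leaving only accepted IDs
  if [ "$#" -gt 0 ]; then
    aws securityhub disassociate-members --account-ids "$@" || exit 2
  fi
  exit "$refused"
)
```

A non-zero status means at least one requested account was left untouched, so a typo in an account ID is reported instead of being sent to the API.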

You can also use the Amazon Organizations console, Amazon CLI, or Amazon SDKs to disassociate a member account from your organization. For more information, see Removing a member account from your organization in the Amazon Organizations User Guide.