Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Disassociating member accounts from your organization
To stop receiving and viewing findings from an Amazon Security Hub member account, you can
disassociate the member account from your organization.
If you use central configuration, disassociation works differently. You can create a configuration policy that disables Security Hub in one or more centrally managed member accounts.
After that, these accounts are still part of the organization, but won't generate Security Hub findings. If you use central configuration but
also have manually-invited member accounts, you can disassociate one or more manually-invited accounts.
Member accounts that are managed using Amazon Organizations can't disassociate their accounts from the administrator account. Only the
administrator account can disassociate a member account.
Disassociating a member account does not close the account. Instead, it removes the member account from the organization.
The disassociated member account becomes a standalone Amazon Web Services account that is no longer managed by the Security Hub integration with Amazon Organizations.
Choose your preferred method, and follow the steps to disassociate a member account from the organization.
- Security Hub console

  To disassociate a member account from the organization

  - Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/. Sign in using the credentials of the delegated administrator account.
  - In the navigation pane, under Settings, choose Configuration.
  - In the Accounts section, select the accounts that you want to disassociate. If you use central configuration, you can select a manually-invited account to disassociate from the Invitation accounts tab. This tab is visible only if you use central configuration.
  - Choose Actions, and then choose Disassociate account.
- Security Hub API

  To disassociate a member account from the organization

  Invoke the DisassociateMembers API from the delegated administrator account. You must provide the Amazon Web Services account IDs for the member accounts to disassociate. To view a list of member accounts, invoke the ListMembers API.
- Amazon CLI

  To disassociate a member account from the organization

  Run the disassociate-members command from the delegated administrator account. You must provide the Amazon Web Services account IDs for the member accounts to disassociate. To view a list of member accounts, run the list-members command.

  aws securityhub disassociate-members --account-ids "<accountIds>"

  Example

  aws securityhub disassociate-members --account-ids "123456789111" "123456789222"
You can also use the Amazon Organizations console, Amazon CLI, or Amazon SDKs to disassociate a member account from your organization. For more information, see
Removing a member account from your organization in the Amazon Organizations User Guide.
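
The following is an added example, not part of the AWS documentation. It combines the ListMembers and DisassociateMembers calls described above through the boto3 SDK so that only account IDs that ListMembers reports as associated are disassociated, and it defaults to a dry run. The function names and the dry_run parameter are this example's own, and the account IDs are the sample values from the CLI example.

```python
import re

ACCOUNT_ID = re.compile(r"\d{12}")  # AWS account IDs are 12 digits


def list_associated_members(client):
    """Return {account_id: MemberStatus} from ListMembers, following NextToken."""
    members, kwargs = {}, {"OnlyAssociated": True}
    while True:
        page = client.list_members(**kwargs)
        for m in page.get("Members", []):
            members[m["AccountId"]] = m.get("MemberStatus")
        if not page.get("NextToken"):
            return members
        kwargs["NextToken"] = page["NextToken"]


def disassociate_checked(client, requested_ids, dry_run=True):
    """Disassociate only IDs that ListMembers reports as associated members.

    Returns (to_disassociate, skipped); skipped maps each rejected ID to a reason.
    """
    current = list_associated_members(client)
    to_disassociate, skipped = [], {}
    for acct in dict.fromkeys(requested_ids):  # de-duplicate, keep order
        if not ACCOUNT_ID.fullmatch(acct):
            skipped[acct] = "not a 12-digit account ID"
        elif acct not in current:
            skipped[acct] = "not an associated member of this administrator"
        else:
            to_disassociate.append(acct)
    if to_disassociate and not dry_run:
        # DisassociateMembers returns an empty body on success.
        client.disassociate_members(AccountIds=to_disassociate)
    return to_disassociate, skipped


if __name__ == "__main__":
    import boto3  # imported here so the functions above can be tested offline

    # Run with the delegated administrator account's credentials.
    hub = boto3.client("securityhub")
    # Sample account IDs from the CLI example on this page.
    ok, skipped = disassociate_checked(hub, ["123456789111", "123456789222"])
    print("would disassociate:", ok)
    print("skipped:", skipped)
```

Review the dry-run output first, then call disassociate_checked with dry_run=False to make the change.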