Transitioning to Organizations to manage accounts in Security Hub - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Transitioning to Organizations to manage accounts in Security Hub

When you manage accounts manually in Amazon Security Hub, you must invite prospective member accounts and configure each member account separately in each Amazon Web Services Region.

By integrating Security Hub and Amazon Organizations, you can eliminate the need to send invitations and gain more control over how Security Hub is configured and customized in your organization. For this reason, we recommend using Amazon Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations.

It's possible to use a combined approach in which you use the Amazon Organizations integration but also manually invite accounts outside of your organization. However, we recommend exclusively using the Organizations integration. Central configuration, a feature that helps you manage Security Hub across multiple accounts and Regions, is only available when you integrate with Organizations.

This section covers how you can transition from manual invitation-based account management to managing accounts with Amazon Organizations.

Integrating Security Hub with Amazon Organizations

First, you must integrate Security Hub and Amazon Organizations.

You can integrate these services by completing the following steps:

  • Create an organization in Amazon Organizations. For instructions, see Create an organization in the Amazon Organizations User Guide.

  • From the Organizations management account, designate a Security Hub delegated administrator account.

Note

The organization management account cannot be set as the delegated administrator (DA) account.

For detailed instructions, see Integrating Security Hub with Amazon Organizations.

By completing the preceding steps, you grant trusted access for Security Hub in Amazon Organizations. This also enables Security Hub in the current Amazon Web Services Region for the delegated administrator account.
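The two steps above, carried out with the AWS CLI from the Organizations management account, as an added example that is not part of this documentation page. The account IDs are constructed placeholders, and the `check_delegated_admin` guard is an assumption of this example, enforcing the note that the management account cannot be the delegated administrator.

```shell
#!/bin/sh
# Added example (not from the Security Hub documentation): designate a Security
# Hub delegated administrator from the Organizations management account.
# Account IDs used in tests and comments are constructed placeholders.

# Validate a candidate delegated administrator before calling the API:
# it must be a 12-digit account ID and must not be the management account.
check_delegated_admin() {
  mgmt_id="$1"; da_id="$2"
  case "$da_id" in
    *[!0-9]*|"") echo "delegated admin must be a 12-digit account ID" >&2; return 1 ;;
  esac
  [ "${#da_id}" -eq 12 ] || { echo "delegated admin must be 12 digits" >&2; return 1; }
  if [ "$da_id" = "$mgmt_id" ]; then
    echo "management account cannot be the delegated administrator" >&2
    return 1
  fi
  return 0
}

# Run with the AWS CLI configured for the management account. Creates the
# organization if none exists, designates the delegated administrator in the
# current Region (this also grants Security Hub trusted access), and lists the
# resulting admin account and its status for verification.
designate_security_hub_admin() {
  da_id="$1"
  mgmt_id=$(aws organizations describe-organization \
              --query 'Organization.MasterAccountId' --output text 2>/dev/null) \
    || mgmt_id=$(aws organizations create-organization --feature-set ALL \
              --query 'Organization.MasterAccountId' --output text)
  check_delegated_admin "$mgmt_id" "$da_id" || return 1
  aws securityhub enable-organization-admin-account --admin-account-id "$da_id"
  aws securityhub list-organization-admin-accounts \
    --query 'AdminAccounts[].[AccountId,Status]' --output text
}

# The AWS CLI is only invoked when explicitly requested, for example:
#   RUN_AWS=1 sh designate.sh 222233334444
if [ "${RUN_AWS:-0}" = "1" ]; then
  designate_security_hub_admin "$1"
fi
```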

The delegated administrator can manage the organization in Security Hub, primarily by adding the organization’s accounts as Security Hub member accounts. The administrator can also access certain Security Hub settings, data, and resources for those accounts.

When you transition to account management using Organizations, invitation-based accounts don't automatically become Security Hub members. Only the accounts that you add to your new organization can become Security Hub members.

After activating the integration, you can manage accounts with Organizations. For information, see Managing Security Hub administrator and member accounts with Organizations. Account management varies based on your organization's configuration type.