Choosing the management type of accounts and OUs
When you use central configuration, the Amazon Security Hub delegated administrator can designate each organization account and organizational unit (OU) as centrally managed or self-managed. The management type of an account or OU determines how you can specify and change its Security Hub settings.
A self-managed account or OU can configure its own Security Hub settings separately in each Amazon Web Services Region. The delegated administrator can't configure Security Hub settings for a self-managed account or OU, and configuration policies can't be associated with them. In contrast, only the delegated administrator can configure Security Hub settings for centrally managed accounts and OUs across the home Region and linked Regions. Configuration policies can be associated with centrally managed accounts and OUs.
The delegated administrator can switch the status of an account or OU between self-managed and centrally managed. By default, all accounts and OUs are self-managed when you start central configuration through the Security Hub API. In the console, the management type depends on your first configuration policy: accounts and OUs that you associate with your first policy are centrally managed, and all other accounts and OUs are self-managed by default.
If you associate a configuration policy with a self-managed account, the policy overrides the self-managed designation. The account becomes centrally managed and adopts the settings reflected in the configuration policy.
Child accounts and OUs can inherit self-managed behavior from a self-managed parent, in the same way that child accounts and OUs can inherit configuration policies from a centrally managed parent. For more information, see Policy association through application and inheritance.
A self-managed account or OU can't inherit a configuration policy from a parent node or from the root. For example, if you want all accounts and OUs in your organization to inherit a configuration policy from the root, you must change the management type of self-managed nodes to centrally managed.
Specifying settings for self-managed accounts
Self-managed accounts must configure their own settings separately in each Region.
Owners of self-managed accounts can invoke the following operations of the Security Hub API in each Region to configure their settings:
- EnableSecurityHub and DisableSecurityHub to enable or disable the Security Hub service
- BatchEnableStandards and BatchDisableStandards to enable or disable standards
- BatchUpdateStandardsControlAssociations or UpdateStandardsControl to enable or disable controls

Self-managed accounts can also use the *Invitations and *Members operations.
However, we recommend that self-managed accounts don't use these operations. Policy associations can fail if a member account has its own members that are part of a different organization than the delegated administrator's.
For descriptions of Security Hub API actions, see the Amazon Security Hub API Reference.
Self-managed accounts can also use the Security Hub console or Amazon CLI to configure their settings in each Region.
Self-managed accounts can't invoke any APIs related to Security Hub configuration policies and policy associations. Only the delegated administrator can invoke central configuration APIs and use configuration policies to configure centrally managed accounts.
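The two responsibilities described above, the delegated administrator switching an account or OU between centrally managed and self-managed, and a self-managed account owner configuring each Region on its own, are shown in the following shell script. It is an added example, not code from the Security Hub documentation. It assumes the Amazon CLI `aws securityhub` commands for StartConfigurationPolicyAssociation, EnableSecurityHub, BatchEnableStandards and BatchUpdateStandardsControlAssociations, the documented identifier SELF_MANAGED_SECURITY_HUB for designating a self-managed target, and the standards ARN format for the Amazon Foundational Security Best Practices standard. The account, OU, Region and control values are constructed. A `run` wrapper prints the command line instead of executing it when SECHUB_DRY_RUN=1, so the script can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example (not from the Security Hub documentation).
# Assumptions: aws CLI v2 securityhub subcommands; credentials already configured.
set -eu

# Print the command instead of running it when SECHUB_DRY_RUN=1 (review mode).
run() {
  if [ "${SECHUB_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "aws $*"
  else
    aws "$@"
  fi
}

# Delegated administrator: change the management type of one target.
# Central configuration APIs are called in the home Region only.
#   $1 home Region, $2 target kind (account|ou|root), $3 target ID,
#   $4 "self-managed" or a configuration policy ID/ARN (associating a
#      policy makes the target centrally managed).
set_management_type() {
  home_region=$1; target_kind=$2; target_id=$3; policy=$4
  if [ "$policy" = "self-managed" ]; then
    identifier=SELF_MANAGED_SECURITY_HUB   # documented identifier for self-managed
  else
    identifier=$policy
  fi
  case "$target_kind" in
    account) target="AccountId=$target_id" ;;
    ou)      target="OrganizationalUnitId=$target_id" ;;
    root)    target="RootId=$target_id" ;;
    *) echo "unknown target kind: $target_kind" >&2; return 1 ;;
  esac
  run securityhub start-configuration-policy-association \
    --region "$home_region" \
    --configuration-policy-identifier "$identifier" \
    --target "$target"
}

# Self-managed account owner: configure one Region. Because self-managed
# accounts get no settings from the delegated administrator, this must be
# repeated for every Region the account uses.
#   $1 partition (aws or aws-cn), $2 Region, $3 security control ID to disable
configure_self_managed_region() {
  partition=$1; region=$2; control=$3
  fsbp="arn:${partition}:securityhub:${region}::standards/aws-foundational-security-best-practices/v/1.0.0"
  # Enable the service without the default standards, then pick standards explicitly.
  run securityhub enable-security-hub --region "$region" --no-enable-default-standards
  run securityhub batch-enable-standards --region "$region" \
    --standards-subscription-requests "StandardsArn=$fsbp"
  # Disabling a control requires UpdatedReason.
  run securityhub batch-update-standards-control-associations --region "$region" \
    --standards-control-association-updates \
    "StandardsArn=$fsbp,SecurityControlId=$control,AssociationStatus=DISABLED,UpdatedReason=not-applicable-in-this-account"
}

# Usage with constructed values; runs only in review mode so that sourcing
# this file never changes an account by accident.
if [ "${SECHUB_DRY_RUN:-0}" = "1" ]; then
  set_management_type cn-north-1 ou ou-examp-12345678 self-managed
  for r in cn-north-1 cn-northwest-1; do
    configure_self_managed_region aws-cn "$r" IAM.7
  done
fi
```

Run it with `SECHUB_DRY_RUN=1 sh script.sh` first and read the printed command lines; once they match the intended Regions and targets, run it again without the variable. Designating a target as self-managed only removes the administrator's control; the settings the account then carries are whatever its owner configures per Region with the second function.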
Choosing the management type of accounts and OUs
Choose your preferred method, and follow the steps to designate an account or OU as centrally managed or self-managed.