Disabling Security Hub CSPM integration with Amazon Organizations
After an Amazon Organizations organization is integrated with Amazon Security Hub Cloud Security Posture Management (CSPM), the Organizations management account can subsequently disable the integration. As a user of the Organizations management account, you can do this by disabling trusted access for Security Hub CSPM in Amazon Organizations.
When you disable trusted access for Security Hub CSPM, the following occurs:
-
Security Hub CSPM loses its status as a trusted service in Amazon Organizations.
-
The Security Hub CSPM delegated administrator account loses access to Security Hub CSPM settings, data, and resources for all Security Hub CSPM member accounts in all Amazon Web Services Regions.
-
If you were using central configuration, Security Hub CSPM automatically stops using it for your organization. Your configuration policies and policy associations are deleted. Accounts retain the configurations that they had before you disabled trusted access.
-
All Security Hub CSPM member accounts become standalone accounts and retain their current settings. If Security Hub CSPM was enabled for a member account in one or more Regions, Security Hub CSPM continues to be enabled for the account in those Regions. Enabled standards and controls are also unchanged. You can change these settings separately in each account and Region. However, the account is no longer associated with a delegated administrator in any Region.
For additional information about the results of disabling trusted service access, see Using Amazon Organizations with other Amazon Web Services services in the Amazon Organizations User Guide.
To disable trusted access, you can use the Amazon Organizations console, Organizations API, or the Amazon CLI. Only a user of the Organizations management account can disable trusted service access for Security Hub CSPM. For details about the permissions that you need, see Permissions required to disable trusted access in the Amazon Organizations User Guide.
Before you disable trusted access, we recommend working with the delegated administrator for your organization to disable Security Hub CSPM in member accounts and to clean up Security Hub CSPM resources in those accounts.
Choose your preferred method, and follow the steps to disable trusted access for Security Hub CSPM.