Disabling Security Hub CSPM integration with Amazon Organizations - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Disabling Security Hub CSPM integration with Amazon Organizations

After an Amazon Organizations organization is integrated with Amazon Security Hub Cloud Security Posture Management (CSPM), the Organizations management account can subsequently disable the integration. As a user of the Organizations management account, you can do this by disabling trusted access for Security Hub CSPM in Amazon Organizations.

When you disable trusted access for Security Hub CSPM, the following occurs:

  • Security Hub CSPM loses its status as a trusted service in Amazon Organizations.

  • The Security Hub CSPM delegated administrator account loses access to Security Hub CSPM settings, data, and resources for all Security Hub CSPM member accounts in all Amazon Web Services Regions.

  • If you were using central configuration, Security Hub CSPM automatically stops using it for your organization. Your configuration policies and policy associations are deleted. Accounts retain the configurations that they had before you disabled trusted access.

  • All Security Hub CSPM member accounts become standalone accounts and retain their current settings. If Security Hub CSPM was enabled for a member account in one or more Regions, Security Hub CSPM continues to be enabled for the account in those Regions. Enabled standards and controls are also unchanged. You can change these settings separately in each account and Region. However, the account is no longer associated with a delegated administrator in any Region.

For additional information about the results of disabling trusted service access, see Using Amazon Organizations with other Amazon Web Services services in the Amazon Organizations User Guide.

To disable trusted access, you can use the Amazon Organizations console, Organizations API, or the Amazon CLI. Only a user of the Organizations management account can disable trusted service access for Security Hub CSPM. For details about the permissions that you need, see Permissions required to disable trusted access in the Amazon Organizations User Guide.

Before you disable trusted access, we recommend working with the delegated administrator for your organization to disable Security Hub CSPM in member accounts and to clean up Security Hub CSPM resources in those accounts.

Choose your preferred method, and follow the steps to disable trusted access for Security Hub CSPM.

Organizations console
To disable trusted access for Security Hub CSPM
  1. Sign in to the Amazon Web Services Management Console using the credentials of the Amazon Organizations management account.

  2. Open the Organizations console at https://console.amazonaws.cn/organizations/.

  3. In the navigation pane, choose Services.

  4. Under Integrated services, choose Amazon Security Hub Cloud Security Posture Management (CSPM).

  5. Choose Disable trusted access.

  6. Confirm that you want to disable trusted access.

Organizations API

To disable trusted access for Security Hub CSPM

Invoke the DisableAWSServiceAccess operation of the Amazon Organizations API. For the ServicePrincipal parameter, specify the Security Hub CSPM service principal (securityhub.amazonaws.com).

Amazon CLI

To disable trusted access for Security Hub CSPM

Run the disable-aws-service-access command of the Amazon CLI (the organizations command group). For the service-principal parameter, specify the Security Hub CSPM service principal (securityhub.amazonaws.com).

Example:

aws organizations disable-aws-service-access --service-principal securityhub.amazonaws.com