Disabling Security Hub integration with Amazon Organizations - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Disabling Security Hub integration with Amazon Organizations

After an Amazon Organizations organization is integrated with Amazon Security Hub, the Organizations management account can subsequently disable the integration. As a user of the Organizations management account, you can do this by disabling trusted access for Security Hub in Amazon Organizations.

When you disable trusted access for Security Hub, the following occurs:

  • Security Hub loses its status as a trusted service in Amazon Organizations.

  • The Security Hub delegated administrator account loses access to Security Hub settings, data, and resources for all Security Hub member accounts in all Amazon Web Services Regions.

  • If you were using central configuration, Security Hub automatically stops using it for your organization. Your configuration policies and policy associations are deleted. Accounts retain the configurations that they had before you disabled trusted access.

  • All Security Hub member accounts become standalone accounts and retain their current settings. If Security Hub was enabled for a member account in one or more Regions, Security Hub continues to be enabled for the account in those Regions. Enabled standards and controls are also unchanged. You can change these settings separately in each account and Region. However, the account is no longer associated with a delegated administrator in any Region.

For additional information about the results of disabling trusted service access, see Using Amazon Organizations with other Amazon Web Services in the Amazon Organizations User Guide.

To disable trusted access, you can use the Amazon Organizations console, Organizations API, or the Amazon CLI. Only a user of the Organizations management account can disable trusted service access for Security Hub. For details about the permissions that you need, see Permissions required to disable trusted access in the Amazon Organizations User Guide.

Before you disable trusted access, we recommend working with the delegated administrator for your organization to disable Security Hub in member accounts and to clean up Security Hub resources in those accounts.

Choose your preferred method, and follow the steps to disable trusted access for Security Hub.

Organizations console
To disable trusted access for Security Hub

  1. Sign in to the Amazon Web Services Management Console using the credentials of the Amazon Organizations management account.

  2. Open the Organizations console at https://console.amazonaws.cn/organizations/.

  3. In the navigation pane, choose Services.

  4. Under Integrated services, choose Amazon Security Hub.

  5. Choose Disable trusted access.

  6. Confirm that you want to disable trusted access.

Organizations API

To disable trusted access for Security Hub

Invoke the DisableAWSServiceAccess operation of the Amazon Organizations API. For the ServicePrincipal parameter, specify the Security Hub service principal (securityhub.amazonaws.com).

Amazon CLI

To disable trusted access for Security Hub

Run the disable-aws-service-access command of the Amazon Organizations API. For the service-principal parameter, specify the Security Hub service principal (securityhub.amazonaws.com).

Example:

aws organizations disable-aws-service-access --service-principal securityhub.amazonaws.com