Managing accounts with Amazon Organizations - Amazon Security Hub

Managing accounts with Amazon Organizations

You can integrate Amazon Security Hub with Amazon Organizations, and then manage Security Hub for accounts in your organization.

To integrate Security Hub with Amazon Organizations, you create an organization in Amazon Organizations. The Organizations management account designates one account as the Security Hub delegated administrator for the organization. The delegated administrator can then enable Security Hub for other accounts in the organization, add those accounts as Security Hub member accounts, and take allowed actions on the member accounts. The Security Hub delegated administrator can enable and manage Security Hub for up to 10,000 member accounts.

The extent of the delegated administrator's configuration abilities depends on whether you use central configuration. With central configuration enabled, you don't need to configure Security Hub separately in each member account and Amazon Web Services Region. The delegated administrator can enforce specific Security Hub settings in specified member accounts and organizational units (OUs) across Regions.

The Security Hub delegated administrator account can perform the following actions on member accounts:

  • If using central configuration, centrally configure Security Hub for member accounts and OUs by creating Security Hub configuration policies. Configuration policies can be used to enable and disable Security Hub, enable and disable standards, and enable and disable controls.

  • Automatically treat new accounts as Security Hub member accounts when they join the organization. If you use central configuration, a configuration policy that is associated with an OU includes existing and new accounts that are part of the OU.

  • Treat existing organization accounts as Security Hub member accounts. This happens automatically if you use central configuration.

  • Disassociate member accounts that belong to the organization. If you use central configuration, you can disassociate a member account only after designating it as self-managed. Alternatively, you can associate a configuration policy that disables Security Hub with specific centrally managed member accounts.

For a full list of actions that the delegated administrator can perform on member accounts, see Allowed actions for accounts.

The topics in this section explain how to integrate Security Hub with Amazon Organizations and how to manage Security Hub for accounts in an organization. Where relevant, each section identifies management benefits and differences for users of central configuration.
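
One way to verify the membership behavior described above, as an added example that is not code from the Security Hub documentation: a Python check, intended to run with delegated administrator credentials, that lists active organization accounts that are not enabled Security Hub members and reports the organization configuration, including whether the member account limit has been reached. The function names, the `admin_account_id` parameter, and `FakeClient` with its account IDs are assumptions constructed for illustration; the method and field names follow the boto3 `organizations` and `securityhub` clients.

```python
# Added example. Clients are injected so the check runs offline against stubs;
# with boto3 they would be boto3.client("organizations") and
# boto3.client("securityhub") using delegated administrator credentials.

def paged(call, key, **kwargs):
    """Yield every item of a NextToken-paginated list call."""
    while True:
        page = call(**kwargs)
        yield from page.get(key, [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def audit_coverage(org, hub, admin_account_id):
    """Report organization accounts that are not enabled Security Hub members."""
    active = {a["Id"] for a in paged(org.list_accounts, "Accounts")
              if a.get("Status") == "ACTIVE"}
    enabled = {m["AccountId"]
               for m in paged(hub.list_members, "Members", OnlyAssociated=True)
               if m.get("MemberStatus") == "Enabled"}
    cfg = hub.describe_organization_configuration()
    config_type = cfg.get("OrganizationConfiguration", {}).get("ConfigurationType")
    return {
        "central_configuration": config_type == "CENTRAL",
        "auto_enable_new_accounts": bool(cfg.get("AutoEnable")),
        "member_limit_reached": bool(cfg.get("MemberAccountLimitReached")),
        # The administrator account is never listed as its own member.
        "uncovered_accounts": sorted(active - enabled - {admin_account_id}),
    }

class FakeClient:
    """Constructed responses standing in for both AWS clients."""
    def list_accounts(self, NextToken=None):
        if NextToken is None:
            return {"Accounts": [{"Id": "111111111111", "Status": "ACTIVE"},
                                 {"Id": "222222222222", "Status": "ACTIVE"}],
                    "NextToken": "page-2"}
        return {"Accounts": [{"Id": "333333333333", "Status": "ACTIVE"},
                             {"Id": "444444444444", "Status": "SUSPENDED"}]}

    def list_members(self, OnlyAssociated=True, NextToken=None):
        return {"Members": [{"AccountId": "222222222222", "MemberStatus": "Enabled"}]}

    def describe_organization_configuration(self):
        return {"AutoEnable": False, "MemberAccountLimitReached": False,
                "OrganizationConfiguration": {"ConfigurationType": "LOCAL"}}

if __name__ == "__main__":
    print(audit_coverage(FakeClient(), FakeClient(), "111111111111"))
```

A non-empty `uncovered_accounts` list identifies active accounts whose findings are not reaching the delegated administrator, which is the gap to close before relying on organization-wide results.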