Responding to an invitation to be a member account
You can accept or decline an invitation to be a member account.
After you accept an invitation, your account becomes an Amazon Security Hub member account. The
account that sent the invitation becomes your Security Hub administrator account. The
administrator account user can view findings for your member account in Security Hub.
If you decline the invitation, then your account is marked as
Resigned on the administrator account's list of member
accounts.
You can only accept one invitation to be a member account.
Before you can accept or decline an invitation, you must enable Security Hub.
Remember that all Security Hub accounts must have Amazon Config enabled and configured to record all
resources. For details on the requirement for Amazon Config, see Enabling and configuring Amazon Config.
Accept an invitation
Choose your preferred method, and follow the steps to accept an invitation to be a member account.
- Security Hub console
  To accept a membership invitation
  - Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.
  - In the navigation pane, choose Settings, and then choose Accounts.
  - In the Administrator account section, turn on Accept, and then choose Accept invitation.
- Security Hub API
  To accept a membership invitation
  Invoke the AcceptAdministratorInvitation API. You must provide the invitation identifier and the Amazon Web Services account ID of the administrator account. To retrieve details about the invitation, use the ListInvitations operation.
- Amazon CLI
  To accept a membership invitation
  Run the accept-administrator-invitation command. You must provide the invitation identifier and the Amazon Web Services account ID of the administrator account. To retrieve details about the invitation, run the list-invitations command.
  aws securityhub accept-administrator-invitation --administrator-id <administratorAccountID> --invitation-id <invitationID>
  Example
  aws securityhub accept-administrator-invitation --administrator-id 123456789012 --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb
The Security Hub console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation.
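A scripted form of the CLI steps above, added here as an example (it is not code from the Amazon Web Services documentation): it accepts an invitation only when list-invitations shows one from the administrator account you expect, because that account will be able to view your findings. The function names, the EXPECTED_ADMIN_ID variable, and the accept-invite.sh file name are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. EXPECTED_ADMIN_ID is a hypothetical variable name for this sketch.

# Print the ID of the invitation sent by the given administrator account.
# Returns 0 if found, 1 if no invitation from that account, 2 on bad input
# or if the lookup itself fails.
find_invitation_id() {
    expected_admin="$1"
    # AWS account IDs are exactly 12 digits; reject anything else up front.
    case "$expected_admin" in
        *[!0-9]*|"") echo "invalid account ID" >&2; return 2 ;;
    esac
    [ "${#expected_admin}" -eq 12 ] || { echo "invalid account ID" >&2; return 2; }

    # One line per invitation: <administrator AccountId> TAB <InvitationId>
    invitations=$(aws securityhub list-invitations \
        --query 'Invitations[].[AccountId,InvitationId]' --output text) || return 2

    # Compare as strings so account IDs with leading zeros are not mangled.
    match=$(printf '%s\n' "$invitations" |
        awk -v id="$expected_admin" '($1 "") == (id "") { print $2 }')
    [ -n "$match" ] || { echo "no invitation from $expected_admin" >&2; return 1; }
    printf '%s\n' "$match" | head -n 1
}

# Accept the invitation only when it comes from the expected administrator.
accept_expected_invitation() {
    invitation_id=$(find_invitation_id "$1") || return $?
    aws securityhub accept-administrator-invitation \
        --administrator-id "$1" --invitation-id "$invitation_id"
}

# Runs only when EXPECTED_ADMIN_ID is set, for example (hypothetical file name):
#   EXPECTED_ADMIN_ID=123456789012 sh accept-invite.sh
if [ -n "${EXPECTED_ADMIN_ID:-}" ]; then
    accept_expected_invitation "$EXPECTED_ADMIN_ID"
fi
```
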
Decline an invitation
You can decline an invitation to be a member account. When you decline an
invitation in the Security Hub console, your account is marked as Resigned on the
administrator account's list of member accounts.
When you decline an invitation, you must be signed in to the member account that received the invitation.
Choose your preferred method, and follow the steps to decline an invitation to be a member account.
- Security Hub console
  To decline a membership invitation
  - Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.
  - In the navigation pane, choose Settings, and then choose Accounts.
  - In the Administrator account section, choose Decline invitation.
- Security Hub API
  To decline a membership invitation
  Invoke the DeclineInvitations API. You must provide the Amazon Web Services account ID of the administrator account that issued the invitation. To view information about your invitations, use the ListInvitations operation.
- Amazon CLI
  To decline a membership invitation
  Run the decline-invitations command. You must provide the Amazon Web Services account ID of the administrator account that issued the invitation. To view information about your invitations, run the list-invitations command.
  aws securityhub decline-invitations --account-ids "<administratorAccountId>"
  Example
  aws securityhub decline-invitations --account-ids "123456789012"