Designating a delegated administrator in Security Hub - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Designating a delegated administrator in Security Hub

In the Amazon organization management account, you can designate a delegated administrator for your organization. As a best practice, we recommend using the same delegated administrator across security services for consistent governance.

The procedure in this topic describes how to designate a delegated administrator in Security Hub. It assumes you previously enabled Security Hub but did not designate a delegated administrator during the enablement workflow.

Considerations

Consider the following when designating a delegated administrator in Security Hub:

  • The Amazon organization management account can designate itself as the delegated administrator in Security Hub CSPM. The Amazon organization management account cannot designate itself as the delegated administrator in Security Hub. In this scenario, the Amazon organization management account must designate another Amazon Web Services account as the delegated administrator in Security Hub. As a best practice, we recommend using the same delegated administrator across security services for consistent governance.

  • If the Amazon organization management account designates a delegated administrator in Security Hub CSPM, that delegated administrator automatically becomes the delegated administrator in Security Hub. In this scenario, Security Hub only allows this particular Amazon Web Services account to serve as the delegated administrator.

Note

If the Amazon organization management account uses the same delegated administrator in Security Hub as it does in Security Hub CSPM, removing it through the Security Hub CSPM console or with the Amazon Organizations API also removes it in Security Hub. Similarly, removing it through the Security Hub console or with the Amazon Organizations API also removes it in Security Hub CSPM. When the delegated administrator is removed from Security Hub CSPM, Central Configuration will automatically opt out.

Designating a delegated administrator after enabling Security Hub

This procedure is for the Amazon organization management account to complete. It assumes the Amazon organization management account previously enabled Security Hub but did not designate a delegated administrator during the enablement workflow.

Note

After you complete this procedure, you must create a policy allowing the delegated administrator for your organization to configure Security Hub and perform specific actions in Amazon Organizations. For more information, see Creating the delegated administrator policy in Security Hub.

To designate a delegated administrator in Security Hub
  1. Sign in to your Amazon account with your organization management account credentials, and open the Security Hub console at https://console.aws.amazon.com/securityhub/v2/home.

  2. From the navigation pane, choose General.

  3. In Delegated administrator, choose Configure. Select one of the provided Amazon Web Services accounts, or enter the 12-digit Amazon Web Services account number for the Amazon Web Services account that you want to designate as the delegated administrator for your organization. Choose Save.
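The console procedure above gives no way to check a candidate account against the Considerations before saving, or to confirm afterwards that the designation took effect. The following Python helper is an added example written for this page, not code from the AWS documentation or the Security Hub team. It encodes the page's rules (the management account may not be its own Security Hub delegated administrator; when a Security Hub CSPM delegated administrator exists, Security Hub accepts only that account) plus the 12-digit account-number format the console asks for, and it reads a listing in the JSON shape printed by `aws organizations list-delegated-administrators`. The account IDs, names and ARN in `SAMPLE_LISTING` are constructed placeholders, and the service principal to pass to that CLI call is left to the operator because this page does not name it.

```python
"""Pre-flight and post-check helpers for a Security Hub delegated administrator.

Added example, not part of the AWS documentation page. The rules come from the
Considerations section of the page; the listing shape is that of
`aws organizations list-delegated-administrators --service-principal <principal>`.
"""
import re
from typing import Dict, List, Optional, Set

# AWS account numbers are exactly 12 decimal digits; leading zeros are significant.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def is_valid_account_id(account_id: str) -> bool:
    """True when the string is a well-formed 12-digit account number."""
    return ACCOUNT_ID_RE.fullmatch(account_id) is not None


def check_delegated_admin_choice(candidate: str, management_account: str,
                                 cspm_delegated_admin: Optional[str] = None) -> List[str]:
    """Return the problems with designating `candidate` as the Security Hub
    delegated administrator; an empty list means the choice is allowed.

    Rules taken from the page:
      * the organization management account cannot designate itself in
        Security Hub (it can in Security Hub CSPM, so that case is not checked here);
      * if a CSPM delegated administrator already exists, Security Hub only
        accepts that same account.
    """
    problems: List[str] = []
    for label, value in (("candidate", candidate), ("management account", management_account)):
        if not is_valid_account_id(value):
            problems.append(f"{label} {value!r} is not a 12-digit account ID")
    if cspm_delegated_admin is not None and not is_valid_account_id(cspm_delegated_admin):
        problems.append(f"CSPM delegated administrator {cspm_delegated_admin!r} is not a 12-digit account ID")
    if problems:
        return problems  # malformed IDs make the remaining comparisons meaningless
    if candidate == management_account:
        problems.append("the organization management account cannot be the Security Hub "
                        "delegated administrator; choose another member account")
    if cspm_delegated_admin is not None and candidate != cspm_delegated_admin:
        problems.append(f"Security Hub CSPM already delegates to {cspm_delegated_admin}; "
                        "Security Hub only accepts that same account")
    return problems


def registered_delegated_admins(listing: Dict) -> Set[str]:
    """Account IDs from the JSON that `aws organizations list-delegated-administrators` prints."""
    return {entry["Id"] for entry in listing.get("DelegatedAdministrators", [])}


def verify_designation(listing: Dict, expected: str) -> bool:
    """True when `expected` appears among the registered delegated administrators."""
    return expected in registered_delegated_admins(listing)


# Constructed sample listing (placeholder IDs, names and dates), in the CLI's output shape.
SAMPLE_LISTING = {
    "DelegatedAdministrators": [
        {
            "Id": "222222222222",
            "Arn": "arn:aws:organizations::111111111111:account/o-example/222222222222",
            "Email": "security-tooling@example.com",
            "Name": "security-tooling",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": "2024-01-01T00:00:00Z",
            "DelegationEnabledDate": "2024-01-02T00:00:00Z",
        }
    ]
}

if __name__ == "__main__":
    management = "111111111111"  # placeholder management account
    for candidate in ("222222222222", management, "333333333333", "12345"):
        result = check_delegated_admin_choice(candidate, management, cspm_delegated_admin="222222222222")
        print(candidate, "->", result or "allowed")
    print("designation verified:", verify_designation(SAMPLE_LISTING, "222222222222"))
```

Run the pre-flight check with the real management account ID and, if one exists, the CSPM delegated administrator before step 3; after saving, feed the CLI listing into `verify_designation` to confirm the account the console reports is the one you intended.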