Unable to add management account into security hub in audit account

Question

We have set up AWS Organization, Control Tower, and IAm Identity Center. We have 3 OUs which are Security, Prod, and NonProd, keep in mind the Management Account is not under any OU (its in the root). From the management account, we delegated the Audit Account as the securityhub administrator. We were able to automatically enroll every account in the Organization **except ** for the management account. Why is that? Is this an expected behavior?

We also found out that Config and SecurityHub are enabled on every account **except ** the management account, is this also an expected behavior? If so, why?

Answer

Yes, the behavior of the management account not being automatically enrolled or having *Config* and *Security Hub* enabled by default is expected behavior. The management account in an *AWS Organization* has a special status as the root account and is not part of any *Organizational Unit (OU)*. The automatic enrollment and service enablement processes are designed to target accounts within *OUs*, but they typically do not apply to the management account itself due to its distinct role and configuration.

> This is an intentional design decision by *AWS* to maintain separation and control over the management account, which serves as the central administrative account for the entire *AWS Organization*. The management account is treated differently from other accounts to prevent unintended changes or configurations from being applied automatically.

Unable to add management account into security hub in audit account

Relevanter Inhalt