By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Cannot add AWS Management Account as member of Security Hub

0

Hi,

New to SecurityHub. Using AWS Organizations (not Control Tower) and made a new 'security-tooling' account as recommended in best practices to act as Master account for SecurityHub. I then delegated SecurityHub in all other accounts (3 accounts plus the management account) to this master account. SecurityHub Settings shows 3 Members (the non-management accounts), but the AWS Organizations Management account is listed as 'No Member' and cannot be added as a Member either. Red error message when I try using Actions: Adding 1 Member Failed.

Why is the management account not added as a member automatically and why can't I add it? The management account has the exact same delegation to the security-tooling account as the other non-management accounts.

Thanks.

Topics
Security, Identity, & ComplianceManagement & GovernanceAWS Well-Architected Framework
Tags
Security, Identity, & ComplianceAWS Security HubAWS Control TowerAWS OrganizationsSecurity
Language
English
AWS-User-8416516
asked 2 years ago1361 views
1 Answer
1
Accepted Answer

You should create a Security account and then from the organization main account enable Security Hub on that account, and then delegate the security account as the Admin. Then if you leverage organization that will automatically enroll the main account and allow you to leverage AWS organizations integration features as well with Security Hub. If you just setup a security account, and enabled Security Hub there, that's likely why you're seeing this.

profile pictureAWS
EXPERT
Rob_H
answered 2 years ago
  • AWS-User-8416516
    2 years ago

    I guess I didn't realize that if I delegate and specify the account ID of the Security Account, that I also had to enable SecurityHub on the organization main account. I thought it was either/or: either enable SecurityHub here OR delegate it, but apparently it's both. I enabled it now on the main account and now I can add it as a Member in the Security Account. On the main account it also shows the Security Hub dashboard, but when looking at Settings->Accounts, it says this account is managed by 'the Security account'. So that seems fine then, thanks!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content