Cannot add AWS Management Account as member of Security Hub
Hi,
New to SecurityHub. Using AWS Organizations (not Control Tower) and made a new 'security-tooling' account as recommended in best practices to act as Master account for SecurityHub. I then delegated SecurityHub in all other accounts (3 accounts plus the management account) to this master account. SecurityHub Settings shows 3 Members (the non-management accounts), but the AWS Organizations Management account is listed as 'No Member' and cannot be added as a Member either. Red error message when I try using Actions: Adding 1 Member Failed.
Why is the management account not added as a member automatically and why can't I add it? The management account has the exact same delegation to the security-tooling account as the other non-management accounts.
Thanks.
You should create a Security account and then, from the organization main account, enable Security Hub on that account and delegate the security account as the Admin. Then, if you leverage Organizations, that will automatically enroll the main account and allow you to leverage the AWS Organizations integration features with Security Hub as well. If you just set up a security account and enabled Security Hub there, that's likely why you're seeing this.
I guess I didn't realize that if I delegate and specify the account ID of the Security Account, that I also had to enable SecurityHub on the organization main account. I thought it was either/or: either enable SecurityHub here OR delegate it, but apparently it's both. I enabled it now on the main account and now I can add it as a Member in the Security Account. On the main account it also shows the Security Hub dashboard, but when looking at Settings->Accounts, it says this account is managed by 'the Security account'. So that seems fine then, thanks!
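The sequence the answer and the follow-up describe (enable Security Hub in the management account, delegate administration from there, then auto-enrol members from the delegated admin), written up as an added AWS CLI script that is not part of the original thread. The profile names `org-management` and `security-tooling` are assumptions; the script refuses to delegate the management account to itself, which is the case the question ran into.

```shell
#!/bin/sh
# Added example, not from the original post. Delegates Security Hub administration
# from the Organizations management account to a security-tooling account and then
# turns on auto-enrolment from that delegated admin. MGMT_PROFILE and SEC_PROFILE
# are assumed AWS CLI profile names; override them in the environment.
set -eu
MGMT_PROFILE="${MGMT_PROFILE:-org-management}"    # assumed: management account profile
SEC_PROFILE="${SEC_PROFILE:-security-tooling}"    # assumed: delegated admin profile
account_id() {  # $1 = profile; prints the 12-digit account ID
  aws sts get-caller-identity --profile "$1" --query Account --output text
}
hub_enabled() {  # succeeds only if Security Hub is already enabled behind profile $1
  aws securityhub describe-hub --profile "$1" >/dev/null 2>&1
}
# Step 1 (management account): Security Hub must be enabled here as well, or the
# management account can never be added as a member by the delegated admin.
enable_hub_in_management() {
  if hub_enabled "$MGMT_PROFILE"; then
    echo "Security Hub already enabled in the management account"
  else
    aws securityhub enable-security-hub --profile "$MGMT_PROFILE" --enable-default-standards
  fi
}
# Step 2 (management account): delegate administration to the security account.
# Only the management account may call this, and it cannot delegate to itself.
delegate_admin() {
  sec_id="$(account_id "$SEC_PROFILE")"
  mgmt_id="$(account_id "$MGMT_PROFILE")"
  if [ "$sec_id" = "$mgmt_id" ]; then
    echo "refusing: the management account cannot be its own delegated admin" >&2
    return 1
  fi
  aws securityhub enable-organization-admin-account --profile "$MGMT_PROFILE" \
    --admin-account-id "$sec_id"
}
# Step 3 (delegated admin): auto-enable every current and future organization
# account as a member, then list member status so the management account is visible.
auto_enable_members() {
  aws securityhub update-organization-configuration --profile "$SEC_PROFILE" --auto-enable
  aws securityhub list-members --profile "$SEC_PROFILE" --no-only-associated \
    --query 'Members[].[AccountId,MemberStatus]' --output text
}
# Run all three steps only when invoked as:  sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
  enable_hub_in_management && delegate_admin && auto_enable_members
fi
```

Both profiles need credentials in the respective accounts; the list at the end should show the management account with the same member status as the other accounts once step 1 has been done.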