Cannot add AWS Management Account as member of Security Hub
New to SecurityHub. Using AWS Organizations (not Control Tower) and made a new 'security-tooling' account as recommended in best practices to act as Master account for SecurityHub. I then delegated SecurityHub in all other accounts (3 accounts plus the management account) to this master account. SecurityHub Settings shows 3 Members (the non-management accounts), but the AWS Organizations Management account is listed as 'No Member' and cannot be added as a Member either. Red error message when I try using Actions: Adding 1 Member Failed.
Why is the management account not added as a member automatically and why can't I add it? The management account has the exact same delegation to the security-tooling account as the other non-management accounts.
You should create a Security account and then from the organization main account enable Security Hub on that account, and then delegate the security account as the Admin. Then if you leverage organization that will automatically enroll the main account and allow you to leverage AWS organizations integration features as well with Security Hub. If you just setup a security account, and enabled Security Hub there, that's likely why you're seeing this.
I guess I didn't realize that if I delegate and specify the account ID of the Security Account, that I also had to enable SecurityHub on the organization main account. I thought it was either/or: either enable SecurityHub here OR delegate it, but apparently it's both. I enabled it now on the main account and now I can add it as a Member in the Security Account. On the main account it also shows the Security Hub dashboard, but when looking at Settings->Accounts, it says this account is managed by 'the Security account'. So that seems fine then, thanks!
Cannot add AWS Management Account as member of Security HubAccepted Answerasked 4 months ago
Which AWS Account or Organization Unit should be Account Management delegated adminasked a month ago
Enabling AWS Configuration on Control Tower Main Accountasked 6 months ago
IAM as code - centralize the management of IAM roles and policies in a multi-account organizationAccepted Answerasked 2 years ago
Control Tower - Unable to add new account to the Security OU?Accepted Answerasked 4 months ago
Member account root user best practicesasked 5 months ago
Best practices to deploy GuardDuty, Macie, Sec Hub and Config in a Multi-account environment?asked 8 months ago
Issue building Control tower landing zone on a new account - AWS Control Tower setup failed. Be sure your account is subscribed to the AWS EC2 service, then try againAccepted Answerasked 5 months ago
Error about AWS Config in Master Account after setting up Control Tower and SecurityHubasked 6 months ago
Security Hub Master Invites Not Receivedasked 2 years ago