Enable Security Hub in an AWS Organization

By: Morten Jensen, Feb 21 2021

Background

In November 2020 AWS announced that Security Hub now integrates with AWS Organizations.

Unlike many other AWS service integrations with Organizations, Security Hub cannot be enabled from the Organizations console in the management (formerly "master") account.

Instead, the integration has to be activated from Security Hub itself. If Security Hub is already in use, the option to integrate may not appear in the Security Hub console at all.

Activation must then be done from the command line with aws securityhub update-organization-configuration --auto-enable, run from the account that administers Security Hub for the organization. In this post that is the Organizations management account itself; AWS also lets you delegate a separate administrator account, and recommends that over using the management account. Note that this setting is per region, so it must be repeated in every region where Security Hub is enabled.

The command fails if the account running it (the management account or any other account) has not yet been designated as the Security Hub administrator for the organization: An error occurred (InvalidAccessException) when calling the UpdateOrganizationConfiguration operation: Account 123456789012 is not an administrator for this organization.

In that case, designate the administrator from the Organizations management account with aws securityhub enable-organization-admin-account --admin-account-id 123456789012, where 123456789012 is the id of the account that will administer Security Hub.

Once that command has completed successfully, re-run aws securityhub update-organization-configuration --auto-enable, which should now succeed.

Even after the integration is active, some organization accounts may still not be listed correctly as members, because auto-enable only applies to accounts that join the organization after it is switched on. For instance, invitations sent before the integration was enabled may never have been accepted, so their status remains “Invited (X months ago)”. Likewise, accounts that already existed as non-members before activation are listed as “Not a member”.

These accounts can be enrolled from the command line as well with aws securityhub create-members --account-details AccountId=123456789012,Email=account@email.com, where AccountId is the id of the account to enroll and Email is its root email address. Because the accounts belong to the organization, no invitation is sent and nothing has to be accepted on the member side: the account is added (and Security Hub enabled in it, if it was not already) as soon as the administrator account runs the command. As with the organization configuration itself, this is per region.
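The whole procedure, from designating the administrator to enrolling the stragglers, as an added shell example that is not part of the original post. It assumes the AWS CLI v2 is configured with credentials for the Organizations management account, which (as in the post) is also made the Security Hub administrator; the function names, the eu-west-1 default region and the AWS_CMD hook (which lets a wrapper or a stub stand in for the real aws binary) are this example's own choices. Account ids and emails come from whatever your organization returns.

```shell
#!/usr/bin/env sh
# Added example (not the post's own code): drive the Security Hub /
# Organizations enablement procedure with the AWS CLI.
set -eu

AWS_CMD="${AWS_CMD:-aws}"              # hook: point at a wrapper or stub if needed
REGION="${AWS_REGION:-eu-west-1}"      # assumption: Security Hub settings are per region

# Steps 1 and 2: turn on auto-enable. If the caller is not yet the Security Hub
# administrator (InvalidAccessException), designate ADMIN_ACCOUNT and retry once.
# Any other error is printed and returned as a failure.
sh_enable_auto_enable() {
  admin_account="$1"
  if err=$("$AWS_CMD" securityhub update-organization-configuration \
             --auto-enable --region "$REGION" 2>&1 >/dev/null); then
    echo "auto-enable active"
    return 0
  fi
  case "$err" in
    *InvalidAccessException*)
      echo "designating $admin_account as Security Hub administrator"
      "$AWS_CMD" securityhub enable-organization-admin-account \
          --admin-account-id "$admin_account" --region "$REGION" >/dev/null
      "$AWS_CMD" securityhub update-organization-configuration \
          --auto-enable --region "$REGION" >/dev/null
      echo "auto-enable active after designating administrator"
      return 0 ;;
  esac
  printf '%s\n' "$err" >&2
  return 1
}

# Step 3: print "<id><TAB><email>" for every ACTIVE organization account that
# Security Hub does not report as an Enabled member (still "Invited", or never a
# member). The administrator account itself is skipped: it is not its own member.
sh_missing_members() {
  admin_account="$1"
  enabled=$("$AWS_CMD" securityhub list-members --no-only-associated --region "$REGION" \
      --query 'Members[?MemberStatus==`Enabled`].AccountId' --output text | tr '\t' '\n')
  "$AWS_CMD" organizations list-accounts \
      --query 'Accounts[?Status==`ACTIVE`].[Id,Email]' --output text |
  while read -r id email; do
    [ "$id" = "$admin_account" ] && continue
    if printf '%s\n' "$enabled" | grep -qxF "$id"; then
      continue                          # already an Enabled member
    fi
    printf '%s\t%s\n' "$id" "$email"
  done
}

# Step 4: enroll each missing account. For accounts inside the organization the
# administrator's create-members call needs no invitation round-trip.
sh_enroll_missing() {
  sh_missing_members "$1" | while read -r id email; do
    echo "enrolling $id ($email)"
    "$AWS_CMD" securityhub create-members --region "$REGION" \
        --account-details "AccountId=$id,Email=$email" >/dev/null
  done
}

# Entry point:  sh securityhub-org.sh run 123456789012   (Security Hub admin account id)
if [ "${1:-}" = "run" ]; then
  sh_enable_auto_enable "$2"
  sh_enroll_missing "$2"
fi
```

Run it once per region (set AWS_REGION accordingly); the first run designates the administrator and enables auto-enable, later runs only pick up accounts that are still not Enabled members.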