Disassociating from a Security Hub CSPM administrator account
Note
We recommend using AWS Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM for multiple accounts with AWS Organizations.
If your account was added as an AWS Security Hub CSPM member account by invitation, you can disassociate the member account from the administrator account. After you disassociate a member account, Security Hub CSPM doesn't send findings from the account to the administrator account.
Member accounts that are managed using the integration with AWS Organizations can't disassociate their accounts from the administrator account. Only the Security Hub CSPM delegated administrator can disassociate member accounts that are managed with Organizations.
When you disassociate from your administrator account, your account remains in the administrator account's member list with a status of Resigned. However, the administrator account does not receive any findings for your account.
After you disassociate yourself from the administrator account, the invitation to be a member still remains. You can accept the invitation again in the future.
Note
The Security Hub CSPM console continues to use DisassociateFromMasterAccount.
It will eventually change to use
DisassociateFromAdministratorAccount. Any IAM policies that
specifically control access to this function must continue to use
DisassociateFromMasterAccount. You should also add
DisassociateFromAdministratorAccount to your policies to ensure
that the correct permissions are in place after the console begins to use
DisassociateFromAdministratorAccount.
