

# Managing AWS Security Incident Response accounts with AWS Organizations
<a name="security-ir-organizations"></a>

AWS Security Incident Response is integrated with AWS Organizations. The AWS Organizations management account for the organization can designate an account as the delegated administrator for AWS Security Incident Response. This action enables AWS Security Incident Response as a trusted service in AWS Organizations. For information about how these permissions are granted, see [ Using AWS Organizations with other AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html).

The following sections will walk you through various tasks that you may perform as a delegated Security Incident Response administrator account.

**Topics**
+ [Considerations and recommendations for using AWS Security Incident Response with AWS Organizations](considerations_important.md)
+ [Enabling trusted access for AWS Account Management](using-orgs-trusted-access.md)
+ [Permissions required to designate a delegated Security Incident Response administrator account](organizations_permissions.md)
+ [Designating a delegated administrator for AWS Security Incident Response](delegated-admin-designate.md)
+ [Managing membership with organizational units (OUs) for AWS Security Incident Response](managing-membership-with-ou.md)
+ [Adding members to AWS Security Incident Response](add-member-accounts.md)
+ [Removing members from AWS Security Incident Response](remove-member-account.md)

# Considerations and recommendations for using AWS Security Incident Response with AWS Organizations
<a name="considerations_important"></a>

The following considerations and recommendations can help you understand how a delegated Security Incident Response administrator account operates in AWS Security Incident Response:

**Delegated administrator account for AWS Security Incident Response.**  
You can designate only one member account as the delegated Security Incident Response administrator account. For example, if you designate a member account *111122223333* in *Europe (Ireland)*, you can't designate another member account *555555555555* in *Canada (Central)*. You must use the same account as the delegated Security Incident Response administrator account in all other Regions.

**You set up your delegated Security Incident Response administrator account in a specific AWS Region.**  
You designate a delegated Security Incident Response administrator account in one AWS Region during the initial setup. Although the setup is regional, AWS Security Incident Response provides organization-wide coverage across all supported AWS Regions. Security findings from Amazon GuardDuty and AWS Security Hub CSPM are ingested from all supported AWS Regions, and cases are centrally managed in the Region where you activated your subscription. The delegated Security Incident Response administrator account and member accounts must be added through AWS Organizations.

**It's not recommended to set your organization's management account as the delegated Security Incident Response administrator account.**  
Your organization's management account can be the delegated Security Incident Response administrator account. However, AWS security best practices follow the principle of least privilege and don't recommend this configuration.

**Removing a delegated Security Incident Response administrator account from a live subscription cancels the subscription immediately.**  
If you remove a delegated Security Incident Response administrator account, AWS Security Incident Response removes all the member accounts associated with this delegated Security Incident Response administrator account. AWS Security Incident Response will no longer be enabled for all the member accounts.

# Enabling trusted access for AWS Account Management
<a name="using-orgs-trusted-access"></a>

Enabling trusted access for AWS Security Incident Response allows the delegated administrator of the management account to modify the information and metadata (for example, primary or alternate contact details) specific to each member account in AWS Organizations.

Use the following procedure to enable trusted access for AWS Security Incident Response in your organization.

**Minimum permissions**  
To perform these tasks, you must meet the following requirements:
+ You can perform this only from the organization's management account.
+ Your organization must have [all features enabled](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html).

------
#### [ Console ]

**To enable trusted access for AWS Security Incident Response**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations). You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

1. Choose **Services** in the navigation pane.

1. Choose **AWS Security Incident Response** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Security Incident Response** dialog box, type **enable** to confirm it, and then choose **Enable trusted access**.

------
#### [ API/CLI ]

**To enable trusted access for AWS Account Management**  
After running the following command, you can use credentials from the organization's management account to call Account Management API operations that use the `--accountId` parameter to reference member accounts in an organization.
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/organizations/latest/userguide/enable-aws-service-access.html)

  The following example enables trusted access for AWS Security Incident Response in the calling account's organization.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal security-ir.amazonaws.com
  ```

  This command produces no output if it's successful.

------

# Permissions required to designate a delegated Security Incident Response administrator account
<a name="organizations_permissions"></a>

You can choose to set up your AWS Security Incident Response membership using a delegated administrator for AWS Organizations. For information about how these permissions are granted, see [Using AWS Organizations with other AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html).

**Note**  
AWS Security Incident Response automatically enables the AWS Organizations trusted relationship when you use the console for setup and management. If you use the CLI or SDK, you have to enable it manually by calling the [EnableAWSServiceAccess API](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) to trust `security-ir.amazonaws.com`.

As the AWS Organizations manager, before you designate the delegated Security Incident Response administrator account for your organization, verify that you can perform the following AWS Security Incident Response actions: `security-ir:CreateMembership` and `security-ir:UpdateMembership`. These actions allow you to designate the delegated Security Incident Response administrator account for your organization by using AWS Security Incident Response. You must also ensure that you are allowed to perform the AWS Organizations actions that help you retrieve information about your organization.

To grant these permissions, include the following statement in an AWS Identity and Access Management (IAM) policy for your account:

```
{
    "Sid": "PermissionsForSIRAdmin",
    "Effect": "Allow",
    "Action": [
        "security-ir:CreateMembership",
        "security-ir:UpdateMembership",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts"
    ],
    "Resource": "*"
}
```

If you want to designate your AWS Organizations management account as the delegated Security Incident Response administrator account, your account will also need the IAM action: `CreateServiceLinkedRole`. Review [Considerations and recommendations for using AWS Security Incident Response with AWS Organizations](considerations_important.md) before you proceed to add the permissions. 

To continue with designating your AWS Organizations management account as the delegated Security Incident Response administrator account, add the following statement to the IAM policy and replace *111122223333* with the AWS account ID of your AWS Organizations management account:

```
{
    "Sid": "PermissionsToEnableSecurityIncidentResponse",
    "Effect": "Allow",
    "Action": [
        "iam:CreateServiceLinkedRole"
    ],
    "Resource": "arn:aws:iam::111122223333:role/aws-service-role/security-ir.amazonaws.com/AWSServiceRoleForSecurityIncidentResponse",
    "Condition": {
        "StringLike": {
            "iam:AWSServiceName": "security-ir.amazonaws.com"
        }
    }
}
```
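To check a policy before you attempt the designation, the following Python is an added example (not AWS tooling and not code from this guide): it reports which of the actions listed above no Allow statement covers, honouring IAM's `*` and `?` action wildcards, and confirms that a service-linked-role statement is scoped to the management account and to `security-ir.amazonaws.com` the way the statement above is. The sample policy it runs on is constructed and deliberately leaves `organizations:RegisterDelegatedAdministrator` uncovered to show that `List*` and `Describe*` wildcards are not enough.

```python
import fnmatch
# Actions this page lists as required to designate the delegated administrator.
REQUIRED_ACTIONS = [
    "security-ir:CreateMembership", "security-ir:UpdateMembership",
    "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator",
    "organizations:ListDelegatedAdministrators", "organizations:ListAWSServiceAccessForOrganization",
    "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount",
    "organizations:DescribeOrganization", "organizations:ListAccounts",
]
SLR_SERVICE = "security-ir.amazonaws.com"
# Constructed sample policy: wildcards cover most of the list, plus the
# service-linked-role statement from this page; Register* is left uncovered.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["security-ir:*", "organizations:Describe*",
                "organizations:List*", "organizations:EnableAWSServiceAccess"]},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"],
     "Resource": "arn:aws:iam::111122223333:role/aws-service-role/"
                 "security-ir.amazonaws.com/AWSServiceRoleForSecurityIncidentResponse",
     "Condition": {"StringLike": {"iam:AWSServiceName": SLR_SERVICE}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that no Allow pattern matches. IAM action matching is
    case-insensitive and uses * and ?, which fnmatch implements as well."""
    patterns = [p.lower() for s in _allow_statements(policy)
                for p in _as_list(s.get("Action", []))]
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

def slr_statement_ok(policy, management_account_id):
    """True if an Allow statement grants iam:CreateServiceLinkedRole on the
    Security Incident Response service-linked role in that account, scoped by
    the iam:AWSServiceName condition, as the statement on this page does."""
    role_arn = (f"arn:aws:iam::{management_account_id}:role/aws-service-role/"
                f"{SLR_SERVICE}/AWSServiceRoleForSecurityIncidentResponse")
    for s in _allow_statements(policy):
        cond = s.get("Condition", {}).get("StringLike", {})
        acts = [a.lower() for a in _as_list(s.get("Action", []))]
        if (any(fnmatch.fnmatchcase("iam:createservicelinkedrole", a) for a in acts)
                and any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(s.get("Resource", [])))
                and cond.get("iam:AWSServiceName") == SLR_SERVICE):
            return True
    return False
```

This is a static check of the policy document only; it does not evaluate SCPs, permission boundaries or Deny statements, so a clean result is a prerequisite, not proof of effective access.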

# Designating a delegated administrator for AWS Security Incident Response
<a name="delegated-admin-designate"></a>

This section provides steps to designate a delegated administrator in the AWS Security Incident Response organization. 

As a manager of the AWS organization, make sure that you read through the [Considerations and recommendations](considerations_important.md) on how a delegated Security Incident Response administrator account operates. Before proceeding, ensure that you have [Permissions required to designate a delegated Security Incident Response administrator account](organizations_permissions.md).

Choose a preferred access method to designate a delegated Security Incident Response administrator account for your organization. Only the management account can perform this step.

------
#### [ Console ]

1. Open the Security Incident Response console at https://console.aws.amazon.com/security-ir/

   To sign in, use the management credentials for your AWS Organizations organization.

1. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you want to designate the delegated Security Incident Response administrator account for your organization.

1. Follow the setup wizard to create your membership, including the delegated administrator account.

------
#### [ API/CLI ]
+ Run CreateMembership using the credentials of the organization's management account.
  + Alternatively, you can use the AWS Command Line Interface (AWS CLI) to do this. The following AWS CLI command designates a delegated Security Incident Response administrator account. The following are the string options available for configuring your membership:

    ```
    {
      "customerAccountId": "stringstring",
      "membershipName": "stringstring",
      "customerType": "Standalone",
      "organizationMetadata": {
        "organizationId": "string",
        "managementAccountId": "stringstring",
        "delegatedAdministrators": [
          "stringstring"
        ]
      },
      "membershipAccountsConfigurations": {
        "autoEnableAllAccounts": true,
        "organizationalUnits": [
          "string"
        ]
      },
      "incidentResponseTeam": [
        {
          "name": "string",
          "jobTitle": "stringstring",
          "email": "stringstring"
        }
      ],
      "internalIdentifier": "string",
      "membershipId": "stringstring",
      "optInFeatures": [
        {
          "featureName": "RuleForwarding",
          "isEnabled": true
        }
      ]
    }
    ```

  If AWS Security Incident Response is not enabled for your delegated Security Incident Response administrator account, that account won't be able to take any action. If you haven't already done so, make sure to enable AWS Security Incident Response for the newly designated delegated Security Incident Response administrator account.

------

# Managing membership with organizational units (OUs) for AWS Security Incident Response
<a name="managing-membership-with-ou"></a>

 AWS Security Incident Response supports membership coverage for individual organizational units (OUs). You can update your membership to cover specific OUs at any time. All accounts within the selected OUs, including accounts under child OUs, will be covered by your membership. 

 When updating your membership association, updates can be applied for up to 5 OUs at a time. If you wish to make changes to more than 5 OUs, complete association changes in batches of 5 OUs until all updates are completed. 

------
#### [ Console ]

1. Open the Security Incident Response console at https://console.aws.amazon.com/security-ir/

   To sign in, use the management credentials for your AWS Organizations organization.

1. Navigate to **Manage membership** > **Accounts**.

1. Click **Update association**.

1. Select **Choose organizational units (OUs)**.

1. Select **Add OUs** or **Remove OUs**.

1. Select up to 5 OUs you wish to update. You cannot add and remove OUs at the same time.
   **Note**  
   All accounts and child OUs under a selected OU will be associated.

1. Click **Update association**.
   **Note**  
   If you wish to make changes to more than 5 OUs, repeat steps 5 and 6 until all OUs have been associated.

------

To learn more about making OU changes within your AWS organization, please see [Managing organizational units (OUs) with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html).

# Adding members to AWS Security Incident Response
<a name="add-member-accounts"></a>

There is a one-to-one relationship between AWS Organizations and your AWS Security Incident Response membership. As accounts are added to (or removed from) your organization or organizational units (OUs), these changes are reflected in the accounts covered by your AWS Security Incident Response membership.

To add an account to your membership, follow one of the options for [ Managing accounts in an organization with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html).

You may also add additional OUs to your membership at any time — see [Managing membership with organizational units (OUs)](https://docs.aws.amazon.com/security-ir/latest/userguide/managing-membership-with-ou.html).

# Removing members from AWS Security Incident Response
<a name="remove-member-account"></a>

To remove an account from your membership, you can remove a member account from your organization, move accounts out of your selected OUs, or remove OUs from your membership. 

To remove an account from your membership, follow the procedures for [ removing a member account from an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html).

To move accounts out of your OUs, follow the procedures for [ Moving accounts to an organizational unit (OU) or between the root and OUs with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/move_account_to_ou.html).

To remove OUs from your membership, follow the procedures for [Managing membership with organizational units (OUs)](https://docs.aws.amazon.com/security-ir/latest/userguide/managing-membership-with-ou.html).
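The following Python is an added example, not part of this guide or of AWS Security Incident Response. On a constructed organization tree with placeholder ids, it shows which accounts a membership on selected OUs covers (including accounts under child OUs, as the OU membership section states), what moving an account out of a covered OU does to that coverage (the removal mechanism described above), and how to split an OU change into the add-only or remove-only updates of at most 5 OUs that the console procedure requires.

```python
# Constructed sample organization: OU id -> (child OU ids, member account ids).
# These ids are placeholders, not real AWS identifiers.
ORG_TREE = {
    "r-root": (["ou-prod", "ou-dev", "ou-sandbox"], ["111122223333"]),
    "ou-prod": (["ou-prod-eu", "ou-prod-us"], []),
    "ou-prod-eu": ([], ["222222222222", "333333333333"]),
    "ou-prod-us": ([], ["444444444444"]),
    "ou-dev": ([], ["555555555555"]),
    "ou-sandbox": ([], ["666666666666"]),
}
MAX_OUS_PER_UPDATE = 5  # per-update limit stated on this page

def covered_accounts(tree, selected_ous):
    """Accounts a membership on selected_ous covers: every account in those
    OUs and, recursively, in their child OUs."""
    covered, stack = set(), list(selected_ous)
    while stack:
        children, accounts = tree[stack.pop()]
        covered.update(accounts)
        stack.extend(children)
    return sorted(covered)

def move_account(tree, account_id, src_ou, dst_ou):
    """Copy of tree with account_id moved between OUs (what an Organizations
    move does); re-run covered_accounts to see the membership effect."""
    new = {ou: (list(c), list(a)) for ou, (c, a) in tree.items()}
    new[src_ou][1].remove(account_id)
    new[dst_ou][1].append(account_id)
    return new

def plan_ou_updates(current_ous, desired_ous, batch_size=MAX_OUS_PER_UPDATE):
    """Turn the OU set you want into console 'Update association' steps: each
    step either adds or removes (never both) at most batch_size OUs."""
    to_add = sorted(set(desired_ous) - set(current_ous))
    to_remove = sorted(set(current_ous) - set(desired_ous))
    steps = []
    for action, ous in (("Add OUs", to_add), ("Remove OUs", to_remove)):
        for i in range(0, len(ous), batch_size):
            steps.append((action, ous[i:i + batch_size]))
    return steps

if __name__ == "__main__":
    print(covered_accounts(ORG_TREE, ["ou-prod"]))
    print(plan_ou_updates(["ou-dev"], ["ou-prod", "ou-sandbox"]))
```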