When enabling Security Hub Advanced for the organization from a delegated administrator account, do you need to enable the Security Hub policy?
Issue I was facing
When enabling Security Hub Advanced for an organization from a delegated administrator account, is it necessary to first enable the Security Hub policy in Organizations from the organization management account?
How to address this?
It is not necessary to enable the Security Hub policy in the organization management account beforehand.
Even with the Security Hub policy disabled, it is possible to enable Security Hub Advanced for the organization by creating a Security Hub policy as the delegated administrator account.
Once a Security Hub policy is created in the delegated administrator account, the Security Hub policy type shown in the Organizations console automatically switches to the enabled status.
What I tried
As a prerequisite, the Security Hub Advanced delegated administrator account has been registered from the organization management account, and a delegation policy has been created in Organizations. Without that delegation policy, creating a Security Hub policy from the delegated administrator account fails with a permission error.
Before creating the Security Hub policy, the Security Hub policy item that can be viewed from the Organizations policy screen in the organization management account is in a disabled state.
Create a Security Hub policy from the "Settings" page of Security Hub Advanced in the delegated administrator account. Specify the regions in which to enable Security Hub and the account scope within the organization to which the policy applies, then create the policy.
When I checked the Organizations policy screen in the organization management account again, I confirmed that the Security Hub policy type had been enabled automatically.
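The same before/after check, done from the management account with the AWS CLI instead of the console, as an added example that is not part of the original post. It assumes AWS CLI v2 with credentials for the organization management account, and that Security Hub policies are the Organizations policy type `SECURITYHUB_POLICY`; `list-roots` only lists policy types that are enabled on the root, so an empty query result means the type has not been enabled. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies from the organization
# management account that the SECURITYHUB_POLICY policy type has switched to
# ENABLED after the delegated administrator creates a Security Hub policy.
# Assumes AWS CLI v2 with management-account credentials.

# Pure helper: normalise the `--output text` result of the list-roots query
# below. Only enabled (or pending) policy types are listed on the root, so an
# empty result (or "None") means the type has not been enabled yet.
securityhub_policy_state() {
  status="$(printf '%s' "$1" | tr -d '[:space:]')"
  case "$status" in
    ENABLED) echo "ENABLED" ;;
    ""|None) echo "NOT_ENABLED" ;;
    *) echo "$status" ;;   # PENDING_ENABLE / PENDING_DISABLE pass through
  esac
}

# Live check: state of the Security Hub policy type on the organization root.
# Run once before and once after the delegated administrator creates a policy.
check_securityhub_policy_type() {
  raw="$(aws organizations list-roots \
    --query "Roots[0].PolicyTypes[?Type=='SECURITYHUB_POLICY'].Status" \
    --output text)"
  securityhub_policy_state "$raw"
}

# Prerequisite check: the Organizations resource-based delegation policy must
# exist, otherwise the delegated administrator's create-policy call is denied.
show_delegation_policy() {
  aws organizations describe-resource-policy \
    --query "ResourcePolicy.Content" --output text
}

# After the step above, the policy created by the delegated administrator is
# visible to the management account here.
list_securityhub_policies() {
  aws organizations list-policies --filter SECURITYHUB_POLICY \
    --query "Policies[].{Id:Id,Name:Name}" --output table
}

# Offline demonstration on constructed query results: before the delegated
# administrator creates a policy the query returns nothing; afterwards it
# returns ENABLED.
securityhub_policy_state ""          # → NOT_ENABLED
securityhub_policy_state "ENABLED"   # → ENABLED
```

To use it against a real organization, call `show_delegation_policy`, then `check_securityhub_policy_type` before and after creating the policy in the delegated administrator account; the result changing from `NOT_ENABLED` to `ENABLED` without anyone running `enable-policy-type` is the behaviour described above.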
Reference information