diff --git a/internal/provider/provider.go b/internal/provider/provider.go
index 37ef5293e560..e2b9b70ea530 100644
--- a/internal/provider/provider.go
+++ b/internal/provider/provider.go
@@ -1203,10 +1203,11 @@ func Provider() *schema.Provider {
 "aws_devicefarm_test_grid_project": devicefarm.ResourceTestGridProject(),
 "aws_devicefarm_upload": devicefarm.ResourceUpload(),
- "aws_detective_admin_account": detective.ResourceAdminAccount(),
- "aws_detective_graph": detective.ResourceGraph(),
- "aws_detective_invitation_accepter": detective.ResourceInvitationAccepter(),
- "aws_detective_member": detective.ResourceMember(),
+ "aws_detective_admin_account": detective.ResourceAdminAccount(),
+ "aws_detective_graph": detective.ResourceGraph(),
+ "aws_detective_invitation_accepter": detective.ResourceInvitationAccepter(),
+ "aws_detective_member": detective.ResourceMember(),
+ "aws_detective_organization_configuration": detective.ResourceOrganizationConfiguration(),
 "aws_dx_bgp_peer": directconnect.ResourceBGPPeer(),
 "aws_dx_connection": directconnect.ResourceConnection(),
diff --git a/internal/service/detective/detective_test.go b/internal/service/detective/detective_test.go
index 3b6fce5c678f..bfc6c841f1dd 100644
--- a/internal/service/detective/detective_test.go
+++ b/internal/service/detective/detective_test.go
@@ -25,6 +25,9 @@ func TestAccDetective_serial(t *testing.T) {
 "disappears": testAccOrganizationAdminAccount_disappears,
 "MultiRegion": testAccOrganizationAdminAccount_MultiRegion,
 },
+ "OrganizationConfiguration": {
+ "basic": testAccOrganizationConfiguration_basic,
+ },
 }
 for group, m := range testCases {
diff --git a/internal/service/detective/organization_configuration.go b/internal/service/detective/organization_configuration.go
new file mode 100644
index 000000000000..704f3de9248b
--- /dev/null
+++ b/internal/service/detective/organization_configuration.go
@@ -0,0 +1,82 @@
+package detective
+
+import (
+ "fmt"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/detective"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "github.com/hashicorp/terraform-provider-aws/internal/conns"
+ "github.com/hashicorp/terraform-provider-aws/internal/verify"
+)
+
+func ResourceOrganizationConfiguration() *schema.Resource {
+ return &schema.Resource{
+ Create: resourceOrganizationConfigurationUpdate,
+ Read: resourceOrganizationConfigurationRead,
+ Update: resourceOrganizationConfigurationUpdate,
+ Delete: schema.Noop,
+
+ Importer: &schema.ResourceImporter{
+ State: schema.ImportStatePassthrough,
+ },
+
+ Schema: map[string]*schema.Schema{
+ "auto_enable": {
+ Type: schema.TypeBool,
+ Required: true,
+ },
+
+ "graph_arn": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ ValidateFunc: verify.ValidARN,
+ },
+ },
+ }
+}
+
+func resourceOrganizationConfigurationUpdate(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*conns.AWSClient).DetectiveConn
+
+ graphARN := d.Get("graph_arn").(string)
+
+ input := &detective.UpdateOrganizationConfigurationInput{
+ AutoEnable: aws.Bool(d.Get("auto_enable").(bool)),
+ GraphArn: aws.String(graphARN),
+ }
+
+ _, err := conn.UpdateOrganizationConfiguration(input)
+
+ if err != nil {
+ return fmt.Errorf("error updating Detective Organization Configuration (%s): %w", graphARN, err)
+ }
+
+ d.SetId(graphARN)
+
+ return resourceOrganizationConfigurationRead(d, meta)
+}
+
+func resourceOrganizationConfigurationRead(d *schema.ResourceData, meta interface{}) error {
+ conn := meta.(*conns.AWSClient).DetectiveConn
+
+ input := &detective.DescribeOrganizationConfigurationInput{
+ GraphArn: aws.String(d.Id()),
+ }
+
+ output, err := conn.DescribeOrganizationConfiguration(input)
+
+ if err != nil {
+ return fmt.Errorf("error reading Detective Organization Configuration (%s): %w", d.Id(), err)
+ }
+
+ if output == nil {
+ return fmt.Errorf("error reading Detective Organization Configuration (%s): empty response", d.Id())
+ }
+
+ d.Set("auto_enable", output.AutoEnable)
+ d.Set("graph_arn", d.Id())
+
+ return nil
+}
diff --git a/internal/service/detective/organization_configuration_test.go b/internal/service/detective/organization_configuration_test.go
new file mode 100644
index 000000000000..f20a372af5b7
--- /dev/null
+++ b/internal/service/detective/organization_configuration_test.go
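Review bot: In resourceOrganizationConfigurationRead, every failure of DescribeOrganizationConfiguration is returned as a hard error, so a graph deleted outside Terraform (or destroyed before this resource, which is exactly the order the new test's CheckDestroy relies on) leaves the resource wedged in state instead of being dropped from it; the provider's usual pattern is to treat a ResourceNotFoundException on a non-new resource as "gone" and call `d.SetId("")`, as in the fence below (it needs `log` and the `tfawserr` helper imported). `Delete: schema.Noop` also deserves a one-line comment, because removing the resource leaves the last applied `auto_enable` value in force for accounts that later join the organization — e.g. `Delete: schema.Noop, // no delete API: the configuration persists with the graph and keeps its last applied auto_enable`. The new docs hunk (detective_organization_configuration.html.markdown) documents a `detector_id` argument and references `aws_detective_detector`, neither of which this schema defines; it should describe `graph_arn` instead.
```go
	output, err := conn.DescribeOrganizationConfiguration(input)

	// The configuration is deleted together with its graph; an out-of-band deletion
	// is a removal from state, not an error.
	if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, detective.ErrCodeResourceNotFoundException) {
		log.Printf("[WARN] Detective Organization Configuration (%s) not found, removing from state", d.Id())
		d.SetId("")
		return nil
	}

	if err != nil {
		return fmt.Errorf("error reading Detective Organization Configuration (%s): %w", d.Id(), err)
	}
	// … unchanged: empty-response check and d.Set calls …
```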
@@ -0,0 +1,76 @@
+package detective_test
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/aws/aws-sdk-go/service/detective"
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+ "github.com/hashicorp/terraform-provider-aws/internal/acctest"
+)
+
+func testAccOrganizationConfiguration_basic(t *testing.T) {
+ graphResourceName := "aws_detective_graph.test"
+ resourceName := "aws_detective_organization_configuration.test"
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() {
+ acctest.PreCheck(t)
+ acctest.PreCheckOrganizationsAccount(t)
+ },
+ ErrorCheck: acctest.ErrorCheck(t, detective.EndpointsID),
+ ProviderFactories: acctest.ProviderFactories,
+ // Detective Organization Configuration cannot be deleted separately.
+ // Ensure parent resource is destroyed instead.
+ CheckDestroy: testAccCheckGraphDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccOrganizationConfigurationConfig_autoEnable(true),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "auto_enable", "true"),
+ resource.TestCheckResourceAttrPair(resourceName, "graph_arn", graphResourceName, "id"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testAccOrganizationConfigurationConfig_autoEnable(false),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "auto_enable", "false"),
+ resource.TestCheckResourceAttrPair(resourceName, "graph_arn", graphResourceName, "id"),
+ ),
+ },
+ },
+ })
+}
+
+func testAccOrganizationConfigurationConfig_autoEnable(autoEnable bool) string {
+ return fmt.Sprintf(`
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}
+
+resource "aws_organizations_organization" "test" {
+ aws_service_access_principals = ["detective.${data.aws_partition.current.dns_suffix}"]
+ feature_set = "ALL"
+}
+
+resource "aws_detective_graph" "test" {}
+
+resource "aws_detective_admin_account" "test" {
+ depends_on = [aws_organizations_organization.test]
+
+ account_id = data.aws_caller_identity.current.account_id
+}
+
+resource "aws_detective_organization_configuration" "test" {
+ depends_on = [aws_detective_admin_account.test]
+
+ auto_enable = %[1]t
+ graph_arn = aws_detective_graph.test.id
+}
+`, autoEnable)
+}
diff --git a/website/docs/r/detective_organization_configuration.html.markdown b/website/docs/r/detective_organization_configuration.html.markdown
new file mode 100644
index 000000000000..69b81f23e851
--- /dev/null
+++ b/website/docs/r/detective_organization_configuration.html.markdown
@@ -0,0 +1,47 @@
+---
+subcategory: "Detective"
+layout: "aws"
+page_title: "AWS: aws_detective_organization_configuration"
+description: |-
+ Manages the Detective Organization Configuration
+---
+
+# Resource: aws_detective_organization_configuration
+
+Manages the Detective Organization Configuration in the current AWS Region. The AWS account utilizing this resource must have been assigned as a delegated Organization administrator account, e.g., via the [`aws_detective_organization_admin_account` resource](/docs/providers/aws/r/detective_organization_admin_account.html). More information about Organizations support in Detective can be found in the [Detective User Guide](https://docs.aws.amazon.com/detective/latest/adminguide/accounts-orgs-transition.html).
+
+~> **NOTE:** This is an advanced Terraform resource. Terraform will automatically assume management of the Detective Organization Configuration without import and perform no actions on removal from the Terraform configuration.
+
+## Example Usage
+
+```terraform
+resource "aws_detective_graph" "example" {
+ enable = true
+}
+
+resource "aws_detective_organization_configuration" "example" {
+ auto_enable = true
+ detector_id = aws_detective_detector.example.id
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `auto_enable` - (Required) When this setting is enabled, all new accounts that are created in, or added to, the organization are added as a member accounts of the organization’s Detective delegated administrator and Detective is enabled in that AWS Region.
+* `detector_id` - (Required) The detector ID of the Detective account.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - Identifier of the Detective Graph.
+
+## Import
+
+Detective Organization Configurations can be imported using the Detective Graph ID, e.g.,
+
+```
+$ terraform import aws_detective_organization_configuration.example 00b00fd5aecc0ab60a708659477e9617
+```