Settings for IAM Access Analyzer - AWS Identity and Access Management

Settings for IAM Access Analyzer

If you're configuring AWS Identity and Access Management Access Analyzer in your AWS Organizations management account, you can add a member account in the organization as the delegated administrator to manage IAM Access Analyzer for your organization. The delegated administrator has permissions to create and manage analyzers within the organization. Only the management account can add a delegated administrator.

Delegated administrator for IAM Access Analyzer

The delegated administrator for IAM Access Analyzer is a member account within the organization that has permissions to create and manage analyzers that analyze access across the organization. Only the management account can add, remove, or change a delegated administrator.

If you add a delegated administrator, you can later change the delegated administrator to a different account. When you do, the former delegated administrator account loses permission to all analyzers that were created in that account to analyze access across the organization. These analyzers move to a disabled state and no longer generate new findings or update existing findings. The existing findings for these analyzers are also no longer accessible; you can access them again later by configuring that account as the delegated administrator again. If you know that you won't use the same account as a delegated administrator again, consider deleting the analyzers before changing the delegated administrator. This deletes all findings that those analyzers generated. When the new delegated administrator creates new analyzers, new instances of the same findings are generated, so you don't lose any findings; they are simply generated for the new analyzer in a different account. You can also continue to access findings for the organization from the organization management account, which also has administrator permissions. The new delegated administrator must create new analyzers for IAM Access Analyzer to start monitoring resources in your organization.

If the delegated administrator leaves the AWS organization, the delegated administration privileges are removed from the account. All analyzers in the account with the organization as the zone of trust move to a disabled state. The existing findings for these analyzers are also no longer accessible.

The first time that you configure analyzers in the management account, you can choose Add delegated administrator on the Analyzer settings page in the IAM Access Analyzer console.

Note

IAM Access Analyzer charges for unused access analyzers based on the number of IAM roles and users analyzed per analyzer per month. If you create an unused access analyzer in the management account and the delegated administrator account, you will be charged for both unused access analyzers. For more details about pricing, see IAM Access Analyzer pricing.

To add a delegated administrator using the console
  1. Log in to the AWS console using the management account for your organization.

  2. Open the IAM console at https://console.aws.amazon.com/iam/.

  3. Under Access Analyzer, choose Analyzer settings.

  4. Choose Add delegated administrator.

  5. In the Delegated administrator field, enter the AWS account number of an organization member account to make the delegated administrator.

    The account must be a member of your organization.

  6. Choose Save changes.

To add a delegated administrator using the AWS CLI or the AWS SDKs

When you create an analyzer to analyze access across the organization in a delegated administrator account using the AWS CLI, the AWS API (through the AWS SDKs), or AWS CloudFormation, you must use AWS Organizations APIs to enable trusted service access for IAM Access Analyzer and to register the member account as a delegated administrator.

  1. Enable trusted service access for IAM Access Analyzer in AWS Organizations. See How to Enable or Disable Trusted Access in the AWS Organizations User Guide.

  2. Register a valid member account of your AWS organization as a delegated administrator using the AWS Organizations RegisterDelegatedAdministrator API operation or the register-delegated-administrator AWS CLI command.
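The two steps above, followed by the analyzer that the new delegated administrator must create, as an added AWS CLI example that is not part of the AWS documentation. The account ID `111122223333` and the analyzer name are constructed placeholders; the first two calls need management-account credentials, the last one needs credentials for the delegated administrator account.

```shell
#!/usr/bin/env bash
# Added example: register a member account as the IAM Access Analyzer
# delegated administrator, then create an organization-scoped analyzer.
set -euo pipefail

# Service principal that AWS Organizations uses for IAM Access Analyzer.
readonly SERVICE_PRINCIPAL="access-analyzer.amazonaws.com"

# AWS account IDs are exactly 12 decimal digits; reject anything else
# before handing the value to the Organizations API.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Steps 1 and 2 of the procedure. Run with management-account credentials:
# only the management account can register a delegated administrator.
register_delegated_admin() {
  local account_id="$1"
  if ! valid_account_id "$account_id"; then
    echo "invalid AWS account id: $account_id" >&2
    return 1
  fi
  # Step 1: enable trusted access for IAM Access Analyzer in Organizations.
  aws organizations enable-aws-service-access \
    --service-principal "$SERVICE_PRINCIPAL"
  # Step 2: register the member account as delegated administrator.
  aws organizations register-delegated-administrator \
    --account-id "$account_id" --service-principal "$SERVICE_PRINCIPAL"
  # Verify the registration before handing over to the new administrator.
  aws organizations list-delegated-administrators \
    --service-principal "$SERVICE_PRINCIPAL" \
    --query "DelegatedAdministrators[].Id" --output text
}

# The new delegated administrator must create its own analyzers. Run this
# with credentials for the delegated administrator account, not the
# management account, so the analyzer is owned by that account.
create_org_analyzer() {
  local name="$1"
  aws accessanalyzer create-analyzer \
    --analyzer-name "$name" --type ORGANIZATION
}

# Set DELEGATED_ADMIN_ACCOUNT_ID (placeholder: 111122223333) to run the
# registration; nothing is sent to AWS when the variable is unset.
if [ -n "${DELEGATED_ADMIN_ACCOUNT_ID:-}" ]; then
  register_delegated_admin "$DELEGATED_ADMIN_ACCOUNT_ID"
fi
```

Run `create_org_analyzer org-external-access` separately after switching to the delegated administrator account's credentials.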

After you change the delegated administrator, the new administrator must create analyzers to start monitoring access to the resources in your organization.

Deleting analyzers

You can delete existing external and unused access analyzers from the Analyzer settings page. When you delete an analyzer, the resources specified in the analyzer are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

For findings that are deleted because the analyzer that generated them was deleted, the deletion event is sent to EventBridge within two days after the analyzer is deleted. It can take up to 90 days after the analyzer is deleted for the corresponding Security Hub findings to be deleted.

To delete an analyzer
  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Under Access Analyzer, choose Analyzer settings.

  3. Select the analyzer to delete and then choose Delete.

  4. Type delete in the confirmation text box and then choose Delete.