Changing a delegated administrator
Changing your delegated administrator in AWS Audit Manager is a two-step process. First, you need to remove the current delegated administrator account. Then, you can add a new account as the delegated administrator.
Follow the steps on this page to change your delegated administrator.
Prerequisites
Before you remove the current account
Before you remove the current delegated administrator account, keep in mind the following considerations:
- Evidence finder cleanup task - If the current delegated administrator (account A) enabled evidence finder, you'll need to perform a cleanup task before you assign account B as the new delegated administrator.
Before you use your management account to remove account A, make sure that account A signs in to Audit Manager and disables evidence finder. Disabling evidence finder automatically deletes the event data store that was created in the account when evidence finder was enabled.
If this task isn’t completed, the event data store remains in account A. In this case, we recommend that the original delegated administrator uses CloudTrail Lake to manually delete the event data store.
This cleanup task is necessary to ensure that you don't end up with multiple event data stores. Audit Manager ignores an unused event data store after you remove or change a delegated administrator account. However, if you don't delete the unused event data store, the event data store continues to incur storage costs from CloudTrail Lake.
- Data deletion - When you remove a delegated administrator account for Audit Manager, the data for that account isn't deleted. If you want to delete resource data for a delegated administrator account, you must perform that task separately before you remove the account. You can do this in the Audit Manager console, or you can use one of the delete API operations that Audit Manager provides. For a list of available delete operations, see Deletion of Audit Manager data.
At this time, Audit Manager doesn't provide an option to delete evidence for a specific delegated administrator. Instead, when your management account deregisters Audit Manager, we perform a cleanup for the current delegated administrator account at the time of deregistration.
Before you add the new account
Before you add the new delegated administrator account, keep in mind the following considerations:
- The new account must be part of an organization.
- Before you designate a new delegated administrator, you must enable all features in your organization. You must also configure your organization's Security Hub settings. This way, Audit Manager can collect Security Hub evidence from your member accounts.
- The delegated administrator account must have access to the KMS key that you provided when setting up Audit Manager.
- You can't use your AWS Organizations management account as a delegated administrator in Audit Manager.
Procedure
You can change a delegated administrator using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.
Warning
When you change a delegated administrator, you continue to have access to the evidence that you previously collected under the old delegated administrator account. However, Audit Manager stops collecting and attaching evidence to the old delegated administrator account.
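The following POSIX shell script is an added example, not part of the AWS documentation, that walks the change through the AWS CLI in the order the prerequisites above require: account A disables evidence finder (and, as a fallback, deletes a leftover CloudTrail Lake event data store), then the management account deregisters account A and registers account B, refusing to register the management account itself. The account IDs are constructed placeholders, and the AWS_CLI variable and function names are this example's own conventions; the cleanup functions must run with account A's credentials, the change function with the management account's.

```shell
#!/bin/sh
# Added example (not AWS code). Account IDs are constructed placeholders.
# AWS_CLI is an assumption of this example: it names the command used for every
# AWS call so the flow can be rehearsed against a stub before running for real.
set -eu

: "${AWS_CLI:=aws}"

# Prints the current delegated administrator account ID, or nothing if none is registered.
current_delegated_admin() {
  "$AWS_CLI" auditmanager get-organization-admin-account \
    --query 'adminAccountId' --output text 2>/dev/null || true
}

# Prints the evidence finder status of the calling account (ENABLED, DISABLED, ...).
evidence_finder_status() {
  "$AWS_CLI" auditmanager get-settings --attribute EVIDENCE_FINDER_ENABLEMENT \
    --query 'settings.evidenceFinderEnablement.enablementStatus' --output text
}

# Run with account A's credentials BEFORE the management account removes it:
# disabling evidence finder deletes the event data store it created, so the
# store does not keep billing CloudTrail Lake after the change.
cleanup_evidence_finder() {
  if [ "$(evidence_finder_status)" = "ENABLED" ]; then
    "$AWS_CLI" auditmanager update-settings --no-evidence-finder-enabled
  fi
}

# Fallback for account A if the store survived: delete it from CloudTrail Lake
# (termination protection is switched off first in case it is on).
delete_leftover_event_data_store() {
  store_arn="$("$AWS_CLI" auditmanager get-settings --attribute EVIDENCE_FINDER_ENABLEMENT \
    --query 'settings.evidenceFinderEnablement.eventDataStoreArn' --output text)"
  if [ -n "$store_arn" ] && [ "$store_arn" != "None" ]; then
    "$AWS_CLI" cloudtrail update-event-data-store --event-data-store "$store_arn" \
      --no-termination-protection-enabled
    "$AWS_CLI" cloudtrail delete-event-data-store --event-data-store "$store_arn"
  fi
}

# Management account: remove the old delegated administrator (account A).
remove_delegated_admin() {
  "$AWS_CLI" auditmanager deregister-organization-admin-account --admin-account-id "$1"
}

# Management account: register the new delegated administrator (account B).
# The Organizations management account itself is never a valid choice.
add_delegated_admin() {
  new_admin="$1"
  mgmt="$("$AWS_CLI" organizations describe-organization \
    --query 'Organization.MasterAccountId' --output text)"
  if [ "$new_admin" = "$mgmt" ]; then
    echo "refusing: the Organizations management account cannot be the delegated administrator" >&2
    return 1
  fi
  "$AWS_CLI" auditmanager register-organization-admin-account --admin-account-id "$new_admin"
}

# Two-step change: verify account A really is the current administrator,
# remove it, then add account B.
change_delegated_admin() {
  old_admin="$1"
  new_admin="$2"
  current="$(current_delegated_admin)"
  if [ "$current" != "$old_admin" ]; then
    echo "expected $old_admin to be the delegated administrator, found '$current'" >&2
    return 1
  fi
  remove_delegated_admin "$old_admin"
  add_delegated_admin "$new_admin"
}

# Usage (management account credentials): ./change-admin.sh 111111111111 222222222222
if [ "$#" -eq 2 ]; then
  change_delegated_admin "$1" "$2"
fi
```

Run `cleanup_evidence_finder` (and, only if a store remains, `delete_leftover_event_data_store`) while signed in as account A first; only then run the script with the management account's credentials. Setting `AWS_CLI` to a shell function that echoes its arguments lets you rehearse the exact commands without touching the organization.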
Next steps
To remove your delegated administrator account, see Removing a delegated administrator.