Required permissions to assign a delegated administrator - AWS CloudTrail

Required permissions to assign a delegated administrator

When assigning a CloudTrail delegated administrator, you must have the permissions to add and remove the delegated administrator in CloudTrail, as well as certain AWS Organizations API actions and IAM permissions listed in the following policy statement.

You can add the following statement to the end of an IAM policy to grant these permissions:

{ "Sid": "Permissions", "Effect": "Allow", "Action": [ "cloudtrail:RegisterOrganizationDelegatedAdmin", "cloudtrail:DeregisterOrganizationDelegatedAdmin", "organizations:RegisterDelegatedAdministrator", "organizations:DeregisterDelegatedAdministrator", "organizations:ListAWSServiceAccessForOrganization", "iam:CreateServiceLinkedRole", "iam:GetRole" ], "Resource": "*" }