Organization delegated administrator

When you use CloudTrail with an AWS Organizations organization, you can assign any account within the organization to act as a CloudTrail delegated administrator to manage the organization's trails and event data stores on behalf of the organization. A delegated administrator is a member account in an organization that can perform the same administrative tasks (except as noted) in CloudTrail as the management account.

If you choose a delegated administrator, this member account has administrative permissions on all organization trails and event data stores in the organization. Adding a delegated administrator does not alter the management or operation of the organization's trails or event data stores.

The first time you add a delegated administrator in the CloudTrail console, or by using the AWS CLI or CloudTrail API, CloudTrail checks whether the organization’s management account has a service-linked role. If the management account does not have a service-linked role, CloudTrail creates the service-linked role for the management account. For more information about service-linked roles, see Using service-linked roles for AWS CloudTrail.

Note

When you add a delegated administrator using the AWS Organizations CLI or API operation, the service-linked role doesn't get created if it does not exist. The service-linked role is only created when you make a call from the management account directly to the CloudTrail service, such as when you add a delegated administrator or create an organization trail or event data store using the CloudTrail console, AWS CLI or CloudTrail API.

Take note of the following factors that define how the delegated administrator operates in CloudTrail.

The management account remains the owner of any CloudTrail organization resources the delegated administrator creates.: The organization's management account remains the owner of any CloudTrail organization resources the delegated administrator creates, such as trails and event data stores. This provides continuity for the organization in the event the delegated administrator changes.
Removing a delegated administrator account does not delete any CloudTrail organization resources they created.: Organization trails and event data stores created by the delegated administrator are not deleted when you remove the delegated administrator, because the management account always serves as the owner of the CloudTrail organization resources regardless of whether they are created by the delegated administrator or the management account.
An organization can have a maximum of three CloudTrail delegated administrators.: You can have a maximum of three CloudTrail delegated administrators per organization. For more information about removing a delegated administrator, see Remove a CloudTrail delegated administrator.

The following table shows the capabilities of the management account, delegated administrator accounts, and accounts that are members within the AWS Organizations organization.

Capabilities	Management account	Delegated administrator account	Member accounts
Add or remove delegated administrator accounts.	Yes	No	No
Create an organization trail.	Yes	Yes¹	No
View a list of organization trails.	Yes	Yes	Yes
Update an organization trail.	Yes	Yes^1,²	No
Delete an organization trail.	Yes	Yes	No
Create an organization event data store for CloudTrail events or AWS Config configuration items.	Yes	Yes	No
Enable Insights on an organization event data store.	Yes	No	No
Update an organization event data store.	Yes	Yes²	No
Enable Lake query federation on an organization event data store³.	Yes	Yes	No
Disable Lake query federation on an organization event data store.	Yes	Yes	No
Delete an organization event data store.	Yes	Yes	No
Copy trail events to an organization event data store.	Yes	No	No
Run queries on organization event data stores.	Yes	Yes	No
View the Lake dashboard for an organization event data store.	Yes	Yes	No

¹The delegated administrator can only configure a CloudWatch Logs log group using the AWS CLI or CloudTrail CreateTrail or UpdateTrail API operations. Both the CloudWatch Logs log group and log role must exist in the calling account.

²Only the management account can convert an organization trail or event data store to an account-level trail or event data store, or convert an account-level trail or event data store to an organization trail or event data store. These actions are not allowed for the delegated administrator because organization trails and event data stores only exist in the management account. When an organization trail or event data store is converted to an account-level trail or event data store, only the management account has access to the trail or event data store.

³Only a single delegated administrator account or the management account can enable federation on an organization event data store. Other delegated administrator accounts can query and share information using the Lake Formation data sharing feature. Any delegated administrator account as well as the organization's management account can disable federation.

Topics

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Configure CloudTrail settings

Required permissions to assign a delegated administrator