Registering a Delegated Administrator

Delegated administrators are accounts within a given AWS Organization that are granted additional administrative privileges for a specified AWS service. For more information, see Delegated administrator in the AWS Organizations User Guide. You must use the AWS CLI to register a delegated administrator.

Registering a Delegated Administrator

Log in with management account credentials.
Open a command prompt or a terminal window.
Enter the following command to enable service access as a delegated administrator for your organization to deploy and manage AWS Config rules and conformance packs across your organization:
```
aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com
```
Enter the following command to enable service access as a delegated administrator for your organization to aggregate AWS Config data across your organization:
```
aws organizations enable-aws-service-access --service-principal=config.amazonaws.com
```

To check if the enable service access is complete, enter the following command and press Enter to execute the command.


aws organizations list-aws-service-access-for-organization

You should see output similar to the following:


{
    "EnabledServicePrincipals": [
        {
            "ServicePrincipal": [
                "config.amazonaws.com",
                "config-multiaccountsetup.amazonaws.com"
        ],
            "DateEnabled": 1607020860.881
        }
    ]
}

Next, enter the following command to register a member account as a delegated administrator for AWS Config.


aws organizations register-delegated-administrator --service-principal=config-multiaccountsetup.amazonaws.com --account-id MemberAccountID

and


aws organizations register-delegated-administrator --service-principal=config.amazonaws.com --account-id MemberAccountID

To check if the registration of delegated administrator is complete, enter the following command from the management account and press Enter to execute the command.


aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com

and


aws organizations list-delegated-administrators --service-principal=config.amazonaws.com

You should see output similar to the following:


{
    "DelegatedAdministrators": [
        {
            "Id": "MemberAccountID",
            "Arn": "arn:aws:organizations::MemberAccountID:account/o-c7esubdi38/MemberAccountID",
            "Email": "name@amazon.com",
            "Name": "name",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": 1604867734.48,
            "DelegationEnabledDate": 1607020986.801
        }
    ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Creating Aggregators

Editing Aggregators