Registering a Delegated Administrator for AWS Config
Delegated administrators are accounts within a given AWS Organization that are granted additional administrative privileges for a specified AWS service. For more information, see Delegated administrator in the AWS Organizations User Guide. You must use the AWS CLI to register a delegated administrator.
Registering a Delegated Administrator
- Log in with management account credentials.
- Open a command prompt or a terminal window.
- Enter the following command to enable service access for your organization so that a delegated administrator can deploy and manage AWS Config rules and conformance packs across your organization:
aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com
- Enter the following command to enable service access for your organization so that a delegated administrator can aggregate AWS Config data across your organization:
aws organizations enable-aws-service-access --service-principal=config.amazonaws.com
- To check that service access has been enabled, enter the following command and press Enter:
aws organizations list-aws-service-access-for-organization
You should see output similar to the following:
{
  "EnabledServicePrincipals": [
    {
      "ServicePrincipal": [
        "config.amazonaws.com",
        "config-multiaccountsetup.amazonaws.com"
      ],
      "DateEnabled": 1607020860.881
    }
  ]
}
- Next, enter the following commands to register a member account as the delegated administrator for AWS Config, replacing MemberAccountID with the ID of the member account:
aws organizations register-delegated-administrator --service-principal=config-multiaccountsetup.amazonaws.com --account-id MemberAccountID
and
aws organizations register-delegated-administrator --service-principal=config.amazonaws.com --account-id MemberAccountID
- To check that the delegated administrator registration is complete, enter the following commands from the management account and press Enter:
aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com
and
aws organizations list-delegated-administrators --service-principal=config.amazonaws.com
You should see output similar to the following:
{
  "DelegatedAdministrators": [
    {
      "Id": "MemberAccountID",
      "Arn": "arn:aws:organizations::ManagementAccountID:account/o-c7esubdi38/MemberAccountID",
      "Email": "name@amazon.com",
      "Name": "name",
      "Status": "ACTIVE",
      "JoinedMethod": "INVITED",
      "JoinedTimestamp": 1604867734.48,
      "DelegationEnabledDate": 1607020986.801
    }
  ]
}
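As an added example that is not part of the AWS documentation: a small Python script that parses the output of the two list commands above and verifies that both service principals are enabled and that the same member account is the ACTIVE delegated administrator for each of them, which is the state the procedure is meant to leave behind. The helper names (REQUIRED_PRINCIPALS, missing_service_access, delegation_problems, _run_cli) and the embedded sample output are assumptions of this example; the sample is constructed, not captured.

```python
import json
import subprocess
import sys

# The two service principals the procedure enables and delegates (from the page).
REQUIRED_PRINCIPALS = (
    "config.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com",
)

# Constructed sample of `list-delegated-administrators` output for one principal.
SAMPLE_DELEGATION = {"DelegatedAdministrators": [{"Id": "111111111111", "Status": "ACTIVE"}]}


def missing_service_access(service_access_output: str) -> set:
    """Return the required principals that are not yet enabled for the organization.

    Takes the JSON printed by `aws organizations list-aws-service-access-for-organization`.
    """
    enabled = set()
    for entry in json.loads(service_access_output).get("EnabledServicePrincipals", []):
        principal = entry.get("ServicePrincipal")
        # The API returns one string per entry; the page's sample shows a list, so accept both.
        enabled.update(principal if isinstance(principal, list) else [principal])
    return set(REQUIRED_PRINCIPALS) - enabled


def delegation_problems(listings: dict, expected_account_id: str) -> list:
    """Check `list-delegated-administrators` output, one parsed JSON document per principal.

    Returns findings as strings; an empty list means both principals are delegated
    to the expected account and to nothing else.
    """
    findings = []
    for principal in REQUIRED_PRINCIPALS:
        admins = listings.get(principal, {}).get("DelegatedAdministrators", [])
        active_ids = {a["Id"] for a in admins if a.get("Status") == "ACTIVE"}
        if expected_account_id not in active_ids:
            findings.append(f"{principal}: {expected_account_id} is not an ACTIVE delegated administrator")
        extra = active_ids - {expected_account_id}
        if extra:
            findings.append(f"{principal}: unexpected delegated administrators {sorted(extra)}")
    return findings


def _run_cli(*args: str) -> str:
    # Invokes the AWS CLI used on this page; requires management-account credentials.
    return subprocess.check_output(["aws", "organizations", *args], text=True)


if __name__ == "__main__":
    member_id = sys.argv[1]  # the MemberAccountID placeholder from the page
    print("not enabled:", missing_service_access(_run_cli("list-aws-service-access-for-organization")))
    listings = {p: json.loads(_run_cli("list-delegated-administrators", "--service-principal", p))
                for p in REQUIRED_PRINCIPALS}
    print(delegation_problems(listings, member_id) or "delegation consistent")
```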