Permissions required to designate a delegated GuardDuty administrator account - Amazon GuardDuty


When designating a delegated GuardDuty administrator account, you must have permissions to enable GuardDuty as well as permissions for certain AWS Organizations API actions. You can add the following statement at the end of an IAM policy to grant these permissions:

{
    "Sid": "PermissionsForGuardDutyAdmin",
    "Effect": "Allow",
    "Action": [
        "guardduty:EnableOrganizationAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts"
    ],
    "Resource": "*"
}

Additionally, if you wish to designate your AWS Organizations management account as the delegated GuardDuty administrator account, the entity performing the designation needs the iam:CreateServiceLinkedRole permission so that GuardDuty can create its service-linked role when it initializes. To grant this, add the following statement to the IAM policy and replace 111122223333 with the AWS account ID of your organization's management account. The Resource and Condition elements restrict the grant to the GuardDuty service-linked role only:

{
    "Sid": "PermissionsToEnableGuardDuty",
    "Effect": "Allow",
    "Action": [
        "iam:CreateServiceLinkedRole"
    ],
    "Resource": "arn:aws:iam::111122223333:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
    "Condition": {
        "StringLike": {
            "iam:AWSServiceName": "guardduty.amazonaws.com"
        }
    }
}
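As an added example (not AWS tooling or code from this page), the following Python performs a static least-privilege review of a policy document against the two statements above: it reports which of the listed actions are not granted, and checks that any iam:CreateServiceLinkedRole grant is confined to the GuardDuty service-linked role in the management account with the iam:AWSServiceName condition. The embedded POLICY is constructed from the two statements on this page, with 111122223333 as the documentation placeholder account ID.

```python
from fnmatch import fnmatchcase

# Actions listed on this page for designating a delegated GuardDuty administrator.
REQUIRED_ACTIONS = {
    "guardduty:EnableOrganizationAdminAccount",
    "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator",
    "organizations:ListDelegatedAdministrators", "organizations:ListAWSServiceAccessForOrganization",
    "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount",
    "organizations:DescribeOrganization", "organizations:ListAccounts",
}
SLR_ARN = "arn:aws:iam::{acct}:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def missing_actions(policy):
    """Required actions no Allow statement grants; IAM wildcards (e.g. organizations:Describe*) are honoured."""
    granted = set()
    for stmt in _allow_statements(policy):
        for pattern in _as_list(stmt.get("Action", [])):
            granted |= {a for a in REQUIRED_ACTIONS if fnmatchcase(a, pattern)}
    return REQUIRED_ACTIONS - granted

def slr_grant_is_scoped(policy, management_account_id):
    """True only if every Allow of iam:CreateServiceLinkedRole names exactly the GuardDuty
    service-linked role ARN for the given account and conditions on iam:AWSServiceName."""
    expected = SLR_ARN.format(acct=management_account_id)
    found = False
    for stmt in _allow_statements(policy):
        if not any(fnmatchcase("iam:CreateServiceLinkedRole", p) for p in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {})
        service = (cond.get("StringLike") or cond.get("StringEquals") or {}).get("iam:AWSServiceName")
        if _as_list(stmt.get("Resource")) != [expected] or service != "guardduty.amazonaws.com":
            return False  # a broader grant (e.g. Resource "*") defeats the intended scoping
        found = True
    return found

# Constructed sample: the two statements from this page combined into one policy.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PermissionsForGuardDutyAdmin", "Effect": "Allow",
     "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"},
    {"Sid": "PermissionsToEnableGuardDuty", "Effect": "Allow",
     "Action": ["iam:CreateServiceLinkedRole"], "Resource": SLR_ARN.format(acct="111122223333"),
     "Condition": {"StringLike": {"iam:AWSServiceName": "guardduty.amazonaws.com"}}}]}

if __name__ == "__main__":
    print("missing actions:", sorted(missing_actions(POLICY)) or "none")
    print("SLR grant scoped to GuardDuty:", slr_grant_is_scoped(POLICY, "111122223333"))
```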