Permissions required to designate a delegated GuardDuty administrator account

When delegating a delegated GuardDuty administrator account you must have permissions to enable GuardDuty as well as certain AWS Organizations API actions. You can add the following statement at the end of an IAM policy to grant these permissions:


{
    "Sid": "PermissionsForGuardDutyAdmin",
    "Effect": "Allow",
    "Action": [
        "guardduty:EnableOrganizationAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts"
    ],
    "Resource": "*"
}

Additionally, if you wish to designate your AWS Organizations management account as the GuardDuty delegated GuardDuty administrator account that entity will need CreateServiceLinkedRole permissions to initialize GuardDuty. To do this, add the following statement to the IAM policy and replace 111122223333 with the AWS account ID of your organization's management account:


{
	"Sid": "PermissionsToEnableGuardDuty"
	"Effect": "Allow",
	"Action": [
		"iam:CreateServiceLinkedRole"
	],
	"Resource": "arn:aws:iam::111122223333:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
	"Condition": {
		"StringLike": {
			"iam:AWSServiceName": "guardduty.amazonaws.com"
		}
	}
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Managing accounts with AWS Organizations

Designating a delegated GuardDuty administrator account and managing members using console