Permissions required to designate a delegated GuardDuty administrator account
When delegating a delegated GuardDuty administrator account you must have permissions to enable GuardDuty as well as certain AWS Organizations API actions. You can add the following statement at the end of an IAM policy to grant these permissions:
{ "Sid": "PermissionsForGuardDutyAdmin", "Effect": "Allow", "Action": [ "guardduty:EnableOrganizationAdminAccount", "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator", "organizations:ListDelegatedAdministrators", "organizations:ListAWSServiceAccessForOrganization", "organizations:DescribeOrganizationalUnit", "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:ListAccounts" ], "Resource": "*" }
Additionally, if you wish to designate your AWS Organizations management account as the GuardDuty
delegated GuardDuty administrator account that entity will need CreateServiceLinkedRole
permissions to
initialize GuardDuty. To do this, add the following statement to the IAM policy and
replace 111122223333
with the AWS account ID of
your organization's management account:
{ "Sid": "PermissionsToEnableGuardDuty" "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::
111122223333
:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty", "Condition": { "StringLike": { "iam:AWSServiceName": "guardduty.amazonaws.com" } } }