Delegated administrator organizational view - AWS Health

Delegated administrator organizational view

With AWS Health, you can use the delegated administrator feature of AWS Organizations, which allows an account other than the management account to view aggregated AWS Health events on the AWS Health Dashboard or programmatically through the AWS Health API. The delegated administrator feature gives different teams a way to view and manage health events across your organization without signing in to the management account. It's an AWS security best practice to delegate responsibilities outside of the management account where possible, because the management account holds privileges over the whole organization and should be used as little as possible for day-to-day work.

Register a delegated administrator for your organizational view

After you enable organizational view for your organization, you can register up to five member accounts in your organization as delegated administrators. To do this, call the RegisterDelegatedAdministrator API operation. After you register the member accounts, they are delegated administrator accounts and can access the AWS Health organizational view from the AWS Health Dashboard. If a delegated administrator account has a Business, Enterprise On-Ramp, or Enterprise Support plan, it can also use the AWS Health API to access the AWS Health organizational view.

To register a delegated administrator, run the following AWS Command Line Interface (AWS CLI) command from the management account of your organization, or from a principal that can assume a role in the management account with the required AWS Identity and Access Management (IAM) permissions. In the following example command, replace ACCOUNT_ID with the member account ID that you want to register. The service principal for AWS Health is "health.amazonaws.com".

aws organizations register-delegated-administrator --account-id ACCOUNT_ID --service-principal health.amazonaws.com

After a delegated administrator is registered, that account has visibility into all AWS Health events affecting accounts across your organization. It can view historical events over the past 90 days or since the organizational view feature was first enabled, whichever is more recent. Note that registering a delegated administrator is an asynchronous process that takes up to a minute to complete, so a check made immediately after the call may not yet show the new delegated administrator.

Remove a delegated administrator from your organizational view

To remove access for a delegated administrator, call the DeregisterDelegatedAdministrator API operation.

From your organization's management account, run the following AWS CLI command to remove a member account as a delegated administrator. In the following example command, replace ACCOUNT_ID with the member account ID that you want to remove.

aws organizations deregister-delegated-administrator --account-id ACCOUNT_ID --service-principal health.amazonaws.com
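The following script is an added example and is not part of the AWS Health documentation. It wraps both procedures on this page, registering and removing a delegated administrator, and adds the two checks a practitioner wants around them: the account ID is validated before any API call, and because both operations are asynchronous the script polls ListDelegatedAdministrators until the change is visible instead of assuming it took effect. It assumes the AWS CLI is installed, credentials for the management account (or a role in it) are in the environment, and organizational view is already enabled for AWS Health. The function names, the POLL_INTERVAL and POLL_ATTEMPTS settings, and the ACCOUNT_ID environment variable are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the AWS Health docs: register or remove the AWS Health
# delegated administrator from the management account and verify the change.
# Assumes: AWS CLI installed, management-account credentials in the environment,
# organizational view already enabled. ACCOUNT_ID is a placeholder you supply.
set -eu

HEALTH_SP="health.amazonaws.com"
POLL_INTERVAL="${POLL_INTERVAL:-5}"   # seconds between checks (assumed value)
POLL_ATTEMPTS=12                       # 12 x 5 s covers the documented "up to a minute"

# AWS account IDs are exactly 12 digits; reject anything else before calling the API.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Succeeds only if the account is currently listed as a delegated administrator
# for the AWS Health service principal. --query reduces the output to the bare ID.
health_delegated_admin_registered() {
  aws organizations list-delegated-administrators \
    --service-principal "$HEALTH_SP" \
    --query "DelegatedAdministrators[?Id=='$1'].Id" --output text \
    | grep -qx "$1"
}

# Poll until the account's state matches WANT ("present" or "absent").
# Registration and deregistration are asynchronous, so a single call made right
# after the request can still show the old state.
wait_for_state() {
  account="$1"; want="$2"; i=0
  while [ "$i" -lt "$POLL_ATTEMPTS" ]; do
    if health_delegated_admin_registered "$account"; then state=present; else state=absent; fi
    [ "$state" = "$want" ] && return 0
    i=$((i + 1))
    sleep "$POLL_INTERVAL"
  done
  echo "account $account still not $want after $((POLL_ATTEMPTS * POLL_INTERVAL))s" >&2
  return 1
}

# Register a member account as delegated administrator and wait until it shows up.
register_health_delegated_admin() {
  valid_account_id "$1" || { echo "invalid account ID: $1" >&2; return 2; }
  aws organizations register-delegated-administrator \
    --account-id "$1" --service-principal "$HEALTH_SP"
  wait_for_state "$1" present
}

# Remove the delegated administrator and wait until it no longer shows up.
deregister_health_delegated_admin() {
  valid_account_id "$1" || { echo "invalid account ID: $1" >&2; return 2; }
  aws organizations deregister-delegated-administrator \
    --account-id "$1" --service-principal "$HEALTH_SP"
  wait_for_state "$1" absent
}

# Usage: ACCOUNT_ID=111122223333 ./health-delegated-admin.sh [register|deregister]
if [ -n "${ACCOUNT_ID:-}" ]; then
  case "${1:-register}" in
    register)   register_health_delegated_admin "$ACCOUNT_ID" ;;
    deregister) deregister_health_delegated_admin "$ACCOUNT_ID" ;;
    *) echo "usage: ACCOUNT_ID=<12-digit id> $0 [register|deregister]" >&2; exit 2 ;;
  esac
fi
```

Run it with the management account's credentials and the member account ID in ACCOUNT_ID. The poll loop is the part worth keeping even if you script this differently: ListDelegatedAdministrators is the authoritative record of who can see organization-wide health events, so confirm it after both registration and removal rather than trusting the return code of the request alone.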