Designating a delegated administrator for Amazon Inspector

Important considerations for delegated administrators

Take note of the following factors that define how the delegated administrator operates in Amazon Inspector:

A delegated administrator can manage a maximum of 5,000 members.

Each Amazon Inspector delegated administrator has a quota of 5,000 member accounts. However, your organization could include more than 5,000 accounts. If you exceed 5,000 member accounts, you will receive a notification through the Amazon CloudWatch Personal Health Dashboard and in an email to the delegated administrator account.

A delegated administrator is Regional.

Unlike AWS Organizations, Amazon Inspector is a Regional service. This means that a delegated administrator must be designated in each Region and must add and enable scans for members in each AWS Region for which you would like to manage Amazon Inspector.

An organization can have only one delegated administrator.

You can only have one delegated administrator for Amazon Inspector for an organization. If you have designated an account as a delegated administrator in one AWS Region, that account must be your delegated administrator in all other Regions.

Changing a delegated administrator does not disable Amazon Inspector for member accounts.

If you remove the delegated administrator, Amazon Inspector is not disabled in the member accounts, and scan settings will not be affected.

Your AWS Organization must have all features enabled.

All features is the default setting for AWS Organizations. If it is not enabled, see Enabling all features in your organization.

Permissions required to designate a delegated administrator

You must have permission to enable Amazon Inspector and to designate an Amazon Inspector delegated administrator.

Add the following statement to the end of an IAM policy to grant these permissions:

{
    "Sid": "PermissionsForInspectorAdmin",
    "Effect": "Allow",
    "Action": [
        "inspector2:EnableDelegatedAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
    ],
    "Resource": "*"
}
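An added example, not part of the AWS documentation: a Python check of whether an identity policy document grants the eight actions in the statement above, with wildcard patterns matched case-insensitively as IAM does for action names. It assumes a single policy document, counts only unconditional Allow statements on Resource "*", treats any matching Deny as blocking, and does not evaluate NotAction, service control policies or permissions boundaries; `check_policy` and `SAMPLE_POLICY` are names made up for this example.

```python
import fnmatch

# The eight actions from the policy statement on this page.
REQUIRED_ACTIONS = [
    "inspector2:EnableDelegatedAdminAccount",
    "organizations:EnableAWSServiceAccess",
    "organizations:RegisterDelegatedAdministrator",
    "organizations:ListDelegatedAdministrators",
    "organizations:ListAWSServiceAccessForOrganization",
    "organizations:DescribeOrganizationalUnit",
    "organizations:DescribeAccount",
    "organizations:DescribeOrganization",
]

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])

def _matches(patterns, action):
    # Action names are case-insensitive; "*" and "?" act as wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def check_policy(policy):
    """Return (missing, blocked): required actions not granted, and ones hit by a Deny."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    allowed, denied = set(), set()
    for stmt in statements:
        hits = {a for a in REQUIRED_ACTIONS if _matches(_as_list(stmt.get("Action")), a)}
        if stmt.get("Effect") == "Deny":
            denied |= hits  # conservative: any matching Deny counts
        elif stmt.get("Effect") == "Allow" and "Condition" not in stmt \
                and "*" in _as_list(stmt.get("Resource")):
            allowed |= hits  # only unconditional Allow on Resource "*"
    missing = [a for a in REQUIRED_ACTIONS if a not in allowed]
    return missing, [a for a in REQUIRED_ACTIONS if a in denied]

# Constructed sample: omits the inspector2 action and denies one Organizations call.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "organizations:Describe*", "organizations:List*",
        "organizations:EnableAWSServiceAccess"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": "organizations:RegisterDelegatedAdministrator"},
]}

if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY))
```

An empty `missing` list with an empty `blocked` list means the policy covers the statement above under the stated assumptions.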

Designating a delegated administrator for your AWS organization

The following procedure shows you how to designate a delegated administrator for your AWS organization. When this designation is complete, Amazon Inspector is enabled for both the Organizations management account and the chosen delegated administrator account.


Only the Organizations management account can designate a delegated administrator.

Enabling Amazon Inspector for the first time creates the service-linked role AWSServiceRoleForAmazonInspector for the account. For more information about how Amazon Inspector uses service-linked roles, see Using service-linked roles for Amazon Inspector. For information about service-linked roles in general, see Using service-linked roles in the IAM User Guide.

To designate a delegated administrator for Amazon Inspector:

  1. Log in to the AWS Management Console using the AWS Organizations management account.

  2. Open the Amazon Inspector console, then use the Region selector in the upper right to specify the Region in which you want to designate an administrator.

  3. Under Enable Inspector, enter the twelve-digit AWS account ID of the account that you want to designate as the Amazon Inspector delegated administrator for your organization, and choose Delegate Administration.

  4. (Recommended) Repeat the previous steps for each AWS Region.

After you specify the delegated administrator, you only need to use the AWS Organizations management account to change or remove the delegated administrator account.