Designating a delegated administrator for Amazon Inspector

As mentioned in the previous topic, the delegated administrator account for Amazon Inspector can access specific metadata and create suppression rules, which are applied to member accounts. This topic describes how to designate a delegated administrator for Amazon Inspector.

Important considerations for delegated administrators

Take note of the following factors that define how the delegated administrator operates in Amazon Inspector:

A delegated administrator can manage a maximum of 5,000 members.

Each Amazon Inspector delegated administrator has a quota of 5,000 member accounts. However, your organization could include more than 5,000 accounts. If you exceed 5,000 member accounts, you will receive a notification through the Amazon CloudWatch Personal Health Dashboard and an email to the delegated administrator account.

A delegated administrator is Regional.

Unlike AWS Organizations, Amazon Inspector is a Regional service. This means you must designate a delegated administrator, add member accounts, and activate scan types in each AWS Region where you want to use Amazon Inspector.

An organization can have only one delegated administrator.

You can only have one delegated administrator for Amazon Inspector for an organization. If you have designated an account as a delegated administrator in one Region, that account must be your delegated administrator in all other Regions.

Changing a delegated administrator does not deactivate Amazon Inspector for member accounts.

If you remove the delegated administrator, Amazon Inspector won't be deactivated in those accounts, and scan settings won't be affected.

Your AWS Organization must have all features activated.

This is the default setting for AWS Organizations. If it's not activated, see Activating all features in your organization.

Permissions required to designate a delegated administrator

You must have permission to activate Amazon Inspector and to designate an Amazon Inspector delegated administrator.

Add the following statement to the end of an IAM policy to grant these permissions.

    {
      "Sid": "PermissionsForInspectorAdmin",
      "Effect": "Allow",
      "Action": [
        "inspector2:EnableDelegatedAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }

Designating a delegated administrator for your AWS organization

The following procedure shows you how to designate a delegated administrator for your AWS organization. When this designation is complete, Amazon Inspector is activated for both the Organizations management account and the chosen delegated administrator account.

Note

Only the Organizations management account can designate a delegated administrator.

Activating Amazon Inspector for the first time creates the service-linked role (SLR) AWSServiceRoleForAmazonInspector for the account. For more information about how Amazon Inspector uses service-linked roles, see Using service-linked roles for Amazon Inspector. For information about service-linked roles in general, see Using service-linked roles in the IAM User Guide.

To designate a delegated administrator for Amazon Inspector

Console
Designate a delegated administrator in the console
  1. Sign in to the AWS Management Console using the AWS Organizations management account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  3. Use the AWS Region selector to specify the Region where you want to designate a delegated administrator.

  4. Choose General settings.

  5. In the Delegated administrator tile, enter the account ID of the AWS account that you want to designate as the delegated administrator, and then choose Delegate administration.

  6. (Optional) Repeat the previous steps for each AWS Region.

API
Designate a delegated administrator using the API
  • Run the EnableDelegatedAdminAccount API operation using the credentials of the Organizations management account. You can also use the AWS Command Line Interface to do this by running the following CLI command:

        aws inspector2 enable-delegated-admin-account --delegated-admin-account-id 11111111111

    Note

    Make sure to specify the account ID of the account that you want to make an Amazon Inspector delegated administrator.

After you specify the delegated administrator, you must use the AWS Organizations management account only to change or remove the delegated administrator account.
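Because the delegated administrator is set per Region but only one account may hold that role across the organization, a preflight that checks the current state in every Region before calling EnableDelegatedAdminAccount avoids a half-delegated setup. The script below is an added example, not code from the AWS documentation; it assumes the AWS CLI v2 is installed and run with Organizations management-account credentials, that get-delegated-admin-account prints "None" or nothing when no administrator is set, and the account ID and Region list are placeholders.

```shell
#!/bin/sh
# Preflight and delegation of the Amazon Inspector delegated administrator.
# Constructed example; assumes management-account credentials are configured.
set -eu

# AWS account IDs are 12 decimal digits; reject anything else before calling AWS.
validate_account_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{12}$'
}

# Input: desired admin ID, then one "<region> <current-admin-or-NONE>" per arg.
# Prints the Regions that still need delegation; returns 2 if a different
# account already holds the role anywhere (one delegated admin per organization).
plan_regions() {
  desired="$1"; shift
  for entry in "$@"; do
    region="${entry%% *}"; current="${entry#* }"
    if [ "$current" = "NONE" ]; then
      printf '%s\n' "$region"
    elif [ "$current" != "$desired" ]; then
      printf 'conflict: %s already delegates to %s\n' "$region" "$current" >&2
      return 2
    fi
  done
}

# Current delegated admin in one Region, or NONE (assumed output shape when unset).
current_admin() {
  id=$(aws inspector2 get-delegated-admin-account --region "$1" \
        --query 'delegatedAdmin.accountId' --output text 2>/dev/null || true)
  if [ -n "$id" ] && [ "$id" != "None" ]; then printf '%s\n' "$id"; else echo NONE; fi
}

# Usage: designate 111111111111 us-east-1 eu-west-1   (placeholder ID and Regions)
designate() {
  desired="$1"; shift
  validate_account_id "$desired" || { echo "bad account id: $desired" >&2; return 1; }
  # The organization must have all features enabled for delegated administration.
  fs=$(aws organizations describe-organization --query 'Organization.FeatureSet' --output text)
  [ "$fs" = "ALL" ] || { echo "organization feature set is $fs, need ALL" >&2; return 1; }
  regions="$*"; set --
  for r in $regions; do set -- "$@" "$r $(current_admin "$r")"; done
  plan_regions "$desired" "$@" | while read -r r; do
    aws inspector2 enable-delegated-admin-account --region "$r" \
      --delegated-admin-account-id "$desired"
  done
}
```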