Designating a different Amazon Macie administrator account for an organization

After an AWS Organizations organization is integrated and configured in Amazon Macie, the AWS Organizations management account can designate a different account as the delegated Macie administrator account for the organization.

To change the designation, you (as a user of the AWS Organizations management account) must have the same permissions that were required to initially designate a Macie administrator account for the organization. You must also be allowed to perform the following AWS Organizations action: organizations:deregisterDelegatedAdministrator. This action allows you to remove the current designation.

If your organization uses Macie in multiple AWS Regions, you must change the designation in each Region in which your organization uses Macie—the delegated Macie administrator account must be the same in all of those Regions. To learn about additional requirements, see Considerations and recommendations for using Amazon Macie with AWS Organizations.

To designate a different Macie administrator account for your organization

To designate a different Macie administrator account for your organization, you can use the Amazon Macie console or a combination of the Amazon Macie and AWS Organizations APIs. Only a user of the AWS Organizations management account can change the designation.

Console

To change the designation by using the Amazon Macie console, follow these steps.

To designate a different Macie administrator account

  1. Log in to the AWS Management Console using your AWS Organizations management account.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you want to change the designation.

  3. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  4. Do one of the following, depending on whether Macie is enabled for your management account in the current Region:

    • If Macie isn’t enabled, choose Get started on the welcome page.

    • If Macie is enabled, choose Settings in the navigation pane.

  5. Under Delegated administrator, choose Remove. To change the designation, you must first remove the current designation.

  6. Confirm that you want to remove the current designation.

  7. Under Delegated administrator, enter the 12-digit account ID for the AWS account to designate as the new Macie administrator account for the organization.

  8. Choose Delegate.

Repeat the preceding steps in each additional Region in which you integrated Macie with AWS Organizations.

API

To change the designation programmatically, you use two operations of the Amazon Macie API and one operation of the AWS Organizations API. This is because you have to remove the current designation in both Macie and AWS Organizations before you submit the new designation.

To remove the current designation:

  1. Use the DisableOrganizationAdminAccount operation of the Macie API. For the required adminAccountId parameter, specify the 12-digit account ID for the AWS account that’s currently designated as the Macie administrator account for the organization.

  2. Use the DeregisterDelegatedAdministrator operation of the AWS Organizations API. For the AccountId parameter, specify the 12-digit account ID for the account that’s currently designated as the Macie administrator account for the organization. This value should match the account ID that you specified in the preceding Macie request. For the ServicePrincipal parameter, specify the Macie service principal (macie.amazonaws.com).

After you remove the current designation, submit the new designation by using the EnableOrganizationAdminAccount operation of the Macie API. For the required adminAccountId parameter, specify the 12-digit account ID for the AWS account to designate as the new Macie administrator account for the organization.

To change the designation by using the AWS CLI, run the disable-organization-admin-account command of the Macie API and the deregister-delegated-administrator command of the AWS Organizations API. These commands remove the current designation in Macie and AWS Organizations, respectively. For the admin-account-id and account-id parameters, specify the 12-digit account ID for the AWS account to remove as the current Macie administrator account. Use the region parameter to specify the Region that the removal applies to. For example:

C:\> aws macie2 disable-organization-admin-account --region us-east-1 --admin-account-id 111122223333 && aws organizations deregister-delegated-administrator --region us-east-1 --account-id 111122223333 --service-principal macie.amazonaws.com

Where:

  • us-east-1 is the Region that the removal applies to, the US East (N. Virginia) Region.

  • 111122223333 is the account ID for the account to remove as the Macie administrator account.

  • macie.amazonaws.com is the Macie service principal.

After you remove the current designation, submit the new designation by running the enable-organization-admin-account command of the Macie API. For the admin-account-id parameter, specify the 12-digit account ID for the AWS account to designate as the new Macie administrator account for the organization. Use the region parameter to specify the Region that the designation applies to. For example:

C:\> aws macie2 enable-organization-admin-account --region us-east-1 --admin-account-id 444455556666

Where us-east-1 is the Region that the designation applies to (the US East (N. Virginia) Region) and 444455556666 is the account ID for the account to designate as the new Macie administrator account.
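Putting the CLI steps above together, the following script is an added example (it is not part of the AWS documentation) that removes the current designation and submits the new one in each Region you list, after first checking that the account Macie currently reports as administrator is the one you intend to remove. The account IDs and Regions are constructed placeholders, and the check relies on the list-organization-admin-accounts command of the Macie API.

```shell
#!/usr/bin/env bash
# Added example, not AWS documentation code. Re-delegates the Macie
# administrator account in every Region passed on the command line.
set -eu

MACIE_PRINCIPAL="macie.amazonaws.com"

# Returns 0 if the argument is a 12-digit AWS account ID.
is_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Both IDs must be well formed and must differ (removing and re-adding
# the same account would only cause an outage in Macie administration).
validate_change() {
  is_account_id "$1" && is_account_id "$2" && [ "$1" != "$2" ]
}

# Account currently reported by Macie as the delegated administrator in a
# Region; prints an empty string when no account is designated there.
current_macie_admin() {
  aws macie2 list-organization-admin-accounts --region "$1" \
    --query 'adminAccounts[0].accountId' --output text 2>/dev/null | sed 's/^None$//'
}

# Removes the designation in Macie and AWS Organizations, then delegates
# the new account, in one Region. Refuses to act if the current admin is
# not the account we expect, so a wrong --admin-account-id is caught.
redelegate_region() {
  local region="$1" old="$2" new="$3" actual
  actual="$(current_macie_admin "$region")"
  if [ "$actual" != "$old" ]; then
    echo "$region: expected $old as current admin, found '${actual:-none}'; skipping" >&2
    return 1
  fi
  aws macie2 disable-organization-admin-account --region "$region" --admin-account-id "$old"
  aws organizations deregister-delegated-administrator --region "$region" \
    --account-id "$old" --service-principal "$MACIE_PRINCIPAL" \
    || echo "$region: Organizations deregistration returned an error; continuing" >&2
  aws macie2 enable-organization-admin-account --region "$region" --admin-account-id "$new"
  echo "$region: delegated $new"
}

# Same new administrator in every Region, as the page requires.
redelegate_all() {
  local old="$1" new="$2" r; shift 2
  validate_change "$old" "$new" || { echo "invalid or identical account IDs" >&2; return 1; }
  for r in "$@"; do redelegate_region "$r" "$old" "$new"; done
}

# Usage (constructed placeholder IDs), uncomment to run with real values:
# redelegate_all 111122223333 444455556666 us-east-1 us-west-2
```

Run it with the AWS Organizations management account's credentials; the script stops at the first Region where the current administrator does not match, leaving the remaining Regions unchanged.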