Integrating and configuring an organization in Amazon Macie

To start using Amazon Macie with AWS Organizations, the AWS Organizations management account for the organization first designates an account as the delegated Macie administrator account for the organization. This enables Macie as a trusted service in AWS Organizations. It also enables Macie in the current AWS Region for the designated administrator account, and it allows the designated administrator account to enable and manage Macie for other accounts in the organization in that same Region. For information about how these permissions are granted, see Using AWS Organizations with other AWS services in the AWS Organizations User Guide.

The delegated Macie administrator then configures the organization in Macie, primarily by adding the organization’s accounts as Macie member accounts in the Region. The administrator can then access certain Macie settings, data, and resources for those accounts in that Region.

This topic explains how to designate a delegated Macie administrator for an organization and how to add the organization's accounts as Macie member accounts. Before you perform these tasks, ensure that you understand the relationship between administrator and member accounts. It’s also a good idea to review the considerations and recommendations for using Macie with AWS Organizations.

To integrate and configure the organization in multiple Regions, the AWS Organizations management account and the delegated Macie administrator repeat these steps in each additional Region.

Step 1: Verify your permissions

Before you designate the delegated Macie administrator account for your organization, verify that you (as a user of the AWS Organizations management account) are allowed to perform the following AWS Organizations actions:

  • organizations:DescribeOrganization

  • organizations:EnableAWSServiceAccess

  • organizations:ListAWSServiceAccessForOrganization

  • organizations:RegisterDelegatedAdministrator

These actions allow you to retrieve information about your organization, integrate Macie with AWS Organizations, retrieve information about which AWS services you've integrated with AWS Organizations, and designate a delegated Macie administrator account for your organization.

To grant these permissions, append the following statement to an existing Macie policy for your account:

{
    "Sid": "Grant permissions to designate a delegated Macie administrator",
    "Effect": "Allow",
    "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:RegisterDelegatedAdministrator"
    ],
    "Resource": "*"
}

If you want to designate your AWS Organizations management account as the delegated Macie administrator account for the organization, your account also needs permission to perform the following AWS Identity and Access Management (IAM) action: iam:CreateServiceLinkedRole. This action allows you to enable Macie for the management account. However, based on AWS security best practices and the principle of least privilege, we don't recommend that you do this.

If you decide to grant this permission, add the following statement to the IAM policy for your AWS Organizations management account:

{
    "Sid": "Grant permissions to enable Macie",
    "Effect": "Allow",
    "Action": [
        "iam:CreateServiceLinkedRole"
    ],
    "Resource": "arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
    "Condition": {
        "StringLike": {
            "iam:AWSServiceName": "macie.amazonaws.com"
        }
    }
}

In the statement, replace 111122223333 with the account ID for the management account.

If you want to administer Macie in a manually enabled AWS Region, also update the value for the Macie service principal in the Resource element and the iam:AWSServiceName condition key. The value must specify the Region code for the Region. For example, to administer Macie in the Middle East (Bahrain) Region, which has the Region code me-south-1, do the following:

  • For the Resource element, replace

    arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie

    with

    arn:aws:iam::111122223333:role/aws-service-role/macie.me-south-1.amazonaws.com/AWSServiceRoleForAmazonMacie

    Where 111122223333 is the account ID for the management account and me-south-1 specifies the Region code for the Region.

  • For the iam:AWSServiceName condition key, replace macie.amazonaws.com with macie.me-south-1.amazonaws.com

    Where me-south-1 specifies the Region code for the Region.

For a list of Regions where Macie is currently available and the Region code for each one, see Amazon Macie endpoints and quotas in the Amazon Web Services General Reference. For information about manually enabled Regions, see Managing AWS Regions in the Amazon Web Services General Reference.
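As an added example (not code from the Macie documentation), the following Python builds the iam:CreateServiceLinkedRole statement for a given management account and Region, and reviews an existing statement for the mismatch the text warns about: a Resource ARN and an iam:AWSServiceName condition that name different Macie service principals. The Region-code pattern and the 12-digit account ID check are this example's own assumptions.

```python
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
SLR_ARN_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):role/aws-service-role/"
    r"(macie(?:\.[a-z0-9-]+)?\.amazonaws\.com)/AWSServiceRoleForAmazonMacie$"
)


def macie_service_principal(region_code=None):
    """Global principal for a default Region; Region-qualified principal
    for a manually enabled Region such as me-south-1, as the page shows."""
    if region_code is None:
        return "macie.amazonaws.com"
    # Assumed Region-code shape, e.g. me-south-1, ap-southeast-1.
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region_code):
        raise ValueError(f"not a Region code: {region_code!r}")
    return f"macie.{region_code}.amazonaws.com"


def create_slr_statement(account_id, region_code=None):
    """iam:CreateServiceLinkedRole scoped to the Macie service-linked role
    in one account, with Resource and the condition key kept in step."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit account ID: {account_id!r}")
    principal = macie_service_principal(region_code)
    return {
        "Sid": "Grant permissions to enable Macie",
        "Effect": "Allow",
        "Action": ["iam:CreateServiceLinkedRole"],
        "Resource": (f"arn:aws:iam::{account_id}:role/aws-service-role/"
                     f"{principal}/AWSServiceRoleForAmazonMacie"),
        "Condition": {"StringLike": {"iam:AWSServiceName": principal}},
    }


def slr_statement_problems(statement):
    """Review a statement someone already wrote; an empty list means OK.
    The main catch is the page's caveat: Resource updated for a manually
    enabled Region while iam:AWSServiceName still names the global
    principal (or the reverse), so the two never describe the same role."""
    problems = []
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    if actions != ["iam:CreateServiceLinkedRole"]:
        problems.append("Action is not exactly iam:CreateServiceLinkedRole")
    match = SLR_ARN_RE.match(str(statement.get("Resource", "")))
    if not match:
        problems.append("Resource is not the Macie service-linked role ARN")
        return problems
    cond = statement.get("Condition", {}).get("StringLike", {})
    if cond.get("iam:AWSServiceName") != match.group(2):
        problems.append("iam:AWSServiceName does not match the principal "
                        f"in Resource ({match.group(2)})")
    return problems
```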

Step 2: Designate the delegated Macie administrator account for the organization

After you verify your permissions, you (as a user of the AWS Organizations management account) can designate the delegated Macie administrator account for your organization.

To designate the delegated Macie administrator account for an organization

To designate the delegated Macie administrator account for your organization, you can use the Amazon Macie console or the Amazon Macie API. Only a user of the AWS Organizations management account can perform this task.

Console

Follow these steps to designate the delegated Macie administrator account by using the Amazon Macie console.

To designate the delegated Macie administrator account

  1. Log in to the AWS Management Console using your AWS Organizations management account.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you want to designate the delegated Macie administrator account for your organization.

  3. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  4. Do one of the following, depending on whether Macie is enabled for your management account in the current Region:

    • If Macie isn’t enabled, choose Get started on the welcome page.

    • If Macie is enabled, choose Settings in the navigation pane.

  5. Under Delegated administrator, enter the 12-digit account ID for the AWS account that you want to designate as the Macie administrator account.

  6. Choose Delegate.

Repeat the preceding steps in each additional Region in which you want to integrate your organization with Macie. You must designate the same Macie administrator account in each of those Regions.

API

To designate the delegated Macie administrator account programmatically, use the EnableOrganizationAdminAccount operation of the Amazon Macie API. To designate the account in multiple Regions, submit the designation for each Region in which you want to integrate your organization with Macie. You must designate the same Macie administrator account in each of those Regions.

When you submit the designation, use the required adminAccountId parameter to specify the 12-digit account ID for the AWS account to designate as the Macie administrator account for the organization. Also ensure that you specify the Region that the designation applies to.

To designate the Macie administrator account by using the AWS Command Line Interface (AWS CLI), run the enable-organization-admin-account command. For the admin-account-id parameter, specify the 12-digit account ID for the AWS account to designate. Use the region parameter to specify the Region that the designation applies to. For example:

C:\> aws macie2 enable-organization-admin-account --region us-east-1 --admin-account-id 111122223333

Where us-east-1 is the Region that the designation applies to (the US East (N. Virginia) Region) and 111122223333 is the account ID for the account to designate.

After you designate the Macie administrator account for your organization, the Macie administrator can begin configuring the organization in Macie.

Step 3: Automatically enable and add new organization accounts as Macie member accounts

By default, Macie isn’t automatically enabled for new accounts when the accounts are added to your organization in AWS Organizations. In addition, the accounts aren’t automatically added as Macie member accounts. The accounts appear in the Macie administrator's account inventory. However, Macie isn’t necessarily enabled for the accounts and the Macie administrator can’t necessarily access Macie settings, data, and resources for the accounts.

If you’re the delegated Macie administrator for the organization, you can change this configuration setting for your organization. If you turn on the Auto-enable setting, Macie is automatically enabled for new accounts when the accounts are added to your organization in AWS Organizations, and the accounts are automatically associated with your Macie administrator account as member accounts.

Note

If you turn on the Auto-enable setting, note the following exceptions:

  • If a new account is already associated with a different Macie administrator account, Macie doesn’t automatically add the account as a member account in your organization. The account must disassociate from its current Macie administrator account before it can be part of your organization in Macie. To identify accounts where this is the case, you can review the account inventory for your organization. You can then add the accounts manually.

  • If your organization reaches the quota of 5,000 Macie member accounts in an AWS Region, Macie automatically turns off this setting in the Region. If this happens, we notify you by creating AWS Health and Amazon CloudWatch events for your Macie administrator account. We also send email to the address that’s associated with that account. If the total number of accounts subsequently decreases to fewer than 5,000 accounts, Macie automatically turns on the setting again.

Also note that changing this setting doesn’t affect the status of existing accounts in your organization. To enable and manage Macie for existing accounts, you need to manually add those accounts as Macie member accounts. The next step explains how to do this.

To automatically enable and add new organization accounts as Macie member accounts

To automatically enable and add new accounts as Macie member accounts, you can use the Amazon Macie console or the Amazon Macie API. Only the delegated Macie administrator for the organization can perform this task.

Console

To perform this task by using the console, you must be allowed to perform the following AWS Organizations action: organizations:ListAccounts. This action allows you to retrieve and display information about the accounts in your organization. If you have this permission, follow these steps to automatically enable and add new organization accounts as Macie member accounts.

To automatically enable and add new organization accounts

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you want to automatically enable and add new accounts as Macie member accounts.

  3. In the navigation pane, under Settings, choose Accounts.

  4. On the Accounts page, next to Add accounts, turn on Auto-enable.

Repeat the preceding steps in each additional Region in which you want to configure your organization in Macie.

To subsequently change this setting and stop enabling and adding new accounts automatically, repeat the preceding steps and turn off Auto-enable.

API

To automatically enable and add new Macie member accounts programmatically, use the UpdateOrganizationConfiguration operation of the Amazon Macie API. When you submit your request, set the value for the autoEnable parameter to true. (The default value is false.) Also ensure that you specify the Region that your request applies to. To automatically enable and add new accounts in additional Regions, submit the request for each additional Region.

If you use the AWS CLI to submit the request, run the update-organization-configuration command and specify the auto-enable parameter to enable and add new accounts automatically. For example:

$ aws macie2 update-organization-configuration --region us-east-1 --auto-enable

Where us-east-1 is the Region in which to automatically enable and add new accounts, the US East (N. Virginia) Region.

To subsequently change this setting and stop enabling and adding new accounts automatically, run the same command again and use the no-auto-enable parameter, instead of the auto-enable parameter, in each applicable Region.

Step 4: Enable and add existing organization accounts as Macie member accounts

When you integrate Macie with AWS Organizations, Macie isn’t automatically enabled for all the existing accounts in the organization. In addition, the accounts aren’t automatically associated with the delegated Macie administrator account as Macie member accounts.

Therefore, the final step of integrating and configuring your organization in Macie is to add existing organization accounts as Macie member accounts. When you add an existing account as a Macie member account, Macie is automatically enabled for the account and you (as the delegated Macie administrator) gain access to certain Macie settings, data, and resources for the account.

Note that you can’t add an account that’s currently associated with another Macie administrator account. To add the account, work with the account owner to first disassociate the account from its current administrator account. In addition, you can’t add an existing account if Macie is currently suspended for the account. The account owner must first re-enable Macie for the account. Finally, if you want to add the AWS Organizations management account as a member account, a user of that account must first enable Macie for the account.

To enable and add existing organization accounts as Macie member accounts

To enable and add existing organization accounts as Macie member accounts, you can use the Amazon Macie console or the Amazon Macie API. Only the delegated Macie administrator for the organization can perform this task.

Console

To perform this task by using the console, you must be allowed to perform the following AWS Organizations action: organizations:ListAccounts. This action allows you to retrieve and display information about the accounts in your organization. If you have this permission, follow these steps to enable and add existing accounts as Macie member accounts.

To enable and add existing organization accounts

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you want to enable and add existing accounts as Macie member accounts.

  3. In the navigation pane, under Settings, choose Accounts.

    The Accounts page opens and displays a table of the accounts that are associated with your Macie account. If an account is part of your organization in AWS Organizations, its Type is Via AWS organization. If an account isn’t a Macie member account, its Status is Not a member.

  4. In the Accounts table, select the check box for each account that you want to add as a Macie member account.

    Tip

    To more easily identify accounts to add, you can filter the table: place your cursor in the filter bar, choose the Status field, select the Not a member check box, and then choose Apply.

  5. On the Actions menu, choose Add member.

  6. Confirm that you want to add the selected accounts as member accounts.

After you confirm the addition of the selected accounts, the status of the accounts changes to Creating/Enabling, and then Enabled.

Repeat the preceding steps in each additional Region in which you want to configure your organization in Macie.

API

To programmatically enable and add one or more existing accounts as Macie member accounts, use the CreateMember operation of the Amazon Macie API. When you submit your request, use the supported parameters to specify the 12-digit account ID and email address of each AWS account to enable and add. Also specify the Region that the request applies to. To enable and add existing accounts in additional Regions, submit the request for each additional Region.

To retrieve the account ID and email address of an AWS account to enable and add, you can optionally use the ListMembers operation of the Amazon Macie API. This operation provides details about the accounts that are associated with your Macie account, including accounts that aren’t Macie member accounts. If the value for the relationshipStatus property of an account isn’t Enabled, the account isn’t a Macie member account.

To enable and add one or more existing accounts by using the AWS CLI, run the create-member command. Use the region parameter to specify the Region in which to enable and add the accounts. Use the account-details parameter to specify the account ID and email address for each AWS account to add. For example:

$ aws macie2 create-member --region us-east-1 --account-details AccountId=123456789012,Email=janedoe@example.com

Where us-east-1 is the Region in which to enable and add the account as a Macie member account (the US East (N. Virginia) Region), and the account-details parameter uses shorthand syntax to specify the account ID (123456789012) and the email address (janedoe@example.com) for the account.
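The administrator-side procedure of Step 3 and Step 4 as one script (an added example, not AWS's code): it turns on Auto-enable, pages through ListMembers, and calls CreateMember for every account whose relationshipStatus isn't Enabled, recording the accounts Macie refuses (associated with another administrator, suspended, or a management account without Macie) instead of stopping at the first one. The client is passed in so it can be a boto3 macie2 client or a test double; the onlyAssociated='false' ListMembers parameter and the account argument name for CreateMember come from the boto3 API rather than from this page.

```python
def accounts_to_add(members, skip=()):
    """Pick accounts that are not yet Macie members from ListMembers records.
    Per the page, any relationshipStatus other than 'Enabled' means the
    account is not a member; IDs in `skip` (for example, accounts known to
    be suspended or tied to another administrator) are left for manual work."""
    details = []
    for m in members:
        if m.get("relationshipStatus") == "Enabled" or m["accountId"] in skip:
            continue
        details.append({"accountId": m["accountId"], "email": m["email"]})
    return details


def list_all_members(client):
    """Follow nextToken across ListMembers pages. onlyAssociated='false'
    (an API parameter not shown on the page) includes non-member accounts."""
    members, kwargs = [], {"onlyAssociated": "false"}
    while True:
        resp = client.list_members(**kwargs)
        members.extend(resp.get("members", []))
        token = resp.get("nextToken")
        if not token:
            return members
        kwargs["nextToken"] = token


def configure_region(client, skip=()):
    """Steps 3 and 4 for one Region: turn on Auto-enable, then add every
    existing non-member account. Accounts that Macie refuses (associated
    with another administrator, suspended, or a management account without
    Macie enabled) are reported rather than aborting the run."""
    client.update_organization_configuration(autoEnable=True)
    added, failed = [], {}
    for detail in accounts_to_add(list_all_members(client), skip):
        try:
            # boto3 names the CreateMember body 'account' (assumed to mirror
            # the CLI's --account-details shorthand shown on the page).
            client.create_member(account=detail)
            added.append(detail["accountId"])
        except Exception as exc:  # botocore.exceptions.ClientError in practice
            failed[detail["accountId"]] = str(exc)
    return {"added": added, "failed": failed}


if __name__ == "__main__":
    import boto3
    # Constructed Region list; the same delegated administrator runs this in each.
    for region in ("us-east-1", "eu-west-1"):
        print(region, configure_region(boto3.client("macie2", region_name=region)))
```

Run it once per Region under the delegated administrator's credentials; the returned failed map is the list of accounts to follow up with their owners.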