Considerations and recommendations for using Amazon Macie with AWS Organizations - Amazon Macie

Before you integrate Amazon Macie with AWS Organizations and configure your organization in Macie, consider the following requirements and recommendations.

Designating a Macie administrator account

When you decide which account should be the delegated Macie administrator account for your organization, keep the following in mind:

  • An organization can have only one delegated Macie administrator account.

  • An account can’t be a Macie administrator and member account at the same time.

  • Only the AWS Organizations management account for an organization can designate the delegated Macie administrator account for the organization, and only the management account can subsequently change or remove that designation.

  • The AWS Organizations management account for an organization can also be the delegated Macie administrator account for the organization. However, we don't recommend this configuration because it conflicts with AWS security best practices and the principle of least privilege. Users who have access to the management account for billing purposes are likely to be different from users who need access to Macie for information security purposes.

    If you prefer this configuration, you must enable Macie for the organization's management account in at least one AWS Region before you designate the account as the delegated Macie administrator account. Otherwise, the account won't be able to access and manage Macie settings and resources for member accounts.

  • Unlike AWS Organizations, Macie is a Regional service. This means that the designation of a Macie administrator account is a Regional designation. It also means that associations between Macie administrator and member accounts are Regional. For example, if the management account designates a Macie administrator account in the US East (N. Virginia) Region, the Macie administrator can manage Macie for member accounts only in that Region.

    To centrally manage Macie accounts in multiple AWS Regions, the management account must log in to each Region where the organization currently uses or will use Macie, and then designate the Macie administrator account in each of those Regions. The Macie administrator can then configure the organization in each of those Regions. For a list of Regions where Macie is currently available, see Amazon Macie endpoints and quotas in the Amazon Web Services General Reference.

  • An account can be associated with only one Macie administrator account at a time. If your organization uses Macie in multiple Regions, the designated Macie administrator account must be the same in all of those Regions. However, your organization’s management account must designate the administrator account separately in each Region.

  • If the Macie administrator’s AWS account is suspended, isolated, or closed, all associated Macie member accounts are automatically removed as Macie member accounts, but Macie isn’t disabled for those accounts.
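The per-Region designation procedure described above, as an added example (this is not AWS or Macie code): a Python script that uses boto3's macie2 client to designate the same administrator account in each Region and then verify that every Region agrees. The account IDs and Region list are placeholders, the Regions must be ones where Macie is available, and FakeMacie is a constructed offline stand-in for the client so the logic can be exercised without credentials. Where a Region already has a different administrator, the script reports a conflict instead of replacing it, because replacing the designation removes that Region's member associations and should be a deliberate disable_organization_admin_account call by the management account.

```python
"""Designate one delegated Macie administrator in every Region and verify it.

Added example, not AWS code. Account IDs and the Region list are constructed
placeholders. Run with management-account credentials; only that account can
designate or change the delegated Macie administrator.
"""
from typing import Callable, Dict, List, Optional

ADMIN_ACCOUNT_ID = "111122223333"                  # placeholder admin account ID
REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]  # placeholder Regions with Macie


def boto3_macie_client(region: str):
    """Real client factory (needs boto3); imported lazily so the module loads offline."""
    import boto3
    return boto3.client("macie2", region_name=region)


def current_admin(client) -> Optional[str]:
    """Account ID of the admin with status ENABLED in this client's Region, or None."""
    resp = client.list_organization_admin_accounts()
    enabled = [a["accountId"] for a in resp.get("adminAccounts", [])
               if a.get("status") == "ENABLED"]
    return enabled[0] if enabled else None


def designate_admin_everywhere(admin_id: str, regions: List[str],
                               client_factory: Callable = boto3_macie_client) -> Dict[str, str]:
    """Designate admin_id in each Region; never silently replace a different admin.

    Per-Region outcomes: "designated" (no admin existed, admin_id set),
    "already" (admin_id was already the admin; idempotent no-op), or
    "conflict:<id>" (another account is the admin here; left untouched, since
    replacing it drops that Region's members and needs an explicit
    disable_organization_admin_account first).
    """
    outcome: Dict[str, str] = {}
    for region in regions:
        client = client_factory(region)
        existing = current_admin(client)
        if existing is None:
            client.enable_organization_admin_account(adminAccountId=admin_id)
            outcome[region] = "designated"
        elif existing == admin_id:
            outcome[region] = "already"
        else:
            outcome[region] = f"conflict:{existing}"
    return outcome


def verify_single_admin(regions: List[str],
                        client_factory: Callable = boto3_macie_client) -> bool:
    """True only if every Region has an admin and it is the same account everywhere."""
    admins = {current_admin(client_factory(r)) for r in regions}
    return len(admins) == 1 and None not in admins


class FakeMacie:
    """Offline stand-in for a macie2 client (constructed for this example)."""
    def __init__(self, admin: Optional[str] = None):
        self.admin = admin
        self.enable_calls: List[str] = []

    def list_organization_admin_accounts(self):
        if self.admin is None:
            return {"adminAccounts": []}
        return {"adminAccounts": [{"accountId": self.admin, "status": "ENABLED"}]}

    def enable_organization_admin_account(self, adminAccountId: str):
        self.enable_calls.append(adminAccountId)
        self.admin = adminAccountId
        return {}


def demo() -> Dict[str, str]:
    """Three Regions: one empty, one already correct, one held by another account."""
    fakes = {"us-east-1": FakeMacie(), "us-west-2": FakeMacie(ADMIN_ACCOUNT_ID),
             "eu-west-1": FakeMacie("444455556666")}
    return designate_admin_everywhere(ADMIN_ACCOUNT_ID, REGIONS, lambda r: fakes[r])


if __name__ == "__main__":
    for region, result in demo().items():
        print(f"{region}: {result}")
```

To run against real accounts, drop the client_factory argument so the boto3 factory is used, and pass the Region list from Amazon Macie endpoints and quotas; a False result from verify_single_admin means either a Region was skipped or two Regions point at different administrators, both of which the page says are unsupported.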

Changing or removing the designation of a Macie administrator account

Only the AWS Organizations management account for an organization can change or remove the designation of a delegated Macie administrator account for the organization.

If the management account removes the designation, all associated member accounts are removed as Macie member accounts but Macie isn't disabled for the accounts. For an account to also pause or stop using Macie, a user of the account must suspend (pause) or disable Macie for the account.

Adding and removing Macie member accounts

As you add, remove, and otherwise manage member accounts for your organization, keep the following in mind:

  • A Macie administrator account can be associated with no more than 5,000 active (enabled) Macie member accounts in each AWS Region. If your organization reaches this quota, the Macie administrator won’t be able to add member accounts until they remove the necessary number of existing member accounts in the Region.

    When an organization meets this quota, we notify the Macie administrator by creating AWS Health and Amazon CloudWatch events for their account. We also send email to the address that’s associated with their account.

    If you’re the Macie administrator for an organization, you can determine how many active member accounts are currently associated with your account by using the Accounts page on the Amazon Macie console or the DescribeOrganizationConfiguration operation of the Amazon Macie API. For more information, see Reviewing Amazon Macie accounts for an organization.

  • An account can be associated with only one Macie administrator account at a time. This means that an account can’t accept a Macie invitation from another account if it’s already associated with the Macie administrator account for an organization in AWS Organizations.

    Similarly, if an account already accepted an invitation, the Macie administrator for an organization in AWS Organizations can’t add the account as a Macie member account. The account must first disassociate from its current, invitation-based administrator account.

  • To add the AWS Organizations management account as a Macie member account, a user of the management account must first enable Macie for the account. The Macie administrator isn’t allowed to enable Macie for the management account.

  • A member account that's associated through AWS Organizations can’t disassociate itself from its Macie administrator account. Only the Macie administrator can remove such an account as a Macie member account.

  • If the Macie administrator removes a Macie member account, Macie continues to be enabled for the account. To also pause or stop using Macie, a user of the account must suspend (pause) or disable Macie for the account.
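The per-Region member quota discussed above, as an added example (not AWS or Macie code): a Python helper for the Macie administrator that counts enabled members through every page of ListMembers, reads the maxAccountLimitReached flag from DescribeOrganizationConfiguration, and only then calls CreateMember. The 5,000 figure is the quota the page states; the account IDs, e-mail addresses and the FakeMacie client are constructed placeholders so the code runs offline. The quota parameter exists so the same logic can be exercised with a small limit.

```python
"""Check the per-Region member quota before adding a Macie member account.

Added example, not AWS code. Run with the Macie administrator's credentials in
the Region being managed; account IDs and e-mail addresses are placeholders.
Counting follows pagination, which matters when an organization is near quota.
"""
from typing import Dict, List

MEMBER_QUOTA = 5000  # active (enabled) member accounts per administrator per Region


def count_enabled_members(client) -> int:
    """Count associated members whose relationshipStatus is Enabled, across all pages."""
    count, token = 0, None
    while True:
        kwargs = {"onlyAssociated": "true"}  # the API takes this flag as a string
        if token:
            kwargs["nextToken"] = token
        resp = client.list_members(**kwargs)
        count += sum(1 for m in resp.get("members", [])
                     if m.get("relationshipStatus") == "Enabled")
        token = resp.get("nextToken")
        if not token:
            return count


def quota_status(client, quota: int = MEMBER_QUOTA) -> Dict[str, object]:
    """Combine Macie's own limit flag with a direct count of enabled members."""
    cfg = client.describe_organization_configuration()
    enabled = count_enabled_members(client)
    return {
        "enabled_members": enabled,
        "remaining": max(quota - enabled, 0),
        "limit_reached": bool(cfg.get("maxAccountLimitReached")) or enabled >= quota,
    }


def add_member_if_allowed(client, account_id: str, email: str,
                          quota: int = MEMBER_QUOTA) -> str:
    """Add the account only when the Region is below quota; otherwise report why."""
    status = quota_status(client, quota)
    if status["limit_reached"]:
        return "quota_reached"
    client.create_member(account={"accountId": account_id, "email": email})
    return "added"


class FakeMacie:
    """Offline stand-in for a macie2 client that pages 2 members at a time (constructed)."""
    def __init__(self, statuses: List[str], limit_flag: bool = False, page_size: int = 2):
        self.members = [{"accountId": f"{i:012d}", "relationshipStatus": s}
                        for i, s in enumerate(statuses, start=1)]
        self.limit_flag = limit_flag
        self.page_size = page_size
        self.created: List[str] = []

    def list_members(self, onlyAssociated="false", nextToken=None, maxResults=None):
        start = int(nextToken) if nextToken else 0
        resp = {"members": self.members[start:start + self.page_size]}
        if start + self.page_size < len(self.members):
            resp["nextToken"] = str(start + self.page_size)
        return resp

    def describe_organization_configuration(self):
        return {"autoEnable": True, "maxAccountLimitReached": self.limit_flag}

    def create_member(self, account):
        self.created.append(account["accountId"])
        return {"arn": f"arn:aws:macie2:us-east-1:111122223333:member/{account['accountId']}"}


if __name__ == "__main__":
    demo_client = FakeMacie(["Enabled", "Paused", "Enabled", "Enabled", "Removed"])
    print(quota_status(demo_client))
    print(add_member_if_allowed(demo_client, "444455556666", "security@example.com"))
```

With real credentials, replace FakeMacie with boto3.client("macie2", region_name=...) for the Region in question; because the quota and the associations are Regional, the check has to be repeated per Region, and a Paused member does not count toward the active total here.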

Transitioning from an invitation-based organization

If you already associated a Macie administrator account with member accounts by using Macie membership invitations, we recommend that you designate that account as the delegated Macie administrator account for your organization in AWS Organizations. This simplifies the transition from an invitation-based organization.

If you do this, all currently associated member accounts continue to be members. If a member account is part of your organization in AWS Organizations, the account’s association automatically changes from By Invitation to Via AWS organization in Macie. If a member account isn’t part of your organization in AWS Organizations, the account’s association continues to be By Invitation. In both cases, the accounts continue to be associated with the delegated Macie administrator account as member accounts.

We recommend this approach because an account can’t be associated with more than one Macie administrator account at the same time. If you designate a different account as the Macie administrator account for your organization in AWS Organizations, the designated administrator won’t be able to manage accounts that are already associated with another Macie administrator account by invitation. Each member account must first disassociate from its current, invitation-based administrator account. The Macie administrator for your organization in AWS Organizations can then add the account as a Macie member account and begin managing the account.

After you integrate Macie with AWS Organizations and you configure your organization in Macie, you can optionally designate a different Macie administrator account for the organization. You can also continue to use invitations to associate and manage member accounts that aren't part of your organization in AWS Organizations.