Designating a different Amazon Macie administrator account for an invitation-based organization

After you create and establish an invitation-based organization, you can change the Amazon Macie administrator account for the organization. To do this, administrators and members of the organization should take the following steps:

  1. The current Macie administrator optionally exports the current inventory of active member accounts for the organization. This simplifies the transition by helping you identify member accounts that should continue to be part of the organization.

  2. The current Macie administrator removes all member accounts from the current organization. This disassociates the accounts from the current administrator account, but Macie remains enabled for the accounts.

  3. The new Macie administrator adds the previous member accounts to the new organization. This associates the accounts with the new administrator account.

  4. Each member account accepts the invitation to join the new organization. When an account accepts the invitation, the account becomes an active member account in the new organization. The new Macie administrator can then access Macie settings, data, and resources for the account.

If your organization uses Macie in multiple AWS Regions, perform the preceding steps in each of those Regions.

To export the current inventory of active member accounts, the current Macie administrator can use the Amazon Macie console or the Amazon Macie API. With the console, the current administrator can export the data to a comma-separated values (CSV) file. The new administrator can then use the console to upload the CSV file and add all the accounts (in bulk) to the new organization.

To export member account data by using the console
  1. Sign in to the AWS Management Console using the current Macie administrator account.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you want to export the data.

  3. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  4. In the navigation pane, under Settings, choose Accounts.

  5. (Optional) To filter the Accounts table and show only those accounts that are currently active Macie member accounts in the organization, use the filter box above the table to add the following filter conditions:

    • Type = Invitation

    • Status = Enabled

  6. In the Accounts table, select the check box for each active member account to include in the exported data.

  7. Choose Export CSV.

  8. Specify a name and location for the file.

With the Amazon Macie API, the current Macie administrator can retrieve the data in JSON format. The new Macie administrator can then use that data to generate the list of account IDs and email addresses for the accounts to add and invite to the new organization.

To retrieve the data in JSON format, use the ListMembers operation of the Amazon Macie API. If the operation succeeds, Macie returns a members array that provides details about all the accounts that are associated with the administrator’s account. If an account is an active Macie member account in the current, invitation-based organization, the value for the relationshipStatus property of the account is Enabled and the invitedAt property specifies a date and time.
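The following script is an added example, not code from the Macie documentation or from AWS. It pages through ListMembers for the current administrator, keeps only the members whose relationshipStatus is Enabled and that carry an invitedAt timestamp (as the paragraph above describes), and shows how the new administrator would feed that list to CreateMember and CreateInvitations (those two operations are not mentioned on this page; the boto3 client name macie2, the region, and all account IDs and email addresses are assumptions or constructed sample values).

```python
"""Export active invitation-based Macie members and re-invite them (illustrative)."""
from datetime import datetime, timezone


def active_invited_members(members):
    """Return sorted (accountId, email) pairs for active invitation-based members.

    A member counts only if relationshipStatus is "Enabled" AND invitedAt is set;
    Enabled members without invitedAt were associated through AWS Organizations,
    and members that are Paused or still Invited have not (or no longer) accepted.
    """
    return sorted(
        (m["accountId"], m["email"])
        for m in members
        if m.get("relationshipStatus") == "Enabled" and m.get("invitedAt")
    )


def fetch_members(client):
    """Collect the full members array by following ListMembers nextToken paging."""
    members, token = [], None
    while True:
        kwargs = {"maxResults": 50}
        if token:
            kwargs["nextToken"] = token
        resp = client.list_members(**kwargs)
        members.extend(resp.get("members", []))
        token = resp.get("nextToken")
        if not token:
            return members


def invite_members(client, selected):
    """Run under the NEW administrator: add each account, then invite them in bulk."""
    for account_id, email in selected:
        client.create_member(account={"accountId": account_id, "email": email})
    return client.create_invitations(accountIds=[a for a, _ in selected])


# Constructed sample shaped like a ListMembers response (fake IDs and addresses).
_INVITED = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
SAMPLE_MEMBERS = [
    {"accountId": "999988887777", "email": "m2@example.com", "relationshipStatus": "Enabled", "invitedAt": _INVITED},
    {"accountId": "111122223333", "email": "m1@example.com", "relationshipStatus": "Enabled", "invitedAt": _INVITED},
    {"accountId": "444455556666", "email": "m3@example.com", "relationshipStatus": "Paused", "invitedAt": _INVITED},
    {"accountId": "777788889999", "email": "m4@example.com", "relationshipStatus": "Invited", "invitedAt": _INVITED},
    {"accountId": "123456789012", "email": "m5@example.com", "relationshipStatus": "Enabled"},  # Organizations-managed
]

if __name__ == "__main__":
    import boto3  # current administrator's credentials; region is an assumption
    client = boto3.client("macie2", region_name="us-east-1")
    for account_id, email in active_invited_members(fetch_members(client)):
        print(account_id, email)
```

Repeat the export in every Region where the organization uses Macie, then run invite_members with the new administrator's credentials in each of those Regions.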