Considerations and recommendations for invitation-based organizations in Amazon Macie - Amazon Macie

Before you create or begin managing an invitation-based organization in Amazon Macie, consider the following requirements and recommendations. Also ensure that you understand the relationship between Macie administrator and member accounts.

Choosing a Macie administrator account

While you determine which account should be the Macie administrator account for the organization, keep the following in mind:

  • An organization can have only one Macie administrator account.

  • An account can’t be a Macie administrator and member account at the same time.

  • Macie is a Regional service. This means that the association between a Macie administrator account and a member account is Regional—the association exists only in the AWS Region that an invitation is sent from and accepted in. For example, if the Macie administrator sends invitations in the US East (N. Virginia) Region and those invitations are accepted, the Macie administrator can manage the member accounts only in that Region.

    To centrally manage Macie accounts in multiple AWS Regions, the Macie administrator can sign in to each Region where the organization currently uses or will use Macie and send invitations to the appropriate accounts in each of those Regions. For a list of Regions where Macie is currently available, see Amazon Macie endpoints and quotas in the AWS General Reference.

  • A member account can be associated with only one Macie administrator account at a time. If your organization uses Macie in multiple Regions, this means that the Macie administrator account must be the same in all of those Regions. However, administrator and member accounts must send and accept invitations separately in each Region.

  • If the Macie administrator’s AWS account is suspended, isolated, or closed, all associated member accounts are automatically removed as member accounts but Macie continues to be enabled for those accounts.

Sending invitations and managing Macie member accounts

As the Macie administrator for an invitation-based organization, keep the following in mind when you send invitations and manage accounts in the organization:

  • If you send an invitation, related data might be transferred across AWS Regions. This is the case because Macie verifies the receiving account’s email address by using an email verification service that operates only in the US East (N. Virginia) Region.

  • You can send an invitation to any active AWS account, including accounts that haven’t enabled Macie. However, to accept or decline an invitation, the receiving account must enable Macie in the Region that the invitation was sent from.

  • A Macie administrator account can be associated with no more than 1,000 accounts in each AWS Region. This includes accounts that haven’t responded to invitations yet. If your account reaches this quota, you can’t add or invite additional accounts until enough associated accounts are removed, enough invitations are declined, or a combination of the two brings the count back below the quota.

    To determine how many accounts are currently associated with your account, you can use the Accounts page on the Amazon Macie console or the ListMembers operation of the Amazon Macie API. For more information, see Reviewing Amazon Macie accounts for an invitation-based organization.

  • An account can be associated with only one Macie administrator account at a time. This means that an account can’t accept your invitation if it’s already associated with another Macie administrator account. The account must first disassociate from its current Macie administrator account.

  • In an invitation-based organization, a member account can disassociate from its Macie administrator account at any time. If this happens, Macie continues to be enabled for the account and the account becomes a standalone Macie account. Macie doesn't notify you when a member account disassociates from your administrator account; the account simply continues to appear in your account inventory with a status of Member resigned, so review the inventory for that status if you need to notice resignations.

  • If you remove a member account from your organization, Macie continues to be enabled for the account and the account becomes a standalone Macie account.
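
The two administrator-side tasks described above, sending an invitation separately in every Region the organization uses and reviewing the account inventory with ListMembers for quota headroom and for members that have resigned, in one worked Python example built on the boto3 macie2 client. This is an added example, not code from the Macie documentation or from AWS. The sample ListMembers pages and account IDs are constructed, the rule that only accounts with status Removed or Resigned free a slot in the 1,000-per-Region quota is an assumption, and a live client is only built when you run it with real credentials.

```python
from collections import Counter

QUOTA_PER_REGION = 1000
# Assumption: accounts that resigned or were removed no longer occupy a slot in
# the per-Region quota; every other relationshipStatus (Enabled, Paused,
# Invited, Created, ...) does, because unanswered invitations count.
NOT_ASSOCIATED = frozenset({"Removed", "Resigned"})


def boto3_client_factory(region):
    """Live Macie client for one Region; boto3 is imported lazily so the
    audit code below also runs offline on constructed data."""
    import boto3
    return boto3.client("macie2", region_name=region)


def invite_account(client, account_id, email):
    """Associate one account and invite it in the client's Region.

    Returns True when the invitation was queued and False when Macie reports
    the account as unprocessed (for example, it is still associated with a
    different Macie administrator and must disassociate first).
    """
    client.create_member(account={"accountId": account_id, "email": email})
    resp = client.create_invitations(accountIds=[account_id])
    unprocessed = {u["accountId"] for u in resp.get("unprocessedAccounts", [])}
    return account_id not in unprocessed


def invite_in_regions(account_id, email, regions, client_factory=boto3_client_factory):
    """Send the invitation separately in each Region the organization uses.

    The administrator/member association is Regional: an account invited only
    in us-east-1 is unmanaged everywhere else. A failure in one Region is
    recorded as a string and does not stop the remaining Regions.
    """
    results = {}
    for region in regions:
        try:
            results[region] = invite_account(client_factory(region), account_id, email)
        except Exception as exc:  # botocore raises ClientError subclasses
            results[region] = f"error: {exc}"
    return results


def fetch_member_pages(client):
    """Yield ListMembers pages, including accounts that have not answered yet."""
    kwargs = {"onlyAssociated": "false"}
    while True:
        page = client.list_members(**kwargs)
        yield page
        token = page.get("nextToken")
        if not token:
            return
        kwargs["nextToken"] = token


def audit_members(pages, quota=QUOTA_PER_REGION):
    """Summarize one Region's ListMembers output.

    Returns counts per relationshipStatus, the accounts with status Resigned
    (Macie sends no notification when a member disassociates, so polling the
    inventory is how you notice), and the headroom left under the quota.
    """
    by_status = Counter()
    resigned = []
    for page in pages:
        for member in page.get("members", []):
            status = member.get("relationshipStatus", "Unknown")
            by_status[status] += 1
            if status == "Resigned":
                resigned.append(member["accountId"])
    associated = sum(n for s, n in by_status.items() if s not in NOT_ASSOCIATED)
    return {
        "by_status": dict(by_status),
        "resigned": resigned,
        "associated": associated,
        "headroom": max(quota - associated, 0),
    }


# Constructed sample ListMembers pages with fictional account IDs, for offline use.
SAMPLE_PAGES = [
    {"members": [
        {"accountId": "111111111111", "relationshipStatus": "Enabled"},
        {"accountId": "222222222222", "relationshipStatus": "Invited"},
        {"accountId": "333333333333", "relationshipStatus": "Resigned"},
    ], "nextToken": "page-2"},
    {"members": [
        {"accountId": "444444444444", "relationshipStatus": "Enabled"},
        {"accountId": "555555555555", "relationshipStatus": "Removed"},
    ]},
]

if __name__ == "__main__":
    print(audit_members(SAMPLE_PAGES))
    # Live: for region in regions: audit_members(fetch_member_pages(boto3_client_factory(region)))
```

`invite_in_regions` takes a `client_factory` so the same loop can be driven by a stub in tests; with the default factory it needs credentials allowed to call `macie2:CreateMember`, `macie2:CreateInvitations` and `macie2:ListMembers` in each Region, and you run the audit once per Region because the inventory, like the association, is Regional.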

Responding to and managing membership invitations

As a recipient of an invitation or a member of an invitation-based organization, keep the following in mind when you respond to and manage invitations that you receive:

  • Before you accept an invitation, ensure that you understand the relationship between Macie administrator and member accounts.

  • Your account can be associated with only one Macie administrator account at a time. If you accept an invitation and subsequently want to join another organization (by invitation or through AWS Organizations), you have to first disassociate your account from its current Macie administrator account. You can then join the other organization.

  • To accept or decline an invitation, you have to enable Macie in the AWS Region that the invitation was sent from. The account that sent the invitation can’t enable Macie in that Region for you. You don't have to decline an invitation; if you do decline one and don't otherwise need Macie in that Region, you can disable it there afterward.

  • If you’re a Macie administrator, you can’t accept an invitation to become a member account—an account can’t be a Macie administrator and member account at the same time. To become a member account, you must first disassociate your account from all of its member accounts by removing all member accounts from your current organization.

  • Macie is a Regional service. If you accept an invitation, the association between your account and the Macie administrator account is Regional—the association exists only in the AWS Region that the invitation was sent from and accepted in.

  • If you use Macie in multiple Regions, the Macie administrator account for your account has to be the same in all of those Regions. However, the Macie administrator has to send invitations to you separately in each Region, and you have to accept the invitations separately in each Region.

  • You can disassociate your account from a Macie administrator account at any time. If you do this, Macie continues to be enabled for your account and your account becomes a standalone Macie account.

  • If your Macie administrator removes your account from their organization, Macie continues to be enabled for your account and your account becomes a standalone Macie account.
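
The member-side procedure described above, enabling Macie in the Region yourself and then responding to the invitation, as an added Python example using the boto3 macie2 client; it is not code from the Macie documentation or from AWS. It assumes that EnableMacie raises ConflictException when Macie is already enabled in the Region, and the administrator account ID 123456789012 in the usage stub is a placeholder. The check it adds is to accept only the invitation sent by the administrator account your organization agreed on, because accepting hands that account management of Macie for yours in that Region, and to decline any others.

```python
def ensure_macie_enabled(client):
    """Enable Macie for this account in the client's Region.

    The administrator cannot do this on the member's behalf. Assumption: when
    Macie is already enabled, EnableMacie raises ConflictException, which is
    treated as success here.
    """
    try:
        client.enable_macie(status="ENABLED")
        return "enabled"
    except client.exceptions.ConflictException:
        return "already-enabled"


def pending_invitations(client):
    """Yield every invitation visible to this account in the client's Region.

    In each ListInvitations entry, `accountId` is the account that SENT the
    invitation, that is, the would-be Macie administrator.
    """
    kwargs = {}
    while True:
        page = client.list_invitations(**kwargs)
        yield from page.get("invitations", [])
        token = page.get("nextToken")
        if not token:
            return
        kwargs["nextToken"] = token


def accept_only_from(client, expected_admin_id):
    """Accept the invitation from `expected_admin_id` and ignore all others.

    Returns the accepted invitationId, or None when no invitation from that
    administrator exists in this Region (remember the invitation, like the
    association it creates, is Regional).
    """
    ensure_macie_enabled(client)
    for inv in pending_invitations(client):
        if inv["accountId"] == expected_admin_id:
            client.accept_invitation(
                administratorAccountId=expected_admin_id,
                invitationId=inv["invitationId"],
            )
            return inv["invitationId"]
    return None


def decline_all_except(client, expected_admin_id):
    """Decline invitations from any account other than the expected administrator.

    Returns the sorted list of sender account IDs that were declined.
    """
    others = sorted({inv["accountId"] for inv in pending_invitations(client)
                     if inv["accountId"] != expected_admin_id})
    if others:
        client.decline_invitations(accountIds=others)
    return others


if __name__ == "__main__":
    import boto3
    # Run once per Region in which your administrator sent an invitation.
    client = boto3.client("macie2", region_name="us-east-1")
    expected_admin = "123456789012"  # placeholder: your agreed administrator account
    print("accepted:", accept_only_from(client, expected_admin))
    print("declined:", decline_all_except(client, expected_admin))
```

Run it in every Region the administrator invited you in; an acceptance in us-east-1 does nothing for eu-west-1. If the account is already associated with a different administrator, the accept call fails and you first have to disassociate from that administrator, as the text above notes.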

Transitioning to AWS Organizations

After you create an invitation-based organization in Macie, you can transition to using AWS Organizations instead. To simplify the transition, we recommend that you designate the existing, invitation-based administrator account as the Macie administrator account for the organization in AWS Organizations.

If you do this, all currently associated member accounts continue to be members. If a member account is part of the organization in AWS Organizations, the account’s association automatically changes from By invitation to Via AWS Organizations in Macie. If a member account isn’t part of the organization in AWS Organizations, the account’s association continues to be By invitation. In both cases, the accounts continue to be associated with the Macie administrator account as member accounts.

We recommend this approach because a member account can be associated with only one Macie administrator account at a time. If you designate a different account as the Macie administrator account for an organization in AWS Organizations, the designated administrator won’t be able to manage accounts that are already associated with another Macie administrator account by invitation. Each member account must first disassociate from its current, invitation-based administrator account. Only then can the Macie administrator for the AWS Organizations organization add the member account to their organization and begin managing Macie for the account.

After you integrate Macie with AWS Organizations and you configure your organization in Macie, you can optionally designate a different Macie administrator account for the organization. You can also continue to use invitations to associate and manage member accounts that aren't part of your organization in AWS Organizations.