Understanding the relationship between Amazon Macie administrator and member accounts
If you centrally manage multiple Amazon Macie accounts as an organization, the Macie administrator has access to Amazon Simple Storage Service (Amazon S3) inventory data, policy findings, and certain Macie settings and resources for associated member accounts. The administrator can also perform automated sensitive data discovery and run sensitive data discovery jobs to detect sensitive data in S3 buckets that member accounts own. Support for specific tasks varies based on whether a Macie administrator account is associated with a member account through AWS Organizations or by invitation.
The following table provides details about the relationship between Macie administrator and member accounts. It indicates the default permissions for each type of account. To further restrict access to Macie features and operations, you can use custom AWS Identity and Access Management (IAM) policies.
In the table:
-
Self indicates that the account can't perform the task for any associated accounts.
-
Any indicates that the account can perform the task for an individual associated account.
-
All indicates that the account can perform the task and the task applies to all associated accounts.
The dash (–) indicates that the account can’t perform the task.
| Task | Designation | ||
| Administrator | Administrator | Member | |
| Through AWS Organizations | By invitation | ||
| Enable Macie | Any | Self | Self |
| Review the organization's account inventory 1 | All | All | – |
| Add a member account | Any | Any | – |
| Remove (disassociate) a member account | Any | Any | – |
| Disassociate from an administrator account 2 | – | – | Self |
| Create sample findings | Self | Self | Self |
| Review statistics and metadata for S3 buckets | All | All | Self |
| Review policy findings | All | All | Self |
| Suppress (archive) policy findings 3 | All | All | – |
| Publish policy findings 4 | Self | Self | Self |
| Create and use allow lists | Self | Self | Self |
| Create and use custom data identifiers | Self | Self | Self |
| Configure and perform automated sensitive data discovery | All | All | – |
| Review automated sensitive data discovery statistics, data, and other types of results | All | All | – |
| Create and run sensitive data discovery jobs 5 | Any | Any | Self |
| Review the details of sensitive data discovery jobs 6 | Self | Self | Self |
| Review sensitive data findings 7 | Self | Self | Self |
| Suppress (archive) sensitive data findings 7 | Self | Self | Self |
| Publish sensitive data findings 7 | Self | Self | Self |
| Configure publication destinations for findings | Self | Self | Self |
| Set the publication frequency for findings | All | All | Self |
| Configure a repository for sensitive data discovery results | Self | Self | Self |
| Configure Macie to retrieve sensitive data samples | Self | Self | Self |
| Review account quotas and estimated usage costs | All | All | Self |
| Suspend Macie 8 | Any | Any | Self |
| Disable Macie 9 | Self | Self | Self |
-
The Macie administrator for an organization in AWS Organizations can review all accounts in the organization, including accounts that haven’t enabled Macie. The administrator for an invitation-based organization can review only those accounts that they add to their inventory.
-
A member of an AWS Organizations organization can’t perform this task. A member of an invitation-based organization can perform this task.
-
Only an administrator can suppress policy findings. If an administrator creates a suppression rule, Macie applies the rule to policy findings for all accounts in the organization unless the rule is configured to exclude specific accounts. If a member creates a suppression rule, Macie doesn’t apply the rule to policy findings for the member’s account.
-
Only the account that owns an affected resource can publish policy findings for the resource to AWS Security Hub. Both administrator and member accounts automatically publish policy findings for an affected resource to Amazon EventBridge.
-
A member can configure a job to analyze objects only in S3 buckets that their account owns. An administrator can configure a job to analyze objects in buckets that their account owns or a member account owns. For information about how quotas are applied and costs are calculated for multiple-account jobs, see Understanding how estimated usage costs are calculated.
-
Only the account that creates a job can access the job's details. This includes job-related details in the S3 bucket inventory.
-
Only the account that creates a job can access, suppress, or publish sensitive data findings that the job produces. Only an administrator can access, suppress, or publish sensitive data findings that automated sensitive data discovery produces.
-
For an administrator to perform this task for their own account, the administrator must first disassociate their account from all member accounts.
-
For an administrator to perform this task for their own account, the administrator must first disassociate their account from all member accounts and delete the associations between their account and all of those accounts. For a member to perform this task for their account, the member must first disassociate their account from its administrator account.
