Understanding the relationship between Amazon Macie administrator and member accounts - Amazon Macie

Understanding the relationship between Amazon Macie administrator and member accounts

If you centrally manage multiple Amazon Macie accounts as an organization, the Macie administrator has access to Amazon Simple Storage Service (Amazon S3) inventory data, policy findings, and certain Macie settings and resources for associated member accounts. The administrator can also run sensitive data discovery jobs to detect sensitive data in S3 buckets that member accounts own. Support for specific tasks varies based on whether a Macie administrator account is associated with a member account through AWS Organizations or by invitation.

The following table provides details about the relationship between Macie administrator and member accounts. It indicates the default permissions for each type of account. To further restrict access to Macie features and operations, you can use custom AWS Identity and Access Management (IAM) policies.

In the table:

  • Self indicates that the account can't perform the action for any associated accounts.

  • Any indicates that the account can perform the action for an individual associated account.

  • All indicates that the account can perform the action and the action applies to all associated accounts.

  • A dash (–) indicates that the account can’t perform the action.

| Action | Administrator (through AWS Organizations) | Administrator (by invitation) | Member |
|---|---|---|---|
| Enable Macie | Any | Self | Self |
| View the organization's account inventory (1) | All | All | – |
| Add a member account | Any | Any | – |
| Remove (disassociate) a member account | Any | Any | – |
| Disassociate from the administrator account (2) | – | – | Self |
| Create sample findings | Self | Self | Self |
| View metadata and statistics for S3 buckets | All | All | Self |
| View policy findings | All | All | Self |
| Publish policy findings (3) | Self | Self | Self |
| Create and use custom data identifiers | Self | Self | Self |
| Create and run sensitive data discovery jobs (4) | Self | Self | Self |
| View the details of sensitive data discovery jobs (5) | Self | Self | Self |
| View sensitive data findings (6) | Self | Self | Self |
| Publish sensitive data findings (7) | Self | Self | Self |
| Suppress (archive) findings | Self | Self | Self |
| Configure publication destinations for findings | Self | Self | Self |
| Set the publication frequency for findings | All | All | Self |
| Configure a repository for sensitive data discovery results | Self | Self | Self |
| View account quotas and estimated usage costs | All | All | Self |
| Suspend Macie (8) | Any | Any | Self |
| Disable Macie (9) | Self | Self | Self |

The numbers in parentheses refer to the notes that follow.

  1. The Macie administrator for an organization in AWS Organizations can view all accounts in the organization, including accounts that haven’t enabled Macie. The administrator for an invitation-based organization can view only those accounts that they add to their inventory.

  2. A member of an AWS Organizations organization can’t take this action. A member of an invitation-based organization can take this action.

  3. Only the account that owns the affected resource can publish policy findings for the resource to AWS Security Hub. Both administrator and member accounts automatically publish policy findings for an affected resource to Amazon EventBridge.

  4. An administrator can configure a job to analyze objects in S3 buckets that are owned by their account and member accounts. A member can configure a job to analyze objects only in S3 buckets that are owned by their account.

  5. Only the account that creates a job can access the job's details. This includes job-related details in the S3 bucket inventory.

  6. Only the account that creates a job can access sensitive data findings that the job produces.

  7. Only the account that creates a job can publish sensitive data findings that the job produces.

  8. For an administrator to take this action, the administrator must first disassociate their account from all member accounts.

  9. For an administrator to take this action, the administrator must first disassociate their account from all member accounts and delete the associations between their account and all of those accounts. For a member to take this action, the member must first disassociate their account from its administrator account.
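The ordering that notes 8 and 9 impose on an administrator (disassociate every member, delete each association, and only then disable Macie) is easy to get wrong by hand. The following is an added example, not code from the AWS documentation; it assumes a boto3 `macie2` client (or any object exposing the same `list_members`, `disassociate_member`, `delete_member` and `disable_macie` methods) is passed in, and it defaults to a dry run that returns the plan for review.

```python
"""Tear down a Macie administrator account in the order the notes above require.

Added example, not from the AWS documentation. The client is injected so the
ordering logic can be exercised offline with a stand-in object.
"""


def list_member_account_ids(client):
    """Return the account IDs of every member still recorded for this administrator.

    onlyAssociated='false' includes members in states such as Paused, Invited or
    Created, not only fully enabled ones; all of them block disabling Macie.
    """
    ids = []
    token = None
    while True:
        kwargs = {"onlyAssociated": "false"}
        if token:
            kwargs["nextToken"] = token
        page = client.list_members(**kwargs)
        ids.extend(m["accountId"] for m in page.get("members", []))
        token = page.get("nextToken")
        if not token:
            return ids


def disable_administrator_macie(client, dry_run=True):
    """Disassociate every member, delete each association, then disable Macie.

    Returns the ordered list of (operation, accountId) steps that were performed
    (or, with dry_run=True, would be performed) so the plan can be reviewed first.
    """
    plan = []
    for account_id in list_member_account_ids(client):
        plan.append(("disassociate_member", account_id))  # note 8/9: disassociate
        plan.append(("delete_member", account_id))        # note 9: delete association
    plan.append(("disable_macie", None))                  # only after all of the above
    if dry_run:
        return plan
    for op, account_id in plan:
        if account_id is None:
            client.disable_macie()
        else:
            getattr(client, op)(id=account_id)
    return plan


if __name__ == "__main__":
    import boto3  # assumption: boto3 installed, credentials for the administrator account
    for step in disable_administrator_macie(boto3.client("macie2")):
        print(step)
```

Run it once with the default dry run, confirm the listed member accounts are the ones you expect to drop, then call it again with `dry_run=False`.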