Understanding the relationship between Amazon Macie administrator and member accounts
If you centrally manage multiple Amazon Macie accounts as an organization, the Macie administrator has access to Amazon Simple Storage Service (Amazon S3) inventory data, policy findings, and certain Macie settings and resources for associated member accounts. The administrator can also perform automated sensitive data discovery and run sensitive data discovery jobs to detect sensitive data in S3 buckets that member accounts own. Support for specific tasks varies based on whether a Macie administrator account is associated with a member account through AWS Organizations or by invitation.
The following table provides details about the relationship between Macie administrator and member accounts. It indicates the default permissions for each type of account. To further restrict access to Macie features and operations, you can use custom AWS Identity and Access Management (IAM) policies.
In the table:

- Self indicates that the account can perform the task only for itself, not for any associated accounts.
- Any indicates that the account can perform the task for an individual associated account.
- All indicates that the account can perform the task and the task applies to all associated accounts.

A dash (–) indicates that the account can't perform the task.
| Task | Through AWS Organizations: administrator | Through AWS Organizations: member | By invitation: administrator | By invitation: member |
|---|---|---|---|---|
| Enable Macie | Any | – | Self | Self |
| Review the organization's account inventory ¹ | All | – | All | – |
| Add a member account | Any | – | Any | – |
| Review statistics and metadata for S3 buckets | All | Self | All | Self |
| Review policy findings | All | Self | All | Self |
| Suppress (archive) policy findings ² | All | – | All | – |
| Publish policy findings ³ | Self | Self | Self | Self |
| Configure a repository for sensitive data discovery results | Self | Self | Self | Self |
| Create and use allow lists | Self | Self | Self | Self |
| Create and use custom data identifiers | Self | Self | Self | Self |
| Configure and perform automated sensitive data discovery | All | – | All | – |
| Review automated sensitive data discovery statistics, data, and results | All | – | All | – |
| Create and run sensitive data discovery jobs ⁴ | Any | Self | Any | Self |
| Review the details of sensitive data discovery jobs ⁵ | Self | Self | Self | Self |
| Review sensitive data findings ⁶ | Self | Self | Self | Self |
| Suppress (archive) sensitive data findings ⁶ | Self | Self | Self | Self |
| Publish sensitive data findings ⁶ | Self | Self | Self | Self |
| Configure Macie to retrieve sensitive data samples | Self | Self | Self | Self |
| Configure publication destinations for findings | Self | Self | Self | Self |
| Set the publication frequency for findings | All | Self | All | Self |
| Create sample findings | Self | Self | Self | Self |
| Review account quotas and estimated usage costs | All | Self | All | Self |
| Suspend Macie ⁷ | Any | – | Any | Self |
| Disable Macie ⁸ | Self | Self | Self | Self |
| Remove (disassociate) a member account | Any | – | Any | – |
| Disassociate from an administrator account | – | – | – | Self |
| Delete an association with another account ⁹ | Any | – | Any | Self |
Notes:

1. The administrator for an organization in AWS Organizations can review all accounts in the organization, including accounts that haven't enabled Macie. The administrator for an invitation-based organization can review only those accounts that they add to their inventory.
2. Only an administrator can suppress policy findings. If an administrator creates a suppression rule, Macie applies the rule to policy findings for all accounts in the organization unless the rule is configured to exclude specific accounts. If a member creates a suppression rule, Macie doesn't apply the rule to policy findings for the member's account.
3. Only the account that owns an affected resource can publish policy findings for the resource to AWS Security Hub. Both administrator and member accounts automatically publish policy findings for an affected resource to Amazon EventBridge.
4. A member can configure a job to analyze objects only in S3 buckets that their account owns. An administrator can configure a job to analyze objects in buckets that their account owns or a member account owns. For information about how quotas are applied and costs are calculated for multiple-account jobs, see Understanding how estimated usage costs are calculated.
5. Only the account that creates a job can access the job's details. This includes job-related details in the S3 bucket inventory.
6. Only the account that creates a job can access, suppress, or publish sensitive data findings that the job produces. Only an administrator can access, suppress, or publish sensitive data findings that automated sensitive data discovery produces.
7. For an administrator to suspend Macie for their own account, the administrator must first disassociate their account from all member accounts.
8. For an administrator to disable Macie for their own account, the administrator must first disassociate their account from all member accounts, and delete the associations between their account and all of those accounts. For a member to disable Macie, the administrator must first disassociate the member's account from their administrator account. Or, in an invitation-based organization, the member can disassociate their account from its administrator account, and then disable Macie.
9. The administrator for an organization in AWS Organizations can delete an association with a member account after they disassociate the account from their administrator account. The account continues to appear in the administrator's account inventory, but its status indicates that it's not a member account. In an invitation-based organization, an administrator and a member can delete an association with another account after they disassociate their account from the other account. The other account then stops appearing in their account inventory.
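Notes 7 to 9 describe an ordering (disassociate each member, then delete the association, and only then suspend or disable) that is easy to get wrong when the teardown is scripted. The following is an added example, not code from the Macie documentation: it assumes a client object exposing the boto3 `macie2` methods `list_members`, `disassociate_member`, `delete_member` and `disable_macie` (with `relationshipStatus` values `Enabled` and `Paused` treated as still associated), and uses a constructed stand-in client with placeholder account IDs so it runs offline.

```python
def list_all_members(client):
    """Page through list_members; each member dict carries accountId and relationshipStatus."""
    members, token = [], None
    while True:
        kwargs = {"onlyAssociated": "false"}  # include accounts already disassociated
        if token:
            kwargs["nextToken"] = token
        page = client.list_members(**kwargs)
        members.extend(page.get("members", []))
        token = page.get("nextToken")
        if not token:
            return members

def prepare_admin_teardown(client, delete_associations):
    """Notes 7-9: disassociate each member (enough to suspend); also delete each association before disabling."""
    handled = []
    for m in list_all_members(client):
        account_id = m["accountId"]
        if m.get("relationshipStatus") in ("Enabled", "Paused"):  # assumption: these mean "still associated"
            client.disassociate_member(id=account_id)
        if delete_associations:
            client.delete_member(id=account_id)
        handled.append(account_id)
    return handled

def disable_macie_as_admin(client):
    """Full note-8 sequence for an administrator: disassociate, delete, then disable."""
    handled = prepare_admin_teardown(client, delete_associations=True)
    client.disable_macie()
    return handled

class FakeMacie:
    """Constructed stand-in for the macie2 client that records calls instead of calling AWS.
    Account IDs are placeholders; the second member is already disassociated ("Removed")."""
    def __init__(self):
        self.members = {"111111111111": "Enabled", "222222222222": "Removed"}
        self.calls = []
    def list_members(self, **kwargs):
        return {"members": [{"accountId": a, "relationshipStatus": s} for a, s in self.members.items()]}
    def disassociate_member(self, id):
        self.members[id] = "Removed"
        self.calls.append(("disassociate", id))
    def delete_member(self, id):
        del self.members[id]
        self.calls.append(("delete", id))
    def disable_macie(self):
        if self.members:  # mirror the note-8 precondition: no associations may remain
            raise RuntimeError("associations remain: disassociate and delete members first")
        self.calls.append(("disable", None))
```

Passing `delete_associations=False` performs only the note-7 step, which is enough before a suspend but leaves the administrator unable to disable.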