Managing multiple accounts in Amazon Macie - Amazon Macie

Managing multiple accounts in Amazon Macie

To manage multiple Amazon Macie accounts, you choose a single account to be an administrator account for Macie. You can then associate other Macie accounts with the Macie administrator account as member accounts. There are two ways to associate accounts with a Macie administrator account: by using AWS Organizations or by sending membership invitations from Macie.

We recommend that you use AWS Organizations to manage multiple accounts. AWS Organizations is an account management service that enables AWS administrators to consolidate and centrally manage multiple accounts as a single organization. To learn more about this service, see the AWS Organizations User Guide.

Managing multiple accounts through AWS Organizations

If the account to be the Macie administrator account is part of an organization in AWS Organizations, you can designate that account as the organization's delegated Macie administrator account. You can then use the delegated Macie administrator account to enable Macie for other accounts in the organization and add those accounts as Macie member accounts.

If you already associated a Macie administrator account with member accounts by using invitations, you can designate that same account as the delegated Macie administrator for the organization. The existing member accounts remain members, so you don't have to re-associate them, and the administrator account gains the capabilities that are specific to management through AWS Organizations, such as enabling Macie in member accounts directly.

For more information, see Managing multiple Amazon Macie accounts with AWS Organizations.

Managing multiple accounts by invitation

If the accounts to associate aren't part of an organization in AWS Organizations, you can determine which account you want to be the Macie administrator account, and then use that administrator account to invite other accounts to become member accounts. When an invited account accepts an invitation, the account becomes a Macie member account that's associated with the Macie administrator account.

For more information, see Managing multiple Amazon Macie accounts by using invitations.

Understanding the relationship between administrator and member accounts

When you use Macie in a multiple-account environment, the Macie administrator account has access to certain metadata, S3 bucket configuration data, and policy findings for member accounts. The administrator account can also create sensitive data discovery jobs that analyze bucket objects on behalf of member accounts.

A Macie administrator account can primarily perform the following tasks:

  • Add and remove member accounts. The process by which this is done differs based on whether the accounts are associated through AWS Organizations or by invitation.

  • Manage the status of Macie for associated member accounts, including enabling and suspending Macie.

  • Create sensitive data discovery jobs for buckets that are owned by member accounts. Note that only the account that creates a job can access information about the job and any sensitive data findings that the job produces.

The following table provides details about the relationship between Macie administrator and member accounts. "Self" indicates that the account can perform the action only for itself, not for any associated account. "Any" indicates that the account can perform the action for any associated account. "All" indicates that, when the designated account performs the action, it applies to all associated accounts.

Action                                                        Administrator          Administrator      Member
                                                              (AWS Organizations)    (by invitation)
View accounts in your organization                            Any                    Any
Enable Macie                                                  Any                    Self               Self
View policy findings                                          Any                    Any                Self
Create sensitive data discovery jobs                          Any                    Any                Self
View the details of sensitive data discovery jobs (1)         Self                   Self               Self
View sensitive data findings (2)                              Self                   Self               Self
Suppress findings                                             Self                   Self               Self
Generate sample findings                                      Self                   Self               Self
Set the publication frequency for findings                    All                    All                Self
Configure publication destinations for findings               Self                   Self               Self
Configure a repository for sensitive data discovery results   Self                   Self               Self
Suspend Macie (3)                                             Any                    Any                Self
  1. Only the account that creates a job can access information about the job. This includes job-related details in the S3 bucket inventory.

  2. Only the account that creates a job can access or publish sensitive data findings that the job produces.

  3. To take this action for a Macie administrator account, you must first disassociate the account from all of its member accounts in Macie.
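The administrator tasks and the table above, worked through as an added example that is not part of the Macie documentation: a Python script using the boto3 macie2 client that pages through the administrator account's ListMembers results, groups the members by relationshipStatus, and decides what the administrator can do for each one according to the table. An administrator designated through AWS Organizations can enable Macie in a member account itself (CreateMember from the delegated administrator does that), an administrator that associates accounts by invitation cannot and has to wait for the member to enable Macie and accept the invitation. The sample ListMembers pages and the FakeMacie stand-in client are constructed so the script runs offline; the remediation strings name the follow-up API calls (UpdateMemberSession, CreateMember, CreateInvitations, AcceptInvitation) without issuing them. Pass --live to read from a real account and --org if the administrator was designated through AWS Organizations.

```python
"""Audit the member accounts of an Amazon Macie administrator account.

Added example, not Macie's own code. Assumes boto3 and credentials for the
administrator account when run with --live; otherwise replays constructed data.
"""
import sys
from collections import defaultdict

# relationshipStatus values reported by ListMembers, grouped by what they mean.
ACTIVE = {"Enabled"}                                   # Macie runs and the member is managed by us
DORMANT = {"Paused", "RegionDisabled", "AccountSuspended"}  # associated, but Macie is not running
PENDING = {"Invited", "Created", "EmailVerificationInProgress", "EmailVerificationFailed"}
ENDED = {"Removed", "Resigned"}                        # association was terminated by one side

# Constructed ListMembers responses (two pages) standing in for a live account.
SAMPLE_PAGES = [
    {"members": [
        {"accountId": "111111111111", "relationshipStatus": "Enabled"},
        {"accountId": "222222222222", "relationshipStatus": "Paused"},
    ], "nextToken": "page-2"},
    {"members": [
        {"accountId": "333333333333", "relationshipStatus": "Invited"},
        {"accountId": "444444444444", "relationshipStatus": "Resigned"},
    ]},
]


class FakeMacie:
    """Minimal stand-in for boto3.client('macie2'): replays SAMPLE_PAGES by token."""

    def __init__(self, pages):
        self._pages = list(pages)

    def list_members(self, **kwargs):
        token = kwargs.get("nextToken")
        index = 0 if token is None else int(token.split("-")[1]) - 1
        return self._pages[index]


def fetch_members(macie):
    """Page through ListMembers. onlyAssociated='false' includes invited, removed
    and resigned accounts, which the default ('true') would hide."""
    members, token = [], None
    while True:
        kwargs = {"onlyAssociated": "false", "maxResults": 50}
        if token:
            kwargs["nextToken"] = token
        page = macie.list_members(**kwargs)
        members.extend(page.get("members", []))
        token = page.get("nextToken")
        if not token:
            return members


def classify_members(members):
    """Group (accountId, relationshipStatus) pairs into active/dormant/pending/ended."""
    buckets = defaultdict(list)
    for m in members:
        status = m.get("relationshipStatus", "")
        if status in ACTIVE:
            key = "active"
        elif status in DORMANT:
            key = "dormant"
        elif status in PENDING:
            key = "pending"
        elif status in ENDED:
            key = "ended"
        else:
            key = "unknown"
        buckets[key].append((m["accountId"], status))
    return dict(buckets)


def remediation_plan(buckets, via_organizations):
    """Decide, per non-active member, what this administrator can do. Mirrors the
    table: 'Enable Macie' is Any for an Organizations administrator but Self for
    an invitation administrator; 'Suspend Macie' is Any for both."""
    plan = {}
    todo = buckets.get("pending", []) + buckets.get("dormant", []) + buckets.get("ended", [])
    for account_id, status in todo:
        if status == "Paused":
            # The administrator paused it, so the administrator can resume it.
            plan[account_id] = "update_member_session(id=account, status='ENABLED')"
        elif status in ("RegionDisabled", "AccountSuspended"):
            plan[account_id] = "outside Macie: the Region or account is disabled at the AWS level"
        elif via_organizations:
            plan[account_id] = "create_member(account=...) from the delegated administrator enables Macie and adds the account"
        elif status in ("Invited", "Created", "EmailVerificationInProgress"):
            plan[account_id] = "wait: the member must enable Macie and call accept_invitation(...) in its own account"
        else:
            plan[account_id] = "create_member(...) then create_invitations(accountIds=[...]); the member must accept"
    return plan


def audit(macie, via_organizations):
    buckets = classify_members(fetch_members(macie))
    return buckets, remediation_plan(buckets, via_organizations)


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # only needed for a real account
        client = boto3.client("macie2")
    else:
        client = FakeMacie(SAMPLE_PAGES)
    buckets, plan = audit(client, via_organizations="--org" in sys.argv)
    for key, entries in sorted(buckets.items()):
        print(f"{key}: {entries}")
    for account_id, action in sorted(plan.items()):
        print(f"{account_id}: {action}")
```

Note that a Paused member is something the administrator can fix on its own, whereas an Invited member under the invitation model can only be chased, not enabled, which is exactly the difference the "Enable Macie" row expresses.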