Managing multiple Amazon Macie accounts with AWS Organizations

When you use Amazon Macie with AWS Organizations, you designate an account as the delegated Macie administrator for the organization. Only the management account for an AWS organization can designate a delegated Macie administrator for their organization.

When an account is designated as a delegated Macie administrator, the account becomes a Macie administrator account, has Macie automatically enabled in the designated AWS Region, and is granted permission to enable and manage Macie for all the accounts that are in the organization in that Region. Additional accounts in the organization can be viewed and added as Macie member accounts that are associated with the administrator account.

If you already used invitations to set up a Macie administrator account with associated member accounts, and the member accounts are in the same AWS organization, their type changes from By Invitation to Via Organizations when you designate the existing Macie administrator account as the delegated Macie administrator for an AWS organization. If the existing member accounts aren't in the same AWS organization, their type continues to be By Invitation. In both cases, these previously added accounts become member accounts of the delegated Macie administrator account. You can continue to add accounts as members even if they aren't in your organization. You can do this by sending invitations from Macie.

Considerations

  • There is a limit of 5,000 member accounts for each delegated Macie administrator account. However, you might have more than 5,000 accounts in your organization. If you exceed 5,000 member accounts, you'll receive a notification in Amazon CloudWatch and the AWS Personal Health Dashboard, and by email to the administrator account.

  • Although the management account for an organization can also be the delegated Macie administrator account, we don't recommend this configuration based on AWS Security best practices and the principle of least privilege. If you prefer this configuration, enable Macie for the organization's management account in at least one Region before you designate the account as the delegated Macie administrator account. Otherwise, the administrator won't be able to manage Macie settings or resources for associated member accounts.

  • If you remove the delegated Macie administrator, all associated member accounts are removed as Macie members, but Macie isn't disabled for those accounts.

The topics in this section explain how to designate a delegated Macie administrator account for an AWS organization and how to add existing organization accounts as member accounts.

Designating a delegated Macie administrator for an AWS organization

Before you designate a delegated Macie administrator account for your AWS organization, verify that you're allowed to perform the following AWS Organizations actions:

  • organizations:DescribeOrganization

  • organizations:EnableAWSServiceAccess

  • organizations:ListAWSServiceAccessForOrganization

  • organizations:RegisterDelegatedAdministrator

These actions allow you to retrieve information about your organization, integrate Macie with AWS Organizations, retrieve information about the AWS services that you've enabled to integrate with your organization, and administer AWS Organizations features in Macie.

To grant these permissions, append the following statement to an existing Macie policy for your account:

    {
        "Sid": "Permissions to designate a delegated Macie administrator",
        "Effect": "Allow",
        "Action": [
            "organizations:EnableAWSServiceAccess",
            "organizations:DescribeOrganization",
            "organizations:RegisterDelegatedAdministrator",
            "organizations:ListAWSServiceAccessForOrganization"
        ],
        "Resource": "*"
    }

If you want to designate your AWS Organizations management account as the delegated Macie administrator for your organization, the account also needs permission to perform the following AWS Identity and Access Management (IAM) action: CreateServiceLinkedRole. This action allows you to enable Macie.

To grant this permission, add the following statement to the IAM policy for your AWS Organizations management account:

    {
        "Sid": "Permissions to enable Macie",
        "Effect": "Allow",
        "Action": [
            "iam:CreateServiceLinkedRole"
        ],
        "Resource": "arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
        "Condition": {
            "StringLike": {
                "iam:AWSServiceName": "macie.amazonaws.com"
            }
        }
    }

In the statement, replace 111122223333 with the account ID for your AWS account.

Note

If you want to use Macie in a manually enabled AWS Region, also replace the value for the Macie service principal in the Resource element and the iam:AWSServiceName condition key. The value must specify the Region code for the Region. For example, if you're using Macie in the Middle East (Bahrain) Region, which has the Region code me-south-1, do the following:

  • For the Resource element, replace

    arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie

    with

    arn:aws:iam::111122223333:role/aws-service-role/macie.me-south-1.amazonaws.com/AWSServiceRoleForAmazonMacie,

    where 111122223333 is the account ID for your AWS account.

  • For the iam:AWSServiceName condition key, replace macie.amazonaws.com with macie.me-south-1.amazonaws.com.
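The two statements above, and the Region substitution described in the note, can be generated and cross-checked programmatically rather than edited by hand. The following Python is an added example, not code from the Macie documentation; it uses only the standard library, and the account ID 111122223333 and the Region code me-south-1 are the page's own placeholder values. The lint function catches the failure mode the note implies: the substitution has to be applied to both the Resource ARN and the iam:AWSServiceName condition, and a statement that names different principals in the two places never matches, while widening either to a wildcard grants more than the single Macie service-linked role.

```python
"""Build and lint the IAM statements described above.

Added example, not code from the Macie documentation. Standard library only.
The account ID 111122223333 and Region me-south-1 are the page's placeholders."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Organizations actions the page lists for designating a delegated administrator.
ORGANIZATIONS_ACTIONS = [
    "organizations:EnableAWSServiceAccess",
    "organizations:DescribeOrganization",
    "organizations:RegisterDelegatedAdministrator",
    "organizations:ListAWSServiceAccessForOrganization",
]


def macie_service_principal(region=None):
    """Macie's service principal. In a manually enabled Region the Region code
    is part of the principal (for example macie.me-south-1.amazonaws.com)."""
    return "macie.amazonaws.com" if region is None else f"macie.{region}.amazonaws.com"


def delegate_admin_statement():
    """Statement granting the Organizations actions; these take no resource scope."""
    return {
        "Sid": "Permissions to designate a delegated Macie administrator",
        "Effect": "Allow",
        "Action": list(ORGANIZATIONS_ACTIONS),
        "Resource": "*",
    }


def enable_macie_statement(account_id, region=None):
    """Statement letting the management account create Macie's service-linked
    role, scoped to that one role ARN and pinned to the Macie service name."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    principal = macie_service_principal(region)
    return {
        "Sid": "Permissions to enable Macie",
        "Effect": "Allow",
        "Action": ["iam:CreateServiceLinkedRole"],
        "Resource": (f"arn:aws:iam::{account_id}:role/aws-service-role/"
                     f"{principal}/AWSServiceRoleForAmazonMacie"),
        "Condition": {"StringLike": {"iam:AWSServiceName": principal}},
    }


def lint_enable_macie_statement(stmt):
    """Return a list of problems with a CreateServiceLinkedRole statement.

    The Resource ARN and the iam:AWSServiceName condition must name the same
    Macie service principal: a mismatch means the statement never matches and
    Macie cannot be enabled, and a wildcard widens the grant beyond Macie's role."""
    problems = []
    resource = stmt.get("Resource", "")
    service_name = (stmt.get("Condition", {}).get("StringLike", {})
                    .get("iam:AWSServiceName", ""))
    if resource == "*":
        problems.append("Resource is '*'; scope it to the Macie service-linked role ARN")
    if not service_name or "*" in service_name:
        problems.append("iam:AWSServiceName condition is missing or wildcarded")
    # .../role/aws-service-role/<service principal>/AWSServiceRoleForAmazonMacie
    parts = resource.split("/")
    if len(parts) == 4 and service_name and parts[2] != service_name:
        problems.append(f"Resource names {parts[2]} but the condition names {service_name}")
    return problems


def policy_document(statements):
    """Wrap statements in a policy document ready to paste into IAM."""
    return json.dumps({"Version": "2012-10-17", "Statement": statements}, indent=4)


if __name__ == "__main__":
    stmt = enable_macie_statement("111122223333", region="me-south-1")
    print(policy_document([delegate_admin_statement(), stmt]))
    print("lint:", lint_enable_macie_statement(stmt) or "ok")
```

Running the module prints the combined policy for the me-south-1 case; calling `enable_macie_statement` without a Region produces the statement exactly as shown on the page.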

After you verify your permissions, you can designate a delegated Macie administrator account for your organization. After that, only your organization's management account can change or remove the delegated administrator account.

To designate a delegated Macie administrator account

  1. Log in to the AWS Management Console using your AWS Organizations management account.

  2. Open the Macie console at https://console.aws.amazon.com/macie/.

  3. In the navigation pane, choose Settings.

  4. Under Delegated administrator, enter the 12-digit account ID for the AWS account that you want to designate as the delegated Macie administrator account.

  5. Choose Delegate.

Repeat the preceding steps in each AWS Region where your organization uses Macie. We recommend that you designate the same delegated administrator in each Region.

Adding existing organization accounts as members

When you add an account in an AWS organization as a Macie member account, Macie is automatically enabled for that account in the current AWS Region. To add and enable Macie for those accounts in additional Regions, you must add the accounts as Macie member accounts in each additional Region.

To add existing accounts as members

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, under Settings, choose Accounts. The Accounts page lists all the accounts in the organization. To quickly find specific accounts, you can sort and filter the table.

  3. Select the check box for each account that you want to add as a Macie member account.

  4. On the Actions menu, choose Add member.

  5. Confirm that you want to add the selected accounts as members. After you do this, the status of the selected accounts changes to Enabled.

Repeat the preceding steps in each Region where your organization uses Macie.
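Both procedures above, designating the administrator and adding organization accounts as members, end with "repeat in each Region", which is where manual console work tends to drift. The following Python automates both across a Region list and adds the checks the page's considerations call for: the same delegated administrator in every Region, no accounts added past the 5,000-member limit, and suspended organization accounts skipped. It is an added example, not code from the Macie documentation. It assumes boto3 is installed and that `designate_admin` runs with the management account's credentials while `add_org_members` runs with the delegated administrator's credentials; the account ID and Region list in `__main__` are placeholders.

```python
"""Designate a delegated Macie administrator and enroll organization accounts
in every Region, with the consistency checks the page recommends.

Added example, not code from the Macie documentation. Assumes boto3 is
installed; the account ID and Region list below are placeholders."""

MEMBER_LIMIT = 5000  # per delegated Macie administrator account, per the page

# ListMembers relationshipStatus values that still count as an association;
# Removed and Resigned accounts are treated as candidates to add again.
ASSOCIATED = {"Enabled", "Paused", "Created", "Invited", "EmailVerificationInProgress"}


def plan_member_additions(org_accounts, current_members, admin_account_id):
    """Pure planning step, testable without AWS access.

    org_accounts: Organizations ListAccounts entries ({'Id', 'Email', 'Status'}).
    current_members: Macie ListMembers entries ({'accountId', 'relationshipStatus'}).
    Returns IDs of ACTIVE organization accounts that are not yet associated,
    never including the administrator account itself."""
    enrolled = {m["accountId"] for m in current_members
                if m.get("relationshipStatus") in ASSOCIATED}
    return [a["Id"] for a in org_accounts
            if a.get("Status") == "ACTIVE"
            and a["Id"] != admin_account_id
            and a["Id"] not in enrolled]


def within_member_limit(existing_count, planned):
    """True if adding the planned accounts keeps the administrator at or under the limit."""
    return existing_count + len(planned) <= MEMBER_LIMIT


def admins_consistent(admin_by_region):
    """The page recommends the same delegated administrator in each Region.
    admin_by_region maps Region code to admin account ID, or None if unset."""
    admins = set(admin_by_region.values())
    return len(admins) == 1 and None not in admins


def current_admins(regions):
    """Run from the management account: which account is delegated administrator per Region."""
    import boto3  # imported here so the pure helpers above run without boto3
    result = {}
    for region in regions:
        macie = boto3.client("macie2", region_name=region)
        admins = macie.list_organization_admin_accounts().get("adminAccounts", [])
        result[region] = admins[0]["accountId"] if admins else None
    return result


def designate_admin(admin_account_id, regions):
    """Run from the management account: the console's Settings > Delegate step, per Region."""
    import boto3
    for region, existing in current_admins(regions).items():
        if existing != admin_account_id:
            macie = boto3.client("macie2", region_name=region)
            macie.enable_organization_admin_account(adminAccountId=admin_account_id)


def add_org_members(admin_account_id, regions):
    """Run from the delegated administrator: add every active organization account
    as a Macie member in each Region. Macie is enabled in the member on creation."""
    import boto3
    orgs = boto3.client("organizations")
    org_accounts = [a for page in orgs.get_paginator("list_accounts").paginate()
                    for a in page["Accounts"]]
    email_of = {a["Id"]: a["Email"] for a in org_accounts}
    for region in regions:
        macie = boto3.client("macie2", region_name=region)
        members = [m for page in macie.get_paginator("list_members").paginate(onlyAssociated="false")
                   for m in page.get("members", [])]
        planned = plan_member_additions(org_accounts, members, admin_account_id)
        if not within_member_limit(len(members), planned):
            raise RuntimeError(f"{region}: adding {len(planned)} accounts would exceed {MEMBER_LIMIT}")
        for account_id in planned:
            macie.create_member(account={"accountId": account_id, "email": email_of[account_id]})


if __name__ == "__main__":
    REGIONS = ["us-east-1", "eu-west-1"]  # placeholder: the Regions your organization uses
    ADMIN_ACCOUNT_ID = "111122223333"     # placeholder account ID, as on the page
    designate_admin(ADMIN_ACCOUNT_ID, REGIONS)      # management account credentials
    if not admins_consistent(current_admins(REGIONS)):
        raise SystemExit("delegated administrator differs between Regions")
    # add_org_members(ADMIN_ACCOUNT_ID, REGIONS)    # run separately as the administrator
```

The planning is split from the API calls deliberately: `plan_member_additions` and `admins_consistent` can be unit-tested against captured ListAccounts and ListMembers output, and the same plan can be printed for review before `create_member` is called.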