Changing the AWS Firewall Manager administrator account - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

To use AWS Firewall Manager, you must sign in to the console with the Firewall Manager administrator account. Only one account in an organization can be the Firewall Manager administrator account, and it must be a member account, not the AWS Organizations management account. To set up an administrator account for the first time, see Step 2: Set the AWS Firewall Manager administrator account.

If you have already designated an administrator account and later want a different account to be the administrator, use the following procedure.

Important

To designate a different account, you first must revoke administrator privileges from the current administrator account. When you revoke the privileges, all Firewall Manager policies created by that account are deleted; they are not transferred to the new administrator. Record each policy's configuration before you revoke, and expect the protections those policies enforced to be absent until the new administrator recreates them. You then must sign in to Firewall Manager with the AWS Organizations management account to designate a new administrator account.

To designate a different account as the AWS Firewall Manager administrator account (console)

  1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2.

  2. In the navigation pane, choose Settings.

  3. Choose Revoke administrator account.

    Important

    When you revoke administrator privileges from the current administrator account, all Firewall Manager policies created by that account are deleted.

  4. Sign out of the AWS Management Console.

  5. Sign in to the AWS Management Console using your AWS Organizations management account. You can sign in using your root user credentials for the account (not recommended) or you can sign in using an IAM user or IAM role within the account that has equivalent permissions.

  6. Open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2.

  7. Choose Get started.

  8. Type the account ID to associate with Firewall Manager. This account will be the new Firewall Manager administrator account. It must be a member account in your organization, not the management account that you are signed in with. Firewall Manager sets the permissions that the member account needs.

    Note

    The account is given permission to create and manage AWS WAF rules and rule groups and AWS WAF Classic rules across all accounts within the organization.

  9. Choose Set administrator.
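
The same change can be made with the AWS CLI. The script below is an added example, not part of the AWS page, and mirrors the three sign-ins the console procedure requires: save and revoke as the current administrator, designate as the management account, then recreate the saved policies as the new administrator. It assumes AWS CLI v2 and jq are installed, that the credentials in the environment belong to the account named for the phase you run, and that policy documents are written to $FMS_BACKUP_DIR (default ./fms-policy-backup); the FMS_PHASE and FMS_NEW_ADMIN variables are this script's own convention.

```shell
#!/bin/sh
# Added example (not from the AWS page): change the Firewall Manager
# administrator with the AWS CLI, one phase per sign-in.
# Assumptions: AWS CLI v2 and jq installed; environment credentials belong to
# the account named in each phase; backups go to $FMS_BACKUP_DIR.
set -eu

backup_dir="${FMS_BACKUP_DIR:-./fms-policy-backup}"

# Reject anything that is not a 12-digit AWS account ID before it reaches the API.
is_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Phase 1: run as the CURRENT Firewall Manager administrator.
# Revocation deletes every policy this account created, so save each policy
# document first; afterwards the backup is the only copy.
revoke_current_admin() {
  mkdir -p "$backup_dir"
  for id in $(aws fms list-policies --query 'PolicyList[].PolicyId' --output text); do
    aws fms get-policy --policy-id "$id" --query 'Policy' --output json \
      > "$backup_dir/$id.json"
  done
  echo "saved $(ls "$backup_dir" | wc -l) policy document(s) to $backup_dir"
  aws fms disassociate-admin-account
}

# Phase 2: run as the AWS Organizations MANAGEMENT account.
set_new_admin() {
  new_admin="$1"
  is_account_id "$new_admin" || { echo "not an account ID: $new_admin" >&2; return 1; }
  aws fms associate-admin-account --admin-account "$new_admin"
  # Confirm what Firewall Manager now reports as the administrator.
  reported="$(aws fms get-admin-account --query 'AdminAccount' --output text)"
  [ "$reported" = "$new_admin" ] || { echo "admin is $reported, expected $new_admin" >&2; return 1; }
}

# Phase 3: run as the NEW administrator to recreate the saved policies.
# PolicyId and PolicyUpdateToken identify the deleted policies; put-policy must
# not see them, or it would try to update a policy that no longer exists.
restore_policies() {
  for f in "$backup_dir"/*.json; do
    [ -e "$f" ] || { echo "no backups in $backup_dir" >&2; return 1; }
    jq 'del(.PolicyId, .PolicyUpdateToken)' "$f" > "$f.restore"
    aws fms put-policy --policy "file://$f.restore" --query 'Policy.PolicyId' --output text
  done
}

# The phase is chosen explicitly so the script never runs a step under the
# wrong credentials: FMS_PHASE=revoke | set-admin | restore
case "${FMS_PHASE:-}" in
  revoke)    revoke_current_admin ;;
  set-admin) set_new_admin "${FMS_NEW_ADMIN:?set FMS_NEW_ADMIN to the new account ID}" ;;
  restore)   restore_policies ;;
  "")        : ;;   # no phase given: define the functions only
  *)         echo "unknown FMS_PHASE: $FMS_PHASE" >&2; exit 2 ;;
esac
```

Run it three times, changing credentials between runs: `FMS_PHASE=revoke` as the current administrator, `FMS_PHASE=set-admin FMS_NEW_ADMIN=<member account ID>` as the management account, and `FMS_PHASE=restore` as the new administrator. Recreated policies receive new policy IDs, and any WAF rule groups that a saved policy references must be usable from the new administrator account, so review the restored policies in the console before relying on them.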