Enable a Delegated Administrator Account for the AWS Organizations
2024-06-17
There are two concepts around this topic: the delegated administrator account and the delegation policy. They are not the same thing and differ in what they control: registering a delegated administrator designates which member account may act on behalf of the management account, while the delegation policy defines which Organizations actions that account is allowed to perform.
In the following command examples, it is assumed that the AWS Organizations management account ID is 123456789012 and that the account designated to receive Organizations management privileges has the ID 111122223333.
1. Enable a delegated administrator account for AWS Organizations. The account registered must be the designated member account (111122223333), not the management account:
$ aws organizations register-delegated-administrator --account-id 111122223333 --service-principal account.amazonaws.com
$ aws organizations list-delegated-administrators --service-principal account.amazonaws.com
{
    "DelegatedAdministrators": [
        {
            "Id": "111122223333",
            "Arn": "arn:aws:organizations::123456789012:account/o-o3******l9/111122223333",
            "Email": "xxxx@tianzhui.cloud",
            "Name": "Account Management",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": "2024-06-17T01:14:56.301000+00:00",
            "DelegationEnabledDate": "2024-07-22T04:55:47.096000+00:00"
        }
    ]
}
2. Delegation policy:
Use the following delegation policy to delegate administration of AWS Organizations. The AWS account ID 123456789012 represents the AWS Organizations management account, which owns the policy; the policy's principal is the delegated administrator account 111122223333, which is granted only the listed organizations: actions (policy management, Describe* and List*), not full control of the organization.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": [
                "organizations:AttachPolicy",
                "organizations:CreatePolicy",
                "organizations:DeletePolicy",
                "organizations:Describe*",
                "organizations:DetachPolicy",
                "organizations:DisablePolicyType",
                "organizations:EnablePolicyType",
                "organizations:List*",
                "organizations:TagResource",
                "organizations:UntagResource",
                "organizations:UpdatePolicy"
            ],
            "Resource": "*"
        }
    ]
}
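Because the delegation policy is what actually decides how much of the organization the delegated account can manage, it is worth linting before attaching it with aws organizations put-resource-policy. The following is an added example, not code from the original post: it checks that the only Allow principal is the delegated account root and that every granted action is in an allowlist (the allowlist and the 999999999999 account ID in the usage note are assumptions for this example).

```python
import json

# Allowlist of actions the post's delegation policy grants (example allowlist;
# tune it to your own delegation design).
EXPECTED_ACTIONS = {
    "organizations:AttachPolicy", "organizations:CreatePolicy",
    "organizations:DeletePolicy", "organizations:Describe*",
    "organizations:DetachPolicy", "organizations:DisablePolicyType",
    "organizations:EnablePolicyType", "organizations:List*",
    "organizations:TagResource", "organizations:UntagResource",
    "organizations:UpdatePolicy",
}

def _as_list(value):
    # IAM policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def review_delegation_policy(policy_text, delegated_account_id):
    """Return findings for a delegation policy; an empty list means it has the
    intended shape: only the delegated account root as principal and only
    allowlisted organizations: actions, with no wildcard principal or action."""
    findings = []
    expected_principal = f"arn:aws:iam::{delegated_account_id}:root"
    for i, stmt in enumerate(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: anonymous principal '*'")
            principal = {}
        for p in _as_list(principal.get("AWS", [])):
            if p != expected_principal:
                findings.append(f"statement {i}: unexpected principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "organizations:*"):
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in EXPECTED_ACTIONS:
                findings.append(f"statement {i}: action not in allowlist {action}")
    return findings

# The post's delegation policy, embedded here as constructed sample input.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": sorted(EXPECTED_ACTIONS),
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for line in review_delegation_policy(PAGE_POLICY, "111122223333") or ["OK"]:
        print(line)
```

Running the check against the same policy with the principal changed to an unexpected account such as 999999999999, or with "organizations:*" substituted for one action, returns a finding instead of an empty list.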
References
AWS services that you can use with AWS Organizations - AWS Organizations (amazon.com)
AWS Account Management and AWS Organizations - AWS Organizations (amazon.com)
Delegated administrator for AWS Organizations - AWS Organizations (amazon.com)