Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The register delegated administrator account solution is one of the SRA common solutions. It registers a delegated administrator account (e.g. the Security Tooling account) from within the AWS Organizations management account using the AWS Organizations APIs.
- All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account, or as a CloudFormation Stack within a specific account.
- The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet.
- For parameter details, review the AWS CloudFormation templates.
- The Lambda function registers the delegated administrator account for the provided service principals.
- A CloudWatch Log Group contains the Lambda function execution logs.
- An IAM role is used by the Lambda function to enable AWS service access for the provided service principals and to register an AWS account as the delegated administrator.
- AWS Organizations APIs are used to delegate the administrator account.
- The services that support a delegated administrator account can be configured and managed from within this account.
- Service Principal Mapping

| Service | Service Principal |
|---|---|
| AWS IAM Access Analyzer | access-analyzer.amazonaws.com |
| AWS Audit Manager | auditmanager.amazonaws.com |
| AWS CloudFormation StackSets | stacksets.cloudformation.amazonaws.com |
| AWS Config | config.amazonaws.com |
| AWS Config Conformance Packs | config-multiaccountsetup.amazonaws.com |
| Amazon Macie | macie.amazonaws.com |
| AWS Security Hub | securityhub.amazonaws.com |
| Amazon S3 Storage Lens | storage-lens.s3.amazonaws.com |
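The core of what the Lambda function does, as an added example that is not the SRA solution's own code: for each service principal in the mapping table it enables trusted access and registers the delegated administrator, treating "already registered" as success so re-running is idempotent. The `org_client` parameter is assumed to be a boto3 `organizations` client created with management-account credentials (any object exposing the same two methods works).

```python
"""Added example (not the SRA solution's own Lambda code): enable trusted
access and register a delegated administrator for each service principal.
`org_client` is assumed to be boto3.client("organizations") called with
management-account credentials; any object with the same two methods works."""

# Service principals from the mapping table on this page.
SERVICE_PRINCIPALS = [
    "access-analyzer.amazonaws.com",
    "auditmanager.amazonaws.com",
    "stacksets.cloudformation.amazonaws.com",
    "config.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com",
    "macie.amazonaws.com",
    "securityhub.amazonaws.com",
    "storage-lens.s3.amazonaws.com",
]


def _error_code(exc):
    """AWS error code from a botocore ClientError-like exception ('' if none)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def register_delegated_admin(org_client, account_id, service_principals):
    """Return {service principal: 'registered' | 'already-registered'}.

    An account that is already the delegated admin counts as success, so
    repeated invocations (e.g. on stack updates) are idempotent; any other
    Organizations API error is re-raised so the Lambda fails loudly.
    """
    results = {}
    for principal in service_principals:
        # Trusted access must be enabled before an account can be delegated.
        org_client.enable_aws_service_access(ServicePrincipal=principal)
        try:
            org_client.register_delegated_administrator(
                AccountId=account_id, ServicePrincipal=principal
            )
            results[principal] = "registered"
        except Exception as exc:  # botocore.exceptions.ClientError at runtime
            if _error_code(exc) != "AccountAlreadyRegisteredException":
                raise
            results[principal] = "already-registered"
    return results


if __name__ == "__main__":
    import boto3  # needs management-account credentials in the environment
    # "111111111111" is a placeholder; use your Audit / Security Tooling account.
    print(register_delegated_admin(boto3.client("organizations"),
                                   "111111111111", SERVICE_PRINCIPALS))
```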
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
Choose a Deployment Method:

- In the management account (home region), launch the sra-common-register-delegated-administrator-ssm.yaml template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution. The Audit account is set as the delegated administrator account for all the associated SRA solutions.

```bash
aws cloudformation deploy \
  --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml \
  --stack-name sra-common-register-delegated-administrator-ssm \
  --capabilities CAPABILITY_NAMED_IAM
```
- Verify the configuration using the following AWS CLI shell script:

```bash
# Export management account AWS credentials before running the below command
for accountId in $(aws organizations list-delegated-administrators \
    --query 'DelegatedAdministrators[*].Id' --output text); do
  echo -e "$accountId\n Service Principals: " \
    $(aws organizations list-delegated-services-for-account --account-id "$accountId" \
        --query 'DelegatedServices[*].ServicePrincipal')
done
```
- In the management account (home region), delete the AWS CloudFormation Stack created in the solution deployment.
- In the management account (home region), delete the AWS CloudWatch Log Group (e.g. /aws/lambda/<solution_name>) for the deployed Lambda function.