Registering a Delegated Administrator - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Registering a Delegated Administrator

Delegated administrators are member accounts in an Amazon Organizations organization that are granted additional administrative privileges for a specified Amazon service. For more information, see Delegated administrator in the Amazon Organizations User Guide. You must use the Amazon CLI to register a delegated administrator for Amazon Config; the commands below are run with management account credentials. Because the delegated administrator can deploy Amazon Config rules and conformance packs to every account in the organization and aggregate configuration data from all of them, register a dedicated security or audit account rather than a general-purpose workload account.

Registering a Delegated Administrator
  1. Log in with management account credentials.

  2. Open a command prompt or a terminal window.

  3. Enter the following command to enable trusted access for the Amazon Config multi-account setup service principal. This lets the delegated administrator deploy and manage Amazon Config rules and conformance packs across your organization:

    aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com
  4. Enter the following command to enable trusted access for the Amazon Config service principal. This lets the delegated administrator aggregate Amazon Config data across your organization:

    aws organizations enable-aws-service-access --service-principal=config.amazonaws.com
  5. To confirm that trusted access is enabled for both service principals, enter the following command and press Enter to execute it:

    aws organizations list-aws-service-access-for-organization

    You should see output similar to the following:

    {
        "EnabledServicePrincipals": [
            {
                "ServicePrincipal": "config.amazonaws.com",
                "DateEnabled": 1607020860.881
            },
            {
                "ServicePrincipal": "config-multiaccountsetup.amazonaws.com",
                "DateEnabled": 1607020860.881
            }
        ]
    }

    Each enabled service principal appears as its own entry; if either Amazon Config principal is missing, repeat the corresponding enable-aws-service-access command before continuing.
  6. Next, enter the following commands to register a member account as the delegated administrator for both service principals. Replace MemberAccountID with the 12-digit ID of the member account; use the same account in both commands so that rule deployment and data aggregation are managed from one place.

    aws organizations register-delegated-administrator --service-principal=config-multiaccountsetup.amazonaws.com --account-id MemberAccountID

    and

    aws organizations register-delegated-administrator --service-principal=config.amazonaws.com --account-id MemberAccountID
  7. To confirm that the delegated administrator registration is complete for both service principals, enter the following commands from the management account and press Enter to execute each one:

    aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com

    and

    aws organizations list-delegated-administrators --service-principal=config.amazonaws.com

    You should see output similar to the following:

    {
        "DelegatedAdministrators": [
            {
                "Id": "MemberAccountID",
                "Arn": "arn:aws:organizations::MemberAccountID:account/o-c7esubdi38/MemberAccountID",
                "Email": "name@amazon.com",
                "Name": "name",
                "Status": "ACTIVE",
                "JoinedMethod": "INVITED",
                "JoinedTimestamp": 1604867734.48,
                "DelegationEnabledDate": 1607020986.801
            }
        ]
    }
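The verification in steps 5 and 7 is easy to get half right by eye: one principal enabled but not the other, or the account registered for aggregation but not for multi-account setup. The following script, an added example that is not part of the Amazon Config documentation, automates the checks against the same two list commands. It assumes the AWS CLI is installed and that the calling credentials belong to the management account; the account ID 111122223333, the organization ID o-exampleorgid and the sample responses are constructed so the checks can be exercised offline.

```python
"""Verify the Amazon Config delegated-administrator setup from the management account.

Added example, not code from the Amazon Config documentation. Assumes the AWS CLI
is installed and the calling credentials belong to the management account. The
sample responses below are constructed (hypothetical account 111122223333).
"""
import json
import re
import subprocess

# Both service principals the procedure enables and registers.
CONFIG_PRINCIPALS = (
    "config-multiaccountsetup.amazonaws.com",  # organization rules and conformance packs
    "config.amazonaws.com",                    # organization-wide data aggregation
)


def aws_cli(args):
    """Run an AWS CLI command and return its parsed JSON output."""
    result = subprocess.run(
        ["aws", *args, "--output", "json"], check=True, capture_output=True, text=True
    )
    return json.loads(result.stdout)


def missing_service_access(response, required=CONFIG_PRINCIPALS):
    """Principals in `required` absent from a list-aws-service-access-for-organization response."""
    enabled = {e["ServicePrincipal"] for e in response.get("EnabledServicePrincipals", [])}
    return [p for p in required if p not in enabled]


def delegated_admin_status(response, account_id):
    """Status of `account_id` in a list-delegated-administrators response,
    or None if the account is not registered for that principal."""
    for admin in response.get("DelegatedAdministrators", []):
        if admin["Id"] == account_id:
            return admin["Status"]
    return None


def verify(account_id, run=aws_cli):
    """Return a dict of problems found; an empty dict means the setup is complete.

    `run` executes a CLI argument list and returns parsed JSON; it is injectable
    so the checks can be exercised against canned responses without the CLI."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    problems = {}
    missing = missing_service_access(
        run(["organizations", "list-aws-service-access-for-organization"])
    )
    if missing:
        problems["trusted_access_missing"] = missing
    for principal in CONFIG_PRINCIPALS:
        status = delegated_admin_status(
            run(["organizations", "list-delegated-administrators",
                 "--service-principal", principal]),
            account_id,
        )
        if status != "ACTIVE":
            # None means not registered for this principal; otherwise a non-ACTIVE account status.
            problems[principal] = status
    return problems


# Constructed responses for an offline run (hypothetical IDs, not real accounts).
SAMPLE_SERVICE_ACCESS = {
    "EnabledServicePrincipals": [
        {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": 1607020860.881},
        {"ServicePrincipal": "config-multiaccountsetup.amazonaws.com", "DateEnabled": 1607020860.881},
    ]
}
SAMPLE_DELEGATED = {
    "DelegatedAdministrators": [
        {"Id": "111122223333",
         "Arn": "arn:aws:organizations::123456789012:account/o-exampleorgid/111122223333",
         "Email": "security-audit@example.com", "Name": "security-audit",
         "Status": "ACTIVE", "JoinedMethod": "INVITED",
         "JoinedTimestamp": 1604867734.48, "DelegationEnabledDate": 1607020986.801}
    ]
}


def fake_cli(args):
    """Stand-in for aws_cli that serves the constructed responses above."""
    if args[1] == "list-aws-service-access-for-organization":
        return SAMPLE_SERVICE_ACCESS
    if args[1] == "list-delegated-administrators":
        return SAMPLE_DELEGATED
    raise ValueError(f"unexpected command: {args}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:   # real check, e.g.: python verify_config_delegate.py 111122223333
        print(verify(sys.argv[1]) or "OK: Amazon Config delegated administrator fully set up")
    else:                    # offline demonstration against the constructed data
        print(verify("111122223333", run=fake_cli) or "OK (sample data)")
```

Run it with the member account ID as the only argument from the management account; any non-empty result names exactly which of steps 3, 4 or 6 still needs to be repeated.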