Permissions required to designate a delegated GuardDuty administrator account - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions required to designate a delegated GuardDuty administrator account

When designating a delegated GuardDuty administrator account, you must have permission to enable GuardDuty as well as permission to call certain Amazon Organizations API actions. You can add the following statement at the end of an IAM policy to grant these permissions:

{
    "Sid": "PermissionsForGuardDutyAdmin",
    "Effect": "Allow",
    "Action": [
        "guardduty:EnableOrganizationAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts"
    ],
    "Resource": "*"
}

Additionally, if you want to designate your Amazon Organizations management account as the delegated GuardDuty administrator account, that entity will also need the iam:CreateServiceLinkedRole permission so that GuardDuty can create its service-linked role when it is initialized. To do this, add the following statement to the IAM policy and replace 111122223333 with the Amazon Web Services account ID of your organization's management account. The Resource ARN and the iam:AWSServiceName condition scope this permission to GuardDuty's own service-linked role in that account; do not widen it to "Resource": "*". The ARN below uses the aws-cn partition for the China Regions; in other partitions the prefix is arn:aws.

{
    "Sid": "PermissionsToEnableGuardDuty",
    "Effect": "Allow",
    "Action": [
        "iam:CreateServiceLinkedRole"
    ],
    "Resource": "arn:aws-cn:iam::111122223333:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
    "Condition": {
        "StringLike": {
            "iam:AWSServiceName": "guardduty.amazonaws.com"
        }
    }
}
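The two statements above are the complete policy for this task. As an added example (not code from the GuardDuty documentation or from Amazon), the script below assembles them into one policy document for a given management account ID and partition, and includes a deliberately minimal Allow-only evaluator to show what the second statement's Resource ARN and StringLike condition actually permit: creating GuardDuty's service-linked role in the named account, and nothing else. The evaluator is an assumption for illustration only; it ignores Deny statements, service control policies, resource policies and the other condition operators of the real IAM engine. The function and variable names are the example's own.

```python
import fnmatch
import json
import re

# ARN template for GuardDuty's service-linked role. The partition is
# "aws-cn" for the China Regions and "aws" elsewhere.
GUARDDUTY_SLR_ARN = (
    "arn:{partition}:iam::{account}:role/aws-service-role/"
    "guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"
)

# Actions from the first statement on this page.
DESIGNATE_ACTIONS = [
    "guardduty:EnableOrganizationAdminAccount",
    "organizations:EnableAWSServiceAccess",
    "organizations:RegisterDelegatedAdministrator",
    "organizations:ListDelegatedAdministrators",
    "organizations:ListAWSServiceAccessForOrganization",
    "organizations:DescribeOrganizationalUnit",
    "organizations:DescribeAccount",
    "organizations:DescribeOrganization",
    "organizations:ListAccounts",
]


def guardduty_slr_arn(account_id: str, partition: str = "aws-cn") -> str:
    """ARN of the GuardDuty service-linked role in the given account."""
    return GUARDDUTY_SLR_ARN.format(partition=partition, account=account_id)


def build_policy(management_account_id: str, partition: str = "aws-cn",
                 designate_management_account: bool = False) -> dict:
    """Return the IAM policy document described on this page.

    The second statement (CreateServiceLinkedRole) is only added when the
    management account itself will be the delegated administrator.
    """
    if not re.fullmatch(r"\d{12}", management_account_id):
        raise ValueError("account ID must be 12 digits")
    statements = [{
        "Sid": "PermissionsForGuardDutyAdmin",
        "Effect": "Allow",
        "Action": list(DESIGNATE_ACTIONS),
        "Resource": "*",
    }]
    if designate_management_account:
        statements.append({
            "Sid": "PermissionsToEnableGuardDuty",
            "Effect": "Allow",
            "Action": ["iam:CreateServiceLinkedRole"],
            # Scoped to GuardDuty's SLR in the management account only.
            "Resource": guardduty_slr_arn(management_account_id, partition),
            "Condition": {"StringLike": {"iam:AWSServiceName": "guardduty.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_json(**kwargs) -> str:
    """Serialised policy, ready to pass to `aws iam create-policy --policy-document`."""
    return json.dumps(build_policy(**kwargs), indent=4)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str, context: dict = None) -> bool:
    """Toy evaluator (an assumption, not the IAM engine): Allow statements,
    '*' wildcards, and the StringLike condition operator only.

    Action names compare case-insensitively as in IAM; resources are
    case-sensitive. A missing context key fails the condition, which is how
    IAM treats StringLike when the key is absent from the request.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        satisfied = all(
            context.get(key) is not None
            and any(fnmatch.fnmatchcase(context[key], p) for p in _as_list(patterns))
            for key, patterns in conditions.items()
        )
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    print(policy_json(management_account_id="111122223333",
                      designate_management_account=True))
```

Once the policy is attached to the principal doing the designation, the actual steps are `aws organizations enable-aws-service-access --service-principal guardduty.amazonaws.com`, then `aws guardduty enable-organization-admin-account --admin-account-id <delegated-account-id>`; the example's `is_allowed` checks are a way to sanity-check the policy's scope before attaching it, not a substitute for the IAM policy simulator.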