Delegated administrator organizational view - Amazon Health

Delegated administrator organizational view

With Amazon Health, you can leverage the delegated administrator feature from Amazon Organizations that allows an account other than the management account to view aggregated Amazon Health events on the Amazon Health Dashboard or programmatically through the Amazon Health API. The delegated administrator feature provides the flexibility for different teams to view and manage health events across your organization. It's an Amazon security best practice to delegate responsibilities outside of the management account where possible.

Register a delegated administrator for your organizational view

After you enable organizational view for your organization, you can register up to five member accounts in your organization as delegated administrators. To do this, call the RegisterDelegatedAdministrator API operation. After you register the member accounts, they are delegated administrator accounts and can access the Amazon Health organizational view from the Amazon Health Dashboard. If the account has a Business, Enterprise On-Ramp, or Enterprise Support plan, then the delegated administrators can use the Amazon Health API to access the Amazon Health organizational view.

To register a delegated administrator, run the following Amazon Command Line Interface (Amazon CLI) command from the management account in your organization, or from an account that can assume the role with the required Amazon Identity and Access Management permissions. In the following example command, replace ACCOUNT_ID with the ID of the member account that you want to register. The value health.amazonaws.com is the Amazon Health service principal.

aws organizations register-delegated-administrator --account-id ACCOUNT_ID --service-principal health.amazonaws.com

After a delegated administrator is registered, you have visibility into all Amazon Health events affecting accounts across your organization. You can view historical events over the past 90 days or since the organizational view feature was first enabled, whichever is more recent. Note that enabling the delegated administrator feature is an asynchronous process and takes up to a minute to complete.

Remove a delegated administrator from your organizational view

To remove access for a delegated administrator, call the DeregisterDelegatedAdministrator API operation.

From your organization's management account, call the following Amazon CLI command to remove a member account as delegated administrator. In the following example command, replace ACCOUNT_ID with the member account ID that you want to remove.

aws organizations deregister-delegated-administrator --account-id ACCOUNT_ID --service-principal health.amazonaws.com
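
Because a registered delegated administrator can see Amazon Health events for every account in the organization, it is worth checking periodically that only reviewed accounts hold that role. The following script is an added example, not part of the original documentation: it compares the accounts registered for health.amazonaws.com with an approved list. The function names, the APPROVED list, and all account IDs are constructed for illustration; the live lookup assumes the Amazon CLI list-delegated-administrators command and is only used when the script is started with --live.

```bash
# Added example (not from the original page): compare the accounts registered
# as delegated administrators for Amazon Health with an approved allowlist.

SERVICE_PRINCIPAL="health.amazonaws.com"

# Live lookup, run from the management account. Prints account IDs separated
# by whitespace. Only called when the script is started with --live.
fetch_health_delegates() {
  aws organizations list-delegated-administrators \
    --service-principal "$SERVICE_PRINCIPAL" \
    --query 'DelegatedAdministrators[].Id' --output text
}

# Succeeds only for a 12-digit account ID.
is_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# audit_delegates "APPROVED IDS" "REGISTERED IDS"
# Prints one finding per line and returns non-zero if there is any finding.
audit_delegates() {
  approved_ids=$(printf '%s ' $1)   # normalise tabs/newlines to single spaces
  findings=0
  for id in $2; do
    if ! is_account_id "$id"; then
      echo "MALFORMED $id"; findings=$((findings + 1)); continue
    fi
    case " $approved_ids" in
      *" $id "*) ;;                  # registered and approved
      *) echo "UNAPPROVED $id"; findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample data; replace APPROVED with your own reviewed list.
APPROVED="111111111111 222222222222"
if [ "${1:-}" = "--live" ]; then
  REGISTERED=$(fetch_health_delegates)
else
  REGISTERED="111111111111 333333333333"   # constructed, offline demo
fi
if ! audit_delegates "$APPROVED" "$REGISTERED"; then
  echo "Review the accounts above and deregister any that should not see organization-wide Health events."
fi
```

An account reported as UNAPPROVED can be removed with the deregister-delegated-administrator command shown above.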