Designating a delegated administrator account for Amazon Inspector
The delegated administrator account is an account that you designate to manage all member accounts for an Amazon service. In Amazon Inspector, the delegated administrator account has access to specific metadata about its member accounts. For more information, see Understanding the delegated administrator account and member accounts in Amazon Inspector. This section describes how to designate a delegated administrator for Amazon Inspector.
Important considerations for delegated administrators
Take note of the following factors that define how the delegated administrator operates in Amazon Inspector:
- A delegated administrator can manage a maximum of 5,000 members.
  Each Amazon Inspector delegated administrator has a quota of 5,000 member accounts, but your organization can contain more than 5,000 accounts. If you exceed 5,000 member accounts, you receive a notification through the Amazon Health Dashboard (formerly the Personal Health Dashboard) and an email to the delegated administrator account.
- A delegated administrator is Regional.
  Unlike Amazon Organizations, Amazon Inspector is a Regional service. You must designate the delegated administrator, add member accounts, and activate scan types separately in each Amazon Web Services Region where you want to use Amazon Inspector.
- An organization can have only one delegated administrator.
  An organization can have only one Amazon Inspector delegated administrator. If you have designated an account as the delegated administrator in one Region, that same account must be the delegated administrator in every other Region.
- Changing a delegated administrator does not deactivate Amazon Inspector for member accounts.
  If you remove or change the delegated administrator, Amazon Inspector is not deactivated in the member accounts, and their scan settings are not affected.
- Your Amazon Organization must have all features activated.
  This is the default setting for Amazon Organizations. If all features are not activated, see Activating all features in your organization.
Permissions required to designate a delegated administrator
You must have permission to activate Amazon Inspector and to designate an Amazon Inspector delegated administrator. Add the following statement to the end of an IAM policy to grant these permissions, and attach the policy to a principal in the Organizations management account, because only that account can designate the delegated administrator (see the note below). For more information, see Managing IAM policies.

{
    "Sid": "PermissionsForInspectorAdmin",
    "Effect": "Allow",
    "Action": [
        "inspector2:EnableDelegatedAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
    ],
    "Resource": "*"
}
Designating a delegated administrator for your Amazon organization
The following procedure shows you how to designate a delegated administrator for your Amazon organization. When this designation is complete, Amazon Inspector is activated for both the Organizations management account and the chosen delegated administrator account.
Note
Only the Organizations management account can designate a delegated administrator.
Activating Amazon Inspector for the first time creates the service-linked role (SLR) AWSServiceRoleForAmazonInspector for the account. For more information about how Amazon Inspector uses service-linked roles, see Using service-linked roles for Amazon Inspector. For information about service-linked roles in general, see Using service-linked roles in the IAM User Guide.
To designate a delegated administrator for Amazon Inspector
After you designate the delegated administrator, only the Amazon Organizations management account can change or remove the delegated administrator account.
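Because the designation is Regional while the Organizations registration is global, the same account has to be designated once per Region and can then be verified with a single Organizations call. The following script is an added example and is not part of the Amazon Inspector documentation or the console procedure above. It assumes it runs as a principal in the Organizations management account holding the permissions from the policy statement above; the account ID 111122223333 and the Region names are placeholders, and the `designate_in_regions` helper, the `APPLY` switch and the `INSPECTOR_ADMIN_ACCOUNT` / `INSPECTOR_REGIONS` variables are this example's own names.

```shell
#!/bin/sh
# Added example, not from the Amazon Inspector documentation: designate one account
# as the Amazon Inspector delegated administrator in every Region you use (the
# designation is Regional), then confirm the registration with Organizations (global,
# so a single call). Assumed: the script runs in the Organizations management account
# with the permissions shown in the policy above; account ID and Regions are
# placeholders you supply. Commands are only printed unless APPLY=1 is set.

# Accept only a 12-digit account ID; anything else is rejected before any call is made.
validate_account_id() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# The Inspector call is per Region: the same account must be designated in each one.
enable_cmd() {
    printf 'aws inspector2 enable-delegated-admin-account --region %s --delegated-admin-account-id %s\n' "$1" "$2"
}

# Organizations records the registration once; listing it shows which account is
# registered for the inspector2 service principal.
verify_cmd() {
    printf 'aws organizations list-delegated-administrators --service-principal inspector2.amazonaws.com\n'
}

# Designate in each Region given, then emit the verification call.
# Dry run by default (commands are printed); APPLY=1 executes them and stops at the first failure.
designate_in_regions() {
    account="$1"
    shift
    validate_account_id "$account" || { echo "invalid account ID: $account" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no Regions given" >&2; return 1; }
    for region in "$@"; do
        cmd=$(enable_cmd "$region" "$account")
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$cmd" || { echo "designation failed in $region" >&2; return 1; }
        else
            echo "$cmd"
        fi
    done
    cmd=$(verify_cmd)
    if [ "${APPLY:-0}" = "1" ]; then
        eval "$cmd"
    else
        echo "$cmd"
    fi
}

# Usage: INSPECTOR_ADMIN_ACCOUNT=111122223333 INSPECTOR_REGIONS="us-east-1 us-west-2" APPLY=1 sh designate.sh
if [ -n "${INSPECTOR_ADMIN_ACCOUNT:-}" ]; then
    # Word splitting of the Region list is intended here.
    designate_in_regions "$INSPECTOR_ADMIN_ACCOUNT" ${INSPECTOR_REGIONS:-us-east-1}
fi
```

Run it once without `APPLY=1` to review the exact calls it will make, then rerun with `APPLY=1`. The verification output should list exactly one account for the inspector2 service principal; if a different account appears, the Regional designations will fail, since an organization can have only one Amazon Inspector delegated administrator.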