
Designating a delegated administrator account for Amazon Inspector

You might want to designate one account to manage all member accounts in an Amazon service. This account is called a delegated administrator account. Delegated administrator accounts in Amazon Inspector have access to specific metadata that member accounts cannot access. For more information, see Understanding the delegated administrator account and member accounts in Amazon Inspector.

This topic describes how to designate a delegated administrator for Amazon Inspector.

Important considerations for delegated administrators

Take note of the following factors that define how the delegated administrator operates in Amazon Inspector:

A delegated administrator can manage a maximum of 5,000 members.

Each Amazon Inspector delegated administrator has a quota of 5,000 member accounts. However, your organization could include more than 5,000 accounts. If you exceed 5,000 member accounts, you will receive a notification through the Amazon CloudWatch Personal Health Dashboard and an email to the delegated administrator account.

A delegated administrator is Regional.

Unlike Amazon Organizations, Amazon Inspector is a Regional service. This means you must designate a delegated administrator, add member accounts, and activate scan types in each Amazon Web Services Region in which you want to use Amazon Inspector.

An organization can have only one delegated administrator.

You can only have one delegated administrator for Amazon Inspector for an organization. If you have designated an account as a delegated administrator in one Region, that account must be your delegated administrator in all other Regions.

Changing a delegated administrator does not deactivate Amazon Inspector for member accounts.

If you remove the delegated administrator, Amazon Inspector won't be deactivated in the member accounts, and their scan settings won't be affected.

Your Amazon Organization must have all features activated.

This is the default setting for Amazon Organizations. If it's not activated, see Activating all features in your organization.

Permissions required to designate a delegated administrator

You must have permission to activate Amazon Inspector and to designate an Amazon Inspector delegated administrator.

Add the following statement to the end of an IAM policy to grant these permissions.

{
    "Sid": "PermissionsForInspectorAdmin",
    "Effect": "Allow",
    "Action": [
        "inspector2:EnableDelegatedAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
    ],
    "Resource": "*"
}

Designating a delegated administrator for your Amazon organization

The following procedure shows you how to designate a delegated administrator for your Amazon organization. When this designation is complete, Amazon Inspector is activated for both the Organizations management account and the chosen delegated administrator account.

Note

Only the Organizations management account can designate a delegated administrator.

Activating Amazon Inspector for the first time creates the service-linked role (SLR) AWSServiceRoleForAmazonInspector for the account. For more information about how Amazon Inspector uses service-linked roles, see Using service-linked roles for Amazon Inspector. For information about service-linked roles in general, see Using service-linked roles in the IAM User Guide.

To designate a delegated administrator for Amazon Inspector

Console
Designate a delegated administrator in the console
  1. Sign in to the Amazon Web Services Management Console using the Amazon Organizations management account.

  2. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  3. Use the Amazon Web Services Region selector to specify the Region where you want to designate a delegated administrator.

  4. Choose General settings.

  5. In the Delegated administrator tile, enter the account ID of the Amazon Web Services account that you want to designate as the delegated administrator, and then choose Delegate administration.

  6. (Optional) Repeat the previous steps for each Amazon Web Services Region.

API
Designate a delegated administrator using the API
  • Run the EnableDelegatedAdminAccount API operation using the credentials of the Organizations management account. You can also use the Amazon Command Line Interface to do this by running the following CLI command:

    aws inspector2 enable-delegated-admin-account --delegated-admin-account-id 11111111111

    Note

    Make sure to specify the account ID of the account that you want to make an Amazon Inspector delegated administrator.

After you specify the delegated administrator, you must use the Amazon Organizations management account only to change or remove the delegated administrator account.
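Because the delegated administrator is Regional while the organization can have only one, the CLI step above has to be repeated per Region with the same account ID, and it is worth confirming the result afterwards. The following script is an added example, not part of the Amazon Inspector documentation or the AWS CLI: it checks that the account ID is well-formed and that the organization has all features enabled, designates the delegated administrator in each Region (skipping Regions where it is already set and refusing Regions where a different account is set), and then verifies the registration in Amazon Organizations. The account ID 111111111111 and the Region list are placeholders; the `inspector2.amazonaws.com` service principal, `get-delegated-admin-account` and `list-delegated-administrators` are existing CLI operations used for the verification, which the page itself does not describe. Run it with Organizations management-account credentials.

```shell
#!/bin/sh
# Added example (not from the Amazon Inspector documentation): designate the same
# Amazon Inspector delegated administrator in every Region in use, then verify it.

ADMIN_ACCOUNT_ID="${ADMIN_ACCOUNT_ID:-111111111111}"  # placeholder 12-digit account ID
REGIONS="${REGIONS:-cn-north-1 cn-northwest-1}"       # assumed Region list; adjust as needed

# Amazon Web Services account IDs are exactly 12 digits; reject anything else
# before making any API call.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Delegated administration requires "all features" in Amazon Organizations.
org_has_all_features() {
  [ "$(aws organizations describe-organization \
        --query 'Organization.FeatureSet' --output text)" = "ALL" ]
}

# Designate the delegated administrator in one Region. Idempotent: a Region
# already delegated to the same account is left alone; a Region delegated to a
# different account is an error, because an organization can have only one.
designate_in_region() {
  region="$1"
  current="$(aws inspector2 get-delegated-admin-account --region "$region" \
        --query 'delegatedAdmin.accountId' --output text 2>/dev/null || true)"
  if [ "$current" = "$ADMIN_ACCOUNT_ID" ]; then
    echo "$region: already delegated to $ADMIN_ACCOUNT_ID"
    return 0
  fi
  if [ -n "$current" ] && [ "$current" != "None" ]; then
    echo "$region: a different delegated administrator ($current) is set" >&2
    return 1
  fi
  aws inspector2 enable-delegated-admin-account --region "$region" \
        --delegated-admin-account-id "$ADMIN_ACCOUNT_ID" >/dev/null
  echo "$region: delegated to $ADMIN_ACCOUNT_ID"
}

# Confirm that Amazon Organizations recorded the account as a delegated
# administrator for the Inspector service principal.
verify_registration() {
  aws organizations list-delegated-administrators \
        --service-principal inspector2.amazonaws.com \
        --query 'DelegatedAdministrators[].Id' --output text \
    | grep -qw "$ADMIN_ACCOUNT_ID"
}

main() {
  valid_account_id "$ADMIN_ACCOUNT_ID" || { echo "invalid account ID: $ADMIN_ACCOUNT_ID" >&2; return 1; }
  org_has_all_features || { echo "organization does not have all features enabled" >&2; return 1; }
  for r in $REGIONS; do
    designate_in_region "$r" || return 1
  done
  verify_registration && echo "verified: $ADMIN_ACCOUNT_ID is registered for inspector2.amazonaws.com"
}

# Run only when executed as a script under this name, not when sourced.
case "${0##*/}" in designate-inspector-admin.sh) main ;; esac
```

Because the script reads the current delegated administrator before writing, rerunning it after adding a Region only touches the new Region, and a Region that already points at another account stops the run instead of silently failing the `enable-delegated-admin-account` call.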