Designating a delegated administrator account for Amazon Inspector - Amazon Inspector
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Designating a delegated administrator account for Amazon Inspector

The delegated administrator is an account that manages a service for an organization. This topic describes how to designate a delegated administrator for Amazon Inspector.

Considerations

Before designating a delegated administrator, note the following:

The delegated administrator can manage a maximum of 10,000 members.

If you exceed 10,000 member accounts, you receive a notification through the Amazon CloudWatch Personal Health Dashboard and email to the delegated administrator account.

The delegated administrator is Regional.

Amazon Inspector is a Regional service. You must repeat the steps in the procedure in every Amazon Web Services Region where you plan to use Amazon Inspector.

An organization can have only one delegated administrator.

If you designate an account as the delegated administrator in one Amazon Web Services Region, that account must be the delegated administrator in all other Amazon Web Services Regions.

Changing a delegated administrator does not deactivate Amazon Inspector for member accounts.

If you remove a delegated administrator, member accounts become standalone accounts and scan settings aren't affected.

Your Amazon Organization must have all features activated.

This is the default setting for Amazon Organizations. If it's not activated, see Activating all features in your organization.

Permissions required to designate a delegated administrator

You must have permission to activate Amazon Inspector and to designate an Amazon Inspector delegated administrator. Add the following statement to the end of your IAM policy to grant these permissions. For more information, see Managing IAM policies.

{
    "Sid": "PermissionsForInspectorAdmin",
    "Effect": "Allow",
    "Action": [
        "inspector2:EnableDelegatedAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
    ],
    "Resource": "*"
}

Designating a delegated administrator for your Amazon organization

The following procedure describes how to designate a delegated administrator for your organization. Before you complete the procedure, make sure you are in the same organization as the member accounts you want the delegated administrator to manage.

Note

You must use the Amazon Organizations management account to complete this procedure. Only the Amazon Organizations management account can designate a delegated administrator. Permissions might be required to designate a delegated administrator. For more information, see Permissions required to designate a delegated administrator.

When you activate Amazon Inspector for the first time, Amazon Inspector creates the service linked role AWSServiceRoleForAmazonInspector for the account. For information about how Amazon Inspector uses service-linked roles, see Using service-linked roles for Amazon Inspector.

Console
To designate a delegated administrator for Amazon Inspector
  1. Sign in to the Amazon Organizations management account, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. Use the Amazon Web Services Region selector to specify the Amazon Web Services Region where you want to designate the delegated administrator.

  3. From the navigation pane, choose General settings.

  4. Under Delegated administrator, enter the 12-digit ID of the Amazon Web Services account you want to designate as the delegated administrator.

  5. Choose Delegate, and then choose Delegate again.

When you designate a delegated administrator, all scan types are activated for the account by default. If you want to activate Amazon Inspector for the Amazon Organizations management account, complete the following procedure.

To activate Amazon Inspector for the Amazon Organizations management account
  1. Sign in to the delegated administrator account, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. From the navigation pane, choose Account management.

  3. Under Accounts, select the Amazon Organizations management account, and then choose Activate.

  4. Select which scan types you want to activate for the Amazon Organizations management account, and then choose Submit.

API
Designate a delegated administrator using the API
  • Run the EnableDelegatedAdminAccount API operation using the credentials of the Amazon Organizations management account. You can also use the Amazon Command Line Interface to do this by running the following CLI command: aws inspector2 enable-delegated-admin-account --delegated-admin-account-id 11111111111.

    Note

    Make sure to specify the account ID of the account that you want to make an Amazon Inspector delegated administrator.
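The API procedure above has to be repeated in every Region, and the organization may have only one delegated administrator. The following is an added example (not code from the Amazon Inspector documentation) that wraps those checks around the EnableDelegatedAdminAccount call using boto3; it assumes management-account credentials, that boto3 is installed for real use, and that the account ID 111122223333 is a placeholder. The clients are injected so the logic can be exercised without calling Amazon Web Services.

```python
"""Designate one Amazon Inspector delegated administrator in every Region."""
import re

INSPECTOR_PRINCIPAL = "inspector2.amazonaws.com"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # account IDs are 12 digits


def current_delegated_admin(org_client):
    """Return the account already registered for Inspector, or None.

    Organizations is global, so one call covers every Region.
    """
    resp = org_client.list_delegated_administrators(
        ServicePrincipal=INSPECTOR_PRINCIPAL)
    admins = [a["Id"] for a in resp.get("DelegatedAdministrators", [])]
    return admins[0] if admins else None


def designate_everywhere(account_id, regions, org_client, inspector_factory):
    """Enable account_id as delegated administrator in each Region.

    Refuses to run if all features are not enabled or if a different account
    is already the delegated administrator. Returns the Regions processed.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit account ID: {account_id!r}")
    org = org_client.describe_organization()["Organization"]
    if org["FeatureSet"] != "ALL":
        raise RuntimeError("organization must have all features activated")
    existing = current_delegated_admin(org_client)
    if existing is not None and existing != account_id:
        raise RuntimeError(
            f"{existing} is already the delegated administrator; "
            "an organization can have only one")
    done = []
    for region in regions:  # Inspector is Regional: repeat per Region
        inspector_factory(region).enable_delegated_admin_account(
            delegatedAdminAccountId=account_id)
        done.append(region)
    return done


def boto3_inspector_factory(region):
    import boto3  # imported lazily so the logic can be tested offline
    return boto3.client("inspector2", region_name=region)


if __name__ == "__main__":
    import boto3
    # 111122223333 is a placeholder account ID, not a real account.
    print(designate_everywhere("111122223333", ["us-east-1", "us-west-2"],
                               boto3.client("organizations"),
                               boto3_inspector_factory))
```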