Designating a delegated administrator account for Amazon Inspector
The delegated administrator is an account that manages a service on behalf of an organization. This topic describes how to designate a delegated administrator for Amazon Inspector.
Considerations
Before designating a delegated administrator, note the following:
- The delegated administrator can manage a maximum of 10,000 members. If you exceed 10,000 member accounts, you receive a notification through the Amazon CloudWatch Personal Health Dashboard and an email to the delegated administrator account.
- The delegated administrator is Regional. Amazon Inspector is a Regional service, so you must repeat the steps in the procedure in every Amazon Web Services Region where you plan to use Amazon Inspector.
- An organization can have only one delegated administrator. If you designate an account as the delegated administrator in one Amazon Web Services Region, that same account must be the delegated administrator in all other Amazon Web Services Regions.
- Changing a delegated administrator does not deactivate Amazon Inspector for member accounts. If you remove a delegated administrator, member accounts become standalone accounts and their scan settings aren't affected.
- Your organization in Amazon Organizations must have all features activated. This is the default setting for Amazon Organizations. If it's not activated, see Activating all features in your organization.
Permissions required to designate a delegated administrator
You must have permission to activate Amazon Inspector and to designate an Amazon Inspector delegated administrator. Add the following statement to the end of your IAM policy to grant these permissions. For more information, see Managing IAM policies.
{
    "Sid": "PermissionsForInspectorAdmin",
    "Effect": "Allow",
    "Action": [
        "inspector2:EnableDelegatedAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
    ],
    "Resource": "*"
}
Designating a delegated administrator for your Amazon organization
The following procedure describes how to designate a delegated administrator for your organization. Before you complete the procedure, make sure that the account you designate belongs to the same organization as the member accounts you want it to manage.
Note
You must use the Amazon Organizations management account to complete this procedure; only the management account can designate a delegated administrator. The management account also needs the IAM permissions listed in Permissions required to designate a delegated administrator.
When you activate Amazon Inspector for the first time, Amazon Inspector creates the service-linked role AWSServiceRoleForAmazonInspector in the account. For information about how Amazon Inspector uses service-linked roles, see Using service-linked roles for Amazon Inspector.
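The considerations above (one delegated administrator, the same account in every Region, all features activated) and the procedure, as an added example in Python with boto3. This is not code from the Amazon Inspector documentation. It assumes the boto3 method names inspector2.get_delegated_admin_account, inspector2.enable_delegated_admin_account and organizations.describe_organization as documented in the AWS SDK; the account ID, the Region list and the fake clients used for the offline dry run are constructed for illustration. It is meant to be run from the Amazon Organizations management account with the permissions from the previous section.

```python
"""Designate one Amazon Inspector delegated administrator in every Region.

Added example, not code from the Amazon Inspector documentation. Assumes the
boto3 API names inspector2.get_delegated_admin_account,
inspector2.enable_delegated_admin_account and organizations.describe_organization.
The account ID, Region list and Fake* clients are constructed for illustration.
"""
from typing import Callable, Dict, Iterable, List, Optional

REGIONS = ["us-east-1", "eu-west-1"]  # every Region where Inspector will be used
ADMIN_ACCOUNT_ID = "111122223333"     # constructed example account ID


def boto3_client_factory(service: str, region: str):
    """Real client factory; boto3 is imported lazily so the helpers run without it."""
    import boto3
    return boto3.client(service, region_name=region)


def org_has_all_features(organizations_client) -> bool:
    """All features must be activated in Amazon Organizations (FeatureSet == ALL)."""
    org = organizations_client.describe_organization()["Organization"]
    return org.get("FeatureSet") == "ALL"


def designate_delegated_admin(
    admin_account_id: str,
    regions: Iterable[str],
    client_factory: Callable[[str, str], object] = boto3_client_factory,
) -> Dict[str, str]:
    """Enable the same delegated administrator in each Region.

    Returns Region -> relationshipStatus. Raises RuntimeError if a Region already
    has a different delegated administrator: an organization may have only one
    Inspector delegated administrator, and it must be the same in every Region.
    """
    status_by_region: Dict[str, str] = {}
    for region in regions:
        inspector = client_factory("inspector2", region)
        # Assumption: with no delegated admin the response has no "delegatedAdmin"
        # entry (or null) rather than raising an error.
        current = inspector.get_delegated_admin_account().get("delegatedAdmin") or {}
        existing = current.get("accountId")
        if existing and existing != admin_account_id:
            raise RuntimeError(
                f"{region}: delegated administrator is already {existing}; "
                f"refusing to register a second one ({admin_account_id})"
            )
        if existing != admin_account_id:  # not yet designated in this Region
            inspector.enable_delegated_admin_account(delegatedAdminAccountId=admin_account_id)
        refreshed = inspector.get_delegated_admin_account().get("delegatedAdmin") or {}
        status_by_region[region] = refreshed.get("relationshipStatus", "UNKNOWN")
    return status_by_region


class FakeInspectorClient:
    """Constructed stand-in for boto3's inspector2 client (offline dry run only)."""

    def __init__(self, existing: Optional[Dict[str, str]] = None):
        self.admin = existing
        self.enable_calls: List[str] = []

    def get_delegated_admin_account(self) -> Dict[str, Dict[str, str]]:
        return {"delegatedAdmin": self.admin} if self.admin else {}

    def enable_delegated_admin_account(self, delegatedAdminAccountId: str) -> Dict[str, str]:
        self.enable_calls.append(delegatedAdminAccountId)
        self.admin = {"accountId": delegatedAdminAccountId, "relationshipStatus": "ENABLED"}
        return {"delegatedAdminAccountId": delegatedAdminAccountId}


class FakeOrganizationsClient:
    """Constructed stand-in for boto3's organizations client (offline dry run only)."""

    def __init__(self, feature_set: str = "ALL"):
        self.feature_set = feature_set

    def describe_organization(self) -> Dict[str, Dict[str, str]]:
        return {"Organization": {"FeatureSet": self.feature_set}}


def dry_run() -> Dict[str, str]:
    """Offline walk-through: eu-west-1 already has the admin, us-east-1 does not."""
    clients = {
        "us-east-1": FakeInspectorClient(),
        "eu-west-1": FakeInspectorClient({"accountId": ADMIN_ACCOUNT_ID, "relationshipStatus": "ENABLED"}),
    }
    if not org_has_all_features(FakeOrganizationsClient("ALL")):
        raise RuntimeError("activate all features in Amazon Organizations first")
    return designate_delegated_admin(ADMIN_ACCOUNT_ID, REGIONS, lambda _svc, region: clients[region])


if __name__ == "__main__":
    print(dry_run())  # real run: designate_delegated_admin(ADMIN_ACCOUNT_ID, REGIONS)
```

The Region loop is idempotent: a Region that already lists the intended account is left alone, a Region with no delegated administrator gets one, and a Region that names a different account stops the run instead of silently producing a split configuration. Check the Organizations feature set before the loop, since the registration fails without all features activated.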