Delegated administrator for Amazon services that work with Organizations - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Delegated administrator for Amazon services that work with Organizations

We recommend that you use the Amazon Organizations management account and its users and roles only for tasks that must be performed by that account. We also recommend that you store your Amazon resources in other member accounts in the organization and keep them out of the management account. This is because security features like Organizations service control policies (SCPs) do not restrict users or roles in the management account. Separating your resources from your management account can also help you understand the charges on your invoices.

Many Amazon services that integrate with Organizations enable you to reduce the usage of the management account. These services enable you to register one or more member accounts as administrators that can manage all of the organization's accounts used in the service. These accounts are called delegated administrators for that specific service. By registering a member account as a delegated administrator for an Amazon service, you grant that account some administrative permissions for that service, as well as permissions for Organizations read-only actions.

Before you register an account as a delegated administrator for a service:

Note

To learn how to enable a delegated administrator for a service, see the table in Amazon services that you can use with Amazon Organizations and choose the Learn more link in the Supports Delegated Administrator column for that service.

Permissions granted to delegated administrator accounts

Each service-specific delegated administrator account has permissions granted by that service. To learn more, reference the table in Amazon services that you can use with Amazon Organizations and select the Learn more link in the Supports Delegated Administrator column for that service.

A delegated administrator account also has these read-only permissions:

  • DescribeAccount

  • DescribeCreateAccountStatus

  • DescribeEffectivePolicy

  • DescribeHandshake

  • DescribeOrganization

  • DescribeOrganizationalUnit

  • DescribePolicy

  • DescribeResourcePolicy

  • ListAccounts

  • ListAccountsForParent

  • ListAWSServiceAccessForOrganization

  • ListChildren

  • ListCreateAccountStatus

  • ListDelegatedAdministrators

  • ListDelegatedServicesForAccount

  • ListHandshakesForAccount

  • ListHandshakesForOrganization

  • ListOrganizationalUnitsForParent

  • ListParents

  • ListPolicies

  • ListPoliciesForTarget

  • ListRoots

  • ListTagsForResource

  • ListTargetsForPolicy

These permissions enable you to view, but not change, the following console items:

  • Organization structure, all accounts and OUs, and organizational policies

  • Memberships

  • All accounts and OUs

  • Organizational policies
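The registration described above, together with the read-only Organizations actions a delegated administrator receives, makes it easy to lose track of which member accounts hold administrative rights for which services. As an added example that is not part of the Amazon documentation, the following Python (boto3) script inventories delegated administrators and compares them against an allowlist, using only two of the read-only actions listed above, ListDelegatedAdministrators and ListDelegatedServicesForAccount, so it can run from the management account or from any delegated administrator account. The account IDs, sample API responses and the `EXPECTED` allowlist are constructed for illustration and are assumptions; the service principal names follow the usual `<service>.amazonaws.com` form.

```python
"""Inventory delegated administrators in an Amazon Organizations organization.

Added example, not code from the Amazon documentation. It relies only on the
read-only Organizations actions ListDelegatedAdministrators and
ListDelegatedServicesForAccount, which a delegated administrator account has.
"""
from typing import Callable, Dict, Iterable, Iterator, Set


def _paginate(call: Callable[..., dict], **kwargs) -> Iterator[dict]:
    """Walk NextToken pagination for an Organizations list call."""
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = call(**params)
        yield page
        token = page.get("NextToken")
        if not token:
            return


def collect_delegations(admin_pages: Iterable[dict],
                        services_by_account: Dict[str, Iterable[dict]]) -> Dict[str, Set[str]]:
    """Build {account_id: {service_principal, ...}} from API responses.

    admin_pages: pages returned by ListDelegatedAdministrators.
    services_by_account: account id -> pages returned by
        ListDelegatedServicesForAccount for that account.
    """
    delegations: Dict[str, Set[str]] = {}
    for page in admin_pages:
        for admin in page.get("DelegatedAdministrators", []):
            account_id = admin["Id"]
            principals: Set[str] = set()
            for svc_page in services_by_account.get(account_id, []):
                for svc in svc_page.get("DelegatedServices", []):
                    principals.add(svc["ServicePrincipal"])
            delegations[account_id] = principals
    return delegations


def find_unexpected(delegations: Dict[str, Set[str]],
                    expected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return delegations the allowlist does not cover.

    An account missing from `expected` is reported with every service it is
    delegated for; an allowlisted account is reported only with the extras.
    """
    unexpected: Dict[str, Set[str]] = {}
    for account_id, principals in delegations.items():
        if account_id not in expected:
            unexpected[account_id] = set(principals)
            continue
        extra = principals - expected[account_id]
        if extra:
            unexpected[account_id] = extra
    return unexpected


def audit(expected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Query the live organization and return unexpected delegations."""
    import boto3  # imported here so the pure logic above runs without it
    org = boto3.client("organizations")
    admin_pages = list(_paginate(org.list_delegated_administrators))
    services_by_account = {
        admin["Id"]: list(_paginate(org.list_delegated_services_for_account,
                                    AccountId=admin["Id"]))
        for page in admin_pages
        for admin in page.get("DelegatedAdministrators", [])
    }
    return find_unexpected(collect_delegations(admin_pages, services_by_account), expected)


# Constructed sample data (assumed account IDs and responses, not real output).
SAMPLE_ADMIN_PAGES = [
    {"DelegatedAdministrators": [{"Id": "111111111111", "Name": "security-tooling",
                                  "Status": "ACTIVE"}],
     "NextToken": "page2"},
    {"DelegatedAdministrators": [{"Id": "222222222222", "Name": "sandbox",
                                  "Status": "ACTIVE"}]},
]
SAMPLE_SERVICES = {
    "111111111111": [{"DelegatedServices": [
        {"ServicePrincipal": "guardduty.amazonaws.com"},
        {"ServicePrincipal": "securityhub.amazonaws.com"}]}],
    "222222222222": [{"DelegatedServices": [
        {"ServicePrincipal": "config.amazonaws.com"}]}],
}
# Assumed allowlist: only the security-tooling account, and only for GuardDuty.
EXPECTED = {"111111111111": {"guardduty.amazonaws.com"}}

if __name__ == "__main__":
    for account, services in sorted(audit(EXPECTED).items()):
        print(f"unexpected delegation: {account} -> {sorted(services)}")
```

Run it with credentials for the management account or a delegated administrator account; anything it prints is a delegation your allowlist does not sanction, which is the first thing to review when tightening the management account's footprint. Because the script never calls RegisterDelegatedAdministrator or DeregisterDelegatedAdministrator, it needs none of the write permissions reserved for the management account.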