Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Audit Manager and Amazon Organizations

Amazon Audit Manager helps you continuously audit your Amazon usage to simplify how you assess risk and compliance with regulations and industry standards. Audit Manager automates evidence collection to make it easier to assess if your policies, procedures, and activities are operating effectively. When it is time for an audit, Audit Manager helps you manage stakeholder reviews of your controls and helps you build audit-ready reports with much less manual effort.

When you integrate Audit Manager with Amazon Organizations, you can gather evidence from a broader source by including multiple Amazon Web Services accounts from your organization within the scope of your assessments.

For more information, see Enable Amazon Organizations in the Audit Manager User Guide.

Use the following information to help you integrate Amazon Audit Manager with Amazon Organizations.

Service-linked roles created when you enable integration

The following service-linked role is automatically created in your organization's management account when you enable trusted access. This role allows Audit Manager to perform supported operations within your organization's accounts in your organization.

You can delete or modify this role only if you disable trusted access between Audit Manager and Organizations, or if you remove the member account from the organization.

For more information about how Audit Manager uses this role, see Using service-linked roles in the Amazon Audit Manager Users Guide.

Service principals used by the service-linked roles

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Audit Manager grant access to the following service principals:

To enable trusted access with Audit Manager

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

Audit Manager requires trusted access to Amazon Organizations before you can designate a member account to be the delegated administrator for your organization.

You can enable trusted access using either the Amazon Audit Manager console or the Amazon Organizations console.

To enable trusted access using the Audit Manager console

For instructions about enabling trusted access, see Setting Up in the Amazon Audit Manager User Guide.

You can enable trusted access by running a Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

Amazon CLI, Amazon API

To enable trusted service access using the Organizations CLI/SDK

You can use the following Amazon CLI commands or API operations to enable trusted service access:

• Amazon CLI: enable-aws-service-access

  You can run the following command to enable Amazon Audit Manager as a trusted service with Organizations.

  $ aws organizations enable-aws-service-access \
      --service-principal auditmanager.amazonaws.com

  This command produces no output when successful.

• Amazon API: EnableAWSServiceAccess

To disable trusted access with Audit Manager

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.

Only an administrator in the Amazon Organizations management account can disable trusted access with Amazon Audit Manager.

You can disable trusted access using only the Organizations tools.

You can disable trusted access by running a Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

Amazon CLI, Amazon API

To disable trusted service access using the Organizations CLI/SDK

You can use the following Amazon CLI commands or API operations to disable trusted service access:

• Amazon CLI: disable-aws-service-access

  You can run the following command to disable Amazon Audit Manager as a trusted service with Organizations.

  $ aws organizations disable-aws-service-access \
      --service-principal auditmanager.amazonaws.com

  This command produces no output when successful.

• Amazon API: DisableAWSServiceAccess

Enabling a delegated administrator account for Audit Manager

When you designate a member account to be a delegated administrator for the organization, users and roles from that account can perform administrative actions for Audit Manager that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Audit Manager.

For instruction about enabling a delegated administrator account for Audit Manager, see Setting Up in the Amazon Audit Manager User Guide.

If you configure a delegated administrator using the Amazon Audit Manager console, then Audit Manager automatically enables trusted access for you.

Amazon CLI, Amazon API

If you want to configure a delegated administrator account using the Amazon CLI or one of the Amazon SDKs, you can use the following commands:

• Amazon CLI:

  $  aws audit-manager register-account \
      --delegated-admin-account 123456789012

• Amazon SDK: Call the RegisterAccount operation and provide delegatedAdminAccount as a parameter to delegate the administrator account.