Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Detective and Amazon Organizations

Amazon Detective uses your log data to generate visualizations that allow you to analyze, investigate, and identify the root cause of security findings or suspicious activity.

Using Amazon Organizations allows you to ensure that your Detective behavior graph provides visibility into the activity for all of your organization accounts.

When you grant trusted access to Detective, the Detective service can react automatically to changes in the organization membership. The delegated administrator can enable any organization account as a member account in the behavior graph. Detective also can automatically enable new organization accounts as member accounts. Organization accounts cannot disassociate themselves from the behavior graph.

For more information, see Using Amazon Detective in your organization in the Amazon Detective Administration Guide.

Use the following information to help you integrate Amazon Detective with Amazon Organizations.

Service-linked roles created when you enable integration

The following service-linked role is automatically created in your organization's management account when you enable trusted access. This role allows Detective to perform supported operations within your organization's accounts in your organization.

You can delete or modify this role only if you disable trusted access between Detective and Organizations, or if you remove the member account from the organization.

Service principals used by the service-linked roles

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Detective grant access to the following service principals:

To enable trusted access with Detective

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

You can enable trusted access using only the Organizations tools.

You can enable trusted access by using the Amazon Organizations console.

Amazon Web Services Management Console

To enable trusted service access using the Organizations console

1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

2. In the navigation pane, choose Services.

3. Choose Amazon Detective in the list of services.

4. Choose Enable trusted access.

5. In the Enable trusted access for Amazon Detective dialog box, type enable to confirm it, and then choose Enable trusted access.

6. If you are the administrator of only Amazon Organizations, tell the administrator of Amazon Detective that they can now enable that service using its console to work with Amazon Organizations.

To disable trusted access with Detective

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.

Only an administrator in the Amazon Organizations management account can disable trusted access with Amazon Detective.

You can disable trusted access using only the Organizations tools.

You can disable trusted access by using the Amazon Organizations console.

Amazon Web Services Management Console

To disable trusted service access using the Organizations console

1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

2. In the navigation pane, choose Services.

3. Choose Amazon Detective in the list of services.

4. Choose Disable trusted access.

5. In the Disable trusted access for Amazon Detective dialog box, type disable to confirm it, and then choose Disable trusted access.

6. If you are the administrator of only Amazon Organizations, tell the administrator of Amazon Detective that they can now disable that service using its console or tools from working with Amazon Organizations.

Enabling a delegated administrator account for Detective

The delegated administrator account for Detective is the administrator account for a Detective behavior graph. The delegated administrator determines which organization accounts to enable and disable as member accounts in that behavior graph. The delegated administrator can configure Detective to automatically enable new organization accounts as member accounts as they are added to the organization. For information on how a delegated administrator manages organization accounts, see Managing organization accounts as member accounts in the Amazon Detective Administration Guide.

Only an administrator in the organization management account can configure a delegated administrator for Detective.

You can specify a delegated administrator account from the Detective console or API, or by using the Organizations CLI or SDK operation.

To configure a delegated administrator using the Detective console or API, see Designating a Detective administrator account for an organization in the Amazon Detective Administration Guide.

Amazon CLI, Amazon API

If you want to configure a delegated administrator account using the Amazon CLI or one of the Amazon SDKs, you can use the following commands:

• Amazon CLI:

  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal detective.amazonaws.com

• Amazon SDK: Call the Organizations RegisterDelegatedAdministrator operation and the member account's ID number and identify the account service principal account.amazonaws.com as parameters.

Disabling a delegated administrator for Detective

You can remove the delegated administrator using either the Detective console or API, or by using the Organizations DeregisterDelegatedAdministrator CLI or SDK operation. For information on how to remove a delegated administrator using the Detective console or API, or the Organizations API, see Designating a Detective administrator account for an organization in the Amazon Detective Administration Guide.