Configuring a delegated administrator - Amazon Systems Manager

Configuring a delegated administrator

If you aggregate Amazon Systems Manager Explorer data from multiple Amazon Web Services Regions and accounts by using resource data sync with Amazon Organizations, then we recommend that you configure a delegated administrator for Explorer.

A delegated administrator can use the following Explorer resource data sync APIs using the console, SDK, Amazon Command Line Interface (Amazon CLI), or Amazon Tools for Windows PowerShell:

A delegated administrator can create a maximum of five resource data syncs for either an entire organization or a subset of organizational units. Resource data syncs created by a delegated administrator are only available in the delegated administrator account. You can't view the syncs or the aggregated data in the Amazon Organizations management account.

For more information about resource data sync, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions. For more information about Amazon Organizations, see What is Amazon Organizations? in the Amazon Organizations User Guide.

Configure an Explorer delegated administrator

Use the following procedure to register an Explorer delegated administrator.

To register an Explorer delegated administrator
  1. Log in to your Amazon Organizations management account.

  2. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  3. In the navigation pane, choose Explorer.

  4. Choose Settings.

  5. In the Delegated administrator for Explorer section, verify that you have configured the required service-linked role and service access options. If necessary, choose the Create role and Enable access buttons to configure these options.

  6. For Account ID, enter the Amazon Web Services account ID. This account must be a member account in Amazon Organizations.

  7. Choose Register delegated administrator.

The delegated administrator now has access to the Include all accounts from my Amazon Organizations configuration and Select organization units in Amazon Organizations options on the Create resource data sync page.

Deregister an Explorer delegated administrator

Use the following procedure to deregister an Explorer delegated administrator. A delegated administrator account can only be deregistered by the Amazon Organizations management account. When a delegated administrator account is deregistered, the system deletes all Amazon Organizations resource data syncs created by the delegated administrator.

To deregister an Explorer delegated administrator
  1. Log in to your Amazon Organizations management account.

  2. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  3. In the navigation pane, choose Explorer.

  4. Choose Settings.

  5. In the Delegated administrator for Explorer section, choose Deregister. The system displays a warning.

  6. Enter the account ID and choose Remove.

The account no longer has access to the Amazon Organizations resource data sync API operations. The system deletes all Amazon Organizations resource data syncs created by the account.
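The following is an added example, not part of the original documentation: a pre-deregistration audit that flags unexpected delegated administrators and lists the organization resource data syncs that deregistration would delete. It assumes the response shapes of the Organizations `ListDelegatedAdministrators` and Systems Manager `ListResourceDataSync` operations and the `ssm.amazonaws.com` service principal; the account IDs, sync names, and the `audit_delegation` helper are constructed for illustration.

```python
# Added example. Inputs mirror what boto3 returns from:
#   organizations.list_delegated_administrators(ServicePrincipal="ssm.amazonaws.com")
#     (called from the management account; service principal is an assumption)
#   ssm.list_resource_data_sync(SyncType="SyncFromSource")
#     (called from the delegated administrator account, the only place its syncs are visible)
MAX_ORG_SYNCS = 5  # limit stated on this page

def audit_delegation(delegated, syncs, expected_admin):
    """Return (findings, org_syncs); org_syncs are deleted if the account is deregistered."""
    findings = []
    admin_ids = [a["Id"] for a in delegated.get("DelegatedAdministrators", [])]
    for account_id in admin_ids:
        if account_id != expected_admin:
            findings.append(f"{account_id}: unexpected delegated administrator")
    if expected_admin not in admin_ids:
        findings.append(f"{expected_admin}: expected delegated administrator not registered")

    org_syncs = []
    for item in syncs.get("ResourceDataSyncItems", []):
        source = item.get("SyncSource", {})
        # Single-account syncs are not tied to the delegation and are skipped.
        if source.get("SourceType") != "AwsOrganizations":
            continue
        scope = source.get("AwsOrganizationsSource", {}).get("OrganizationSourceType", "unknown")
        org_syncs.append((item["SyncName"], scope))
    if len(org_syncs) >= MAX_ORG_SYNCS:
        findings.append(f"{len(org_syncs)} organization syncs: at the limit of {MAX_ORG_SYNCS}")
    return findings, sorted(org_syncs)

# Constructed sample responses (trimmed to the fields the audit reads).
SAMPLE_DELEGATED = {"DelegatedAdministrators": [
    {"Id": "111111111111", "Name": "ops-visibility", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "sandbox", "Status": "ACTIVE"},
]}
SAMPLE_SYNCS = {"ResourceDataSyncItems": [
    {"SyncName": "org-wide", "SyncSource": {"SourceType": "AwsOrganizations",
        "AwsOrganizationsSource": {"OrganizationSourceType": "EntireOrganization"}}},
    {"SyncName": "prod-ous", "SyncSource": {"SourceType": "AwsOrganizations",
        "AwsOrganizationsSource": {"OrganizationSourceType": "OrganizationalUnits"}}},
    {"SyncName": "local-regions", "SyncSource": {"SourceType": "SingleAccountMultiRegions"}},
]}

if __name__ == "__main__":
    findings, org_syncs = audit_delegation(SAMPLE_DELEGATED, SAMPLE_SYNCS, "111111111111")
    for line in findings:
        print("FINDING:", line)
    for name, scope in org_syncs:
        print(f"would be deleted on deregistration: {name} ({scope})")
```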