Configuring a delegated administrator for Explorer
If you aggregate Amazon Systems Manager Explorer data from multiple Amazon Web Services Regions and accounts by using resource data sync with Amazon Organizations, we recommend that you configure a delegated administrator for Explorer. A delegated administrator improves Explorer security in the following ways:
- It limits the set of Explorer administrators who can create or delete multi-account and multi-Region resource data syncs to a single Amazon Web Services account.
- You no longer need to sign in to the Amazon Organizations management account to administer resource data syncs in Explorer, so day-to-day Explorer administration doesn't require management account credentials.
A delegated administrator can call the following Explorer resource data sync API operations from the console or programmatically with the SDK, the Amazon Command Line Interface (Amazon CLI), or Amazon Tools for Windows PowerShell: CreateResourceDataSync, DeleteResourceDataSync, ListResourceDataSync, and UpdateResourceDataSync.
A delegated administrator can search, filter, and aggregate Explorer data from the console or by using programmatic tools such as the SDK, the Amazon CLI, or Amazon Tools for Windows PowerShell. Search, filter, and data aggregation use the GetOpsSummary API operation.
A delegated administrator can create a maximum of five resource data syncs for either an entire organization or a subset of organizational units. Resource data syncs created by a delegated administrator are only available in the delegated administrator account. You can't view the syncs or the aggregated data in the Amazon Organizations management account.
Note
You can't use a delegated administrator account to create a resource data sync in opt-in Amazon Web Services Regions. You must use an Amazon Organizations management account.
For more information about resource data sync, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions. For more information about Amazon Organizations, see What is Amazon Organizations? in the Amazon Organizations User Guide.
Before you begin
The following list includes important information about Explorer delegated administration.
- You can delegate only one account for Explorer administration.
- The account ID that you specify as the Explorer delegated administrator must be a member account in Amazon Organizations. For more information, see Creating an Amazon Web Services account in your organization in the Amazon Organizations User Guide.
- A delegated administrator can use all Explorer resource data sync API operations from the console or programmatically with the SDK, the Amazon Command Line Interface (Amazon CLI), or Amazon Tools for Windows PowerShell. The resource data sync API operations are CreateResourceDataSync, DeleteResourceDataSync, ListResourceDataSync, and UpdateResourceDataSync.
- A delegated administrator can search, filter, and aggregate Explorer data from the console or programmatically with the SDK, the Amazon CLI, or Amazon Tools for Windows PowerShell. Search, filter, and data aggregation use the GetOpsSummary API operation.
- Resource data syncs created by a delegated administrator are available only in the delegated administrator account. You can't view those syncs or their aggregated data in the Amazon Organizations management account.
- A delegated administrator can create a maximum of five resource data syncs.
- A delegated administrator can create a resource data sync for either an entire organization in Amazon Organizations or a subset of its organizational units.
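The following is an added example, not code from the Systems Manager documentation, showing how a delegated administrator would create a multi-account, multi-Region resource data sync with the SDK (boto3) while enforcing the limits listed above: the five-sync maximum, the organization-or-OU scope, and the rule that opt-in Regions require the management account. The `create_resource_data_sync` and `list_resource_data_sync` calls are the real SDK operations; the helper names, the sample OU ID, and the opt-in Region list are this example's own assumptions (the Region list is an illustrative subset, not an authoritative one; check the current Region table before relying on it).

```python
"""Create an Explorer resource data sync from a delegated administrator account.

Added example; not code from the Systems Manager documentation. The boto3
calls are the real SDK operations. Helper names, the sample OU ID and the
opt-in Region list below are this example's own assumptions.
"""
import re

MAX_SYNCS_PER_DELEGATED_ADMIN = 5  # limit stated in the documentation

# Opt-in Regions: a delegated administrator account can't create a sync
# here; the management account must. Illustrative subset (assumption),
# not exhaustive. Verify against the current Region table.
OPT_IN_REGIONS = {
    "af-south-1", "ap-east-1", "ap-south-2", "ap-southeast-3",
    "ap-southeast-4", "eu-south-1", "eu-south-2", "eu-central-2",
    "me-south-1", "me-central-1", "il-central-1", "ca-west-1",
}

# Amazon Organizations OU ID format (ou-<root suffix>-<id>).
OU_ID = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")


def build_sync_source(source_regions, ou_ids=None, include_future_regions=False):
    """Return the SyncSource structure for CreateResourceDataSync.

    ou_ids=None scopes the sync to the entire organization; otherwise the
    sync covers only the listed organizational units.
    """
    if not source_regions:
        raise ValueError("at least one source Region is required")
    blocked = sorted(set(source_regions) & OPT_IN_REGIONS)
    if blocked:
        raise ValueError(f"opt-in Regions require the management account: {blocked}")
    if ou_ids is None:
        org_source = {"OrganizationSourceType": "EntireOrganization"}
    else:
        if not ou_ids:
            raise ValueError("ou_ids must be non-empty when given")
        for ou in ou_ids:
            if not OU_ID.match(ou):
                raise ValueError(f"not an organizational unit ID: {ou!r}")
        org_source = {
            "OrganizationSourceType": "OrganizationalUnits",
            "OrganizationalUnits": [{"OrganizationalUnitId": ou} for ou in ou_ids],
        }
    return {
        "SourceType": "AwsOrganizations",
        "AwsOrganizationsSource": org_source,
        "SourceRegions": list(source_regions),
        "IncludeFutureRegions": include_future_regions,
        "EnableAllOpsDataSources": True,  # pull every OpsData source into Explorer
    }


def check_sync_quota(existing_sync_names, new_sync_name):
    """Refuse a duplicate name or a sixth sync; return the resulting count."""
    if new_sync_name in existing_sync_names:
        raise ValueError(f"resource data sync {new_sync_name!r} already exists")
    if len(existing_sync_names) >= MAX_SYNCS_PER_DELEGATED_ADMIN:
        raise ValueError(
            f"delegated administrator already has {len(existing_sync_names)} syncs; "
            f"maximum is {MAX_SYNCS_PER_DELEGATED_ADMIN}"
        )
    return len(existing_sync_names) + 1


def list_existing_sync_names(ssm):
    """Page through ListResourceDataSync for SyncFromSource syncs."""
    names, token = [], None
    while True:
        kwargs = {"SyncType": "SyncFromSource"}
        if token:
            kwargs["NextToken"] = token
        resp = ssm.list_resource_data_sync(**kwargs)
        names.extend(item["SyncName"] for item in resp.get("ResourceDataSyncItems", []))
        token = resp.get("NextToken")
        if not token:
            return names


def create_org_sync(ssm, sync_name, source_regions, ou_ids=None):
    """Validate, then call CreateResourceDataSync with delegated admin credentials.

    `ssm` is a boto3 SSM client created with the delegated administrator's
    credentials; the sync is only visible in that account afterwards.
    """
    check_sync_quota(list_existing_sync_names(ssm), sync_name)
    source = build_sync_source(source_regions, ou_ids)
    ssm.create_resource_data_sync(
        SyncName=sync_name, SyncType="SyncFromSource", SyncSource=source
    )
    return source


if __name__ == "__main__":
    import boto3  # only needed for a live run

    client = boto3.client("ssm", region_name="us-east-1")
    # Hypothetical sync name and OU ID (assumptions for illustration).
    print(create_org_sync(client, "explorer-prod-ous",
                          ["us-east-1", "eu-west-1"], ["ou-ab12-cdef3456"]))
```

Run it with credentials for the delegated administrator account, not the management account; the validation runs before any API call, so a request that would fail the five-sync limit or target an opt-in Region is rejected locally.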