
Step 2: Create an Amazon Firewall Manager default administrator account

This procedure uses the account and organization that you chose and configured in the preceding step.

Only the organization's management account can create Firewall Manager default administrator accounts. The first administrator account that you create is the default administrator account. The default administrator account can manage third-party firewalls and has full administrative scope. When you set the default administrator account, Firewall Manager automatically sets it as an Amazon Organizations delegated administrator for Firewall Manager. This allows Firewall Manager to access information about the organizational units (OUs) in the organization. You can use OUs to specify the scope of your Firewall Manager policies. For more information about setting policy scope, see the guidance for the individual policy types under Creating an Amazon Firewall Manager policy. For more information about Organizations and management accounts, see Managing the Amazon Accounts in Your Organization.

Required settings for the organization's management account

The organization's management account must have the following settings in order to onboard the organization to Firewall Manager and create a default administrator:

  • It must be a member of the organization in Amazon Organizations where you want to apply your Firewall Manager policies.

To set the default administrator account
  1. Sign in to the Firewall Manager Amazon Web Services Management Console using an existing Amazon Organizations management account.

  2. Open the Firewall Manager console at

  3. In the navigation pane, choose Settings.

  4. Type the Amazon account ID of the account that you've chosen to use as the Firewall Manager administrator.


    The default administrator has full administrative scope. Full administrative scope means that this account can apply policies to all accounts and organizational units (OUs) within the organization, take actions in all Regions, and manage all Firewall Manager policy types.

  5. Choose Create administrator account to create the account.

For more information about managing the Firewall Manager administrator account, see Working with Amazon Firewall Manager administrators.
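
The same procedure can be scripted with the AWS CLI. The following is an added example, not part of the original documentation: it refuses to run unless the caller is the organization's management account, sets the default administrator, and reads the result back. It assumes the AWS CLI is installed and configured with management-account credentials; the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: CLI equivalent of the console steps above, with preflight checks.
# Assumption: AWS CLI configured with credentials for the management account.

# Return 0 only for a well-formed 12-digit account ID.
is_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Return 0 only when the calling account is the organization's management account.
caller_is_management_account() {
  local caller mgmt
  caller=$(aws sts get-caller-identity --query Account --output text) || return 1
  mgmt=$(aws organizations describe-organization \
    --query Organization.MasterAccountId --output text) || return 1
  [ "$caller" = "$mgmt" ]
}

# Set the Firewall Manager default administrator and print what was recorded.
set_default_admin() {
  local admin_id
  admin_id=$1
  is_account_id "$admin_id" || {
    echo "invalid account ID: $admin_id" >&2; return 2; }
  caller_is_management_account || {
    echo "run this from the organization's management account" >&2; return 3; }
  # The default administrator gets full administrative scope (all accounts,
  # OUs, Regions and policy types), so review the ID before running this.
  aws fms associate-admin-account --admin-account "$admin_id" || return 4
  aws fms get-admin-account --query '[AdminAccount,RoleStatus]' --output text
}

# Run only when an account ID is passed on the command line.
if [ "$#" -gt 0 ]; then
  set_default_admin "$1"
fi
```

Invoke the script with the chosen account ID as its only argument; with no argument it only defines the functions.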