Delegated Administrators

Delegated administrators enable you to designate specific member accounts in your AWS Organization to manage AWS services on behalf of the entire organization. This delegation model is essential for implementing centralized security, compliance, and monitoring capabilities while following AWS best practices for account separation.

What are Delegated Administrators?

Delegated administrators are member accounts that have been granted permissions to manage specific AWS services across all accounts in an organization. Instead of managing these services from the management account (which should have limited operational use), you delegate administrative responsibilities to dedicated accounts.

This approach provides several key benefits:

  • Separation of concerns: Management account remains focused on organizational governance
  • Specialized account roles: Dedicated accounts for security, logging, networking, etc.
  • Centralized service management: Single point of control for organization-wide services
  • Enhanced security: Reduced operational activity in the sensitive management account

Supported AWS Services

Many AWS services support delegated administration. Here are the most commonly used services in enterprise environments:

  • AWS Security Hub: Centralized security findings and compliance monitoring
  • Amazon GuardDuty: Threat detection and continuous monitoring
  • AWS Config: Configuration compliance and change tracking
  • Amazon Inspector: Vulnerability assessment and management
  • IAM Access Analyzer: Access analysis and external access detection
  • Amazon Macie: Data security and privacy monitoring

Service Delegation Patterns

Different AWS services require different delegation patterns based on their architecture:

Global Services

Some services need to be delegated only once per organization (typically in your primary region):

  • AWS Config: config.amazonaws.com
  • IAM Access Analyzer: access-analyzer.amazonaws.com

Regional Services

Other services need to be delegated in each region where you operate:

  • AWS Security Hub: securityhub.amazonaws.com
  • Amazon GuardDuty: guardduty.amazonaws.com
  • Amazon Inspector: inspector2.amazonaws.com
  • Amazon Macie: macie.amazonaws.com

Implementation with NTC Organizations

NTC Organizations provides a streamlined approach to managing delegated administrators across multiple regions:

Basic Configuration

# Define your delegated administrators
locals {
  # Services that need delegation only once (global services)
  global_delegated_administrators = [
    {
      service_principal = "config.amazonaws.com"
      admin_account_id  = "123456789012" # Security account ID
    },
    {
      service_principal = "access-analyzer.amazonaws.com"
      admin_account_id  = "123456789012" # Security account ID
    },
  ]

  # Services that need delegation in each region
  regional_delegated_administrators = [
    {
      service_principal = "securityhub.amazonaws.com"
      admin_account_id  = "123456789012" # Security account ID
    },
    {
      service_principal = "guardduty.amazonaws.com"
      admin_account_id  = "123456789012" # Security account ID
    },
    {
      service_principal = "inspector2.amazonaws.com"
      admin_account_id  = "123456789012" # Security account ID
    },
  ]
}

Multi-Region Deployment

Admin delegations can be configured in several regions by calling the ntc-organizations submodule regional-admin-delegations once per region, each call with its own provider alias. The primary region receives the global delegations as well; the other regions receive only the regional ones.

# Primary region - includes both global and regional delegations
module "ntc_delegated_admins_euc1" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/regional-admin-delegations?ref=X.X.X"

  # combine list of regional and global admin delegations
  delegated_administrators = concat(
    local.global_delegated_administrators,
    local.regional_delegated_administrators
  )

  providers = {
    aws = aws.eu_central_1 # Primary region
  }
}

# Secondary regions - only regional delegations
module "ntc_delegated_admins_euc2" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/regional-admin-delegations?ref=X.X.X"

  delegated_administrators = local.regional_delegated_administrators

  providers = {
    aws = aws.eu_central_2
  }
}

module "ntc_delegated_admins_use1" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations//modules/regional-admin-delegations?ref=X.X.X"

  delegated_administrators = local.regional_delegated_administrators

  providers = {
    aws = aws.us_east_1
  }
}

Prerequisites and Dependencies

Service-Linked Roles

Some services require their service-linked role to exist before delegation works properly. Enabling the corresponding service once creates any missing service-linked role automatically.

Service Access Principals

Before delegating administrators, ensure the required services are enabled in your organization:

module "ntc_organizations" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations?ref=X.X.X"

  # Enable services that will have delegated administrators
  service_access_principals = [
    "securityhub.amazonaws.com",
    "guardduty.amazonaws.com",
    "config.amazonaws.com",
    "access-analyzer.amazonaws.com",
    "inspector2.amazonaws.com",
    "ipam.amazonaws.com",
    "ram.amazonaws.com",
    # ... other services
  ]

  # ... other organization configuration
}

Best Practices

Account Design

  1. Dedicated accounts: Use dedicated accounts for different service categories (security, networking, logging)
  2. Consistent naming: Use consistent naming conventions for delegated administrator accounts
  3. Role separation: Don't mix operational workloads with administrative functions
  4. Access control: Implement strict access controls for delegated administrator accounts

Service Management

  1. Regional consistency: Ensure delegated administrators are configured consistently across regions
  2. Service grouping: Group related services under the same delegated administrator when appropriate
  3. Documentation: Maintain clear documentation of which services are delegated to which accounts
  4. Change management: Include delegation changes in your change management process

Security Considerations

  1. Least privilege: Grant only the minimum necessary permissions to delegated administrators
  2. Regular audits: Regularly audit delegated administrator configurations and permissions
  3. Monitoring: Implement comprehensive monitoring for all delegated administrator activities
  4. Incident response: Include delegated administrators in your incident response procedures

Troubleshooting

Common Issues

Delegation Fails

If delegation registration fails:

  • Verify the target account is a member of the organization
  • Ensure the service is enabled for organization use
  • Check that the service supports delegated administration
  • Verify you have the necessary permissions in the management account

Service Not Working After Delegation

If a service doesn't work properly after delegation:

  • Check that required service-linked roles exist
  • Verify IAM permissions in the delegated administrator account
  • Ensure the service is configured correctly in the delegated account
  • Check for any SCPs that might block the service

Regional Delegation Issues

If regional delegations are inconsistent:

  • Verify the service supports regional delegation
  • Check that all required regions are included in your deployment
  • Ensure provider configurations are correct for each region

Validation Commands

# Validate delegation status
aws organizations list-delegated-administrators

# Check specific service delegation
aws organizations list-delegated-administrators \
--service-principal guardduty.amazonaws.com

# Verify service access is enabled
aws organizations list-aws-service-access-for-organization

# Check account status
aws organizations describe-account --account-id <delegated-admin-account-id>
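The validation commands above report one service principal at a time. The following Python script is an added example (not part of NTC Organizations) that turns the global/regional split from the Terraform locals and the multi-region module calls into an expected delegation matrix, then diffs it against collected list-delegated-administrators output, so the inconsistent-regions case under Regional Delegation Issues shows up as a concrete list. It assumes one response dict per (region, service principal) pair, gathered with each regional provider or profile; the account IDs and regions are taken from the page's example, and the sample output (including the 999999999999 account) is constructed rather than fetched.

```python
"""Check delegated-administrator drift across regions (added example)."""
from typing import Dict, List, Set, Tuple

# Constructed to mirror the locals in the Terraform example above.
SECURITY_ACCOUNT = "123456789012"
GLOBAL_DELEGATIONS = {"config.amazonaws.com": SECURITY_ACCOUNT,
                      "access-analyzer.amazonaws.com": SECURITY_ACCOUNT}
REGIONAL_DELEGATIONS = {"securityhub.amazonaws.com": SECURITY_ACCOUNT,
                        "guardduty.amazonaws.com": SECURITY_ACCOUNT,
                        "inspector2.amazonaws.com": SECURITY_ACCOUNT}
PRIMARY_REGION = "eu-central-1"
REGIONS = ["eu-central-1", "eu-central-2", "us-east-1"]

Delegation = Tuple[str, str, str]  # (region, service_principal, account_id)


def expected_delegations() -> Set[Delegation]:
    """Global services once in the primary region, regional ones in every region."""
    expected = {(PRIMARY_REGION, svc, acct) for svc, acct in GLOBAL_DELEGATIONS.items()}
    for region in REGIONS:
        expected |= {(region, svc, acct) for svc, acct in REGIONAL_DELEGATIONS.items()}
    return expected


def observed_delegations(responses: Dict[Tuple[str, str], dict]) -> Set[Delegation]:
    """Flatten list-delegated-administrators output keyed by (region, service).
    Only ACTIVE accounts count, so a suspended admin is reported as missing."""
    found: Set[Delegation] = set()
    for (region, svc), resp in responses.items():
        for admin in resp.get("DelegatedAdministrators", []):
            if admin.get("Status") == "ACTIVE":
                found.add((region, svc, admin["Id"]))
    return found


def drift(responses: Dict[Tuple[str, str], dict]) -> Dict[str, List[Delegation]]:
    """Return delegations that are missing and delegations nobody declared."""
    want, have = expected_delegations(), observed_delegations(responses)
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}


def _resp(*ids: str) -> dict:
    """Build a response in the shape of `aws organizations list-delegated-administrators`."""
    return {"DelegatedAdministrators": [{"Id": i, "Status": "ACTIVE"} for i in ids]}


# Constructed sample: Inspector missing in us-east-1, unknown GuardDuty admin in eu-central-2.
SAMPLE = {(r, s): _resp(a) for r, s, a in expected_delegations()}
SAMPLE[("us-east-1", "inspector2.amazonaws.com")] = _resp()
SAMPLE[("eu-central-2", "guardduty.amazonaws.com")] = _resp("999999999999")
```

An unexpected entry is the more important finding: an account nobody declared as delegated administrator holds organization-wide control of that service and should be investigated, not just corrected.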

Conclusion

Delegated administrators are a fundamental component of a well-architected AWS multi-account environment. By properly implementing delegated administration through NTC Organizations, you can achieve centralized control of AWS services while maintaining proper account separation and security boundaries.

The key to success with delegated administrators is careful planning of your account architecture, consistent implementation across regions, and ongoing monitoring of delegation status and activities. With the right approach, delegated administrators enable powerful centralized management capabilities while adhering to AWS best practices for organizational security and governance.