Adding a delegated administrator
If you use AWS Organizations and want to enable multi-account support for AWS Audit Manager, you can designate a member account in your organization as the delegated administrator for Audit Manager.
If you want to use Audit Manager in more than one AWS Region, you must designate a delegated administrator account separately in each Region. In your Audit Manager settings, you should use the same delegated administrator account across all Regions.
Prerequisites
Take note of the following factors that define how the delegated administrator operates in Audit Manager:
- Your account must be part of an organization.
- Before you designate a delegated administrator, you must enable all features in your organization. You must also configure your organization's Security Hub settings. This way, Audit Manager can collect Security Hub evidence from your member accounts.
- The delegated administrator account must have access to the KMS key that you provided when setting up Audit Manager.
- You can't use your AWS Organizations management account as a delegated administrator in Audit Manager.
Procedure
You can add a delegated administrator using the Audit Manager console, the AWS Command Line Interface (AWS CLI), or the Audit Manager API.
Note
After you add a delegated administrator in your Audit Manager settings, your management account can no longer create additional assessments in Audit Manager. Additionally, evidence collection stops for any existing assessments created by the management account. Audit Manager collects and attaches evidence to the delegated administrator account, which is the main account for managing your organization's assessments.
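The AWS CLI path, as an added example that is not part of this documentation: a script that checks the prerequisites listed above in a pure function, then registers the account with the `aws organizations` and `aws auditmanager` commands. The function names are my own, the account IDs in the test are constructed placeholders, and it assumes AWS CLI v2 with management-account credentials and the target Region already selected.

```bash
#!/usr/bin/env bash
# Added example, not part of the AWS documentation: preflight the prerequisites
# listed on this page, then register the delegated administrator with the AWS CLI.
# Assumes AWS CLI v2 with credentials for the Organizations management account and
# the target Region selected (AWS_REGION); rerun once per Region with the same account.
set -eu

# Pure precondition check (no AWS calls, so it can be exercised offline).
# Args: candidate account id, management account id, organization FeatureSet.
# Prints "ok" or the reason the candidate is rejected.
check_candidate() {
  candidate="$1"; mgmt="$2"; features="$3"
  case "$candidate" in
    *[!0-9]*|"") echo "invalid: account id must be 12 digits"; return 0 ;;
  esac
  if [ "${#candidate}" -ne 12 ]; then
    echo "invalid: account id must be 12 digits"; return 0
  fi
  if [ "$candidate" = "$mgmt" ]; then
    echo "refused: the management account cannot be the delegated administrator"; return 0
  fi
  if [ "$features" != "ALL" ]; then
    echo "refused: enable all features in the organization first (FeatureSet=$features)"; return 0
  fi
  echo ok
}

# Live path: gather the organization facts, validate, register, then verify.
# KMS key access and Security Hub configuration are not checked here; confirm them manually.
register_delegated_admin() {
  candidate="$1"
  mgmt=$(aws organizations describe-organization --query 'Organization.MasterAccountId' --output text)
  features=$(aws organizations describe-organization --query 'Organization.FeatureSet' --output text)
  verdict=$(check_candidate "$candidate" "$mgmt" "$features")
  if [ "$verdict" != ok ]; then echo "$verdict" >&2; return 1; fi
  # Fails if the candidate is not a member of this organization.
  aws organizations describe-account --account-id "$candidate" >/dev/null
  # After this call the management account can no longer create assessments,
  # and evidence collection for its existing assessments stops.
  aws auditmanager register-organization-admin-account --admin-account-id "$candidate"
  aws auditmanager get-organization-admin-account --query 'adminAccountId' --output text
}

if [ "$#" -gt 0 ]; then register_delegated_admin "$1"; fi
```

Run it as `./register-admin.sh 111122223333` with the management account's credentials; the verification call at the end prints the registered admin account ID.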
Next steps
To change your delegated administrator account, see Changing a delegated administrator.
To remove your delegated administrator account, see Removing a delegated administrator.