

# Designating a delegated administrator account for Amazon Inspector
<a name="designating-admin"></a>

 The delegated administrator is an account that manages a service for an organization. This topic describes how to designate a delegated administrator for Amazon Inspector. 

## Considerations
<a name="delegated-admin-considerations"></a>

 Before designating a delegated administrator, note the following: 

**The delegated administrator can manage a maximum of 10,000 members.**  
 If you exceed 10,000 member accounts, you receive a notification through the AWS Health Dashboard and by email to the delegated administrator account.   
 When Amazon Inspector is enabled through AWS Organizations policies for organizations with more than 10,000 accounts (up to 50,000), the policy applies to all accounts, but only 10,000 of them are associated with the Amazon Inspector organization. The delegated administrator can view findings and account status for only those 10,000 accounts in the Amazon Inspector console. 

**The delegated administrator is Regional.**  
 Amazon Inspector is a Regional service. You must repeat the steps in the procedure in every AWS Region where you plan to use Amazon Inspector. 

**An organization can have only one delegated administrator.**  
 If you designate an account as the delegated administrator in one AWS Region, that account must be the delegated administrator in all other AWS Regions. 

**Changing a delegated administrator does not deactivate Amazon Inspector for member accounts.**  
 If you remove a delegated administrator, member accounts become standalone accounts and their scan settings aren't affected. 

**Your AWS Organization must have all features activated.**  
This is the default setting for AWS Organizations. If it's not activated, see [Activating all features in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html). 

**Organization policies take precedence over delegated administrator settings.**  
 If your organization uses AWS Organizations policies to enable Amazon Inspector, the policy settings determine which scan types are enabled. We recommend designating the delegated administrator before creating organization policies to ensure consistent governance. For more information, see [Organization policy governance model](admin-member-relationship.md#org-policy-overview). 

## Permissions required to designate a delegated administrator
<a name="delegated-admin-permissions"></a>

 You must have permission to activate Amazon Inspector and to designate an Amazon Inspector delegated administrator. Add the following statement to the end of your IAM policy to grant these permissions. For more information, see [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html). 

```
{
    "Sid": "PermissionsForInspectorAdmin",
    "Effect": "Allow",
    "Action": [
        "inspector2:EnableDelegatedAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
    ],
    "Resource": "*"
}
```

## Designating a delegated administrator for your AWS organization
<a name="delegated-admin-proc"></a>

 The following procedure describes how to designate a delegated administrator for your organization. Before you complete the procedure, make sure you are in the same organization as the member accounts you want the delegated administrator to manage. 

**Note**  
 You must use the AWS Organizations management account to complete this procedure. Only the AWS Organizations management account can designate a delegated administrator. The principal you use in that account needs the permissions described in [Permissions required to designate a delegated administrator](#delegated-admin-permissions). 

 When you activate Amazon Inspector for the first time, Amazon Inspector creates the service linked role `AWSServiceRoleForAmazonInspector` for the account. For information about how Amazon Inspector uses service-linked roles, see [Using service-linked roles for Amazon Inspector](using-service-linked-roles.md). 

------
#### [ Console ]

**To designate a delegated administrator for Amazon Inspector**

1.  Sign in to the AWS Organizations management account, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Use the AWS Region selector to specify the AWS Region where you want to designate the delegated administrator. 

1.  From the navigation pane, choose **General settings**. 

1.  Under **Delegated administrator**, enter the 12-digit ID of the AWS account you want to designate as the delegated administrator. 

1.  Choose **Delegate**, and then choose **Delegate** again. 

 When you designate a delegated administrator, [all scan types](https://docs.aws.amazon.com/inspector/latest/user/scanning-resources.html) are activated for the account by default. If you want to activate Amazon Inspector for the AWS Organizations management account, complete the following procedure. 

**To activate Amazon Inspector for the AWS Organizations management account**

1.  Sign in to the delegated administrator account, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  From the navigation pane, choose **Account management**. 

1.  Under **Accounts**, select the AWS Organizations management account, and then choose **Activate**. 

1.  Select which scan types you want to activate for the AWS Organizations management account, and then choose **Submit**. 

------
#### [ API ]

**Designate a delegated administrator using the API**
+  Run the [EnableDelegatedAdminAccount](https://docs.aws.amazon.com/inspector/v2/APIReference/API_EnableDelegatedAdminAccount.html) API operation using credentials for the AWS Organizations management account. You can also use the AWS Command Line Interface by running the following command, where `111122223333` is the 12-digit ID of the account that you want to make the delegated administrator: `aws inspector2 enable-delegated-admin-account --delegated-admin-account-id 111122223333`. 
**Note**  
 Make sure to specify the account ID of the account that you want to make an Amazon Inspector delegated administrator. 

------
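The same two-phase procedure driven from the AWS CLI across every Region where Amazon Inspector is used: designate the delegated administrator as the management account, then, as the delegated administrator, activate the management account and turn on auto-enable for future members. This is an added example, not code from the Amazon Inspector documentation or the AWS CLI project. The account IDs and the Region list are placeholders, the CLI invocations are the documented `aws inspector2` commands, and with the default `dry_run=True` the script only returns the commands it would run.

```python
"""Per-Region Amazon Inspector delegated-administrator setup via the AWS CLI.

Added example, not from the Amazon Inspector documentation. Assumes AWS CLI v2
is installed and that the calling shell holds management-account credentials
for phase 1 and delegated-administrator credentials for phase 2. The account
IDs and Regions below are placeholders.
"""
import re
import subprocess
from typing import List

ADMIN_ACCOUNT = "111122223333"         # placeholder: account to become delegated admin
MGMT_ACCOUNT = "444455556666"          # placeholder: the Organizations management account
REGIONS = ["us-east-1", "eu-west-1"]   # placeholder: every Region Inspector is used in
SCAN_TYPES = ["EC2", "ECR", "LAMBDA", "LAMBDA_CODE"]

# Maps the --resource-types values of `inspector2 enable` to the keys of
# --auto-enable in `inspector2 update-organization-configuration`.
AUTO_ENABLE_KEY = {"EC2": "ec2", "ECR": "ecr", "LAMBDA": "lambda", "LAMBDA_CODE": "lambdaCode"}


def is_valid_account_id(account_id: str) -> bool:
    """AWS account IDs are exactly 12 digits; an 11-digit typo is a common mistake."""
    return re.fullmatch(r"\d{12}", account_id) is not None


def validate_account_id(account_id: str) -> str:
    """Fail before any API call rather than let a malformed ID reach the service."""
    if not is_valid_account_id(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def designate_commands(admin: str, regions: List[str]) -> List[List[str]]:
    """Phase 1, run as the management account. The designation is Regional,
    but the same account must be delegated administrator in every Region."""
    admin = validate_account_id(admin)
    return [["aws", "inspector2", "enable-delegated-admin-account",
             "--delegated-admin-account-id", admin, "--region", region]
            for region in regions]


def activate_commands(mgmt: str, regions: List[str], scan_types: List[str]) -> List[List[str]]:
    """Phase 2, run as the delegated administrator. Activates the chosen scan
    types for the management account (which the designation does not activate)
    and turns on the same scan types for future member accounts."""
    mgmt = validate_account_id(mgmt)
    unknown = [s for s in scan_types if s not in AUTO_ENABLE_KEY]
    if unknown:
        raise ValueError(f"unknown scan types: {unknown}")
    # Emit every key explicitly so unselected scan types are set to false.
    auto_enable = ",".join(f"{key}=true" if name in scan_types else f"{key}=false"
                           for name, key in AUTO_ENABLE_KEY.items())
    commands = []
    for region in regions:
        commands.append(["aws", "inspector2", "enable", "--account-ids", mgmt,
                         "--resource-types", *scan_types, "--region", region])
        commands.append(["aws", "inspector2", "update-organization-configuration",
                         "--auto-enable", auto_enable, "--region", region])
    return commands


def run(commands: List[List[str]], dry_run: bool = True) -> List[List[str]]:
    """Print the commands (default) or execute them, stopping at the first failure."""
    for cmd in commands:
        if dry_run:
            print("DRY-RUN:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    run(designate_commands(ADMIN_ACCOUNT, REGIONS))
    run(activate_commands(MGMT_ACCOUNT, REGIONS, SCAN_TYPES))
```

Run phase 1 and phase 2 under different credentials; the `enable-delegated-admin-account` call is only accepted from the management account, while `enable` for the management account and `update-organization-configuration` are only accepted from the delegated administrator.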

# Activating Amazon Inspector scans for member accounts
<a name="adding-member-accounts"></a>

 You can activate Amazon Inspector for member accounts in your organization through multiple methods. The method you choose depends on your governance requirements and organizational structure. 

**AWS Organizations policies (Recommended for centralized governance)**  
 Use AWS Organizations policies to automatically enable Amazon Inspector across your organization with centralized control. This approach ensures consistent scanning coverage and automatically applies to new accounts. For detailed instructions, see the AWS Organizations documentation for creating Amazon Inspector policies. 

**Delegated administrator activation**  
 As the delegated administrator, you can manually activate Amazon Inspector for specific member accounts or all member accounts through the Amazon Inspector console or API. This approach provides flexibility when organization policies are not in use. 

**Member account self-activation**  
 Member accounts can activate Amazon Inspector for their own account when not restricted by organization policies. Once activated, the account becomes associated with the delegated administrator. 

## Activate scanning for member accounts
<a name="w2aac45c13c11b7"></a>

 The following procedures describe how to activate scanning for member accounts using the delegated administrator and member account methods. For information about Amazon Inspector scanning types, see [Automated scan types in Amazon Inspector](scanning-resources.md). 

**To automatically activate scanning for all member accounts**

1.  Sign in using the delegated administrator account credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Use the region selector to choose the AWS Region where you want to activate scanning for all member accounts. 

1.  From the navigation pane, choose **Account management**. The **Accounts** tab displays all member accounts associated with the AWS Organizations management account. 

1.  Under **Organization**, select the box next to **Account number**. Then choose **Activate** to select which scanning options you want to apply to member accounts. You can select the following scanning types: 
   +  Amazon EC2 scanning 
   +  Amazon ECR scanning 
   +  Lambda standard scanning 
   +  Lambda code scanning 

   1.  After you select your preferred scanning types, choose **Save**. 
**Note**  
 If you have multiple pages of accounts, you must repeat this step on each page. You can choose the gear icon to change the number of accounts displayed on each page. 

1.  Turn on the **Automatically activate Inspector for new member accounts** setting, and select which scanning options you want to apply to new member accounts added to your organization. You can select the following scanning types: 
   +  Amazon EC2 scanning 
   +  Amazon ECR scanning 
   +  Lambda standard scanning 
   +  Lambda code scanning 

   1.  After you select your preferred scanning types, choose **Activate**. 
**Note**  
 The **Automatically activate Inspector for new member accounts** setting activates Amazon Inspector for all future members of your organization.   
 If the number of member accounts is more than 5,000, this setting is automatically turned off. If the total number of member accounts decreases to less than 5,000, the setting is automatically reactivated. 

1.  (Recommended) Repeat each of these steps in each AWS Region where you want to activate scanning for member accounts. 

**To activate scanning for specific member accounts**

1.  Sign in using the delegated administrator account credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

 Use the region selector to choose the AWS Region where you want to activate scanning for the specific member accounts. 

1.  From the navigation pane, choose **Account management**. The **Accounts** tab displays all member accounts associated with the AWS Organizations management account. 

1.  Under **Organization**, select the box next to each member account number you want to activate scanning for. Then choose **Activate** to select which scanning options you want to apply to member accounts. You can select the following scanning types: 
   +  Amazon EC2 scanning 
   +  Amazon ECR scanning 
   +  Lambda standard scanning 
   +  Lambda code scanning 

   1.  After you select your preferred scanning types, choose **Save**. 
**Note**  
 If you have multiple pages of accounts, you must repeat this step on each page. You can choose the gear icon to change the number of accounts displayed on each page. 

1.  (Recommended) Repeat each of these steps in each AWS Region where you want to activate scanning for specific members. 

**To activate scanning as a member account**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

 Use the region selector to choose the AWS Region where you want to activate scanning for your account. 

1.  From the navigation pane, choose **Account management**. The **Accounts** tab displays all member accounts associated with the AWS Organizations management account. 

1.  Under **Organization**, select the box next to your account number. Then choose **Activate** to select which scanning options you want to apply. You can select the following scanning types: 
   +  Amazon EC2 scanning 
   +  Amazon ECR scanning 
   +  Lambda standard scanning 
   +  Lambda code scanning 

   1.  After you select your preferred scanning types, choose **Save**. 

1.  (Recommended) Repeat these steps in each Region where you want to activate scanning for your member account. 
**Note**  
 If your AWS Organizations management account has a delegated administrator account for Amazon Inspector, you can activate your account as a member account to view scan details. 

**Important**  
 If organization policies are managing Amazon Inspector enablement for your accounts, the delegated administrator and member accounts cannot modify policy-managed scan types using Amazon Inspector enablement/disablement APIs. API requests will fail with an error indicating the resource is managed by organization policy. You can still enable additional scan types not managed by the policy. 
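Because every setting on this page is Regional, the practical check after designating the delegated administrator and activating members is whether all Regions agree: the same delegated administrator everywhere (the single-administrator consideration above), auto-enable still on (it is switched off automatically past the member limit), and every expected member still associated. This is an added example, not code from the Amazon Inspector documentation. The per-Region snapshots are constructed inline in the shape of the `ListDelegatedAdminAccounts`, `DescribeOrganizationConfiguration` and `ListMembers` responses so that the check runs offline; in practice you would populate them with a boto3 `inspector2` client per Region.

```python
"""Cross-Region consistency check for an Amazon Inspector organization.

Added example, not from the Amazon Inspector documentation. Input is a
per-Region snapshot in the shape of the inspector2 ListDelegatedAdminAccounts,
DescribeOrganizationConfiguration and ListMembers responses. The snapshots
below are constructed so the check runs offline; in practice populate them
with boto3.client("inspector2", region_name=r).<operation>() per Region.
"""
from typing import Dict, List, Set, Tuple

SCAN_KEYS = ("ec2", "ecr", "lambda", "lambdaCode")
Finding = Tuple[str, str, str]  # (region, code, detail)

# Constructed snapshots. eu-west-1 deliberately shows drift: a different
# delegated administrator, Lambda code auto-enable off, the member limit
# reached, and one member whose relationship is REMOVED.
SNAPSHOTS: Dict[str, dict] = {
    "us-east-1": {
        "delegated": {"delegatedAdminAccounts": [
            {"accountId": "111122223333", "status": "ENABLED"}]},
        "org_config": {"autoEnable": {k: True for k in SCAN_KEYS},
                       "maxAccountLimitReached": False},
        "members": {"members": [
            {"accountId": "444455556666", "relationshipStatus": "ENABLED",
             "delegatedAdminAccountId": "111122223333"},
            {"accountId": "777788889999", "relationshipStatus": "ENABLED",
             "delegatedAdminAccountId": "111122223333"},
        ]},
    },
    "eu-west-1": {
        "delegated": {"delegatedAdminAccounts": [
            {"accountId": "999988887777", "status": "ENABLED"}]},
        "org_config": {"autoEnable": {"ec2": True, "ecr": True,
                                      "lambda": True, "lambdaCode": False},
                       "maxAccountLimitReached": True},
        "members": {"members": [
            {"accountId": "444455556666", "relationshipStatus": "ENABLED",
             "delegatedAdminAccountId": "999988887777"},
            {"accountId": "777788889999", "relationshipStatus": "REMOVED",
             "delegatedAdminAccountId": "999988887777"},
        ]},
    },
}


def check_region(region: str, snap: dict, expected_admin: str,
                 expected_members: Set[str]) -> List[Finding]:
    """Compare one Region's snapshot against the organization-wide expectation."""
    findings: List[Finding] = []

    # One delegated administrator, the same account in every Region.
    admins = [a["accountId"] for a in snap["delegated"].get("delegatedAdminAccounts", [])
              if a.get("status") == "ENABLED"]
    if not admins:
        findings.append((region, "NO_DELEGATED_ADMIN", ""))
    elif admins != [expected_admin]:
        findings.append((region, "DELEGATED_ADMIN_MISMATCH", ",".join(admins)))

    # Auto-enable for new members is switched off automatically past the limit,
    # so report both the switch and the limit flag.
    cfg = snap["org_config"]
    auto = cfg.get("autoEnable", {})
    off = [k for k in SCAN_KEYS if not auto.get(k, False)]
    if off:
        findings.append((region, "AUTO_ENABLE_OFF", ",".join(off)))
    if cfg.get("maxAccountLimitReached"):
        findings.append((region, "MEMBER_LIMIT_REACHED", ""))

    # Every expected member must be ENABLED under the expected administrator.
    members = {m["accountId"]: m for m in snap["members"].get("members", [])}
    for acct in sorted(expected_members):
        m = members.get(acct)
        if m is None:
            findings.append((region, "MEMBER_NOT_ASSOCIATED", f"{acct} not listed"))
        elif (m.get("relationshipStatus") != "ENABLED"
              or m.get("delegatedAdminAccountId") != expected_admin):
            findings.append((region, "MEMBER_NOT_ASSOCIATED",
                             f"{acct} status={m.get('relationshipStatus')} "
                             f"admin={m.get('delegatedAdminAccountId')}"))
    return findings


def check_all(snapshots: Dict[str, dict], expected_admin: str,
              expected_members: Set[str]) -> List[Finding]:
    """Run the Region check over every snapshot, Regions in sorted order."""
    findings: List[Finding] = []
    for region in sorted(snapshots):
        findings.extend(check_region(region, snapshots[region], expected_admin, expected_members))
    return findings


if __name__ == "__main__":
    for region, code, detail in check_all(SNAPSHOTS, "111122223333",
                                          {"444455556666", "777788889999"}):
        print(f"{region}: {code} {detail}".rstrip())
```

Feed the expected member set from `organizations list-accounts` (minus the delegated administrator itself) so the check also catches accounts that joined the organization but were never associated, for example after the auto-enable switch was turned off at the member limit.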

# Disassociating member accounts in Amazon Inspector
<a name="disassociating-member-accounts"></a>

 As the delegated administrator, you might need to disassociate a member account from your account. When you disassociate a member account, Amazon Inspector is still activated in the account, and the account becomes a standalone account. You also don't have permission to manage Amazon Inspector for the account anymore. However, you can associate previously disassociated member accounts with your account at any time. This section describes how to disassociate member accounts as the delegated administrator. 

**Note**  
 To disassociate a policy-managed account, the account must not have an Amazon Inspector organization policy attached for that scan type. 

------
#### [ Console ]

**To disassociate member accounts using the console**

1.  Sign in using the delegated administrator account credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Use the region selector to choose the AWS Region where you want to disassociate member accounts. 

1.  From the navigation pane, choose **Account management**. 

1.  Under **Organization**, select the box next to each account number you want to disassociate. 

1.  Choose the **Actions** menu, and then choose **Disassociate account**. 

------
#### [ API ]

**To disassociate member accounts using the API**

Run the [DisassociateMember](https://docs.aws.amazon.com/inspector/v2/APIReference/API_DisassociateMember.html) API operation. In the request, provide the account IDs you're disassociating.

------

# Removing the delegated administrator in Amazon Inspector
<a name="remove-delegated-admin"></a>

 You might need to remove the Amazon Inspector delegated administrator account. You can do this from the AWS Organizations management account. When you remove the Amazon Inspector delegated administrator account, Amazon Inspector is still activated in the account and in all of its member accounts. The delegated administrator account and all of its member accounts become standalone accounts and retain their original scan settings. 

**Note**  
 If AWS Organizations policies are managing Amazon Inspector enablement, removing the delegated administrator does not affect policy enforcement. Accounts will remain enabled according to the organization policy settings, though member account findings will no longer be visible in a central delegated administrator console until a new delegated administrator is designated. 

 This section describes how to remove the delegated administrator account. 

## Remove the Amazon Inspector delegated administrator
<a name="w2aac45c13c15b9"></a>

 The following procedures describe how to remove the Amazon Inspector delegated administrator and how to associate member accounts with a new delegated administrator. 

 For information about how to assign an Amazon Inspector delegated administrator, see [Designating a delegated administrator account for Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html). 

**Note**  
 After you designate a new Amazon Inspector delegated administrator, that account must associate member accounts manually. 

**To remove the delegated administrator**

1.  Sign in to the AWS Management Console using the AWS Organizations management account. 

1.  Open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Use the region selector to choose the AWS Region where you want to remove the delegated administrator. 

1.  From the navigation pane, choose **General settings**. 

1.  Under **Delegated administrator**, choose **Remove**, and then confirm your action. 

**To associate members with a new delegated administrator**

1.  Sign in using the delegated administrator account credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Use the region selector to choose the AWS Region where you want to associate members. 

1.  From the navigation pane, choose **Account management**. 

1.  Under **Organization**, select the box next to **Account number**. 

1.  Choose **Actions**, and then choose **Add member**. 