After an AWS Organizations organization is integrated and configured in Amazon Macie, the AWS Organizations management account can designate a different account as the delegated Macie administrator account for the organization. The new Macie administrator can then configure the organization in Macie again.
As a user of the AWS Organizations management account for an organization, verify that you meet the following permissions requirements before you designate a different Macie administrator account for your organization:
- You must have the same permissions that were required to initially designate a Macie administrator account for your organization. You must also be allowed to perform the AWS Organizations action organizations:DeregisterDelegatedAdministrator. This additional action allows you to remove the current designation.
- If your account is currently a Macie member account, the current Macie administrator must remove your account as a Macie member account. Otherwise, you won't be allowed to access the Macie operations for designating a different administrator account. After you designate a new administrator account, the new Macie administrator can add your account as a Macie member account again.
If your organization uses Macie in multiple AWS Regions, also ensure that you change the designation in each Region in which your organization uses Macie. The delegated Macie administrator account must be the same in all of those Regions. If you manage multiple organizations in AWS Organizations, also note that an account can be the delegated Macie administrator account for only one organization at a time. To learn about additional requirements, see Considerations for using Macie with AWS Organizations.
Note
When you designate a different Macie administrator account for your organization, you also disable access to existing statistical data, inventory data, and other information that Macie produced and directly provided while performing automated sensitive data discovery for accounts in the organization. The new Macie administrator can't access the existing data. If you change the designation and the new Macie administrator enables automated discovery for the accounts, Macie generates and maintains new data when it performs automated discovery for the accounts.
To change the designation of a Macie administrator account
To designate a different Macie administrator account for your organization, you can use the Amazon Macie console or a combination of the Amazon Macie and AWS Organizations APIs. Only a user of the AWS Organizations management account can change the designation for their organization.
Follow these steps to change the designation by using the Amazon Macie console.
To change the designation
1. Sign in to the AWS Management Console by using your AWS Organizations management account.
2. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
3. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to change the designation.
4. Do one of the following, depending on whether Macie is enabled for your management account in the current Region:
   - If Macie isn't enabled, choose Get started on the welcome page.
   - If Macie is enabled, choose Settings in the navigation pane.
5. Under Delegated administrator, choose Remove. To change the designation, you must first remove the current designation.
6. Confirm that you want to remove the current designation.
7. Under Delegated administrator, enter the 12-digit account ID for the AWS account to designate as the new Macie administrator account for the organization.
8. Choose Delegate.
Repeat the preceding steps in each additional Region in which you integrated Macie with AWS Organizations.
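The same change can be made with the AWS CLI instead of the console, using the Macie and AWS Organizations APIs mentioned above. The following script is an added example, not code from the Macie documentation. It runs from the management account, removes the current designation in every Region you list (macie2 disable-organization-admin-account), deregisters the old account once in AWS Organizations (the global organizations:DeregisterDelegatedAdministrator call from the permissions list), and then designates the new account in every Region (macie2 enable-organization-admin-account). The ordering of the three calls, the check that all Regions currently agree on one administrator, and the AWS_CLI variable (which only exists so the script can be exercised against a stub) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: rotate the delegated Macie administrator for an organization
# across several Regions. Run with management-account credentials.
# AWS_CLI is an assumption of this example: it lets a test swap in a stub.
AWS_CLI="${AWS_CLI:-aws}"

is_account_id() {
  # AWS account IDs are exactly 12 digits.
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

current_macie_admin() {
  # Prints the account ID currently designated in Region $1, or "None"
  # (what the CLI prints for a null field with --output text).
  $AWS_CLI macie2 list-organization-admin-accounts --region "$1" \
    --query 'adminAccounts[0].accountId' --output text
}

change_macie_admin() {
  new_admin="$1"; shift
  is_account_id "$new_admin" || { echo "invalid account ID: $new_admin" >&2; return 1; }
  [ "$#" -gt 0 ] || { echo "at least one Region is required" >&2; return 1; }

  old_admin=""
  todo=""
  for region in "$@"; do
    cur="$(current_macie_admin "$region")"
    if [ "$cur" = "$new_admin" ]; then
      echo "$region: $new_admin is already the delegated administrator" >&2
      continue
    fi
    todo="$todo $region"
    if [ "$cur" = "None" ] || [ -z "$cur" ]; then
      echo "$region: no delegated administrator; nothing to remove" >&2
      continue
    fi
    # The administrator must be the same in every Region; stop on drift
    # instead of deregistering an account that is still in use elsewhere.
    if [ -n "$old_admin" ] && [ "$old_admin" != "$cur" ]; then
      echo "$region has administrator $cur but another Region has $old_admin" >&2
      return 1
    fi
    old_admin="$cur"
    # Step 1: remove the current designation in this Region.
    $AWS_CLI macie2 disable-organization-admin-account \
      --region "$region" --admin-account-id "$cur"
  done

  # Step 2: AWS Organizations tracks delegated administrators globally,
  # so deregister the old account once (organizations:DeregisterDelegatedAdministrator).
  if [ -n "$old_admin" ]; then
    $AWS_CLI organizations deregister-delegated-administrator \
      --account-id "$old_admin" --service-principal macie.amazonaws.com
  fi

  # Step 3: designate the new account in every Region that still needs it.
  for region in $todo; do
    $AWS_CLI macie2 enable-organization-admin-account \
      --region "$region" --admin-account-id "$new_admin"
  done
}

# Usage: change_macie_admin 222222222222 us-east-1 eu-west-1
```

The script deliberately refuses to proceed when the listed Regions disagree about who the current administrator is, since deregistering an account in Organizations while it is still the Macie administrator in some Region would leave the organization half-migrated; resolve the drift in the console first and rerun.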