

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Using AWS Firewall Manager administrators
<a name="fms-administrators"></a>

This page explains what Firewall Manager administrators are and defines related terms.

With AWS Firewall Manager you can have one or multiple administrators who can manage the firewall resources of your organization. If you want to use multiple Firewall Manager administrators in your organization, you can apply administrative scope conditions to each administrator to define the resources that they can manage. This gives you the flexibility to have different administrator roles within your organization, and helps you maintain the principle of least privilege. For example, you can have one administrator manage a set of organizational units (OUs) for your organization, while delegating another administrator to manage only specific Firewall Manager policy types. For more information about Organizations and management accounts, see [Managing the AWS Accounts in Your Organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html).

For the maximum number of administrators that you can have per organization, see [AWS Firewall Manager quotas](fms-limits.md).

**Getting started using Firewall Manager administrators**  
Before you begin using Firewall Manager administrators, you must complete the prerequisites listed in [AWS Firewall Manager prerequisites](fms-prereq.md). In the prerequisites, you'll onboard an AWS Organizations organization to Firewall Manager and create a default administrator account for Firewall Manager. A default administrator account has the ability to manage third-party firewalls and has full administrative scope.

**Administrative scope**  
*Administrative scope* defines the resources that the Firewall Manager administrator can manage. After an AWS Organizations management account onboards an organization to Firewall Manager, the management account can create additional Firewall Manager administrators with different administrative scopes. An AWS Organizations management account can grant the administrator either **full** or **restricted** administrative scope. Full scope gives the administrator full access to all of the resource types in the following list. Restricted scope grants administrative permission to only a subset of them. We recommend that you only grant administrators the permissions they need to perform the duties of their role. You can apply any combination of these administrative scope conditions to an administrator:
+ Accounts or OUs in your organization that the administrator can apply policies to.
+ Regions that the administrator can perform actions in.
+ Firewall Manager policy types that the administrator can manage.

**Administrator roles**  
There are two types of administrator roles in Firewall Manager: a default administrator, and Firewall Manager administrators.
+ Default administrator - The organization's management account creates a Firewall Manager *default administrator* account when they onboard their organization to Firewall Manager while completing the [AWS Firewall Manager prerequisites](fms-prereq.md). The default administrator can manage third-party firewalls and has full administrative scope, but is otherwise at the same peer level as other administrators, if you choose to have multiple administrators.
+ Firewall Manager administrators - A Firewall Manager administrator can manage the resources that the AWS Organizations management account designates for them in their administrative scope configuration. For the maximum number of administrators that you can have per organization, see [AWS Firewall Manager quotas](fms-limits.md). Upon creation of a Firewall Manager administrator account, the service checks with AWS Organizations to see if the account is already a delegated administrator for Firewall Manager within the organization. If not, then Firewall Manager calls Organizations to set the account as a delegated administrator for Firewall Manager. For information about Organizations delegated administrators, see [AWS Organizations terminology and concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) in the *AWS Organizations User Guide*.

**Existing administrators**  
If you are an existing Firewall Manager customer and have already set an administrator, then this existing administrator will be the Firewall Manager default administrator. There should be no impact on your existing flow. If you wish to add more administrators, you can do so by following the procedures in this chapter.

# Creating a Firewall Manager administrator account
<a name="fms-creating-administrators"></a>

The following procedure describes how to create a Firewall Manager administrator account using the Firewall Manager console.

**Note**  
Only an organization's management account can create Firewall Manager administrator accounts.

**To create a Firewall Manager administrator account**

1. Sign in to the Firewall Manager AWS Management Console using an existing AWS Organizations management account. 

1. Open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). 

1. In the navigation pane, choose **Settings**.

1. Choose **Create administrator account**.

1. In the **Details** pane, for **AWS account ID** type the AWS ID of a member account that you'd like to add as a Firewall Manager administrator.

1. For **Administrative scope**, choose one of the following options:
   + **Full** – This grants the administrator the ability to apply policies to all accounts and organizational units (OUs) within the organization, take actions in all Regions, and apply all Firewall Manager policy types, except for third-party firewalls. Only the default administrator can create and manage third-party firewalls. Take caution if granting this level of permissions to the administrator. In the spirit of least privilege, we recommend only granting the administrator the permissions they need to perform the duties of their role.
   + **Restricted** – If applying a **Restricted** scope, then in **Configure administrative scope** configure the accounts and organizational units, Regions, and policy types that the account can manage.

     For **Accounts and organizational units**, choose the options as follows:
     + If you want to apply policies to all accounts or organizational units in your organization, choose **Include all accounts under my AWS organization**. 
     + If you want to apply policies only to specific accounts or accounts that are in specific AWS Organizations organizational units (OUs), choose **Include only the specified accounts and organizational units**, and then add the accounts and OUs that you want to include. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time. 
     + If you want to apply policies to all but a specific set of accounts or AWS Organizations organizational units (OUs), choose **Exclude the specified accounts and organizational units, and include all others**, and then add the accounts and OUs that you want to exclude. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time. 

     For **Regions**, choose the options as follows:
     + If you want to allow the administrator to perform actions in all available Regions, choose **Include all Regions**. 
     + If you want the administrator to perform actions only in specific Regions, choose **Include only the specified Regions**, and then specify the Regions that you want to include. 
**Note**  
To include a Region that is disabled by default, you must enable the Region for both the AWS Organizations organization management account and the default administration account. For information about enabling Regions for an account, see [Enable a Region](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable) in the *Amazon Web Services General Reference*.

     For **Policy types**, choose the options as follows:
     + If you want to allow the administrator to manage all policy types, choose **Include all policy types**. 
     + If you want the administrator to manage only specific policy types, choose **Include only the specified policy types**, and then specify the policy types that you want to include. 

1. Choose **Create administrator account** to create the administrator account. Upon creation, Firewall Manager calls AWS Organizations to see if the administrator is already a delegated administrator for your organization. If not, Firewall Manager will designate the account as a delegated administrator. For information about delegated administrators in Organizations see [AWS Organizations terminology and concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) in the *AWS Organizations User Guide*.

If you apply **Restricted** administrative scope, Firewall Manager automatically evaluates any new resources against your settings. For example, if you include only specific accounts, Firewall Manager doesn't apply the policy to any new accounts. As another example, if you include an OU, when you add an account to the OU or to any of its child OUs, Firewall Manager automatically includes the account within the administrative scope.
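The following is an added example, not code from the AWS documentation, that models how the **Restricted** scope options above are evaluated: an OU covers all accounts in it and in its child OUs (including accounts added later), the exclude option inverts the account/OU match, and Region and policy type act as further filters. The OU tree, account IDs and the scope class are constructed for illustration; the policy type names are illustrative labels, and third-party firewall policies are treated as out of scope for any non-default administrator.

```python
from dataclasses import dataclass, field

# Constructed sample organization tree: OU (or root) -> child OUs and accounts.
ORG_TREE = {
    "r-root": ["ou-prod", "ou-dev", "111111111111"],
    "ou-prod": ["ou-prod-eu", "222222222222"],
    "ou-prod-eu": ["333333333333"],
    "ou-dev": ["444444444444"],
}


def accounts_under(ou, tree=ORG_TREE):
    """All accounts in an OU and recursively in any of its child OUs."""
    found = set()
    for child in tree.get(ou, []):
        if child.startswith(("ou-", "r-")):
            found |= accounts_under(child, tree)
        else:
            found.add(child)
    return found


@dataclass
class AdminScope:
    """Hypothetical model of a non-default administrator's scope settings."""
    all_accounts: bool = True            # "Include all accounts under my AWS organization"
    accounts: set = field(default_factory=set)
    ous: set = field(default_factory=set)
    exclude_specified: bool = False      # "Exclude the specified ... and include all others"
    all_regions: bool = True
    regions: set = field(default_factory=set)
    all_policy_types: bool = True
    policy_types: set = field(default_factory=set)

    def account_in_scope(self, account, tree=ORG_TREE):
        if self.all_accounts:
            return True
        specified = set(self.accounts)
        for ou in self.ous:
            specified |= accounts_under(ou, tree)   # child OUs count too
        matched = account in specified
        return not matched if self.exclude_specified else matched

    def can_manage(self, account, region, policy_type, tree=ORG_TREE):
        """True if this administrator may apply policy_type to account in region."""
        if policy_type == "THIRD_PARTY_FIREWALL":   # default administrator only
            return False
        return (self.account_in_scope(account, tree)
                and (self.all_regions or region in self.regions)
                and (self.all_policy_types or policy_type in self.policy_types))
```

Passing an updated tree to `can_manage` shows the automatic evaluation of new resources: an account added to an included OU later is in scope without any change to the administrator's settings.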

# Updating a Firewall Manager administrator account
<a name="fms-updating-administrators"></a>

The following procedure describes how to update a Firewall Manager administrator account using the Firewall Manager console.

**Note**  
To update an administrator's scope to include a Region that's disabled by default, you must enable the Region for both the AWS Organizations organization management account and the default administration account. For information about enabling Regions for an account, see [Enable a Region](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable) in the *Amazon Web Services General Reference*.  
Only an organization's management account can update Firewall Manager administrator accounts.

**To update an administrator account (console)**

1. Sign in to the Firewall Manager AWS Management Console using an existing AWS Organizations management account. 

1. Open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). 

1. In the navigation pane, choose **Settings**.

1. In the **Firewall Manager administrators** table, choose the account that you'd like to update.

1. Select **Edit** to change the details of the administrator's account. You can't change the **account ID**.

1. Choose **Save** to save your changes.

# Revoking a Firewall Manager administrator account
<a name="fms-deleting-administrators"></a>

The following procedure describes how to revoke a Firewall Manager administrator account. If you are the default administrator, before you can revoke your account all of the Firewall Manager administrator accounts within your organization must first revoke their own accounts. 

**Note**  
Only an individual Firewall Manager administrator can revoke their own administrator account.

**To revoke an administrator account (console)**

1. Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). For information about setting up a Firewall Manager administrator account, see [AWS Firewall Manager prerequisites](fms-prereq.md).

1. In the navigation pane, choose **Settings**.

1. In the **Administrator account** pane, select **Revoke administrator account** to revoke your account.
**Important**  
When you revoke administrator privileges from an administrator account, all Firewall Manager policies created by that account are deleted.

# Changing the default Firewall Manager administrator account
<a name="fms-change-administrator"></a>

The following procedure describes how to change the default Firewall Manager administrator account. 

You can designate only one account in an organization as the default Firewall Manager administrator account. The default administrator account follows the principle of first in, last out. To designate a different default administrator account, each individual administrator account must first revoke their own account. Then, the existing default administrator can revoke their own account, which will also offboard the organization from Firewall Manager. When an administrator revokes their account, all Firewall Manager policies created by that account are deleted. To designate a new default administrator account, you then must sign in to Firewall Manager with the AWS Organizations management account to designate a new administrator account. To change the default administrator account for an organization, perform the following procedure.

**To change the default administrator account**

1. Sign in to the Firewall Manager AWS Management Console using an existing AWS Organizations management account. 

1. Open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fmsv2](https://console.aws.amazon.com/wafv2/fmsv2). 

1. In the navigation pane, choose **Settings**.

1. Type the ID of the account that you've chosen to use as the Firewall Manager administrator. 
**Note**  
This account is given permission to create and manage Firewall Manager policies across all accounts within your organization.

1. Choose **Create administrator account**.

1. Type the AWS ID of the account that you've chosen to use as the Firewall Manager administrator. 
**Note**  
This account is given full administrative scope. Full administrative scope means that this account can apply policies to all accounts and organizational units (OUs) within the organization, take actions in all Regions, and manage all Firewall Manager policy types.

1. Choose **Create administrator account** to create the default administrator account.

# Disqualifying changes to a Firewall Manager administrator account
<a name="disqualified-admin-account"></a>

Some changes to an administrator account can disqualify it from remaining an administrator account. 

This section describes the changes that can disqualify an administrator account, and how AWS and Firewall Manager handle these changes. 

## Account removed from the organization in AWS Organizations
<a name="admin-account-not-in-org"></a>

If the AWS Firewall Manager administrator account is removed from the organization in AWS Organizations, it can no longer administer policies for the organization. Firewall Manager takes one of the following actions: 
+ **Account with no policies** – If the Firewall Manager administrator account has no Firewall Manager policies, Firewall Manager revokes the administrator account. 
+ **Account with Firewall Manager policies** – If the Firewall Manager administrator account has Firewall Manager policies, Firewall Manager sends an email to inform you of the situation and to provide options that you can take, with the help of your AWS sales account representative. 

## Account closed
<a name="closed-admin-account"></a>

If you close the account that you're using for the AWS Firewall Manager administrator, AWS and Firewall Manager handle the closure as follows: 
+ AWS revokes the account’s administrator access from Firewall Manager and Firewall Manager deactivates any policies that were managed by the administrator account. The protections that were provided by those policies are stopped across the organization. 
+ AWS retains the Firewall Manager policy data for the account for 90 days from the effective date of the administrator account closure. During this 90-day period, you can reopen the closed account. 
  + If you reopen the closed account during the 90-day period, AWS reassigns the account as the Firewall Manager administrator and recovers the Firewall Manager policy data for the account. 
  + Otherwise, at the end of the 90-day period, AWS permanently deletes all Firewall Manager policy data for the account.