Information
Ensure that AWS services (such as AWS CloudTrail) which integrate with AWS Organizations and support delegated administration are managed through delegated administrator member accounts instead of directly from the Organizations management account. For each such service, the management account should enable trusted access and register a purpose-built member account as the delegated administrator, so that this account can perform service-level administration across all organization accounts.
The management account has unique and high privileges to manage AWS Organizations (for example, creating/deleting accounts, managing org structures) and is not subject to guardrails like SCPs. Without delegated administrators, organization-wide security, logging, and management services must be operated directly from the management account, concentrating operational activity and credentials in the most privileged account in the organization. Registering member accounts as delegated administrators for AWS services distributes service-specific administration to dedicated security, logging, or operations accounts that can be restricted by SCPs, monitored like other workload accounts, and aligned with team responsibilities, while reducing day-to-day use of the management account.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Note: This remediation section uses AWS CloudTrail as a concrete example. You must perform a similar procedure for every other AWS service in use in your environment that integrates with AWS Organizations and supports delegated administration.
- In the management account, verify that trusted access for CloudTrail is enabled in AWS Organizations (AWS Organizations -> Services).
- In the management account CloudTrail console, choose Settings in the left navigation pane and scroll to Organization delegated administrators.
- Click "Register administrator".
- Enter the account ID of the designated Logging or Security account.
- Click "Register administrator" to confirm. CloudTrail will automatically create the necessary service-linked roles and register the account.
- In the delegated administrator account, open the CloudTrail console and confirm that the organization trail is visible and administrative actions are accessible.
- Update operational runbooks so that routine CloudTrail administration is performed from the delegated administrator account, not the management account.
Impact:
Configuring a delegated administrator for AWS services that integrate with AWS Organizations requires creating or identifying a dedicated member account for policy management and granting it specific permissions. Existing workflows, automation, and user access patterns that currently perform tasks directly from the management account must be updated to use the delegated account instead. This introduces short-term operational overhead and testing effort to ensure that policy creation, attachment, and management continue to function correctly from the new account.