Detections
Analytics
2.1.5 Ensure delegated admin manages AWS Organizations policies
Information
Ensure that a dedicated member account is configured as a delegated administrator for AWS Organizations to manage organization policies (SCPs, RCPs, tag policies, backup policies, AI opt-out policies) and other Organizations features, instead of performing these tasks directly from the management account. The delegated administrator for AWS Organizations is configured via a resource-based delegation policy in the management account, which grants specific member accounts limited permissions to perform Organizations policy and account management actions across the organization. This allows policy management, OU operations, and other governance tasks to be handled from purpose-built accounts without requiring broad access to the management account.The management account has unique and high privileges to manage AWS Organizations (for example, creating/deleting accounts, managing org structures) and is not subject to guardrails like SCPs. Without a delegated administrator for Organizations, all policy management, OU changes, and account governance must be performed directly from the management account. This results in concentrating operational activity in the most powerful account. Configuring a dedicated member account as a delegated administrator for Organizations policy management distributes these tasks to a purpose-built AWS account that can be protected by SCPs and other controls, reduces the number of users and roles that need management-account access, and supports separation of duties while maintaining centralized control over organization-wide features.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
-Identify a dedicated member account for governance/policy management (for example, create a new "Policy Management" account or use an existing Security account)
-
You must be in the management account with permissions to manage Organizations resource policies. Navigate to AWS Organizations console, then click on Settings and browse to "Delegated administrator for AWS Organizations" section.
-
If no policy exists, click on Delegate. If a policy exists, choose Edit policy.
- In the policy editor, paste or construct a delegation policy statement mentioning the Principal as the AWS account Root which is being delegated access to, and the Actions with the list of least-privileged permissions that could be performed by the delegated AWS account.
- Save and validate the delegation policy.
- Sign in to the delegated administrator account and open the AWS Organizations console.
- Confirm that policy management (Policies, Attach/Detach, etc.) is accessible and that users/roles in this account can perform Organizations tasks without management-account access.
-
Grant IAM roles/users in the delegated admin account only the permissions needed for Organizations policy management.
-
Update procedures so that routine Organizations policy tasks are performed from the delegated account, reserving the management account for tasks that only it can perform
Impact:
Configuring a delegated administrator for AWS Organizations requires creating or identifying a dedicated member account for policy management and granting it specific permissions via a resource-based delegation policy. Existing workflows, automation, and user access patterns that currently perform Organizations policy tasks directly from the management account must be updated to use the delegated account instead. This introduces short-term operational overhead and testing to ensure policy creation, attachment, and management continue to function correctly from the new account.
See Also
Item Details
Audit Name: CIS Amazon Web Services Foundations v7.0.0 L2
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY
References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(2), 800-53|AC-6(5), 800-53|AC-6(7), 800-53|AU-9(4)
Plugin: amazon_aws
Control ID: 2bdcda73201cad1170c9bfe01232540ee83f8bc5fc51e7776ba11cec753a6565