Register Delegated Administrator Account

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

Introduction

The Register Delegated Administrator Account solution is a common solution that registers a delegated administrator account (e.g. the Security Tooling account) from within the AWS Organizations management account, using the AWS Organizations APIs.


Deployed Resource Details

Architecture

1.0 Organization Management Account

1.1 AWS CloudFormation

  • All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account or a CloudFormation Stack within a specific account.
  • The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet.
  • For parameter details, review the AWS CloudFormation templates.

1.2 AWS Lambda Function

  • The Lambda function registers the delegated administrator account for the provided service principals.

1.3 Lambda CloudWatch Log Group

  • Contains the Lambda function execution logs.

1.4 Lambda Execution IAM Role

  • IAM role used by the Lambda function to enable AWS service access for the provided service and register an AWS account as the delegated administrator.

1.5 AWS Organizations

  • The AWS Organizations APIs are used to register the delegated administrator account.

2.0 Delegated Administrator Account (Audit)

2.1 Services Supported

  • The services that support a delegated administrator account can be configured and managed within this account.
  • Service Principal Mapping

    Service                         Service Principal
    AWS IAM Access Analyzer         access-analyzer.amazonaws.com
    AWS Audit Manager               auditmanager.amazonaws.com
    AWS CloudFormation StackSets    stacksets.cloudformation.amazonaws.com
    AWS Config                      config.amazonaws.com
    AWS Config Conformance Packs    config-multiaccountsetup.amazonaws.com
    Amazon Macie                    macie.amazonaws.com
    AWS Security Hub                securityhub.amazonaws.com
    Amazon S3 Storage Lens          storage-lens.s3.amazonaws.com

Implementation Instructions

Prerequisites

  1. Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
  2. Verify that the SRA Prerequisites Solution has been deployed.

Solution Deployment

Choose a Deployment Method:

AWS CloudFormation

In the management account (home region), launch the sra-common-register-delegated-administrator-ssm.yaml template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution. The Audit account is set as the delegated administrator account for all the associated SRA solutions.

    aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_register_delegated_administrator/templates/sra-common-register-delegated-administrator-ssm.yaml --stack-name sra-common-register-delegated-administrator-ssm --capabilities CAPABILITY_NAMED_IAM

Verify Solution Deployment

  • Verify the configuration using the following AWS CLI shell script

    # Export management account AWS credentials before running the below command
    for accountId in $(aws organizations list-delegated-administrators --query 'DelegatedAdministrators[*].Id' \
    --output text); do echo -e "$accountId\n Service Principals: " \
    $(aws organizations list-delegated-services-for-account --account-id $accountId \
    --query 'DelegatedServices[*].ServicePrincipal'); done
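  • The enable-then-register sequence performed by the Lambda function (section 1.2) and the verification loop above, as an added Python example that is not the SRA project's own code. It calls the real boto3 Organizations API names (enable_aws_service_access, register_delegated_administrator, list_delegated_services_for_account); `org` is assumed to be a boto3 Organizations client opened with management account credentials, and FakeOrganizations is a constructed in-memory stand-in so the module runs offline.

```python
# Added example, not the SRA project's Lambda code. `org` is a boto3
# Organizations client from the management account; FakeOrganizations is a
# constructed stand-in so the module runs offline.

# Service principals from the README's Service Principal Mapping table.
SERVICE_PRINCIPALS = (
    "access-analyzer.amazonaws.com", "auditmanager.amazonaws.com",
    "stacksets.cloudformation.amazonaws.com", "config.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com", "macie.amazonaws.com",
    "securityhub.amazonaws.com", "storage-lens.s3.amazonaws.com",
)

def register_delegated_admin(org, account_id, principals=SERVICE_PRINCIPALS):
    """Enable trusted access, then register account_id for each principal.
    Idempotent: an already-registered principal is reported, not fatal."""
    outcome = {}
    for sp in principals:
        # Trusted access must be on before a delegated admin can be registered.
        org.enable_aws_service_access(ServicePrincipal=sp)
        try:
            org.register_delegated_administrator(AccountId=account_id, ServicePrincipal=sp)
            outcome[sp] = "registered"
        except org.exceptions.AccountAlreadyRegisteredException:
            outcome[sp] = "already-registered"
    return outcome

def missing_delegations(org, account_id, expected=SERVICE_PRINCIPALS):
    """The README's CLI verification loop as a function: expected principals
    not yet delegated to account_id (real responses may page via NextToken)."""
    resp = org.list_delegated_services_for_account(AccountId=account_id)
    actual = {d["ServicePrincipal"] for d in resp["DelegatedServices"]}
    return set(expected) - actual

class FakeOrganizations:
    """Constructed in-memory stand-in for the boto3 Organizations client."""
    class exceptions:  # mirrors org.exceptions.AccountAlreadyRegisteredException
        class AccountAlreadyRegisteredException(Exception):
            pass
    def __init__(self):
        self.delegated = {}  # service principal -> set of delegated account ids
    def enable_aws_service_access(self, ServicePrincipal):
        pass  # trusted-access bookkeeping is not needed for the offline demo
    def register_delegated_administrator(self, AccountId, ServicePrincipal):
        if AccountId in self.delegated.get(ServicePrincipal, set()):
            raise self.exceptions.AccountAlreadyRegisteredException(ServicePrincipal)
        self.delegated.setdefault(ServicePrincipal, set()).add(AccountId)
    def list_delegated_services_for_account(self, AccountId):
        return {"DelegatedServices": [{"ServicePrincipal": sp} for sp, accts
                                      in self.delegated.items() if AccountId in accts]}
```

Running missing_delegations against the Audit account after deployment should return an empty set; any principal it returns is one the Lambda function did not manage to register.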

Solution Delete Instructions

  1. In the management account (home region), delete the AWS CloudFormation Stack created in the solution deployment.
  2. In the management account (home region), delete the AWS CloudWatch Log Group (e.g. /aws/lambda/<solution_name>) for the deployed Lambda function.
