How to register delegated admin account for AWS Config

May 19, 2020


AWS Config

AWS Config Rules allow you to evaluate resource configurations against best practices and perform remediation when a resource does not comply with the specified configuration policy. You can use an AWS Config conformance pack to bundle a collection of AWS Config rules and remediation actions into a single package, which can then be deployed across the whole AWS Organization. This gives us a centralised way to deploy and manage configuration rules.

This new feature supports deploying Config Rules and conformance packs from a non-master account in AWS Organizations. Previously, conformance packs could be deployed only from the AWS Organizations primary (master) account.

The steps below register a delegated admin account for AWS Config administration:

  1. Enable AWS Config service access to AWS Organizations

Run this command from the master account in your organization:

aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com

  2. Register a delegated admin account

Identify the member account in the Organization that will act as the delegated admin and copy its Account ID from the Organizations dashboard. From the master account, register it as a delegated admin by running the CLI command below, replacing the placeholder with your delegated admin account's ID.

aws organizations register-delegated-administrator --service-principal=config-multiaccountsetup.amazonaws.com --account-id="{Admin-Account-ID}"

Confirm that the delegated admin registered successfully by running the following command from the master account:

aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com
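As an added example (not part of the original post), the three steps above can be wrapped into a small script that validates the account ID before it is sent to the API, skips steps that were already completed on a previous run, and finishes with the same list-delegated-administrators check to confirm the registration actually took effect. It assumes the AWS CLI v2 is installed and that the shell's credentials belong to the organization's master (management) account; the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Registers a member account as
# the delegated administrator for AWS Config and verifies the result.
# Assumes: AWS CLI v2 on PATH, credentials for the Organizations master account.
set -eu

CONFIG_PRINCIPAL="config-multiaccountsetup.amazonaws.com"

# AWS account IDs are exactly 12 digits; reject anything else before calling the API.
is_valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# True if AWS Config's multi-account service principal is already trusted by the org.
service_access_enabled() {
  aws organizations list-aws-service-access-for-organization \
    --query "EnabledServicePrincipals[?ServicePrincipal=='$CONFIG_PRINCIPAL'].ServicePrincipal" \
    --output text | grep -q "$CONFIG_PRINCIPAL"
}

# True if the given account is currently listed as delegated admin for AWS Config.
is_delegated_admin() {
  aws organizations list-delegated-administrators \
    --service-principal "$CONFIG_PRINCIPAL" \
    --query "DelegatedAdministrators[?Id=='$1'].Id" \
    --output text | grep -q "^$1\$"
}

# Step 1 + step 2 + verification, safe to re-run.
register_config_delegated_admin() {
  account_id="$1"
  is_valid_account_id "$account_id" || {
    echo "refusing to register '$account_id': not a 12-digit AWS account ID" >&2
    return 1
  }

  if service_access_enabled; then
    echo "service access for $CONFIG_PRINCIPAL already enabled"
  else
    aws organizations enable-aws-service-access --service-principal "$CONFIG_PRINCIPAL"
  fi

  if is_delegated_admin "$account_id"; then
    echo "$account_id is already registered as delegated admin"
  else
    aws organizations register-delegated-administrator \
      --service-principal "$CONFIG_PRINCIPAL" --account-id "$account_id"
  fi

  # Never trust the register call alone: read the registration back.
  is_delegated_admin "$account_id" || {
    echo "verification failed: $account_id is not listed as delegated admin" >&2
    return 1
  }
  echo "$account_id is the delegated administrator for AWS Config"
}

# Usage: ./register-config-admin.sh 123456789012
if [ "$#" -gt 0 ]; then
  register_config_delegated_admin "$1"
fi
```

Run it once with the delegated admin account ID as the only argument; running it a second time reports that both steps are already in place rather than failing on an account that is already registered.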