AWS Delegated Administrator: Setup Guide
What Is AWS Delegated Administrator? #
AWS Organizations lets you group multiple AWS accounts under a single management structure. By default, most cross-account management tasks must run from the management account (sometimes called the root account). This creates a security bottleneck: every administrator who needs to manage GuardDuty findings, Config rules, or IAM Access Analyzer results needs access to the most privileged account in the organization.
AWS Delegated Administrator solves this by letting you register a member account to act as the administrator for a specific service. That member account can then manage the service across the entire organization without touching the management account. As of early 2026, 37 AWS services support delegated administration, up from roughly a dozen when the feature first launched.
This guide covers:
- Why delegation matters for security and operations
- The three methods for setting up delegated administration
- The full list of services that support delegation in 2026
- Step-by-step setup via CLI, Console, and Terraform
- IAM policies for managing delegated administrators
- Common patterns: security account, cost management, SSO delegation
- Troubleshooting common issues
- How to audit delegated administrators with the CloudQuery Platform
Why Should You Use Delegated Administrator? #
Before AWS released delegated administration, any action to manage Organizations, enable security services, or apply policies across accounts had to originate in the management account. AWS recommends limiting management account usage to tasks that can only be performed there. Here is why.
What Makes the Management Account a High-Value Target? #
The management account has several properties that make it uniquely dangerous if compromised:
- Unrestricted scope: Service Control Policies (SCPs) do not apply to the management account. Any IAM principal in the management account operates outside SCP restrictions.
- Default cross-account access: When you create a member account through Organizations, AWS creates an OrganizationAccountAccessRole with AdministratorAccess that the management account can assume. An attacker with sts:AssumeRole in the management account could gain admin access to every member account.
- Organization-wide controls: The management account can create, modify, and delete SCPs, Resource Control Policies (RCPs), and declarative policies that affect all member accounts.
- Reconnaissance capability: The management account can list all accounts, OUs, policies, and their relationships across the entire organization.
By delegating management to member accounts, you reduce the blast radius of a compromise and follow the AWS Security Reference Architecture guidance to limit management account usage.
What Delegated Administrator Cannot Do #
Some tasks still require the management account. This list is not exhaustive but covers the most common cases:
- Creating, closing, or moving accounts between OUs
- Inviting external accounts to join the organization
- Creating or deleting organizational units
- Enabling or disabling Organization policy types (SCPs, RCPs, tag policies, backup policies, declarative policies) unless explicitly delegated via resource-based delegation policy
- Managing the organization's root credentials via centralized root access management
What Are the Risks of Delegated Administrator Accounts? #
Delegation reduces risk from management account overuse, but introduces its own considerations:
- Overprivileged delegation: If a delegated administrator account also runs application workloads, a compromise of that workload could expose organization-wide service management. Use dedicated accounts for delegation, separate from workload accounts.
- SCP impact: Unlike the management account, delegated administrator accounts are subject to SCPs. A misconfigured SCP can block the delegated administrator from performing its duties.
- Service-specific limits: Some services allow only one delegated administrator at a time (e.g., IAM Identity Center). Others allow up to three (e.g., CloudTrail). Exceeding the limit requires deregistering the existing administrator first.
How Does Delegation Work? The Three Methods #
There are three ways to delegate organization management. They are not mutually exclusive and delegate different capabilities.
Method 1: Organizations RegisterDelegatedAdministrator API #
This is the most common method. You call organizations:RegisterDelegatedAdministrator from the management account, specifying the member account ID and the service principal. Before registering, most services require you to enable trusted access first:
# Step 1: Enable trusted access for the service
aws organizations enable-aws-service-access \
--service-principal access-analyzer.amazonaws.com \
--region us-east-1
# Step 2: Register the delegated administrator
aws organizations register-delegated-administrator \
--account-id 123456789012 \
--service-principal access-analyzer.amazonaws.com \
--region us-east-1
You can verify the registration:
# List all delegated administrators
aws organizations list-delegated-administrators
# List delegated administrators for a specific service
aws organizations list-delegated-administrators \
--service-principal access-analyzer.amazonaws.com
Method 2: Service-Specific APIs #
Some services have their own delegation APIs that call organizations:RegisterDelegatedAdministrator internally along with service-specific setup. These service-specific actions lack naming consistency - GuardDuty uses EnableOrganizationAdminAccount, CloudTrail uses RegisterOrganizationDelegatedAdmin, and Firewall Manager uses AssociateAdminAccount.
GuardDuty:
# Enable GuardDuty delegated admin (run from management account)
aws guardduty enable-organization-admin-account \
--admin-account-id 123456789012 \
--region us-east-1
Security Hub:
# Enable Security Hub delegated admin
aws securityhub enable-organization-admin-account \
--admin-account-id 123456789012 \
--region us-east-1
CloudTrail:
# Register CloudTrail delegated admin
aws cloudtrail register-organization-delegated-admin \
--member-account-id 123456789012
Method 3: Organization Resource-Based Delegation Policies #
Resource-based delegation policies, released in November 2022, allow you to delegate Organizations-level actions (not only service-specific management) to member accounts. This is the only method that can delegate policy management, resource tagging, and organizational read access.
You create these via organizations:PutResourcePolicy:
aws organizations put-resource-policy \
--content file://delegation-policy.json
The delegatable actions fall into three categories:
Policy Management: organizations:CreatePolicy, organizations:AttachPolicy, organizations:UpdatePolicy, organizations:DeletePolicy, organizations:DetachPolicy, organizations:EnablePolicyType, organizations:DisablePolicyType. Supported policy types include SERVICE_CONTROL_POLICY, BACKUP_POLICY, TAG_POLICY, and AISERVICES_OPT_OUT_POLICY.
Resource Tagging: organizations:TagResource and organizations:UntagResource for accounts, organization roots, OUs, and policies.
Organizational Read Access: A broad set of organizations:Describe* and organizations:List* actions for viewing accounts, OUs, policies, handshakes, and organization structure.
Delegation policy granting full read and policy management access:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegateOrgPolicyManagement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": [
"organizations:List*",
"organizations:Describe*",
"organizations:CreatePolicy",
"organizations:AttachPolicy",
"organizations:UpdatePolicy",
"organizations:DeletePolicy",
"organizations:DetachPolicy",
"organizations:EnablePolicyType",
"organizations:DisablePolicyType",
"organizations:TagResource",
"organizations:UntagResource",
"organizations:ListTargetsForPolicy"
],
"Resource": "*"
}
]
}
Which AWS Services Support Delegated Administrator in 2026? #
As of early 2026, 37 services support delegated administration. The lists below group them by method: services that only require organizations:RegisterDelegatedAdministrator versus services that have their own delegation APIs.
Services Using organizations #
These services are registered using the Organizations API with their service principal:
- Account Management - account.amazonaws.com
- Backup - backup.amazonaws.com
- CloudFormation StackSets - member.org.stacksets.cloudformation.amazonaws.com
- CloudWatch - cloudwatch.amazonaws.com
- Compute Optimizer - compute-optimizer.amazonaws.com
- Config - config.amazonaws.com
- Cost Optimization Hub - cost-optimization-hub.bcm.amazonaws.com
- DevOps Guru - devops-guru.amazonaws.com
- EC2 Capacity Manager - ec2-capacity-manager.amazonaws.com
- EKS - eks.amazonaws.com
- Health - health.amazonaws.com
- IAM - iam.amazonaws.com
- IAM Access Analyzer - access-analyzer.amazonaws.com
- IAM Identity Center - sso.amazonaws.com
- License Manager - license-manager.amazonaws.com
- Managed Services SSR - ams-ssr.amazonaws.com
- Marketplace Private Marketplace - aws-marketplace.amazonaws.com
- Marketplace Procurement Insights - aws-marketplace.amazonaws.com
- Network Manager - networkmanager.amazonaws.com
- Resource Explorer - resource-explorer-2.amazonaws.com
- S3 Storage Lens - storage-lens.s3.amazonaws.com
- Service Catalog - servicecatalog.amazonaws.com
- Systems Manager - ssm.amazonaws.com
- Trusted Advisor - reporting.trustedadvisor.amazonaws.com
- User Notifications - notifications.amazonaws.com
- VPC Reachability Analyzer - reachability-analyzer.amazonaws.com
Services With Service-Specific Delegation APIs #
These services have their own API actions that internally call organizations:RegisterDelegatedAdministrator along with service-specific configuration:
- Application Migration Service - mgn:SetupOrganizationAdminAccount
- Audit Manager - auditmanager:RegisterOrganizationAdminAccount
- CloudTrail - cloudtrail:RegisterOrganizationDelegatedAdmin
- Detective - detective:EnableOrganizationAdminAccount
- Firewall Manager - fms:AssociateAdminAccount
- GuardDuty - guardduty:EnableOrganizationAdminAccount
- Inspector - inspector2:EnableDelegatedAdminAccount
- Macie - macie2:EnableOrganizationAdminAccount
- Security Hub - securityhub:EnableOrganizationAdminAccount
- Security Incident Response - service-specific API
- Security Lake - securitylake:CreateDataLakeDelegatedAdmin
- VPC IPAM - ec2:EnableIpamOrganizationAdminAccount
What Are the Common Delegation Patterns? #
AWS recommends grouping delegation by functional account, rather than delegating everything to a single account. The AWS Security Reference Architecture outlines the following pattern:
Security Account #
Delegate security services to a dedicated security tooling account:
- Security Hub, GuardDuty, Inspector, Macie, Detective
- IAM Access Analyzer, Audit Manager
- Security Lake, Security Incident Response
- Firewall Manager
# Register the security account for multiple services
for principal in \
securityhub.amazonaws.com \
guardduty.amazonaws.com \
inspector2.amazonaws.com \
macie.amazonaws.com \
detective.amazonaws.com \
access-analyzer.amazonaws.com; do
aws organizations enable-aws-service-access \
--service-principal "$principal"
aws organizations register-delegated-administrator \
--account-id 111111111111 \
--service-principal "$principal"
done
Log Archive Account #
Delegate logging services to the log archive account:
- CloudTrail (organization trail management)
- AWS Config (organization-wide configuration rules and conformance packs)
Shared Services Account #
Delegate operational services to a shared services account:
- CloudFormation StackSets, Systems Manager, AWS Backup
- Service Catalog, License Manager
- IAM Identity Center (SSO)
Network Account #
Delegate network management:
- VPC IPAM, Network Manager, Reachability Analyzer, Firewall Manager
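To check that live registrations still match this functional grouping, here is an added Python drift check (example code, not CloudQuery's or AWS's own). It takes the responses of aws organizations list-delegated-administrators and list-delegated-services in the shape boto3 returns them, compares them against an expected account-to-principal map, and reports delegations that are missing, registered to the wrong account, or unplanned. The account IDs, account names and sample responses are constructed; fetch_live is the only part that talks to AWS and assumes a boto3 Organizations client passed in by the caller.

```python
"""Delegated-administrator drift check (added example, not CloudQuery/AWS code).

Flags three kinds of drift against the intended functional grouping:
  missing        expected delegation not registered to any account
  wrong_account  expected principal registered to a different account
  unexpected     principal delegated to an account nobody planned for
"""
from collections import defaultdict

# Intended grouping. Account IDs are placeholders (assumption).
EXPECTED = {
    "111111111111": {  # security tooling account
        "securityhub.amazonaws.com", "guardduty.amazonaws.com",
        "inspector2.amazonaws.com", "macie.amazonaws.com",
        "detective.amazonaws.com", "access-analyzer.amazonaws.com",
    },
    "222222222222": {  # log archive account
        "cloudtrail.amazonaws.com", "config.amazonaws.com",
    },
}


def audit_delegations(admins, services_by_account, expected=EXPECTED):
    """admins: 'DelegatedAdministrators' list from ListDelegatedAdministrators.
    services_by_account: {account_id: 'DelegatedServices' list} from one
    ListDelegatedServices call per registered account."""
    actual = defaultdict(set)          # account -> principals it holds
    registered_to = defaultdict(set)   # principal -> accounts holding it
    for admin in admins:
        for svc in services_by_account.get(admin["Id"], []):
            actual[admin["Id"]].add(svc["ServicePrincipal"])
            registered_to[svc["ServicePrincipal"]].add(admin["Id"])

    expected_owner = {p: a for a, ps in expected.items() for p in ps}
    findings = {"missing": [], "wrong_account": [], "unexpected": []}

    # Every planned delegation must exist on the planned account.
    for acct, principals in sorted(expected.items()):
        for principal in sorted(principals - actual.get(acct, set())):
            holders = registered_to.get(principal)
            if holders:
                findings["wrong_account"].append((acct, principal, sorted(holders)))
            else:
                findings["missing"].append((acct, principal))

    # Anything registered that no plan covers is overprivileged delegation.
    for acct, principals in sorted(actual.items()):
        for principal in sorted(principals):
            if principal not in expected_owner:
                findings["unexpected"].append((acct, principal))
    return findings


# Constructed sample responses in the shape the Organizations API returns.
SAMPLE_ADMINS = [
    {"Id": "111111111111", "Name": "security-tooling", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "payments-prod", "Status": "ACTIVE"},
]
SAMPLE_SERVICES = {
    "111111111111": [{"ServicePrincipal": p} for p in (
        "securityhub.amazonaws.com", "guardduty.amazonaws.com",
        "inspector2.amazonaws.com", "macie.amazonaws.com",
        "detective.amazonaws.com")],
    # A workload account holding Config and Identity Center: both are drift.
    "333333333333": [{"ServicePrincipal": "config.amazonaws.com"},
                     {"ServicePrincipal": "sso.amazonaws.com"}],
}


def fetch_live(client):
    """Same two responses from AWS; run with management-account credentials."""
    pages = client.get_paginator("list_delegated_administrators").paginate()
    admins = [a for page in pages for a in page["DelegatedAdministrators"]]
    services = {}
    for admin in admins:
        pages = client.get_paginator("list_delegated_services").paginate(
            AccountId=admin["Id"])
        services[admin["Id"]] = [s for page in pages for s in page["DelegatedServices"]]
    return admins, services


if __name__ == "__main__":
    for kind, items in audit_delegations(SAMPLE_ADMINS, SAMPLE_SERVICES).items():
        for item in items:
            print(f"{kind}: {item}")
```

Replace the sample data with the result of fetch_live(boto3.client("organizations")) to audit a real organization; any non-empty finding is something to reconcile with the grouping above.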
How Do You Set Up Delegation With Terraform? #
The Terraform AWS provider includes an aws_organizations_delegated_administrator resource for services that use the Organizations API:
# Enable trusted access first
resource "aws_organizations_organization" "org" {
aws_service_access_principals = [
"securityhub.amazonaws.com",
"guardduty.amazonaws.com",
"access-analyzer.amazonaws.com",
"config.amazonaws.com",
"ssm.amazonaws.com",
]
feature_set = "ALL"
}
# Register delegated administrator for IAM Access Analyzer
resource "aws_organizations_delegated_administrator" "access_analyzer" {
account_id = "111111111111"
service_principal = "access-analyzer.amazonaws.com"
}
# Register delegated administrator for AWS Config
resource "aws_organizations_delegated_administrator" "config" {
account_id = "111111111111"
service_principal = "config.amazonaws.com"
}
For services with custom APIs, Terraform provides service-specific resources. GuardDuty:
resource "aws_guardduty_organization_admin_account" "security" {
admin_account_id = "111111111111"
}
And Security Hub:
resource "aws_securityhub_organization_admin_account" "security" {
admin_account_id = "111111111111"
}
For services without native Terraform resources, you can use awscc provider resources or the aws_organizations_delegated_administrator generic resource with the appropriate service principal.
What IAM Permissions Are Required to Manage Delegation? #
Managing delegated administrators requires permissions in the management account. The following policy covers registration and deregistration across all supported services. We recommend creating a dedicated IAM role for this purpose rather than using the root user or AdministratorAccess.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OrgDelegatedAdminReadOnly",
"Effect": "Allow",
"Action": ["organizations:List*", "organizations:Describe*"],
"Resource": "*"
},
{
"Sid": "OrgDelegatedAdminRegistration",
"Effect": "Allow",
"Action": [
"organizations:RegisterDelegatedAdministrator",
"organizations:DeregisterDelegatedAdministrator",
"organizations:EnableAWSServiceAccess",
"organizations:DisableAWSServiceAccess"
],
"Resource": "*"
},
{
"Sid": "ResourceBasedDelegation",
"Effect": "Allow",
"Action": [
"organizations:PutResourcePolicy",
"organizations:DeleteResourcePolicy",
"organizations:DescribeResourcePolicy"
],
"Resource": "*"
},
{
"Sid": "ServiceSpecificDelegation",
"Effect": "Allow",
"Action": [
"securitylake:CreateDataLakeDelegatedAdmin",
"securitylake:DeleteDataLakeDelegatedAdmin",
"cloudtrail:RegisterOrganizationDelegatedAdmin",
"cloudtrail:DeregisterOrganizationDelegatedAdmin",
"fms:AssociateAdminAccount",
"fms:DisassociateAdminAccount",
"guardduty:EnableOrganizationAdminAccount",
"guardduty:DisableOrganizationAdminAccount",
"detective:EnableOrganizationAdminAccount",
"detective:DisableOrganizationAdminAccount",
"ec2:EnableIpamOrganizationAdminAccount",
"ec2:DisableIpamOrganizationAdminAccount",
"securityhub:EnableOrganizationAdminAccount",
"securityhub:DisableOrganizationAdminAccount",
"auditmanager:RegisterOrganizationAdminAccount",
"auditmanager:DeregisterOrganizationAdminAccount",
"inspector2:EnableDelegatedAdminAccount",
"inspector2:DisableDelegatedAdminAccount",
"macie2:EnableOrganizationAdminAccount",
"macie2:DisableOrganizationAdminAccount"
],
"Resource": "*"
},
{
"Sid": "DependentActions",
"Effect": "Allow",
"Action": ["iam:GetRole", "iam:CreateServiceLinkedRole"],
"Resource": "*"
}
]
}
How Do You Deregister a Delegated Administrator? #
Deregistration mirrors registration. For the Organizations API, use organizations:DeregisterDelegatedAdministrator. For service-specific APIs:
- CloudTrail - cloudtrail:DeregisterOrganizationDelegatedAdmin
- Firewall Manager - fms:DisassociateAdminAccount
- GuardDuty - guardduty:DisableOrganizationAdminAccount
- Detective - detective:DisableOrganizationAdminAccount
- VPC IPAM - ec2:DisableIpamOrganizationAdminAccount
- Security Hub - securityhub:DisableOrganizationAdminAccount
- Audit Manager - auditmanager:DeregisterOrganizationAdminAccount
- Inspector - inspector2:DisableDelegatedAdminAccount
- Macie - macie2:DisableOrganizationAdminAccount
- Security Lake - securitylake:DeleteDataLakeDelegatedAdmin
What Changed in AWS Organizations in 2024 and 2025? #
AWS released several major governance features since the original version of this guide:
Resource Control Policies (RCPs) - November 2024 #
Resource Control Policies are a new deny-only policy type that restricts access to resources across the organization. While SCPs control what actions principals can take, RCPs control what actions can be taken on specific resources. At launch, RCPs supported Amazon S3, AWS STS, AWS KMS, Amazon SQS, and AWS Secrets Manager, with Amazon ECR and Amazon OpenSearch Serverless added in June 2025. RCPs became available in AWS GovCloud (US) Regions in May 2025.
Declarative Policies - December 2024 #
Declarative policies enforce a desired baseline configuration for AWS services across the organization. Unlike SCPs, which block API calls after the fact, declarative policies prevent non-compliant configurations at the service level. At launch, they support EC2, EBS, and VPC configurations. AWS Control Tower also added managed controls using declarative policies at launch.
Direct Account Transfers - November 2025 #
AWS Organizations now supports transferring accounts directly between organizations without first removing the account from the source organization. This simplifies M&A scenarios and organizational restructuring.
Expanded Delegated Administrator Coverage #
Since 2023, AWS has added delegated administrator support for several additional services including AWS Health, Amazon CloudWatch, AWS Cost Optimization Hub, Amazon EKS, AWS Resource Explorer, AWS Security Incident Response, EC2 Capacity Manager, and AWS User Notifications, bringing the total to 37 services.
How Do You Troubleshoot Delegated Administrator Issues? #
"AccessDeniedException" When Registering #
This usually means the calling principal lacks the required IAM permissions. Confirm you are running the command from the management account and that your IAM role has the organizations:RegisterDelegatedAdministrator permission along with any service-specific permissions. Also verify that all features are enabled in your organization.
"AccountAlreadyRegisteredException" #
The account is already registered as a delegated administrator for this service. Run aws organizations list-delegated-administrators --service-principal <principal> to check the current registrations.
"MAX_DELEGATED_ADMINISTRATORS_FOR_SERVICE_LIMIT_EXCEEDED" #
You have reached the maximum number of delegated administrators for this service. Some services, like IAM Identity Center, allow only one. CloudTrail allows up to three per organization. You must deregister an existing delegated administrator before registering a new one.
"AccountNotFoundException" or "AccountNotRegisteredException" #
Confirm the account ID is correct and that it is a member of your organization. You cannot register the management account itself as a delegated administrator, and suspended accounts cannot be registered.
Delegation Works in One Region but Not Another #
Some services require delegation to be set up per region. Security Hub, GuardDuty, Inspector, Macie, and Detective are regional services. You must register the delegated administrator in each region where you want to use the service.
KMS Key Access Denied After Delegation #
If a service like Audit Manager uses a customer-managed KMS key, the delegated administrator account must have access to that key. Update the KMS key policy to include the delegated administrator account.
Frequently Asked Questions #
Can I delegate multiple services to the same account? #
Yes. A single member account can serve as the delegated administrator for multiple services. AWS recommends grouping services by function - security services to a security account, logging services to a log archive account - following the AWS Security Reference Architecture.
Does delegated administrator work across all AWS Regions? #
It depends on the service. Regional services like Security Hub, GuardDuty, Inspector, Macie, and Detective require you to register the delegated administrator in each Region where you want coverage. Global services like IAM Access Analyzer and AWS Organizations itself only need registration once.
What happens if the delegated administrator account is compromised? #
The blast radius is limited to the services delegated to that account, rather than the entire organization. This is the core security benefit over using the management account directly. The attacker would gain management access to the delegated services but would not be able to modify SCPs, close accounts, or perform other management-account-only actions.
Can I use resource-based delegation policies and RegisterDelegatedAdministrator together? #
Yes. These are complementary methods. RegisterDelegatedAdministrator delegates service-specific management (like managing GuardDuty across the organization), while resource-based delegation policies delegate Organizations-level actions (like managing SCPs or viewing the organization structure). You can use both on the same account.
How many delegated administrators can I have per service? #
The limit varies by service. Most services allow one delegated administrator. CloudTrail allows up to three. IAM Identity Center allows exactly one. Check the service documentation for the specific limit.
Do SCPs affect delegated administrator accounts? #
Yes. Unlike the management account, delegated administrator accounts are subject to SCPs. A misconfigured SCP can block the delegated administrator from performing its duties. Test your SCPs carefully before enabling delegation, and consider attaching an SCP exception for the delegated administrator OU.
How do I audit which accounts are delegated administrators? #
Use aws organizations list-delegated-administrators to see all delegated accounts, and aws organizations list-delegated-services --account-id <id> to see which services a specific account manages. The CloudQuery Platform can sync this data into a queryable database for continuous monitoring.
Can I delegate AWS Organizations policy management itself? #
Yes, through resource-based delegation policies. You can delegate actions like organizations:CreatePolicy, organizations:AttachPolicy, and organizations:EnablePolicyType to a member account. This is the only method that supports delegating Organizations-level operations like SCP management.
How Do You Audit Delegated Administrators With the CloudQuery Platform? #
The CloudQuery Platform syncs your AWS Organization configuration into a queryable database, making it straightforward to audit delegated administrator settings across your accounts.
To set up the CloudQuery Platform with your AWS environment, see the AWS integration documentation.
A sample AWS Source configuration file for organization data:
kind: source
spec:
name: 'aws'
path: 'cloudquery/aws'
registry: 'cloudquery'
version: 'v33.16.1'
destinations: ['postgresql']
tables:
- 'aws_organizations*'
spec:
accounts:
- id: '123456789012'
local_profile: 'cq-read-role'
Finding All Delegated Administrator Accounts #
SELECT
account_id,
name,
status,
delegation_enabled_date,
joined_method
FROM aws_organizations_delegated_administrators;
Finding Which Services Each Account Administers #
SELECT
da.account_id,
da.name,
ds.service_principal
FROM aws_organizations_delegated_administrators da
JOIN aws_organizations_delegated_services ds
ON da.account_id = ds.account_id;
Finding Organization Resource-Based Delegation Policies #
SELECT * FROM aws_organizations_resource_policies;
These queries help answer audit questions like "which accounts have delegated administrator access?" and "are there any services where no delegated administrator is configured?" The CloudQuery Platform provides scheduled syncs and a dashboard for continuous visibility into your organization structure. Schedule a demo to get started.
Moving Forward #
AWS Delegated Administrator lets you move management responsibilities out of the organization management account and into purpose-built member accounts. This reduces the blast radius of a management account compromise and aligns with the AWS Security Reference Architecture.
Key takeaways:
- 37 services now support delegated administration, up from roughly a dozen in 2023. Check the current list as AWS adds services regularly.
- Three delegation methods exist: the Organizations RegisterDelegatedAdministrator API, service-specific APIs, and resource-based delegation policies. They are complementary, not mutually exclusive.
- Use dedicated accounts for delegation, grouped by function (security, logging, shared services, networking) rather than a single "do everything" account.
- New policy types like RCPs and declarative policies (both launched late 2024) add more governance options but are managed from the management account or delegated via resource-based policies.
- Audit your delegation setup regularly using the CloudQuery Platform to catch drift or overprivileged configurations.
Ready to get started? Schedule a demo or contact our team with questions.