Administrator: a person responsible for carrying out the administration of a business or organization. It is no different in AWS account management. The administrator (or admin) of an account is the most powerful user, the one who takes care of billing, licensing, cost, configuration, and so on.
There was a time when a company would have one or two AWS accounts and create hundreds of Virtual Private Clouds (VPCs) inside them to segregate different applications and workloads. AWS later made account creation much easier, and today creating a new AWS account is a matter of minutes.
That brings a new set of challenges: managing those hundreds of accounts. That is where AWS Organizations comes in. AWS Organizations has many more features, but that is a topic for another day.
AWS Organizations has the concept of a management account. The management account has broad permissions over, and access to, every account within the organization.
For this reason, it should be used only for essential administrative tasks such as managing accounts, Organizational Units (OUs), and organization policies. But some services are also administered from the management account on behalf of the member accounts. That means adding more people to the management account, which goes against AWS Organizations best practices.
There is a way to delegate those tasks and responsibilities to member accounts. The designated member accounts then become delegated administrators, meaning they can perform a specific activity or manage a specific AWS service across accounts on behalf of the organization. This is called Delegated Admin.
Now we will look at some AWS services that support delegated administration.
AWS Config:
AWS Config is a service that enables you to audit, assess, and evaluate the configurations of your AWS resources. It also supports multi-account, multi-Region data aggregation, which means you can view compliance status across your enterprise and identify non-compliant accounts.
AWS Config now supports a delegated administrator account. Before, you needed to deploy your own data aggregation solution that replicated organization-wide account data and then pushed it to a designated account.
License management
AWS License Manager is a service that makes it easy to manage software licenses from different software vendors (like Microsoft, SAP, Oracle, and IBM) centrally across AWS and your on-premises environments.
Earlier, customers managed license administration from the management account. AWS License Manager now supports a delegated administrator, so license administrators can manage and distribute licenses across all of their AWS accounts from a delegated member account in the organization. This lets organizations reduce the number of users in the management account and administer licensing from the delegated member account instead.
AWS Systems Manager Explorer
AWS Systems Manager Explorer is a customizable operations dashboard that reports information about your AWS resources. It displays an aggregated view of operations data (OpsData) for your AWS accounts and across AWS Regions.
Now you can configure a delegated administrator for Explorer. You no longer need to be logged in to the AWS Organizations management account to administer resource data syncs in Explorer.
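The delegation described above for AWS Config, License Manager and Systems Manager Explorer is set up the same way in each case: from the management account, enable trusted access for the service, register the member account as its delegated administrator, then verify the registration. The script below is an added example written for this post, not code from the original article or from AWS. It assumes AWS CLI v2, credentials in the management account with the organizations:EnableAWSServiceAccess, organizations:RegisterDelegatedAdministrator and organizations:ListDelegatedAdministrators permissions, and uses 111122223333 as a placeholder member account ID. The service principals come from the AWS documentation for each service; the AWS_CLI variable is my own addition so the commands can be printed with AWS_CLI=echo before running them for real.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): register one member account as
# the delegated administrator for AWS Config, License Manager and Systems
# Manager Explorer from the Organizations management account, then verify it.
# Assumes: AWS CLI v2 and management-account credentials with the three
# organizations:* permissions named in the lead-in. 111122223333 is a
# placeholder account ID. Set AWS_CLI=echo to print the commands instead of
# executing them (hypothetical helper variable, not an AWS CLI feature).
AWS_CLI="${AWS_CLI:-aws}"

# Service principals used for delegated administration (AWS documentation).
CONFIG_PRINCIPAL="config.amazonaws.com"
LICENSE_MANAGER_PRINCIPAL="license-manager.amazonaws.com"
SSM_PRINCIPAL="ssm.amazonaws.com"

# Reject anything that is not a 12-digit account ID before it reaches the CLI.
valid_account_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Enable trusted access for the service (idempotent, once per organization)
# and register the member account as its delegated administrator.
delegate_service() {
  account_id="$1"
  principal="$2"
  valid_account_id "$account_id" || {
    echo "invalid account id: $account_id" >&2
    return 1
  }
  "$AWS_CLI" organizations enable-aws-service-access \
    --service-principal "$principal"
  "$AWS_CLI" organizations register-delegated-administrator \
    --account-id "$account_id" --service-principal "$principal"
}

# List the delegated administrators registered for one service so the change
# can be verified (and audited) from the management account.
list_delegates() {
  "$AWS_CLI" organizations list-delegated-administrators \
    --service-principal "$1" \
    --query 'DelegatedAdministrators[].Id' --output text
}

# Delegate all three services to the same member account and verify each.
delegate_all() {
  account_id="$1"
  for principal in "$CONFIG_PRINCIPAL" "$LICENSE_MANAGER_PRINCIPAL" "$SSM_PRINCIPAL"; do
    delegate_service "$account_id" "$principal" || return 1
    list_delegates "$principal"
  done
}

# Usage: AWS_CLI=echo ./delegate-admin.sh 111122223333   (dry run)
#        ./delegate-admin.sh 111122223333                (real run)
if [ -n "${1:-}" ]; then
  delegate_all "$1"
fi
```

Registering a delegated administrator only lets that member account call the delegated service's organization-wide APIs; it grants no AWS Organizations permissions. The people who administer Config, licensing or Explorer still need IAM permissions scoped to that one service inside the member account, which is exactly the least-privilege split the management account could not offer.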
Delegated administrator accounts are a very interesting topic, and AWS keeps adding services in this space. Delegation is already supported by AWS IAM Identity Center (the successor to AWS Single Sign-On) and Amazon Inspector, among others.
I recommend that you keep a close eye on this blog page, as I am going to update it from time to time.
Cheers,
Pravin Mishra