Profile Applicability:
- Level 1
Description:
AWS Organizations allows you to centrally manage multiple AWS accounts. A delegated administrator is a member account that the management account registers, for a specific service principal (for example config.amazonaws.com or guardduty.amazonaws.com), to perform that service's organization-wide administrative tasks. Delegated administrators can manage services like AWS IAM Identity Center (formerly AWS SSO), AWS Config, and others without the management account being used for day-to-day administration, and without receiving full administrative access to the organization. This SOP ensures that only approved accounts are registered as delegated administrators, and only for the services they are meant to manage.
Rationale:
Security: Ensuring that only trusted accounts are delegated administrative permissions helps protect the organization’s resources and sensitive information.
Governance: Properly managing delegated administrators ensures that account management responsibilities are appropriately distributed while preventing unauthorized access.
Compliance: In many regulated environments, delegating administrative responsibilities to trusted accounts is required for compliance with industry standards (e.g., SOC 2, HIPAA, and PCI-DSS).
Impact:
Pros:
Improved Access Control: Delegating administrative tasks to trusted accounts ensures that access is given to the right personnel while minimizing the risk of unauthorized actions.
Enhanced Security: By ensuring proper delegation, you can limit the scope of administrative privileges and reduce the chance of insider threats or mismanagement of resources.
Operational Efficiency: Delegated administrators manage specific services from member accounts, so the management account does not have to be used (or its credentials handed out) for routine service administration.
Cons:
Complexity in Management: Properly configuring and managing delegated administrators requires additional monitoring and oversight.
Risk of Misconfiguration: If the wrong account is registered, or an account is registered for more services than intended, that account gains organization-wide control of those services (for example the ability to change security findings, configuration rules or identity settings across every member account), creating security gaps.
Default Value:
By default, AWS Organizations has no delegated administrators. Registration is performed per service principal and only from the organization's management account (or through a service's own console or API for services that manage their delegated administrator themselves, such as GuardDuty and Security Hub).
Pre-requisite:
AWS IAM Permissions (in the organization's management account):
organizations:ListDelegatedAdministrators
organizations:ListDelegatedServicesForAccount
organizations:DescribeAccount
organizations:DescribeOrganization
organizations:ListAccounts
organizations:DeregisterDelegatedAdministrator (for the Implementation Steps)
organizations:RegisterDelegatedAdministrator (for the Backout Plan)
AWS CLI installed and configured with credentials for the management account; delegated administrators cannot be listed or deregistered from an ordinary member account.
AWS Organizations setup with accounts and organizational units (OUs).
An approved list of which account is allowed to be delegated administrator for which service, against which the findings below are compared.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console with the management account.
Navigate to AWS Organizations under Security, Identity, & Compliance.
In the Organizations console, choose Services in the left navigation. Each service that supports delegated administration shows the member account(s) registered as its delegated administrator.
For every service with a delegated administrator, note the account ID and compare it with the approved list.
If any account is registered that is not approved for that service, proceed with the Implementation Steps to deregister it.
Using AWS CLI:
To list all delegated administrators in your organization (run from the management account), execute:
aws organizations list-delegated-administrators --query 'DelegatedAdministrators[*].{AccountId:Id,Name:Name,Email:Email,Status:Status}'
To restrict the listing to a single service, add --service-principal (for example --service-principal config.amazonaws.com).
Every account returned must appear on the approved list; any that does not is a finding.
To see which services a specific delegated administrator is registered for, run:
aws organizations list-delegated-services-for-account --account-id <account-id>
The ServicePrincipal values returned must all be services that the account is approved to administer.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console with the management account.
Navigate to AWS Organizations.
In the Organizations console, choose Services in the left navigation and open the service whose delegated administrator is not approved.
Review the registered account and confirm against the approved list that it should not administer this service.
Deregister the account as delegated administrator for that service. For services that manage their delegated administrator through their own console (for example GuardDuty and Security Hub), perform the removal in that service's console instead.
Using AWS CLI:
To deregister a delegated administrator for a service, run (from the management account):
aws organizations deregister-delegated-administrator --account-id <account-id> --service-principal <service-principal>
The service principal is required: an account may be registered for several services, and each registration is removed separately. Services that designate their delegated administrator through their own API (for example GuardDuty: aws guardduty disable-organization-admin-account --admin-account-id <account-id>, and Security Hub: aws securityhub disable-organization-admin-account --admin-account-id <account-id>) are deregistered through that API.
Deregistering removes the delegation only; the account stays in the organization. Reassign the service's administration to an approved account afterwards, because the service loses its organization-wide administrator until you do.
Verify the removal by listing the delegated administrators again:
aws organizations list-delegated-administrators --query 'DelegatedAdministrators[*].{AccountId:Id,Name:Name,Email:Email}'
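The check and the remediation above can be run as one script that compares every delegation against an approved list. The example below is added here and is not part of the original SOP: it assumes an allowlist named APPROVED mapping each trusted account ID to the service principals it may administer, and the two sample API responses are constructed to match the JSON shapes returned by aws organizations list-delegated-administrators and aws organizations list-delegated-services-for-account. The mapping of services that manage their own delegated administrator (SERVICE_OWNED) is assumed to be partial; GuardDuty and Security Hub are included because their disable-organization-admin-account commands are the documented path for them.

```python
"""Audit AWS Organizations delegated administrators against an approved list.

Added example, not part of the original SOP. Run with --live to query the
organization through the AWS CLI (management account credentials required);
without it, the constructed sample data below is used so the script runs offline.
"""
import json
import subprocess
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample output of `aws organizations list-delegated-administrators`
SAMPLE_ADMINS: Dict = {
    "DelegatedAdministrators": [
        {"Id": "111111111111", "Name": "security-tooling",
         "Email": "security@example.com", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "sandbox-team",
         "Email": "sandbox@example.com", "Status": "ACTIVE"},
    ]
}

# Constructed sample output of
# `aws organizations list-delegated-services-for-account --account-id <Id>`, keyed by Id
SAMPLE_SERVICES: Dict[str, Dict] = {
    "111111111111": {"DelegatedServices": [
        {"ServicePrincipal": "guardduty.amazonaws.com"},
        {"ServicePrincipal": "config.amazonaws.com"},
    ]},
    "222222222222": {"DelegatedServices": [
        {"ServicePrincipal": "config.amazonaws.com"},
    ]},
}

# Assumed allowlist: which account is trusted to administer which service.
APPROVED: Dict[str, Set[str]] = {
    "111111111111": {"guardduty.amazonaws.com", "config.amazonaws.com"},
}

# Services that designate their delegated administrator through their own API;
# deregistration for these goes through that API, not through Organizations.
# Assumed partial mapping: check each service's documentation for others.
SERVICE_OWNED: Dict[str, str] = {
    "guardduty.amazonaws.com": "aws guardduty disable-organization-admin-account --admin-account-id",
    "securityhub.amazonaws.com": "aws securityhub disable-organization-admin-account --admin-account-id",
}


def find_unapproved(admins: Dict, services: Dict[str, Dict],
                    approved: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (account_id, service_principal) pairs not covered by the allowlist.

    An account absent from `approved` has no allowed services, so every
    delegation it holds is reported.
    """
    findings = []
    for admin in admins["DelegatedAdministrators"]:
        acct = admin["Id"]
        allowed = approved.get(acct, set())
        for svc in services.get(acct, {}).get("DelegatedServices", []):
            sp = svc["ServicePrincipal"]
            if sp not in allowed:
                findings.append((acct, sp))
    return findings


def remediation_commands(findings: List[Tuple[str, str]]) -> List[str]:
    """Build one deregistration command per finding (to be run from the management account)."""
    cmds = []
    for acct, sp in findings:
        if sp in SERVICE_OWNED:
            cmds.append(f"{SERVICE_OWNED[sp]} {acct}")
        else:
            cmds.append("aws organizations deregister-delegated-administrator "
                        f"--account-id {acct} --service-principal {sp}")
    return cmds


def run_aws(args: List[str]) -> Dict:
    """Call the AWS CLI and parse its JSON output (live mode only)."""
    proc = subprocess.run(["aws", "organizations", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def collect_live() -> Tuple[Dict, Dict[str, Dict]]:
    """Fetch the current delegated administrators and the services each is registered for."""
    admins = run_aws(["list-delegated-administrators"])
    services = {a["Id"]: run_aws(["list-delegated-services-for-account",
                                  "--account-id", a["Id"]])
                for a in admins["DelegatedAdministrators"]}
    return admins, services


if __name__ == "__main__":
    if "--live" in sys.argv:
        admins, services = collect_live()
    else:
        admins, services = SAMPLE_ADMINS, SAMPLE_SERVICES
    findings = find_unapproved(admins, services, APPROVED)
    for acct, sp in findings:
        print(f"UNAPPROVED: account {acct} is delegated administrator for {sp}")
    for cmd in remediation_commands(findings):
        print("  ", cmd)
```

On the sample data the script reports account 222222222222 as an unapproved delegated administrator for config.amazonaws.com and prints the matching deregister-delegated-administrator command; it does not execute anything, so the commands can be reviewed before they are run.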
Backout Plan:
Using AWS Console:
If a deregistration needs to be reverted, sign in to the AWS Management Console with the management account.
Navigate to AWS Organizations, choose Services in the left navigation, open the affected service and register the original account as its delegated administrator again (or use that service's own console for services such as GuardDuty and Security Hub that manage this themselves).
Confirm that the account appears again as the delegated administrator for that service and for no other.
Using AWS CLI:
To re-register the account as delegated administrator for the service it was removed from, run (from the management account):
aws organizations register-delegated-administrator --account-id <ACCOUNT_ID> --service-principal <SERVICE_PRINCIPAL>
For services that manage their delegated administrator through their own API, use that API instead (for example aws guardduty enable-organization-admin-account --admin-account-id <ACCOUNT_ID>).
Verify that the account is listed again as a delegated administrator for that service only:
aws organizations list-delegated-services-for-account --account-id <ACCOUNT_ID>