How do I remove a delegated administrator’s account from my AWS Organizations?


I want to remove a delegated administrator’s account from my AWS Organizations.

Short description

You can delegate policy management for AWS Organizations to specified member accounts from the AWS Organization's management account. These delegated accounts can perform policy actions that are by default available only to the management account. You can remove the delegated administrator's account when you don't need it. For more information, see Delegated administrator for AWS Organizations.

When you use a management account to create a delegated administrator for AWS Organizations, you create or update a resource-based delegation policy for it. Within this policy, you specify the member accounts that can perform actions on policies.

You must use the management account to remove the resource-based delegation policy or the delegated administrator for an AWS service.
Note: A deleted policy can't be recovered.

Resolution

Remove the resource-based policy using the AWS Organizations console

  1. Sign in to the AWS Organizations console within the management account.
  2. Choose Settings.
  3. In the Delegated administrator for AWS Organizations section, choose Delete.
  4. In the Delete policy confirmation box, enter Delete. Then, choose Delete policy.

Remove the resource-based delegation policy using AWS CLI

Use the following AWS Command Line Interface (AWS CLI) command to remove the resource-based delegation policy:

aws organizations delete-resource-policy

Note: The console only deletes the resource-based delegation policy. To remove a delegated administrator for an AWS service, use the AWS CLI as described in the next section.

If you receive errors when you run the AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Remove a delegated administrator for an AWS service

To remove the delegated administrator for an AWS service, first list all the AWS services where the specified account is a delegated administrator. Then, deregister the delegated administrator.

List services for the delegated administrator

Use the list-delegated-services-for-account AWS CLI command to list all the services where the specified account is a delegated administrator:

$ aws organizations list-delegated-services-for-account --account-id <insert the account id>

After you list those services, you can then deregister the delegated administrator for each service.

Deregister delegated administrator for an AWS service

Use the deregister-delegated-administrator AWS CLI command to deregister the delegated administrator for a service:

$ aws organizations deregister-delegated-administrator --account-id <insert account id> --service-principal <service.amazonaws.com>

Note: To deregister multiple services, run the AWS CLI command for each service.
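As an added example (not part of this AWS article), the following POSIX shell script chains the two steps above: it lists every service for which the given account is a delegated administrator and deregisters the account from each one, defaulting to a dry run so you can review the list first. It assumes the AWS CLI is configured with management-account credentials; the AWS_CLI and DRY_RUN variables are conventions of this example, not AWS CLI settings.

```shell
#!/bin/sh
# Added example, not part of the AWS article: list every service for which an
# account is a delegated administrator, then deregister it from each one.
# Assumes the AWS CLI is configured with management-account credentials.
set -eu

AWS_CLI="${AWS_CLI:-aws}"   # command used for AWS calls; overridable for testing
DRY_RUN="${DRY_RUN:-1}"     # 1 = only print what would happen; 0 = deregister

# Accept only a 12-digit AWS account ID.
valid_account_id() {
    printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Print one service principal per line (e.g. guardduty.amazonaws.com) for
# which the account is a delegated administrator. The JMESPath --query keeps
# the script free of a jq dependency; --output text joins values with tabs.
list_delegated_principals() {
    raw=$("$AWS_CLI" organizations list-delegated-services-for-account \
        --account-id "$1" \
        --query 'DelegatedServices[].ServicePrincipal' \
        --output text)
    printf '%s\n' "$raw" | tr '\t' '\n' | sed -e '/^$/d' -e '/^None$/d'
}

# Deregister the account from every delegated service, or show what would be
# done when DRY_RUN=1. Returns 2 on a malformed account ID.
deregister_all() {
    account="$1"
    valid_account_id "$account" || { echo "invalid account id: $account" >&2; return 2; }
    principals=$(list_delegated_principals "$account")
    if [ -z "$principals" ]; then
        echo "no delegated services for $account"
        return 0
    fi
    for sp in $principals; do          # service principals contain no whitespace
        if [ "$DRY_RUN" = "1" ]; then
            echo "would deregister $account from $sp"
        else
            "$AWS_CLI" organizations deregister-delegated-administrator \
                --account-id "$account" --service-principal "$sp"
            echo "deregistered $account from $sp"
        fi
    done
}
# Usage: ./deregister-delegated-admin.sh 111122223333   (set DRY_RUN=0 to apply)
if [ "$#" -gt 0 ]; then
    deregister_all "$1"
fi
```

Run it once with the default dry run, confirm the printed service list is what you expect, then rerun with DRY_RUN=0 from the management account.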

Related information

AWS Organizations terminology and concepts

AWS OFFICIAL. Updated 7 months ago.