
How do I remove a delegated administrator’s account from my organization?


I want to remove a delegated administrator’s account from my organization.

Short description

To remove a delegated administrator's permissions, first determine which permissions you want to remove. An AWS account can be a delegated administrator for specific AWS services, have policy management permissions through a resource-based delegation policy, or have both. These two permission types work independently: removing one type doesn't affect the other.

If you want to remove an account's delegated administrator access for specific AWS services, then use the deregister-delegated-administrator command from the management account.

If you want to remove an account's policy management permissions, then update the resource-based delegation policy to remove the member account.

If the account has both service-specific administrator access and policy management permissions, then deregister the account as delegated administrator and update the resource-based delegation policy. Completing both actions removes all delegated administrator privileges.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Deregister the account as delegated administrator for AWS services

Run the following list-delegated-services-for-account command to list all AWS services where the member account is a delegated administrator:

aws organizations list-delegated-services-for-account --account-id ACCOUNT-ID

Note: Replace ACCOUNT-ID with the account ID.

Then, run the following deregister-delegated-administrator command to deregister the delegated administrator for each AWS service:

aws organizations deregister-delegated-administrator --account-id ACCOUNT-ID --service-principal service.amazonaws.com

Note: Replace ACCOUNT-ID with the account ID, and replace service.amazonaws.com with the AWS service.
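The two commands above have to be repeated once per service, and it is easy to miss one. The following script is an added example (not part of the AWS article and not AWS-provided code) that runs the same list and deregister commands but takes the service principals from the list command's own output, then lists again afterwards to confirm nothing is left. The `DelegatedServices`/`ServicePrincipal` output shape is the real one; the account ID, service principals and dates in `SAMPLE_LISTING` are constructed so the script can be exercised offline with `demo_cli` instead of the real CLI. For real use, run it from the management account with a configured AWS CLI, `cli=run_cli` and `dry_run=False`.

```python
import json
import re
import subprocess

# Constructed sample of what `aws organizations list-delegated-services-for-account`
# returns; the JSON shape is real, the values are made up for this example.
SAMPLE_LISTING = json.dumps({
    "DelegatedServices": [
        {"ServicePrincipal": "guardduty.amazonaws.com",
         "DelegationEnabledDate": "2023-01-10T09:15:00.000000+00:00"},
        {"ServicePrincipal": "config.amazonaws.com",
         "DelegationEnabledDate": "2023-03-02T11:40:00.000000+00:00"},
    ]
})

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def validate_account_id(account_id: str) -> str:
    """AWS account IDs are exactly 12 digits; fail early instead of sending a typo to the API."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def service_principals(listing_json: str) -> list[str]:
    """Extract every ServicePrincipal from list-delegated-services-for-account output."""
    data = json.loads(listing_json)
    return sorted(svc["ServicePrincipal"] for svc in data.get("DelegatedServices", []))


def list_command(account_id: str) -> list[str]:
    return ["aws", "organizations", "list-delegated-services-for-account",
            "--account-id", account_id]


def deregister_command(account_id: str, principal: str) -> list[str]:
    return ["aws", "organizations", "deregister-delegated-administrator",
            "--account-id", account_id, "--service-principal", principal]


def run_cli(argv: list[str]) -> str:
    """Run an AWS CLI command and return its stdout; raises if the CLI exits non-zero."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


_demo_state = {"delegated": None}


def demo_cli(argv: list[str]) -> str:
    """Offline stand-in for run_cli: serves the constructed listing and 'forgets'
    a service when its deregister command is issued."""
    if _demo_state["delegated"] is None:
        _demo_state["delegated"] = set(service_principals(SAMPLE_LISTING))
    if argv[2] == "list-delegated-services-for-account":
        return json.dumps({"DelegatedServices": [
            {"ServicePrincipal": p} for p in sorted(_demo_state["delegated"])]})
    _demo_state["delegated"].discard(argv[-1])   # argv[-1] is the service principal
    return ""


def deregister_all(account_id: str, dry_run: bool = True, cli=run_cli) -> list[list[str]]:
    """Deregister the account for every service it is a delegated administrator of.

    Returns the deregister commands that were (or, with dry_run, would be) run.
    """
    validate_account_id(account_id)
    principals = service_principals(cli(list_command(account_id)))
    commands = [deregister_command(account_id, p) for p in principals]
    for cmd in commands:
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            cli(cmd)
            print("deregistered", cmd[-1])
    # Verify the result: after a real run the listing must come back empty.
    leftover = [] if dry_run else service_principals(cli(list_command(account_id)))
    if leftover:
        raise RuntimeError(f"account is still delegated administrator for: {leftover}")
    return commands


if __name__ == "__main__":
    # Offline demonstration against the constructed sample (account ID is made up).
    deregister_all("111122223333", dry_run=True, cli=demo_cli)
```

The dry run prints the exact commands before anything is changed, which is also a convenient record for a change ticket; the final re-listing catches a deregistration that failed silently.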

Update the resource-based delegation policy

To update the resource-based delegation policy, follow the instructions in Update a resource-based delegation policy with AWS Organizations.

Important: If you delete the resource-based delegation policy, then this removes all delegated administrator accounts. It's a best practice to update the policy if you want to maintain delegation for other member accounts.
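The point of the note above is that the policy should be edited, not deleted, when other member accounts still rely on it. The following script is an added example (not part of the AWS article and not AWS-provided code) that removes one account from every `Principal` in the delegation policy and refuses to write back a policy with no statements left, so the delegation for the remaining accounts is preserved. It assumes the policy document is read with `aws organizations describe-resource-policy` (with the document in `ResourcePolicy.Content` as a JSON string) and written back with `aws organizations put-resource-policy --content`; `SAMPLE_POLICY`, its Sid and its account IDs are constructed for the example.

```python
import json
import subprocess

ROOT_ARN = "arn:aws:iam::{}:root"

# Constructed delegation policy granting two member accounts read access to
# organization policies. The statement shape is the standard IAM policy shape;
# the Sid and account IDs are made up for this example.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DelegatingDescribeListActions",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                              "arn:aws:iam::444455556666:root"]},
        "Action": ["organizations:DescribePolicy", "organizations:ListPolicies"],
        "Resource": "*",
    }],
}


def remove_account(policy: dict, account_id: str) -> dict:
    """Return a copy of the policy with the account dropped from every AWS principal.

    The account may be written as a bare ID or as its root ARN; both forms are
    removed. A statement whose only principal was this account is dropped entirely.
    The input dict is not modified.
    """
    targets = {account_id, ROOT_ARN.format(account_id)}
    statements = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or "AWS" not in principal:
            statements.append(stmt)          # not an account grant; leave untouched
            continue
        aws = principal["AWS"]
        aws = [aws] if isinstance(aws, str) else list(aws)
        remaining = [p for p in aws if p not in targets]
        if not remaining:
            continue                         # this account was the sole principal
        new_stmt = dict(stmt)
        new_stmt["Principal"] = {**principal,
                                 "AWS": remaining[0] if len(remaining) == 1 else remaining}
        statements.append(new_stmt)
    return {**policy, "Statement": statements}


def updated_policy_content(content: str, account_id: str) -> str:
    """Parse the policy Content string, remove the account, and refuse an empty result."""
    new_policy = remove_account(json.loads(content), account_id)
    if not new_policy["Statement"]:
        raise RuntimeError(
            "removing this account would leave no statements; if that is intended, "
            "delete the policy deliberately rather than writing an empty one")
    return json.dumps(new_policy)


def apply_removal(account_id: str, dry_run: bool = True) -> str:
    """Fetch the live policy, remove the account and, unless dry_run, write it back.

    Assumes describe-resource-policy returns ResourcePolicy.Content as a JSON
    string (an assumption about the CLI output shape, not taken from the article).
    """
    out = subprocess.run(["aws", "organizations", "describe-resource-policy"],
                         check=True, capture_output=True, text=True).stdout
    content = json.loads(out)["ResourcePolicy"]["Content"]
    new_content = updated_policy_content(content, account_id)
    if dry_run:
        print("would write:", new_content)
    else:
        subprocess.run(["aws", "organizations", "put-resource-policy",
                        "--content", new_content], check=True)
    return new_content


if __name__ == "__main__":
    # Offline demonstration on the constructed policy (account IDs are made up).
    print(updated_policy_content(json.dumps(SAMPLE_POLICY), "111122223333"))
```

Run `apply_removal` from the management account with `dry_run=True` first and compare the printed document with the current one; only then write it back.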

Related information

Terminology and concepts for AWS Organizations

AWS OFFICIAL, updated 7 months ago
3 Comments

Excellent guidance. Explained step by step. What a reply. Appreciated.

replied 3 years ago

Nicely done!!

AWS
replied 3 years ago

The instructions are clearly to following the state in case of using deregister-delegated-administrator AWS CLI command to deregister delegated for a service which is only have a capable for these concept and consistent terminology in which of certain. The Administrator acting and performing policy notice all the application at these services policies will control in my case freezing my account makes a lot trouble without violation abuse. However the aws builder ID and administrator which is root's email switching is it could be my violation? Freezing my account to login

replied 8 months ago