I want to remove a delegated administrator’s account from my AWS Organizations.
Short description
You can delegate policy management for AWS Organizations to specified member accounts from the AWS Organizations management account. These delegated accounts can perform policy actions that are by default available only to the management account. You can remove the delegated administrator's account when you no longer need it. For more information, see Delegated administrator for AWS Organizations.
When you use a management account to create a delegated administrator for AWS Organizations, you create or update a resource-based delegation policy for it. Within this policy, you specify the member accounts that can perform actions on policies.
You must use the management account to remove the resource-based delegation policy or the delegated administrator for an AWS service.
Note: A deleted policy can't be recovered.
Resolution
Remove the resource-based policy using the AWS Organizations console
- Sign in to the AWS Organizations console within the management account.
- Choose Settings.
- In the Delegated administrator for AWS Organizations section, choose Delete.
- In the Delete policy confirmation box, enter Delete. Then, choose Delete policy.
Remove the resource-based delegation policy using the AWS CLI
Use the following AWS Command Line Interface (AWS CLI) command to remove the resource-based delegation policy:
aws organizations delete-resource-policy
Note: The console only deletes the delegation policy. To remove the delegated administrator for AWS services, use the AWS CLI as described in the following section.
If you receive errors when you run the AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Remove a delegated administrator for an AWS service
To remove the delegated administrator for an AWS service, first list all the AWS services where the specified account is a delegated administrator. Then, deregister the delegated administrator.
List services for the delegated administrator
Use the list-delegated-services-for-account AWS CLI command to list all the services where the specified account is a delegated administrator:
$ aws organizations list-delegated-services-for-account --account-id <insert the account id>
After you list those services, you can then deregister the delegated administrator for each service.
Deregister delegated administrator for an AWS service
Use the deregister-delegated-administrator AWS CLI command to deregister the delegated administrator for a service:
$ aws organizations deregister-delegated-administrator --account-id <insert account id> --service-principal <service.amazonaws.com>
Note: To deregister multiple services, run the AWS CLI command for each service.
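The following script is an added example (not part of the original article or an AWS-provided tool) that chains the two steps above: it first confirms that the calling credentials belong to the organization's management account, then lists every service the member account is delegated for and deregisters each one. It assumes the AWS CLI is installed and configured; the AWS_CMD variable (an assumption of this example, not an AWS CLI option) lets a wrapper or test stand in for the aws binary, and DRY_RUN defaults to 1 so the script prints the deregister commands instead of running them until you explicitly set DRY_RUN=0.

```shell
#!/bin/sh
# Added example: deregister a member account from every AWS service it is a
# delegated administrator for. Run from the management account.
# AWS_CMD is an assumption of this example (defaults to the real "aws" binary).
AWS_CMD="${AWS_CMD:-aws}"
# Safety default: print the commands that would run instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

# Return 0 if the caller's account is the organization's management account.
assert_management_account() {
  caller=$("$AWS_CMD" sts get-caller-identity --query Account --output text)
  mgmt=$("$AWS_CMD" organizations describe-organization \
            --query Organization.MasterAccountId --output text)
  [ "$caller" = "$mgmt" ]
}

# Print one service principal per line for the given delegated administrator.
# --output text prints the JMESPath list tab-separated, so convert tabs to newlines.
list_delegated_services() {
  "$AWS_CMD" organizations list-delegated-services-for-account \
      --account-id "$1" \
      --query 'DelegatedServices[].ServicePrincipal' --output text | tr '\t' '\n'
}

# Deregister the account from every service returned by list_delegated_services.
# With DRY_RUN=1 each command is echoed; with DRY_RUN=0 it is executed.
deregister_all() {
  account_id="$1"
  list_delegated_services "$account_id" | while read -r principal; do
    # Skip blank output and the literal "None" the CLI prints for a null result.
    [ -n "$principal" ] && [ "$principal" != "None" ] || continue
    if [ "$DRY_RUN" = "1" ]; then
      echo "aws organizations deregister-delegated-administrator --account-id $account_id --service-principal $principal"
    else
      "$AWS_CMD" organizations deregister-delegated-administrator \
          --account-id "$account_id" --service-principal "$principal"
    fi
  done
}

# Entry point: only runs when an account ID is passed on the command line, so the
# functions can be sourced without side effects.
if [ -n "${1:-}" ]; then
  assert_management_account || { echo "not running from the management account" >&2; exit 1; }
  deregister_all "$1"
fi
```

Usage: `sh deregister.sh 222222222222` prints the commands it would run; review that list, then `DRY_RUN=0 sh deregister.sh 222222222222` performs the deregistrations. The management-account check exists because the deregister call is rejected from any other account anyway; failing early gives a clear message instead of a per-service AccessDenied error.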
Related information
AWS Organizations terminology and concepts