Which AWS Account or Organization Unit should be Account Management delegated admin
Hello. I would like to ask for best practice regarding the Account Management delegated admin (an account that will be able to create AWS accounts and move them into different OUs instead of the main AWS account). Which account, or an account in which organizational unit, should be this delegated admin?
I was not able to find this information in the Enabling a delegated admin account for AWS Account Management documentation, nor in the Best Practices for Organizational Units with AWS Organizations or the Dedicated accounts structure.
I have found that the SSO delegated administrator should be the security account here. But that is a different use case.
Thank you for your help, Tomas
Only the management account has access to create AWS accounts in the AWS organization, invite other existing accounts to the AWS organization, remove accounts from the AWS organization and move accounts to different OUs. Hence, this role could not be delegated to another member account. Hence, you should follow the security best practices for your Org Management account. Please refer here for more details.
Please refer here for the list of services that supports delegated admin.
Thank you
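As an added example (not code from the thread or from AWS): a small audit that records which member account holds each delegated-administrator registration in an organization and flags any that sit outside an approved OU such as a Security OU. The account ids, OU ids, names and the allow-list are constructed assumptions shaped like the Organizations API responses; `fetch_live` reads the same shapes from a real organization when boto3 and management-account credentials are available.

```python
"""Audit delegated-administrator registrations against an approved-OU allow-list."""

# Constructed sample data (assumed values) mirroring the shapes returned by
# ListDelegatedAdministrators, ListDelegatedServicesForAccount and ListParents.
SAMPLE_ADMINS = [
    {"Id": "111111111111", "Name": "security-tooling", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "sandbox-dev", "Status": "ACTIVE"},
]
SAMPLE_SERVICES = {
    "111111111111": ["sso.amazonaws.com", "account.amazonaws.com"],
    "222222222222": ["inspector2.amazonaws.com"],
}
SAMPLE_PARENT_OU = {
    "111111111111": "ou-security-example",   # assumed Security OU id
    "222222222222": "ou-sandbox-example",    # assumed Sandbox OU id
}


def audit_delegations(admins, services_by_account, parent_ou_by_account, allowed_ous):
    """Return one finding per (service, account) pair; ok=False when the
    delegated admin account is not directly under an approved OU."""
    findings = []
    for admin in admins:
        acct = admin["Id"]
        ou = parent_ou_by_account.get(acct)
        for service in services_by_account.get(acct, []):
            findings.append({
                "service": service,
                "account": acct,
                "name": admin["Name"],
                "ou": ou,
                "ok": ou in allowed_ous,
            })
    return findings


def fetch_live():
    """Collect the three inputs from the real Organizations API (needs boto3
    and credentials in the management account). Imported lazily so the
    sample audit above runs offline."""
    import boto3
    org = boto3.client("organizations")
    admins = [a for page in org.get_paginator("list_delegated_administrators").paginate()
              for a in page["DelegatedAdministrators"]]
    services, parents = {}, {}
    for a in admins:
        svc_pages = org.get_paginator("list_delegated_services_for_account").paginate(AccountId=a["Id"])
        services[a["Id"]] = [s["ServicePrincipal"] for p in svc_pages for s in p["DelegatedServices"]]
        parent = org.list_parents(ChildId=a["Id"])["Parents"][0]
        parents[a["Id"]] = parent["Id"]  # a root id if the account is not inside any OU
    return admins, services, parents


if __name__ == "__main__":
    for f in audit_delegations(SAMPLE_ADMINS, SAMPLE_SERVICES, SAMPLE_PARENT_OU, {"ou-security-example"}):
        print(("OK     " if f["ok"] else "REVIEW ") + f"{f['service']:<28} {f['name']} ({f['account']}) in {f['ou']}")
```

Run against live data with `audit_delegations(*fetch_live(), {"<your Security OU id>"})`.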
This announcement you mentioned is only relevant for the AWS SSO service (SSO management can be delegated to another account in the Org, and it doesn't have to be the existing Management/Payer account anymore, as it used to be in the past).