By using AWS re:Post, you agree to the Terms of Use
/Which AWS Account or Organization Unit should be Account Management delegated admin/

Which AWS Account or Organization Unit should be Account Management delegated admin


Hello. I would like to ask for best practise regarding Account management delegated admin (Account that will be able to create AWS account and move the in different OU's instead of main AWS account). Which account or account in which organization unit should be this delegated admin?

I was not able to find this information in the Enabling a delegated admin account for AWS Account Management documentation. Nor in the Best Practices for Organizational Units with AWS Organizations or Dedicated accounts structure.

I have found, that SSO delegated administrator should be the security account here. But that is different use case.

Thank you for your help, Tomas

  • This announcement you mentioned is only relevant for AWS SSO service (that SSO management can be delegated to another account in the Org, and it doesn't have to be existing Management Payer account anymore, as it used to be in the past).

1 Answers

Only the management account has access to create AWS accounts in the AWS organization, invite other existing accounts to the AWS organization, remove accounts from the AWS organization and move accounts to different OUs. Hence, this role could not be delegated to another member account. Hence, you should follow the security best practices for your Org Management account. Please refer here for more details.

Please refer here for the list of services that supports delegated admin.

Thank you

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions