Setting up Security Lake with AWS Organizations

0

I am attempting to set up Security Lake in an AWS organization. I followed the documentation on https://docs.aws.amazon.com/security-lake/latest/userguide/multi-account-management.html by clicking "getting started" in the Security Lake console and attempting to delegate the administration to another account in the organization. I was inside the management account in my organization and I was using an IAM user that had administrator access and all the required permissions listed in the documentation. But when I tried to perform this action, it gave me an error saying "an error occurred. Only the management account can perform this operation for your organization."

Security Lake Error

I then tried performing the CLI command described in the documentation using the same IAM user.

aws securitylake register-data-lake-delegated-administrator --account-id 123456789 (example account number)

This gave me the error "An error occurred (AccessDeniedException) when calling the RegisterDataLakeDelegatedAdministrator operation: Only the management account for your organization can perform this operation for your organization."

I'm not sure how to proceed because I believe I am using an IAM user that is inside the management account for the organization but it is still giving me an error message.

2 Answers
1
Accepted Answer

It turned out that the problem was that I had enabled Security Lake when the account was a standalone account before I created the organization. So after I created the organization the old Security Lake resources were still in my account, but it did not give me an option to offboard them. To fix this, you need to remove the organization and offboard as a standalone account, and then add the organization again and then you will be able to onboard successfully.

Steven
answered 10 months ago
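A pre-flight check for the situation in this thread, added here as an example; it is not part of the question, the answers or any AWS tooling. It compares the calling account with the organization's management account, looks for an already-registered Security Lake delegated administrator, and counts data lakes already present in the calling account (the standalone-enablement state the accepted answer identifies as the cause). The boto3 calls and the `securitylake.amazonaws.com` service principal are assumptions from the public API; the verdict strings are this script's own.

```python
# Pre-flight check before RegisterDataLakeDelegatedAdministrator.
# Added example; the decision logic is this script's own, not an AWS API.
from typing import List

NOT_MGMT = "not-management-account"
ALREADY = "delegated-admin-already-registered"
STANDALONE = "standalone-security-lake-present"
OK = "ready-to-register"


def diagnose(caller_account: str, mgmt_account: str,
             delegated_admins: List[str], existing_data_lakes: int) -> str:
    """Return the most likely reason the delegation step would fail.

    caller_account      - account of the current credentials (sts get-caller-identity)
    mgmt_account        - Organization.MasterAccountId (organizations describe-organization)
    delegated_admins    - account IDs already delegated for securitylake.amazonaws.com
    existing_data_lakes - data lakes the caller already owns (securitylake list-data-lakes)
    """
    if caller_account != mgmt_account:
        return NOT_MGMT  # the literal meaning of the error text in the question
    if delegated_admins:
        return ALREADY   # registering a second admin is refused; deregister first
    if existing_data_lakes > 0:
        # Security Lake was enabled while the account was standalone (accepted
        # answer): offboard it before delegating, or the call keeps failing.
        return STANDALONE
    return OK


def run(region: str) -> str:
    """Gather the inputs live with boto3 (assumed API shapes) and diagnose."""
    import boto3  # imported lazily so the module loads without AWS credentials

    caller = boto3.client("sts").get_caller_identity()["Account"]
    org = boto3.client("organizations")
    mgmt = org.describe_organization()["Organization"]["MasterAccountId"]
    admins = [a["Id"] for a in org.list_delegated_administrators(
        ServicePrincipal="securitylake.amazonaws.com")["DelegatedAdministrators"]]
    lakes = boto3.client("securitylake", region_name=region).list_data_lakes(
        regions=[region]).get("dataLakes", [])
    return diagnose(caller, mgmt, admins, len(lakes))


if __name__ == "__main__":
    print(run("us-east-1"))  # region is a placeholder; pick the one you onboard in
```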
0

Can you please confirm that you are trying to enable the delegated administrator account from the Organization management account? In Organizations, the account that you use to create the organization is called the management account. To integrate Security Lake with Organizations, the management account must designate a delegated Security Lake administrator account for the organization.

AWS
answered a year ago
  • Thanks for your response! I was inside the management account when I tried to delegate the Security Lake administrator, but I still received an error.
