"ListDelegatedAdministrator operation: You don't have permissions to access this resource" error for Config Aggregator in the Organisation

Question

Hello everyone,

I have a problem with AWS Config aggregator permissions.

I have organisation and under this organisation I have many subaccounts and users are logging in using the SSO roles. I'm the administrator in the management account and when I try to create AWS Config Aggregator for all accounts in org in the particular subaccount I get an error:

"An error occurred (AccessDeniedException) when calling the ListDelegatedAdministrator operation: You don't have permissions to access this resource."

Information about setup of the organisation:
- There are no SCP policies configured
- In the Services the Config is enabled
- I run the command "$aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID"
But it still shows the same error.

SanghoLEE · Answer

You must be signed in to the management account or a registered delegated administrator and all the features must be enabled in your organization. If the caller is a management account, AWS Config calls EnableAwsServiceAccess API to enable integration between AWS Config and AWS Organizations. If the caller is a registered delegated administrator, AWS Config calls ListDelegatedAdministrators API to verify whether the caller is a valid delegated administrator.

Ensure that the management account registers delegated administrator for AWS Config service principal name (config.amazonaws.com) before the delegated administrator creates an aggregator. To register a delegated administrator, see Registering a Delegated Administrator.

Ref. : https://docs.aws.amazon.com/config/latest/developerguide/aggregated-create.html

"ListDelegatedAdministrator operation: You don't have permissions to access this resource" error for Config Aggregator in the Organisation

Add your answer

Relevant content