Unable to enable Delegated Admin for Inspector2

0

We tried to enable Delegated Admin for Inspector and got a permissions error. We have tried with 2 accounts (a limited account and one with admin permissions). The limited account has the required permissions: AmazonInspector2FullAccess

Should I add additional permissions on the target account side?

Terraform:

resource "aws_inspector2_delegated_admin_account" "delegated_admin_account_for_inspector" {
  account_id = var.delegated_admin_acc_id
}

Error message:

Error: creating Amazon Inspector Delegated Admin Account (######): operation error Inspector2: EnableDelegatedAdminAccount, https response error StatusCode: 403, RequestID: #####,  AccessDeniedException: Invoking account does not have access to enable delegated administrator account
Rustam
Asked 5 months ago, 252 views
1 answer
0

It is important to note that only the management or master account of your Organisation has the privilege to designate a delegated administrator for Amazon Inspector. 

Ensure that the IAM entity performing the steps has the following permissions:

{
    "Sid": "PermissionsForInspectorAdmin",
    "Effect": "Allow",
    "Action": [
        "inspector2:EnableDelegatedAdminAccount",
        "organizations:EnableAWSServiceAccess",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization"
    ],
    "Resource": "*"
}

[+] Permissions required to designate a delegated administrator - https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html#delegated-admin-permissions

Answered 5 months ago
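The accepted answer's point is that the call must come from the Organizations management account, and the original module gives no hint of that until the API returns a 403. The following Terraform is an added example (not code from the question or the answer) that makes the requirement explicit: the resource is pinned to a provider configured with management-account credentials, and a plan-time precondition compares the caller's account with the Organization's management account ID so a wrong credential set fails at `terraform plan` instead of at apply. The provider alias `mgmt`, the region, and the variable name are assumptions; the data-source attributes `aws_caller_identity.account_id` and `aws_organizations_organization.master_account_id` are the AWS provider's real attributes.

```hcl
# Added example, not from the original post. Assumes credentials for the
# Organizations management account are available to the "mgmt" provider
# alias (profile, assumed role or environment); region is arbitrary.
terraform {
  required_version = ">= 1.2" # lifecycle preconditions need 1.2+
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  alias  = "mgmt"
  region = "eu-west-1"
}

variable "delegated_admin_acc_id" {
  description = "Member account that will act as the Inspector delegated administrator"
  type        = string
}

# Who are we calling as, and which account owns the Organization?
data "aws_caller_identity" "mgmt" {
  provider = aws.mgmt
}

data "aws_organizations_organization" "org" {
  provider = aws.mgmt
}

resource "aws_inspector2_delegated_admin_account" "delegated_admin_account_for_inspector" {
  provider   = aws.mgmt
  account_id = var.delegated_admin_acc_id

  lifecycle {
    # inspector2:EnableDelegatedAdminAccount is only honoured when the caller
    # is the management account. Check that before the API call so the failure
    # is a readable plan error rather than the AccessDeniedException above.
    precondition {
      condition     = data.aws_caller_identity.mgmt.account_id == data.aws_organizations_organization.org.master_account_id
      error_message = "Apply this resource with management-account credentials: caller is ${data.aws_caller_identity.mgmt.account_id}, management account is ${data.aws_organizations_organization.org.master_account_id}."
    }
  }
}
```

The IAM principal behind the `mgmt` provider still needs the `inspector2:EnableDelegatedAdminAccount` and `organizations:*` actions listed in the answer; `AmazonInspector2FullAccess` on a member account does not substitute for running the call from the management account.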
