

# Managing multiple Macie accounts with AWS Organizations

If you use AWS Organizations to centrally manage multiple AWS accounts, you can integrate Amazon Macie with AWS Organizations, and then centrally manage Macie for accounts in your organization. With this configuration, a designated Macie administrator can enable and manage Macie for as many as 10,000 accounts. The administrator can also access Amazon Simple Storage Service (Amazon S3) inventory data and discover sensitive data in S3 buckets that the accounts own. For details about tasks that the administrator can perform, see [Macie administrator and member account relationships](accounts-mgmt-relationships.md).

AWS Organizations is a global account management service that enables AWS administrators to consolidate and centrally manage multiple AWS accounts. It provides account management and consolidated billing features that are designed to support budgetary, security, and compliance needs. It’s offered at no additional charge and it integrates with multiple AWS services, including Macie, AWS Security Hub CSPM, and Amazon GuardDuty. To learn more, see the [AWS Organizations User Guide](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html).

To integrate Macie with AWS Organizations, you start by designating an account as the delegated Macie administrator account for the organization. The Macie administrator then enables Macie for other accounts in the organization, adds those accounts as Macie member accounts, and configures Macie settings and resources for the accounts.

**Tip**  
If you already associated a Macie administrator account with member accounts by using invitations, you can designate that account as the delegated Macie administrator account for your organization in AWS Organizations. If you do this, all currently associated member accounts remain members and you can take full advantage of the benefits of managing accounts by using AWS Organizations. For more information, see [Transitioning from an invitation-based organization](accounts-mgmt-ao-notes.md#accounts-mgmt-ao-notes-transition-invitations).

The topics in this section explain how to integrate Macie with AWS Organizations and how to administer and manage Macie for accounts in an organization.

**Topics**
+ [Considerations and recommendations](accounts-mgmt-ao-notes.md)
+ [Integrating and configuring an organization](accounts-mgmt-ao-integrate.md)
+ [Reviewing organization accounts](accounts-mgmt-ao-review.md)
+ [Managing member accounts](accounts-mgmt-ao-administer.md)
+ [Changing the administrator account](accounts-mgmt-ao-admin-change.md)
+ [Disabling integration with AWS Organizations](accounts-mgmt-ao-disable.md)

# Considerations for using Macie with AWS Organizations

Before you integrate Amazon Macie with AWS Organizations and configure your organization in Macie, consider the following requirements and recommendations. Also ensure that you understand the [relationship between Macie administrator and member accounts](accounts-mgmt-relationships.md).

**Topics**
+ [Designating an administrator account](#accounts-mgmt-ao-notes-admin-designate)
+ [Changing or removing the administrator account designation](#accounts-mgmt-ao-notes-admin-remove)
+ [Adding and removing member accounts](#accounts-mgmt-ao-notes-members-manage)
+ [Transitioning from an invitation-based organization](#accounts-mgmt-ao-notes-transition-invitations)

## Designating a Macie administrator account

While you determine which account should be the delegated Macie administrator account for your organization, keep the following in mind:
+ An organization can have only one delegated Macie administrator account.
+ An account can’t be a Macie administrator and member account at the same time.
+ Only the AWS Organizations management account for an organization can designate the delegated Macie administrator account for the organization. Only the management account can subsequently change or remove that designation.
+ The AWS Organizations management account for an organization can also be the delegated Macie administrator account for the organization. However, we don't recommend this configuration based on AWS security best practices and the principle of least privilege. Users who have access to the management account for billing purposes are likely to be different from users who need access to Macie for information security purposes.

  If you prefer this configuration, you must enable Macie for the organization's management account in at least one AWS Region before you designate the account as the delegated Macie administrator account. Otherwise, the account won't be able to access and manage Macie settings and resources for member accounts.
+ Unlike AWS Organizations, Macie is a Regional service. This means that the designation of a Macie administrator account is a Regional designation. It also means that associations between Macie administrator and member accounts are Regional. For example, if the management account designates a Macie administrator account in the US East (N. Virginia) Region, the Macie administrator can manage Macie for member accounts only in that Region.

  To centrally manage Macie accounts in multiple AWS Regions, the management account must sign in to each Region where the organization currently uses or will use Macie, and then designate the Macie administrator account in each of those Regions. The Macie administrator can then configure the organization in each of those Regions. For a list of Regions where Macie is currently available, see [Amazon Macie endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/macie.html) in the *AWS General Reference*.
+ An account can be associated with only one Macie administrator account at a time. If your organization uses Macie in multiple Regions, the designated Macie administrator account must be the same in all of those Regions. However, your organization’s management account must designate the administrator account separately in each Region.
+ An account can be the delegated Macie administrator account for only one organization at a time. If you manage multiple organizations in AWS Organizations, you must designate a different Macie administrator account for each organization. This is due to an AWS Organizations requirement—an account can be a member of only one organization at a time.

If the Macie administrator’s AWS account is suspended, isolated, or closed, all associated Macie member accounts are automatically removed as Macie member accounts but Macie continues to be enabled for the accounts. If [automated sensitive data discovery](discovery-asdd.md) was enabled for one or more member accounts, it's disabled for the accounts. This also disables access to statistical data, inventory data, and other information that Macie produced and directly provided while performing automated discovery for the accounts. To restore access to this data, the following must occur within 30 days:

1. The Macie administrator’s AWS account is restored.

1. The AWS Organizations management account designates the account as the Macie administrator account again.

1. The Macie administrator configures the organization and enables automated discovery for the appropriate accounts again.

After 30 days, Macie permanently deletes data that it previously produced and directly provided while performing automated discovery for the applicable accounts.

## Changing or removing the designation of a Macie administrator account

Only the AWS Organizations management account for an organization can change or remove the designation of a delegated Macie administrator account for the organization.

If the management account changes or removes the designation:
+ All associated member accounts are removed as Macie member accounts but Macie continues to be enabled for the accounts. The accounts become standalone Macie accounts. To pause or stop using Macie, a user of a member account must suspend (pause) or disable (stop) Macie for the account.
+ Automated sensitive data discovery is disabled for each account that it was enabled for. This also disables access to statistical data, inventory data, and other information that Macie produced and directly provided while performing automated discovery for each account. To restore access to this data, the management account must designate the same Macie administrator account again within 30 days. In addition, the Macie administrator must configure the organization again and re-enable automated discovery for each account within 30 days. After 30 days, the data expires and Macie permanently deletes it.

## Adding and removing Macie member accounts

As you add, remove, and otherwise manage member accounts for your organization, keep the following in mind:
+ A Macie administrator account can be associated with no more than 10,000 Macie member accounts in each AWS Region. If your organization exceeds this quota, the Macie administrator won’t be able to add member accounts until they remove the necessary number of existing member accounts in the Region. When an organization meets this quota, we notify the Macie administrator by creating an AWS Health event for their account. We also send email to the address that’s associated with their account.

  If you’re the Macie administrator for an organization, you can determine how many member accounts are currently associated with your account by using the **Accounts** page on the Amazon Macie console or the [ListMembers](https://docs.aws.amazon.com/macie/latest/APIReference/members.html) operation of the Amazon Macie API. For more information, see [Reviewing Macie accounts for an organization](accounts-mgmt-ao-review.md).
+ An account can be associated with only one Macie administrator account at a time. This means that an account can’t accept a Macie invitation from another account if it’s already associated with the Macie administrator account for an organization in AWS Organizations.

  Similarly, if an account already accepted an invitation, the Macie administrator for an organization in AWS Organizations can’t add the account as a Macie member account. The account must first disassociate from its current, invitation-based administrator account.
+ To add the AWS Organizations management account as a Macie member account, a user of the management account must first enable Macie for the account. The Macie administrator isn’t allowed to enable Macie for the management account.
+ If the Macie administrator removes a Macie member account:
  + Macie continues to be enabled for the account. The account becomes a standalone Macie account. To pause or stop using Macie, a user of the account must suspend (pause) or disable (stop) Macie for the account.
  + Automated sensitive data discovery is disabled for the account, if it was enabled. This also disables access to statistical data, inventory data, and other information that Macie produced and directly provided while performing automated discovery for the account.
+ A member account can’t disassociate from its Macie administrator account. Only the Macie administrator can remove an account as a Macie member account.

## Transitioning from an invitation-based organization

If you already associated a Macie administrator account with member accounts by using Macie membership invitations, we recommend that you designate that account as the delegated Macie administrator account for your organization in AWS Organizations. This simplifies the transition from an invitation-based organization.

If you do this, all currently associated member accounts continue to be members. If a member account is part of your organization in AWS Organizations, the account’s association automatically changes from **By invitation** to **Via AWS Organizations** in Macie. If a member account isn’t part of your organization in AWS Organizations, the account’s association continues to be **By invitation**. In both cases, the accounts continue to be associated with the delegated Macie administrator account as member accounts. For sensitive data discovery, this also means that the accounts can continue to access statistical and other data that Macie produced and directly provided while performing automated sensitive data discovery for the accounts. In addition, if the Macie administrator configured sensitive data discovery jobs to analyze data for the accounts, subsequent job runs will continue to include resources that the accounts own.

We recommend this approach because an account can’t be associated with more than one Macie administrator account at the same time. If you designate a different account as the Macie administrator account for your organization in AWS Organizations, the designated administrator won’t be able to manage accounts that are already associated with another Macie administrator account by invitation. Each member account must first disassociate from its current, invitation-based administrator account. The Macie administrator for your organization in AWS Organizations can then add the account as a Macie member account and begin managing the account.

After you integrate Macie with AWS Organizations and you configure your organization in Macie, you can optionally designate a different Macie administrator account for the organization. You can also continue to use invitations to associate and manage member accounts that aren't part of your organization in AWS Organizations.

# Integrating and configuring an organization in Macie

To start using Amazon Macie with AWS Organizations, the AWS Organizations management account for the organization designates an account as the delegated Macie administrator account for the organization. This enables Macie as a trusted service in AWS Organizations. It also enables Macie in the current AWS Region for the designated administrator account, and it allows the designated administrator account to enable and manage Macie for other accounts in the organization in that Region. For information about how these permissions are granted, see [Using AWS Organizations with other AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) in the *AWS Organizations User Guide*.

The delegated Macie administrator then configures the organization in Macie, primarily by adding the organization’s accounts as Macie member accounts in the Region. The administrator can then access certain Macie settings, data, and resources for those accounts in that Region. They can also perform automated sensitive data discovery and run sensitive data discovery jobs to detect sensitive data in Amazon Simple Storage Service (Amazon S3) buckets that the accounts own.

This topic explains how to designate a delegated Macie administrator for an organization and how to add the organization's accounts as Macie member accounts. Before you perform these tasks, ensure that you understand the [relationship between Macie administrator and member accounts](accounts-mgmt-relationships.md). It’s also a good idea to review the [considerations and recommendations](accounts-mgmt-ao-notes.md) for using Macie with AWS Organizations.

**Topics**
+ [Step 1: Verify your permissions](#accounts-mgmt-ao-admin-designate-permissions)
+ [Step 2: Designate the delegated Macie administrator account](#accounts-mgmt-ao-admin-designate)
+ [Step 3: Automatically enable and add new organization accounts](#accounts-mgmt-ao-members-autoenable)
+ [Step 4: Enable and add existing organization accounts](#accounts-mgmt-ao-members-add-existing)

To integrate and configure the organization in multiple Regions, the AWS Organizations management account and the delegated Macie administrator repeat these steps in each additional Region.

## Step 1: Verify your permissions

Before you designate the delegated Macie administrator account for your organization, verify that you (as a user of the AWS Organizations management account) are allowed to perform the following Macie action: `macie2:EnableOrganizationAdminAccount`. This action allows you to designate the delegated Macie administrator account for your organization by using Macie.

Also verify that you're allowed to perform the following AWS Organizations actions:
+ `organizations:DescribeOrganization`
+ `organizations:EnableAWSServiceAccess`
+ `organizations:ListAWSServiceAccessForOrganization`
+ `organizations:RegisterDelegatedAdministrator`

These actions allow you to retrieve information about your organization, integrate Macie with AWS Organizations (enable Macie as a trusted service), retrieve the list of AWS services that you've already integrated with AWS Organizations, and register a delegated Macie administrator account for your organization.

To grant these permissions, include the following statement in an AWS Identity and Access Management (IAM) policy for your account:

```
{
   "Sid": "Grant permissions to designate a delegated Macie administrator",
   "Effect": "Allow",
   "Action": [
      "macie2:EnableOrganizationAdminAccount",
      "organizations:DescribeOrganization",
      "organizations:EnableAWSServiceAccess",
      "organizations:ListAWSServiceAccessForOrganization",
      "organizations:RegisterDelegatedAdministrator"
   ],
   "Resource": "*"
}
```

If you want to designate your AWS Organizations management account as the delegated Macie administrator account for the organization, your account also needs permission to perform the following IAM action: `iam:CreateServiceLinkedRole`. This action allows Macie to create its service-linked role when you enable Macie for the management account. However, based on AWS security best practices and the principle of least privilege, we don't recommend that you do this.

If you decide to grant this permission, add the following statement to the IAM policy for your AWS Organizations management account:

```
{
   "Sid": "Grant permissions to enable Macie",
   "Effect": "Allow",
   "Action": [
      "iam:CreateServiceLinkedRole"
   ],
   "Resource": "arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
   "Condition": {
      "StringLike": {
         "iam:AWSServiceName": "macie.amazonaws.com"
      }
   }
}
```

In the statement, replace *111122223333* with the account ID for the management account.

If you want to administer Macie in an opt-in AWS Region (Region that's disabled by default), also update the value for the Macie service principal in the `Resource` element and the `iam:AWSServiceName` condition. The value must specify the Region code for the Region. For example, to administer Macie in the Middle East (Bahrain) Region, which has the Region code *me-south-1*, do the following:
+ In the `Resource` element, replace

  `arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie`

  with

  `arn:aws:iam::111122223333:role/aws-service-role/macie.me-south-1.amazonaws.com/AWSServiceRoleForAmazonMacie`

  Where *111122223333* specifies the account ID for the management account and *me-south-1* specifies the Region code for the Region.
+ In the `iam:AWSServiceName` condition, replace `macie.amazonaws.com` with `macie.me-south-1.amazonaws.com`, where *me-south-1* specifies the Region code for the Region.

For a list of Regions where Macie is currently available and the Region code for each one, see [Amazon Macie endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/macie.html) in the *AWS General Reference*. To determine whether a Region is an opt-in Region, see [Enable or disable AWS Regions in your account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) in the *AWS Account Management User Guide*.
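The following is an added Python example, not code from the Macie documentation, that generates the two Step 1 statements for a given Region instead of editing them by hand. It encodes the rule stated above: the service-linked-role ARN and the `iam:AWSServiceName` value use `macie.amazonaws.com` in Regions that are enabled by default and `macie.<region-code>.amazonaws.com` in opt-in Regions. Whether a Region is an opt-in Region is passed in by the caller (an assumption; check the Account Management reference linked above), and the `Sid` names are this example's own alphanumeric choices.

```python
"""Generate the management-account IAM statements from Step 1 for one Region.

Added example (not from the Macie documentation). The caller decides whether the
Region is an opt-in Region; the Sid values are this example's own names.
"""
import json

# Actions required to designate a delegated Macie administrator (from Step 1).
DESIGNATE_ACTIONS = [
    "macie2:EnableOrganizationAdminAccount",
    "organizations:DescribeOrganization",
    "organizations:EnableAWSServiceAccess",
    "organizations:ListAWSServiceAccessForOrganization",
    "organizations:RegisterDelegatedAdministrator",
]


def macie_service_principal(region: str, opt_in: bool) -> str:
    """Service principal Macie uses in `region`; it is Regionalized only for opt-in Regions."""
    return f"macie.{region}.amazonaws.com" if opt_in else "macie.amazonaws.com"


def macie_slr_arn(account_id: str, region: str, opt_in: bool) -> str:
    """ARN of the Macie service-linked role in `account_id` for `region`."""
    if not (len(account_id) == 12 and account_id.isdigit()):
        raise ValueError(f"not a 12-digit account ID: {account_id!r}")
    principal = macie_service_principal(region, opt_in)
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            f"{principal}/AWSServiceRoleForAmazonMacie")


def management_account_policy(account_id: str, region: str, opt_in: bool,
                              allow_self_designation: bool = False) -> dict:
    """Policy document for a user of the AWS Organizations management account.

    The second statement is emitted only when the management account will be the
    delegated administrator itself, which the documentation recommends against.
    """
    statements = [{
        "Sid": "DesignateDelegatedMacieAdministrator",
        "Effect": "Allow",
        "Action": DESIGNATE_ACTIONS,
        "Resource": "*",
    }]
    if allow_self_designation:
        statements.append({
            "Sid": "CreateMacieServiceLinkedRole",
            "Effect": "Allow",
            "Action": ["iam:CreateServiceLinkedRole"],
            # Both the role ARN and the condition value must carry the Region code
            # in an opt-in Region; in a default Region neither does.
            "Resource": macie_slr_arn(account_id, region, opt_in),
            "Condition": {"StringLike": {
                "iam:AWSServiceName": macie_service_principal(region, opt_in)}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample: management account 111122223333 in the opt-in Region me-south-1.
    print(json.dumps(management_account_policy("111122223333", "me-south-1", True, True), indent=2))
```

Keep `allow_self_designation` at its default of `False` unless you have decided to accept the least-privilege trade-off described above; the generated document then contains only the designation statement.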

## Step 2: Designate the delegated Macie administrator account for the organization

After you verify your permissions, you (as a user of the AWS Organizations management account) can designate the delegated Macie administrator account for your organization.

**To designate the delegated Macie administrator account for an organization**  
To designate the delegated Macie administrator account for your organization, you can use the Amazon Macie console or the Amazon Macie API. Only a user of the AWS Organizations management account can perform this task.

------
#### [ Console ]

Follow these steps to designate the delegated Macie administrator account by using the Amazon Macie console.

**To designate the delegated Macie administrator account**

1. Sign in to the AWS Management Console using your AWS Organizations management account.

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to designate the delegated Macie administrator account for your organization.

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. Do one of the following, depending on whether Macie is enabled for your management account in the current Region:
   + If Macie isn’t enabled, choose **Get started** on the welcome page.
   + If Macie is enabled, choose **Settings** in the navigation pane.

1. Under **Delegated administrator**, enter the 12-digit account ID for the AWS account that you want to designate as the Macie administrator account.

1. Choose **Delegate**.

Repeat the preceding steps in each additional Region in which you want to integrate your organization with Macie. You must designate the same Macie administrator account in each of those Regions.

------
#### [ API ]

To designate the delegated Macie administrator account programmatically, use the [EnableOrganizationAdminAccount](https://docs.aws.amazon.com/macie/latest/APIReference/admin.html) operation of the Amazon Macie API. To designate the account in multiple Regions, submit the designation for each Region in which you want to integrate your organization with Macie. You must designate the same Macie administrator account in each of those Regions.

When you submit the designation, use the required `adminAccountId` parameter to specify the 12-digit account ID for the AWS account to designate as the Macie administrator account for the organization. Also ensure that you specify the Region that the designation applies to.

To designate the Macie administrator account by using the [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html), run the [enable-organization-admin-account](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/enable-organization-admin-account.html) command. For the `admin-account-id` parameter, specify the 12-digit account ID for the AWS account to designate. Use the `region` parameter to specify the Region that the designation applies to. For example:

```
$ aws macie2 enable-organization-admin-account --region us-east-1 --admin-account-id 111122223333
```

Where *us-east-1* is the Region that the designation applies to (the US East (N. Virginia) Region) and *111122223333* is the account ID for the account to designate.
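Because the designation is Regional and must name the same account everywhere, it is usually scripted. The following is an added Python example, not code from the Macie documentation, that submits `EnableOrganizationAdminAccount` in each Region from the management account, refuses to designate the management account itself unless that is explicitly allowed (the least-privilege recommendation above), and reports the outcome per Region. It uses the boto3 `macie2` client for real runs and, for the offline demo, a constructed stub client (`_StubMacie`); the Region list and account IDs are constructed sample values, and `management_account_id` is assumed to come from `organizations:DescribeOrganization` (the `MasterAccountId` field).

```python
"""Designate the same delegated Macie administrator account in several Regions.

Added example, not from the Macie documentation. Intended to run as a user of the
AWS Organizations management account. boto3 is imported lazily inside
`boto3_macie_client` so the module loads, and the offline demo runs, without it.
`_StubMacie`, the Region list and the account IDs are constructed sample values.
"""
from typing import Callable, Dict, List


def boto3_macie_client(region: str):
    """Real macie2 client for `region` (needs boto3 and management-account credentials)."""
    import boto3
    return boto3.client("macie2", region_name=region)


def designate_macie_admin(admin_account_id: str, regions: List[str],
                          management_account_id: str,
                          client_for: Callable = boto3_macie_client,
                          allow_management_account: bool = False) -> Dict[str, str]:
    """Call EnableOrganizationAdminAccount once per Region; return the outcome per Region.

    The designation is Regional, so each Region the organization uses Macie in needs
    its own call, and the same account ID is used throughout because an account can be
    associated with only one Macie administrator at a time. `management_account_id` is
    the MasterAccountId that organizations:DescribeOrganization returns (assumed here).
    """
    if not (len(admin_account_id) == 12 and admin_account_id.isdigit()):
        raise ValueError(f"not a 12-digit account ID: {admin_account_id!r}")
    if admin_account_id == management_account_id and not allow_management_account:
        # Least-privilege guard: designating the management account is supported but
        # not recommended, so require an explicit opt-in.
        return {r: "skipped: admin would be the management account" for r in regions}
    results: Dict[str, str] = {}
    for region in regions:
        try:
            client_for(region).enable_organization_admin_account(adminAccountId=admin_account_id)
            results[region] = "designated"
        except Exception as exc:  # e.g. a conflict when an administrator is already set
            results[region] = f"failed: {exc}"
    return results


class _StubMacie:
    """Constructed offline stand-in for the macie2 client; records calls, fails where told."""
    calls: Dict[str, list] = {}

    def __init__(self, region: str, fail_in=("eu-west-1",)):
        self.region, self.fail_in = region, set(fail_in)

    def enable_organization_admin_account(self, **kwargs):
        self.calls.setdefault(self.region, []).append(kwargs)
        if self.region in self.fail_in:
            raise RuntimeError("ConflictException: a delegated administrator is already set")
        return {}


if __name__ == "__main__":
    print(designate_macie_admin("444455556666", ["us-east-1", "eu-west-1"],
                                management_account_id="111122223333", client_for=_StubMacie))
```

For a real run, drop the `client_for` argument so the boto3 client is used, and pass the Regions in which your organization uses or will use Macie; a `failed:` entry for a Region means the other Regions were still processed and only that one needs attention.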

------

After you designate the Macie administrator account for your organization, the Macie administrator can begin configuring the organization in Macie.

## Step 3: Automatically enable and add new organization accounts as Macie member accounts

By default, Macie isn’t automatically enabled for new accounts when the accounts are added to your organization in AWS Organizations. In addition, the accounts aren’t automatically added as Macie member accounts. The accounts appear in the Macie administrator's account inventory. However, Macie isn't necessarily enabled for the accounts and the Macie administrator can’t necessarily access Macie settings, data, and resources for the accounts.

If you’re the delegated Macie administrator for the organization, you can change this configuration setting. You can turn on automatic enablement for your organization. If you do this, Macie is automatically enabled for new accounts when the accounts are added to your organization in AWS Organizations. In addition, the accounts are automatically associated with your Macie administrator account as member accounts. Turning on this setting doesn't affect existing accounts in your organization. To enable and manage Macie for existing accounts, you must manually add the accounts as Macie member accounts. The [next step](#accounts-mgmt-ao-members-add-existing) explains how to do this.

**Note**  
If you turn on automatic enablement, note the following exception. If a new account is already associated with a different Macie administrator account, Macie doesn’t automatically add the account as a member account in your organization. The account must disassociate from its current Macie administrator account before it can be part of your organization in Macie. You can then manually add the account. To identify accounts where this is the case, you can [review the account inventory](accounts-mgmt-ao-review.md) for your organization.

**To automatically enable and add new organization accounts as Macie member accounts**  
To automatically enable and add new accounts as Macie member accounts, you can use the Amazon Macie console or the Amazon Macie API. Only the delegated Macie administrator for the organization can perform this task.

------
#### [ Console ]

To perform this task by using the console, you must be allowed to perform the following AWS Organizations action: `organizations:ListAccounts`. This action allows you to retrieve and display information about the accounts in your organization. If you have this permission, follow these steps to automatically enable and add new organization accounts as Macie member accounts.

**To automatically enable and add new organization accounts**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to automatically enable and add new accounts as Macie member accounts.

1. In the navigation pane, choose **Accounts**.

1. On the **Accounts** page, in the **New accounts** section, choose **Edit**.

1. In the **Edit settings for new accounts** dialog box, select **Enable Macie**.

   To also enable automated sensitive data discovery automatically for new member accounts, select **Enable automated sensitive data discovery**. If you enable this feature for an account, Macie continually selects sample objects from the account's S3 buckets and analyzes the objects to determine whether they contain sensitive data. For more information, see [Performing automated sensitive data discovery](discovery-asdd.md).

1. Choose **Save**.

Repeat the preceding steps in each additional Region in which you want to configure your organization in Macie.

To subsequently change these settings, repeat the preceding steps and clear the checkbox for each setting.

------
#### [ API ]

To automatically enable and add new Macie member accounts programmatically, use the [UpdateOrganizationConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/admin-configuration.html) operation of the Amazon Macie API. When you submit your request, set the value for the `autoEnable` parameter to `true`. (The default value is `false`.) Also ensure that you specify the Region that your request applies to. To automatically enable and add new accounts in additional Regions, submit the request for each additional Region.

If you use the AWS CLI to submit the request, run the [update-organization-configuration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/update-organization-configuration.html) command and specify the `auto-enable` parameter to enable and add new accounts automatically. For example:

```
$ aws macie2 update-organization-configuration --region us-east-1 --auto-enable
```

Where *us-east-1* is the Region in which to automatically enable and add new accounts, the US East (N. Virginia) Region.

To subsequently change this setting and stop enabling and adding new accounts automatically, run the same command again and use the `no-auto-enable` parameter, instead of the `auto-enable` parameter, in each applicable Region.

You can also enable automated sensitive data discovery automatically for new member accounts. If you enable this feature for an account, Macie continually selects sample objects from the account's S3 buckets and analyzes the objects to determine whether they contain sensitive data. For more information, see [Performing automated sensitive data discovery](discovery-asdd.md). To enable this feature automatically for member accounts, use the [UpdateAutomatedDiscoveryConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-configuration.html) operation or, if you're using the AWS CLI, run the [update-automated-discovery-configuration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/update-automated-discovery-configuration.html) command.

------

## Step 4: Enable and add existing organization accounts as Macie member accounts

When you integrate Macie with AWS Organizations, Macie isn’t automatically enabled for all the existing accounts in your organization. In addition, the accounts aren’t automatically associated with the delegated Macie administrator account as Macie member accounts. Therefore, the final step of integrating and configuring your organization in Macie is to add existing organization accounts as Macie member accounts. When you add an existing account as a Macie member account, Macie is automatically enabled for the account and you (as the delegated Macie administrator) gain access to certain Macie settings, data, and resources for the account.

Note that you can’t add an account that’s currently associated with another Macie administrator account. To add the account, work with the account owner to first disassociate the account from its current administrator account. In addition, you can’t add an existing account if Macie is currently suspended for the account. The account owner must first re-enable Macie for the account. Finally, if you want to add the AWS Organizations management account as a member account, a user of that account must first enable Macie for the account.

**To enable and add existing organization accounts as Macie member accounts**  
To enable and add existing organization accounts as Macie member accounts, you can use the Amazon Macie console or the Amazon Macie API. Only the delegated Macie administrator for the organization can perform this task.

------
#### [ Console ]

To perform this task by using the console, you must be allowed to perform the following AWS Organizations action: `organizations:ListAccounts`. This action allows you to retrieve and display information about the accounts in your organization. If you have this permission, follow these steps to enable and add existing accounts as Macie member accounts.

**To enable and add existing organization accounts**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to enable and add existing accounts as Macie member accounts.

1. In the navigation pane, choose **Accounts**. The **Accounts** page opens and displays a table of the accounts that are associated with your Macie account.

   If an account is part of your organization in AWS Organizations, its **Type** is **Via AWS Organizations**. If an account is already a Macie member account, its **Status** is **Enabled** or **Paused (suspended)**.

1. In the **Existing accounts** table, select the checkbox for each account that you want to add as a Macie member account.

1. On the **Actions** menu, choose **Add member**.

1. Confirm that you want to add the selected accounts as member accounts.

After you confirm the addition of the selected accounts, the status of the accounts changes to **Enabling in process** and then **Enabled**. After you add a member account, you can also enable automated sensitive data discovery for the account: in the **Existing accounts** table, select the checkbox for each account that you want to enable it for, and then choose **Enable automated sensitive data discovery** on the **Actions** menu. If you enable this feature for an account, Macie continually selects sample objects from the account's S3 buckets and analyzes the objects to determine whether they contain sensitive data. For more information, see [Performing automated sensitive data discovery](discovery-asdd.md).

Repeat the preceding steps in each additional Region in which you want to configure your organization in Macie.

------
#### [ API ]

To programmatically enable and add one or more existing accounts as Macie member accounts, use the [CreateMember](https://docs.aws.amazon.com/macie/latest/APIReference/members.html) operation of the Amazon Macie API. When you submit your request, use the supported parameters to specify the 12-digit account ID and email address of each AWS account to enable and add. Also specify the Region that the request applies to. To enable and add existing accounts in additional Regions, submit the request for each additional Region.

To retrieve the account ID and email address of an AWS account to enable and add, you can optionally use the [ListMembers](https://docs.aws.amazon.com/macie/latest/APIReference/members.html) operation of the Amazon Macie API. This operation provides details about the accounts that are associated with your Macie account, including accounts that aren’t Macie member accounts. If the value for the `relationshipStatus` property of an account isn’t `Enabled` or `Paused`, the account isn’t a Macie member account.

To enable and add one or more existing accounts by using the AWS CLI, run the [create-member](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/create-member.html) command. Use the `region` parameter to specify the Region in which to enable and add the accounts. Use the `account` parameters to specify the account ID and email address for each AWS account to add. For example:

```
C:\> aws macie2 create-member --region us-east-1 --account={\"accountId\":\"123456789012\",\"email\":\"janedoe@example.com\"}
```

Where *us-east-1* is the Region in which to enable and add the account as a Macie member account (the US East (N. Virginia) Region), and the `account` parameters specify the account ID (*123456789012*) and email address (*janedoe@example.com*) for the account.

If your request succeeds, the status (`relationshipStatus`) of the specified account changes to `Enabled` in your account inventory.

To also enable automated sensitive data discovery for one or more of the accounts, use the [BatchUpdateAutomatedDiscoveryAccounts](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-accounts.html) operation or, if you're using the AWS CLI, run the [batch-update-automated-discovery-accounts](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/batch-update-automated-discovery-accounts.html) command. If you enable this feature for an account, Macie continually selects sample objects from the account's S3 buckets and analyzes the objects to determine whether they contain sensitive data. For more information, see [Performing automated sensitive data discovery](discovery-asdd.md).

------

# Reviewing Macie accounts for an organization
Reviewing organization accounts

After an AWS Organizations organization is [integrated and configured](accounts-mgmt-ao-integrate.md) in Amazon Macie, the delegated Macie administrator can access an inventory of the organization's accounts in Macie. As the Macie administrator for an organization, you can use this inventory to review statistics and details for your organization's Macie accounts in an AWS Region. You can also use it to [perform certain management tasks](accounts-mgmt-ao-administer.md) for the accounts.

**To review the Macie accounts for an organization**  
To review the accounts for your organization, you can use the Amazon Macie console or the Amazon Macie API. If you prefer to use the console, you must be allowed to perform the following AWS Organizations action: `organizations:ListAccounts`. This action allows you to retrieve and display information about accounts that are part of your organization in AWS Organizations.

------
#### [ Console ]

Follow these steps to review your organization's Macie accounts by using the Amazon Macie console.

**To review your organization's accounts**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to review your organization's accounts.

1. In the navigation pane, choose **Accounts**.

The **Accounts** page opens and displays aggregated statistics and a table of the accounts that are associated with your Macie account in the current AWS Region.

At the top of the **Accounts** page, you'll find the following aggregated statistics.

**Via AWS Organizations**  
**Active** reports the total number of accounts that are associated with your account through AWS Organizations and are currently Macie member accounts in your organization. Macie is enabled for these accounts and you’re the Macie administrator of the accounts.  
**All** reports the total number of accounts that are associated with your account through AWS Organizations. This includes accounts that aren’t currently Macie member accounts. It also includes member accounts that Macie is currently suspended for.

**By invitation**  
**Active** reports the total number of accounts that are associated with your account by Macie invitation and are currently Macie member accounts in your organization. These accounts aren’t associated with your account through AWS Organizations. Macie is enabled for the accounts and you’re the Macie administrator of the accounts because they accepted a Macie membership invitation from you.  
**All** reports the total number of accounts that are associated with your account by Macie invitation, including accounts that haven’t responded to an invitation from you.

**Active/All**  
**Active** reports the total number of accounts that Macie is currently enabled for in your organization, including your own account. You’re the Macie administrator of these accounts through AWS Organizations or by Macie invitation.  
**All** reports the total number of accounts that are associated with your account, through AWS Organizations or by Macie invitation, plus your own account. This includes accounts that are part of your organization in AWS Organizations and aren’t currently Macie member accounts. It also includes any accounts that haven’t responded to a Macie membership invitation from you.

In the table, you’ll find details about each account in the current Region. The table includes all the accounts that are associated with your Macie account through AWS Organizations or by Macie invitation.

**Account ID**  
The account ID and email address for the AWS account.

**Name**  
The account name for the AWS account. This value is typically **N/A** for your own account and for any accounts that are associated with your account by Macie invitation.

**Type**  
How the account is associated with your account, through AWS Organizations or by Macie invitation. For your own account, this value is **Current account**.

**Status**  
The status of the relationship between your account and the account. For an account in an AWS Organizations organization (**Type** is **Via AWS Organizations**), possible values are:  
+ **Account suspended** – The AWS account is suspended.
+ **Enabled** – The account is a Macie member account. Macie is enabled for the account and you’re the Macie administrator of the account.
+ **Enabling in process** – Macie is processing a request to enable and add the account as a Macie member account.
+ **Not a member** – The account is part of your organization in AWS Organizations but it isn’t a Macie member account.
+ **Paused (suspended)** – The account is a Macie member account but Macie is currently suspended for the account.
+ **Region disabled** – The account is part of your organization in AWS Organizations but the current Region is disabled for the AWS account.
+ **Removed (disassociated)** – The account was previously a Macie member account but was subsequently removed as a member account. You disassociated the account from your Macie administrator account. Macie continues to be enabled for the account.

**Last status update**  
When you or the associated account most recently performed an action that affected the relationship between your accounts.

**Automated sensitive data discovery**  
Whether automated sensitive data discovery is currently enabled or disabled for the account.

To sort the table by a specific field, choose the column heading for the field. To change the sort order, choose the column heading again. To filter the table, place your cursor in the filter box, and then add a filter condition for a field. To further refine the results, add filter conditions for additional fields.

------
#### [ API ]

To review your organization’s accounts programmatically, use the [ListMembers](https://docs.aws.amazon.com/macie/latest/APIReference/members.html) operation of the Amazon Macie API and specify the Region that your request applies to. To review the accounts in additional Regions, submit your request in each additional Region.

When you submit your request, use the `onlyAssociated` parameter to specify which accounts to include in the response. By default, Macie returns details about only those accounts that are Macie member accounts in the specified Region through AWS Organizations or by Macie invitation. To retrieve these details for all the accounts that are associated with your Macie account, including accounts that aren’t member accounts, include the `onlyAssociated` parameter in your request and set the parameter’s value to `false`.

To review your organization’s accounts by using the [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html), run the [list-members](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/list-members.html) command. For the `only-associated` parameter, specify whether to include all associated accounts or only Macie member accounts. To include only member accounts, omit this parameter or set the parameter’s value to `true`. To include all accounts, set this value to `false`. For example:

```
C:\> aws macie2 list-members --region us-east-1 --only-associated false
```

Where *us-east-1* is the Region that the request applies to, the US East (N. Virginia) Region.

If your request succeeds, Macie returns a `members` array. The array contains a `member` object for each account that meets the criteria specified in the request. In that object, the `relationshipStatus` field indicates the current status of the relationship between your account and the other account in the specified Region. For an account in an AWS Organizations organization, possible values are:
+ `AccountSuspended` – The AWS account is suspended.
+ `Created` – Macie is processing a request to enable and add the account as a Macie member account.
+ `Enabled` – The account is a Macie member account. Macie is enabled for the account and you’re the Macie administrator of the account.
+ `Paused` – The account is a Macie member account but Macie is currently suspended (paused) for the account.
+ `RegionDisabled` – The account is part of your organization in AWS Organizations but the current Region is disabled for the AWS account.
+ `Removed` – The account was previously a Macie member account but was subsequently removed as a member account. You disassociated the account from your Macie administrator account. Macie continues to be enabled for the account.

For information about other fields in the `member` object, see [Members](https://docs.aws.amazon.com/macie/latest/APIReference/members.html) in the *Amazon Macie API Reference*.

------

# Managing Macie member accounts for an organization
Managing member accounts

After an AWS Organizations organization is [integrated and configured](accounts-mgmt-ao-integrate.md) in Amazon Macie, the organization’s delegated Macie administrator can access certain Macie settings, data, and resources for member accounts. As the Macie administrator for an organization, you can use Macie to centrally perform certain account management and administration tasks for the accounts. For example, you can:
+ Add and remove accounts as Macie member accounts.
+ Manage the status of Macie for individual accounts, such as enable or suspend Macie for an account.
+ Monitor Macie quotas and estimated usage costs for individual accounts and the organization overall.

You can also review Amazon Simple Storage Service (Amazon S3) inventory data and policy findings for Macie member accounts. And you can discover sensitive data in S3 buckets that the accounts own. For a detailed list of tasks that you can perform, see [Macie administrator and member account relationships](accounts-mgmt-relationships.md).

By default, Macie gives you visibility into relevant data and resources for all the Macie member accounts in your organization. You can also drill down to review data and resources for individual accounts. For example, if you [use the Summary dashboard](monitoring-s3-dashboard.md) to assess your organization’s Amazon S3 security posture, you can filter the data by account. Similarly, if you [monitor estimated usage costs](account-mgmt-costs.md), you can access breakdowns of estimated costs for individual member accounts.

In addition to tasks that are common to administrator and member accounts, you can perform various administrative tasks for your organization.

**Topics**
+ [Adding member accounts](#accounts-mgmt-ao-members-add)
+ [Suspending Macie for member accounts](#accounts-mgmt-ao-members-suspend)
+ [Removing member accounts](#accounts-mgmt-ao-members-remove)

As the Macie administrator for an organization, you can perform these tasks by using the Amazon Macie console or the Amazon Macie API. If you prefer to use the console, you must be allowed to perform the following AWS Organizations action: `organizations:ListAccounts`. This action allows you to retrieve and display information about accounts that are part of your organization in AWS Organizations.

## Adding Macie member accounts to an organization
Adding member accounts

In some cases, you might need to manually add an account as an Amazon Macie member account. This is the case for accounts that you previously removed (disassociated) as member accounts. This is also the case if you didn’t configure Macie to [automatically enable and add new member accounts](accounts-mgmt-ao-integrate.md#accounts-mgmt-ao-members-autoenable) when accounts are added to your organization in AWS Organizations.

When you add an account as a Macie member account:
+ Macie is enabled for the account in the current AWS Region, if it isn’t already enabled in the Region.
+ The account is associated with your Macie administrator account as a member account in the Region. The member account doesn’t receive an invitation or other notification that you established this relationship between your accounts.
+ Automated sensitive data discovery might be enabled for the account in the Region. This depends on configuration settings that you specified for the organization. For more information, see [Configuring automated sensitive data discovery](discovery-asdd-account-manage.md).

Note that you can’t add an account that’s already associated with another Macie administrator account. The account must first disassociate from its current administrator account. In addition, you can’t add the AWS Organizations management account as a member account unless Macie is already enabled for the account. To learn about additional requirements, see [Considerations for using Macie with AWS Organizations](accounts-mgmt-ao-notes.md).

**To add a Macie member account to an organization**  
To add one or more Macie member accounts to your organization, you can use the Amazon Macie console or the Amazon Macie API.

------
#### [ Console ]

Follow these steps to add one or more Macie member accounts by using the Amazon Macie console.

**To add a Macie member account**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to add a member account.

1. In the navigation pane, choose **Accounts**. The **Accounts** page opens and displays a table of the accounts that are associated with your account.

1. (Optional) To more easily identify accounts that are part of your organization in AWS Organizations and aren’t Macie member accounts, use the filter box above the **Existing accounts** table to add the following filter conditions:
   + **Type = Organization**
   + **Status = Not a Member**

   To also display accounts that you previously removed and might want to add as member accounts, also add a **Status = Removed** filter condition.

1. In the **Existing accounts** table, select the checkbox for each account that you want to add as a member account.

1. On the **Actions** menu, choose **Add member**.

1. Confirm that you want to add the selected accounts as member accounts.

After you confirm your selections, the status of the selected accounts changes to **Enabling in process**, and then **Enabled** in your account inventory.

To add a member account in additional Regions, repeat the preceding steps in each additional Region.

------
#### [ API ]

To add one or more Macie member accounts programmatically, use the [CreateMember](https://docs.aws.amazon.com/macie/latest/APIReference/members.html) operation of the Amazon Macie API.

When you submit your request, use the supported parameters to specify the 12-digit account ID and email address for each AWS account that you want to add. Also specify the Region that the request applies to. To add an account in additional Regions, submit your request in each additional Region.

To retrieve the account ID and email address of an account to add, you can correlate the output of the [ListAccounts](https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html) operation of the AWS Organizations API and the [ListMembers](https://docs.aws.amazon.com/macie/latest/APIReference/members.html) operation of the Amazon Macie API. For the **ListMembers** operation of the Macie API, include the `onlyAssociated` parameter in your request and set the parameter’s value to `false`. If the operation succeeds, Macie returns a `members` array that provides details about all the accounts that are associated with your Macie administrator account in the specified Region, including accounts that aren't currently member accounts. Note the following in the array:
+ If the value for the `relationshipStatus` property of an account isn’t `Enabled` or `Paused`, the account is associated with your account but it isn’t a Macie member account.
+ If an account isn’t included in the array but is included in the output of the **ListAccounts** operation of the AWS Organizations API, the account is part of your organization in AWS Organizations but it isn’t associated with your account and, therefore, isn’t a Macie member account.
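
The correlation described above, carried out over constructed sample listings, as an added example that is not part of the Macie documentation or the AWS CLI. It assumes that `222222222222` is the delegated Macie administrator account, that `111111111111` is the Organizations management account, and that the two JSON documents were saved from `aws organizations list-accounts` and `aws macie2 list-members --only-associated false`.

```python
"""
Added example: correlate the output of the AWS Organizations ListAccounts
operation with the output of the Macie ListMembers operation (called with
onlyAssociated=false) to find organization accounts that still have to be
added as Macie member accounts, and build the --account value that
`aws macie2 create-member` expects for each of them.
"""
import json
import re

# relationshipStatus values that mean the account is already a Macie member.
MEMBER_STATUSES = {"Enabled", "Paused"}
# relationshipStatus values for which CreateMember should not be attempted now:
# the AWS account is suspended, the Region is disabled for it, or an earlier
# CreateMember request is still being processed.
WAIT_STATUSES = {"AccountSuspended", "RegionDisabled", "Created"}

# Constructed sample shaped like `aws organizations list-accounts` output.
ORG_ACCOUNTS_JSON = json.dumps({"Accounts": [
    {"Id": "111111111111", "Email": "mgmt@example.com", "Name": "management", "Status": "ACTIVE"},
    {"Id": "222222222222", "Email": "sec@example.com", "Name": "security", "Status": "ACTIVE"},
    {"Id": "333333333333", "Email": "prod@example.com", "Name": "prod", "Status": "ACTIVE"},
    {"Id": "444444444444", "Email": "dev@example.com", "Name": "dev", "Status": "ACTIVE"},
    {"Id": "555555555555", "Email": "old@example.com", "Name": "legacy", "Status": "SUSPENDED"},
    {"Id": "666666666666", "Email": "new@example.com", "Name": "sandbox", "Status": "ACTIVE"},
    {"Id": "777777777777", "Email": "data@example.com", "Name": "data-lake", "Status": "ACTIVE"},
]})

# Constructed sample shaped like `aws macie2 list-members --only-associated false` output.
MACIE_MEMBERS_JSON = json.dumps({"members": [
    {"accountId": "333333333333", "email": "prod@example.com", "relationshipStatus": "Enabled"},
    {"accountId": "444444444444", "email": "dev@example.com", "relationshipStatus": "Removed"},
    {"accountId": "777777777777", "email": "data@example.com", "relationshipStatus": "Created"},
    # Associated by invitation, not part of the organization: ignored below.
    {"accountId": "888888888888", "email": "partner@example.com", "relationshipStatus": "Invited"},
]})

ACCOUNT_ID_RE = re.compile(r"\d{12}")


def classify_org_accounts(org_accounts_json, macie_members_json, macie_admin_id, management_id=None):
    """Sort the organization's accounts into 'member', 'to_add' and 'skip' buckets.

    'to_add' entries carry the accountId and email that CreateMember needs,
    'member' entries are (accountId, relationshipStatus) and 'skip' entries
    are (accountId, reason).
    """
    org_accounts = json.loads(org_accounts_json)["Accounts"]
    members = {m["accountId"]: m for m in json.loads(macie_members_json)["members"]}
    result = {"member": [], "to_add": [], "skip": []}

    for acct in org_accounts:
        acct_id = acct["Id"]
        if not ACCOUNT_ID_RE.fullmatch(acct_id):
            raise ValueError(f"unexpected account ID format: {acct_id!r}")
        if acct_id == macie_admin_id:
            continue  # the delegated administrator account is never its own member
        status = members[acct_id]["relationshipStatus"] if acct_id in members else None

        if acct["Status"] != "ACTIVE":
            result["skip"].append((acct_id, f"Organizations account status is {acct['Status']}"))
        elif status in MEMBER_STATUSES:
            result["member"].append((acct_id, status))
        elif status in WAIT_STATUSES:
            result["skip"].append((acct_id, f"relationshipStatus is {status}"))
        elif acct_id == management_id:
            # The management account can only be added after a user of that
            # account has enabled Macie; these two listings cannot show that.
            result["skip"].append((acct_id, "management account: confirm Macie is enabled first"))
        else:
            # Never associated (absent from ListMembers) or previously removed:
            # both are candidates for CreateMember.
            reason = "not associated" if status is None else f"relationshipStatus is {status}"
            result["to_add"].append({"accountId": acct_id, "email": acct["Email"], "reason": reason})
    return result


def create_member_account_values(candidates):
    """Return the compact JSON value for create-member's --account parameter,
    one string per account (CreateMember takes a single account per request)."""
    return [json.dumps({"accountId": c["accountId"], "email": c["email"]}, separators=(",", ":"))
            for c in candidates]


if __name__ == "__main__":
    # Assumed roles for the sample: 222... is the delegated Macie administrator,
    # 111... is the Organizations management account.
    report = classify_org_accounts(ORG_ACCOUNTS_JSON, MACIE_MEMBERS_JSON,
                                   macie_admin_id="222222222222", management_id="111111111111")
    for acct_id, reason in report["skip"]:
        print(f"skip   {acct_id}: {reason}")
    for acct_id, status in report["member"]:
        print(f"member {acct_id}: {status}")
    # POSIX shell quoting; the page's examples show the Windows form with \" escapes.
    for value in create_member_account_values(report["to_add"]):
        print(f"aws macie2 create-member --region us-east-1 --account '{value}'")
```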

To add a member account by using the AWS Command Line Interface (AWS CLI), run the [create-member](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/create-member.html) command. Use the `region` parameter to specify the Region in which to add the account. Use the `account` parameters to specify the account ID and email address for each account to add. For example:

```
C:\> aws macie2 create-member --region us-east-1 --account={\"accountId\":\"123456789012\",\"email\":\"janedoe@example.com\"}
```

Where *us-east-1* is the Region in which to add the account as a member account (the US East (N. Virginia) Region), and the `account` parameters specify the account ID (*123456789012*) and email address (*janedoe@example.com*) for the account.

If your request succeeds, the status (`relationshipStatus`) of the specified account changes to `Enabled` in your account inventory.

------

## Suspending Macie for member accounts in an organization
Suspending Macie for member accounts

As the Amazon Macie administrator for an organization in AWS Organizations, you can suspend Macie for a member account in your organization. If you do this, you can also re-enable Macie for the account at a later time.

When you suspend Macie for a member account:
+ Macie loses access to and stops providing metadata about the account's Amazon S3 data in the current AWS Region.
+ Macie stops performing all activities for the account in the Region. This includes monitoring S3 buckets for security and access control, performing automated sensitive data discovery, and running sensitive data discovery jobs that are currently in progress.
+ Macie cancels all sensitive data discovery jobs that were created by the account in the Region. A job can't be resumed or restarted after it's cancelled. If you created jobs to analyze data that the member account owns, Macie doesn’t cancel your jobs. Instead, the jobs skip resources that are owned by the account.

While it's suspended, Macie retains the session identifier, settings, and resources that it stores or maintains for the account in the applicable Region. Macie also retains certain data for the account in the Region. For example, the account's findings remain intact and aren't affected for up to 90 days. If automated sensitive data discovery was enabled for the account, existing results also remain intact and aren't affected for up to 30 days. Your organization doesn’t incur Macie charges for the account in that Region while Macie is suspended for the account in the Region.

**To suspend Macie for a member account in an organization**  
To suspend Macie for a member account in an organization, you can use the Amazon Macie console or the Amazon Macie API.

------
#### [ Console ]

Follow these steps to suspend Macie for a member account by using the Amazon Macie console.

**To suspend Macie for a member account**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to suspend Macie for a member account.

1. In the navigation pane, choose **Accounts**. The **Accounts** page opens and displays a table of the accounts that are associated with your account.

1. In the **Existing accounts** table, select the checkbox for the account to suspend Macie for.

1. On the **Actions** menu, choose **Suspend Macie**.

1. Confirm that you want to suspend Macie for the account.

After you confirm the suspension, the status of the account changes to **Paused (suspended)** in your account inventory. To suspend Macie for the account in additional Regions, repeat the preceding steps in each additional Region.

To later re-enable Macie for the account, return to the **Accounts** page on the console. Select the checkbox for the account, and then choose **Enable Macie** on the **Actions** menu. To re-enable Macie for the account in additional Regions, repeat these steps in each additional Region.

------
#### [ API ]

To suspend Macie for a member account programmatically, use the [UpdateMemberSession](https://docs.aws.amazon.com/macie/latest/APIReference/macie-members-id.html) operation of the Amazon Macie API. You can also use this operation to later re-enable Macie for the account.

When you submit your request, use the `id` parameter to specify the 12-digit account ID for the AWS account that you want to suspend Macie for. For the `status` parameter, specify `PAUSED`. Also specify the Region that the request applies to. To suspend Macie for the account in additional Regions, submit your request in each additional Region.

To retrieve the account ID for the account, you can use the [ListMembers](https://docs.aws.amazon.com/macie/latest/APIReference/members.html) operation of the Amazon Macie API. If you do this, consider filtering the results by including the `onlyAssociated` parameter in your request. If you set this parameter’s value to `true`, Macie returns a `members` array that provides details about only those accounts that are currently member accounts.

To suspend Macie for a member account by using the AWS CLI, run the [update-member-session](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/update-member-session.html) command. Use the `region` parameter to specify the Region in which to suspend Macie for the account. Use the `id` parameter to specify the account ID for the account. For the `status` parameter, specify `PAUSED`. For example:

```
C:\> aws macie2 update-member-session --region us-east-1 --id 123456789012 --status PAUSED
```

Where *us-east-1* is the Region in which to suspend Macie (the US East (N. Virginia) Region), *123456789012* is the account ID for the account to suspend Macie for, and `PAUSED` is the new status of Macie for the account.

If your request succeeds, Macie returns an empty response and the status of the specified account changes to `Paused` in your account inventory. To later re-enable Macie for the account, run the **update-member-session** command again and specify `ENABLED` for the `status` parameter.

------

## Removing Macie member accounts from an organization
Removing member accounts

If you want to stop accessing Amazon Macie settings, data, and resources for a member account, you can remove the account as a Macie member account. You do this by disassociating the account from your Macie administrator account. Note that only you can do this for a member account. An AWS Organizations member account can’t disassociate from its Macie administrator account.

When you remove a Macie member account, Macie remains enabled for the account in the current AWS Region. However, the account is disassociated from your Macie administrator account and it becomes a standalone Macie account. This means that you lose access to all Macie settings, data, and resources for the account, including metadata and policy findings for the account’s Amazon S3 data. This also means that you can no longer use Macie to discover sensitive data in S3 buckets that the account owns. If you already created sensitive data discovery jobs to do this, the jobs skip buckets that the account owns. If you enabled automated sensitive data discovery for the account, both you and the member account lose access to statistical data, inventory data, and other information that Macie produced and directly provided while performing automated discovery for the account.

After you remove a Macie member account, the account continues to appear in your account inventory. Macie doesn't notify the account's owner that you removed the account. Therefore, consider contacting the account owner to ensure that they begin managing settings and resources for their account.

You can add the account to your organization again at a later time. If you do this and you enable automated sensitive data discovery for the account again within 30 days, you also regain access to data and information that Macie previously produced and directly provided while performing automated discovery for the account. In addition, subsequent runs of your existing jobs start including the account's S3 buckets again.

**To remove a Macie member account from an organization**  
To remove a Macie member account from your organization, you can use the Amazon Macie console or the Amazon Macie API.

------
#### [ Console ]

Follow these steps to remove a Macie member account by using the Amazon Macie console.

**To remove a Macie member account**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to remove a member account.

1. In the navigation pane, choose **Accounts**. The **Accounts** page opens and displays a table of the accounts that are associated with your account.

1. In the **Existing accounts** table, select the checkbox for the account that you want to remove as a member account.

1. On the **Actions** menu, choose **Disassociate account**.

1. Confirm that you want to remove the selected account as a member account.

After you confirm your selection, the status of the account changes to **Removed (disassociated)** in your account inventory.

To remove the member account in additional Regions, repeat the preceding steps in each additional Region.

------
#### [ API ]

To remove a Macie member account programmatically, use the [DisassociateMember](https://docs.aws.amazon.com/macie/latest/APIReference/members-disassociate-id.html) operation of the Amazon Macie API.

When you submit your request, use the `id` parameter to specify the 12-digit AWS account ID for the member account to remove. Also specify the Region that the request applies to. To remove the account in additional Regions, submit your request in each additional Region.

To retrieve the account ID for the member account to remove, you can use the [ListMembers](https://docs.aws.amazon.com/macie/latest/APIReference/members.html) operation of the Amazon Macie API. If you do this, consider filtering the results by including the `onlyAssociated` parameter in your request. If you set this parameter’s value to `true`, Macie returns a `members` array that provides details about only those accounts that are currently Macie member accounts.

To remove a Macie member account by using the AWS CLI, run the [disassociate-member](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/disassociate-member.html) command. Use the `region` parameter to specify the Region in which to remove the account. Use the `id` parameter to specify the account ID for the member account to remove. For example:

```
C:\> aws macie2 disassociate-member --region us-east-1 --id 123456789012
```

Where *us-east-1* is the Region in which to remove the account (the US East (N. Virginia) Region) and *123456789012* is the account ID for the account to remove.

If your request succeeds, Macie returns an empty response and the status of the specified account changes to `Removed` in your account inventory.

------

# Changing the Macie administrator account for an organization
Changing the administrator account

After an AWS Organizations organization is [integrated and configured](accounts-mgmt-ao-integrate.md) in Amazon Macie, the AWS Organizations management account can designate a different account as the delegated Macie administrator account for the organization. The new Macie administrator can then configure the organization in Macie again.

As a user of the AWS Organizations management account for an organization, verify that you meet the following permissions requirements before you designate a different Macie administrator account for your organization:
+ You must have the [same permissions](accounts-mgmt-ao-integrate.md#accounts-mgmt-ao-admin-designate-permissions) that were required to initially designate a Macie administrator account for your organization. You must also be allowed to perform the following AWS Organizations action: `organizations:DeregisterDelegatedAdministrator`. This additional action allows you to remove the current designation.
+ If your account is currently a Macie member account, the current Macie administrator must remove your account as a Macie member account. Otherwise, you won't be allowed to access Macie operations for designating a different administrator account. After you designate a new administrator account, the new Macie administrator can add your account as a Macie member account again.

If your organization uses Macie in multiple AWS Regions, also ensure that you change the designation in each Region in which your organization uses Macie. The delegated Macie administrator account must be the same in all of those Regions. If you manage multiple organizations in AWS Organizations, also note that an account can be the delegated Macie administrator account for only one organization at a time. To learn about additional requirements, see [Considerations for using Macie with AWS Organizations](accounts-mgmt-ao-notes.md).

**Note**  
When you designate a different Macie administrator account for your organization, you also disable access to existing statistical data, inventory data, and other information that Macie produced and directly provided while performing [automated sensitive data discovery](discovery-asdd.md) for accounts in the organization. The new Macie administrator can't access the existing data. If you change the designation and the new Macie administrator enables automated discovery for the accounts, Macie generates and maintains new data when it performs automated discovery for the accounts.

**To change the designation of a Macie administrator account**  
To designate a different Macie administrator account for your organization, you can use the Amazon Macie console or a combination of the Amazon Macie and AWS Organizations APIs. Only a user of the AWS Organizations management account can change the designation for their organization.

------
#### [ Console ]

Follow these steps to change the designation by using the Amazon Macie console.

**To change the designation**

1. Sign in to the AWS Management Console by using your AWS Organizations management account.

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to change the designation.

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. Do one of the following, depending on whether Macie is enabled for your management account in the current Region:
   + If Macie isn’t enabled, choose **Get started** on the welcome page.
   + If Macie is enabled, choose **Settings** in the navigation pane.

1. Under **Delegated administrator**, choose **Remove**. To change the designation, you must first remove the current designation.

1. Confirm that you want to remove the current designation.

1. Under **Delegated administrator**, enter the 12-digit account ID for the AWS account to designate as the new Macie administrator account for the organization.

1. Choose **Delegate**.

Repeat the preceding steps in each additional Region in which you integrated Macie with AWS Organizations.

------
#### [ API ]

To change the designation programmatically, you use two operations of the Amazon Macie API and one operation of the AWS Organizations API. This is because you have to remove the current designation in both Macie and AWS Organizations before you submit the new designation.

To remove the current designation:

1. Use the [DisableOrganizationAdminAccount](https://docs.aws.amazon.com/macie/latest/APIReference/admin.html) operation of the Macie API. For the required `adminAccountId` parameter, specify the 12-digit account ID for the AWS account that’s currently designated as the Macie administrator account for the organization.

1. Use the [DeregisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html) operation of the AWS Organizations API. For the `AccountId` parameter, specify the 12-digit account ID for the account that’s currently designated as the Macie administrator account for the organization. This value should match the account ID that you specified in the preceding Macie request. For the `ServicePrincipal` parameter, specify the Macie service principal (`macie.amazonaws.com`).

After you remove the current designation, submit the new designation by using the [EnableOrganizationAdminAccount](https://docs.aws.amazon.com/macie/latest/APIReference/admin.html) operation of the Macie API. For the required `adminAccountId` parameter, specify the 12-digit account ID for the AWS account to designate as the new Macie administrator account for the organization.

To change the designation by using the AWS Command Line Interface (AWS CLI), run the [disable-organization-admin-account](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/disable-organization-admin-account.html) command of the Macie API and the [deregister-delegated-administrator](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/deregister-delegated-administrator.html) command of the AWS Organizations API. These commands remove the current designation in Macie and AWS Organizations, respectively. For the `admin-account-id` and `account-id` parameters, specify the 12-digit account ID for the AWS account to remove as the current Macie administrator account. Use the `region` parameter to specify the Region that the removal applies to. For example:

```
C:\> aws macie2 disable-organization-admin-account --region us-east-1 --admin-account-id 111122223333 && aws organizations deregister-delegated-administrator --region us-east-1 --account-id 111122223333 --service-principal macie.amazonaws.com
```

Where:
+ *us-east-1* is the Region that the removal applies to, the US East (N. Virginia) Region.
+ *111122223333* is the account ID for the account to remove as the Macie administrator account.
+ `macie.amazonaws.com` is the Macie service principal.

After you remove the current designation, submit the new designation by running the [enable-organization-admin-account](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/enable-organization-admin-account.html) command of the Macie API. For the `admin-account-id` parameter, specify the 12-digit account ID for the AWS account to designate as the new Macie administrator account for the organization. Use the `region` parameter to specify the Region that the designation applies to. For example:

```
C:\> aws macie2 enable-organization-admin-account --region us-east-1 --admin-account-id 444455556666
```

Where *us-east-1* is the Region that the designation applies to (the US East (N. Virginia) Region) and *444455556666* is the account ID for the account to designate as the new Macie administrator account.
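As an added example (not from the Macie documentation or the AWS CLI itself), the following POSIX shell function carries out the three steps above across every Region where the organization uses Macie, so the new administrator ends up the same in all of them. It assumes the AWS CLI is installed and configured for the AWS Organizations management account; setting `AWS=echo` previews the commands without calling AWS. It runs `deregister-delegated-administrator` once rather than per Region on the assumption that the Organizations registration is global (the page shows the pair of commands for a single Region).

```shell
#!/bin/sh
# Added example: rotate the delegated Macie administrator for an organization.
# Run as the AWS Organizations management account. Set AWS=echo to preview.

# Return 0 only for a 12-digit AWS account ID.
is_account_id() {
    case "$1" in
        *[!0-9]*|"") return 1 ;;
    esac
    [ ${#1} -eq 12 ]
}

# change_macie_admin CURRENT_ADMIN NEW_ADMIN REGION [REGION...]
# Removes CURRENT_ADMIN in Macie (per Region) and in AWS Organizations (once),
# then designates NEW_ADMIN in every listed Region. Stops at the first failure.
change_macie_admin() {
    [ $# -ge 3 ] || { echo "usage: change_macie_admin OLD NEW REGION..." >&2; return 1; }
    old="$1"; new="$2"; shift 2
    aws_cmd="${AWS:-aws}"   # constructed hook: AWS=echo prints commands instead
    is_account_id "$old" && is_account_id "$new" \
        || { echo "account IDs must be 12 digits" >&2; return 1; }
    [ "$old" != "$new" ] || { echo "new administrator must differ" >&2; return 1; }

    # Step 1: remove the current designation in Macie, Region by Region.
    for r in "$@"; do
        "$aws_cmd" macie2 disable-organization-admin-account \
            --region "$r" --admin-account-id "$old" || return 1
    done

    # Step 2: remove the delegated-administrator registration in AWS Organizations.
    # Organizations is global (assumption), so one call; --region only picks the endpoint.
    "$aws_cmd" organizations deregister-delegated-administrator \
        --region "$1" --account-id "$old" --service-principal macie.amazonaws.com || return 1

    # Step 3: designate the new administrator in every Region, keeping it identical.
    for r in "$@"; do
        "$aws_cmd" macie2 enable-organization-admin-account \
            --region "$r" --admin-account-id "$new" || return 1
    done
}
```

Because the function stops at the first failed command, a partial run leaves the old designation removed in some Regions but not others; rerun it with the same arguments after fixing the cause, since the remaining removals and designations are safe to repeat.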

------

# Disabling Macie integration with AWS Organizations
Disabling integration with AWS Organizations

After an AWS Organizations organization is integrated with Amazon Macie, the AWS Organizations management account can subsequently disable the integration. As a user of the AWS Organizations management account, you can do this by disabling trusted service access for Macie in AWS Organizations.

When you disable trusted service access for Macie, the following occurs:
+ Macie loses its status as a trusted service in AWS Organizations.
+ The organization's Macie administrator account loses access to all Macie settings, data, and resources for all Macie member accounts in all AWS Regions.
+ All Macie member accounts become standalone Macie accounts. If Macie was enabled for a member account in one or more Regions, Macie continues to be enabled for the account in those Regions. However, the account is no longer associated with a Macie administrator account in any Region. In addition, the account loses access to statistical data, inventory data, and other information that Macie produced and directly provided while performing automated sensitive data discovery for the account.

For additional information about the results of disabling trusted service access, see [Using AWS Organizations with other AWS services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) in the *AWS Organizations User Guide*.

**To disable trusted service access for Macie**  
To disable trusted service access, you can use the AWS Organizations console or the AWS Organizations API. Only a user of the AWS Organizations management account can disable trusted service access for Macie. For details about the permissions that you need, see [Permissions required to disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_trusted_access_disable_perms) in the *AWS Organizations User Guide*.

Before you disable trusted service access, optionally work with the delegated Macie administrator for your organization to suspend or disable Macie for member accounts and to clean up Macie resources for the accounts.

------
#### [ Console ]

To disable trusted service access by using the AWS Organizations console, follow these steps.

**To disable trusted service access**

1. Sign in to the AWS Management Console using your AWS Organizations management account.

1. Open the AWS Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. In the navigation pane, choose **Services**.

1. Under **Integrated services**, choose **Amazon Macie**.

1. Choose **Disable trusted access**.

1. Confirm that you want to disable trusted access.

------
#### [ API ]

To disable trusted service access programmatically, use the [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html) operation of the AWS Organizations API. For the `ServicePrincipal` parameter, specify the Macie service principal (`macie.amazonaws.com`).

To disable trusted service access by using the [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html), run the [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html) command of the AWS Organizations API. For the `service-principal` parameter, specify the Macie service principal (`macie.amazonaws.com`). For example:

```
C:\> aws organizations disable-aws-service-access --service-principal macie.amazonaws.com
```

------