Required IAM permissions for delegated administrator setup - AWS Resilience Hub

The following IAM permissions are required for each role in the Organizations integration:

Management account

The management account needs permissions to:

  • organizations:EnableAWSServiceAccess

  • organizations:RegisterDelegatedAdministrator

  • iam:CreateServiceLinkedRole (for the management account's own SLR)
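
The following check is an added example, not AWS code: it builds a management-account policy scoped to exactly the three actions listed above and verifies that a given policy covers them without using action wildcards. The service principal value is a placeholder, since this page does not state it; the condition keys organizations:ServicePrincipal and iam:AWSServiceName are standard IAM keys.

```python
import fnmatch

# The three permissions this page lists for the management account.
REQUIRED_ACTIONS = (
    "organizations:EnableAWSServiceAccess",
    "organizations:RegisterDelegatedAdministrator",
    "iam:CreateServiceLinkedRole",
)

# Constructed sample policy scoped to exactly those actions. The condition keys
# organizations:ServicePrincipal and iam:AWSServiceName are standard IAM keys;
# the service principal value is a placeholder because the page does not state it.
SERVICE_PRINCIPAL = "SERVICE_PRINCIPAL_PLACEHOLDER"
MANAGEMENT_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["organizations:EnableAWSServiceAccess",
                       "organizations:RegisterDelegatedAdministrator"],
            "Resource": "*",
            "Condition": {"StringEquals": {"organizations:ServicePrincipal": SERVICE_PRINCIPAL}},
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {"StringEquals": {"iam:AWSServiceName": SERVICE_PRINCIPAL}},
        },
    ],
}


def allow_patterns(policy):
    """Action patterns from every Allow statement, wildcards kept as written."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            patterns += [actions] if isinstance(actions, str) else list(actions)
    return patterns


def check_management_policy(policy, required=REQUIRED_ACTIONS):
    """Return (missing, overbroad): required actions no Allow pattern matches,
    and Allow patterns that use a wildcard. IAM action names match case-insensitively."""
    patterns = allow_patterns(policy)
    missing = [a for a in required
               if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)]
    overbroad = [p for p in patterns if "*" in p or "?" in p]
    return missing, overbroad
```

A policy such as organizations:* passes the "missing" check for the two Organizations actions but is reported as overbroad, which is the case to catch before attaching the role.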

Delegated administrator account

The DA account uses the standard next generation of Resilience Hub API permissions. Cross-account access is handled by SLRs – no additional IAM configuration is needed to view member account data.

Member accounts

Service owners in member accounts:

  • Create their own invoker roles using the same process as the single-account setup. For details, see Setting up Next generation Resilience Hub.

  • Can see and apply org-level policies published by the DA.

  • The SLR handles DA cross-account visibility automatically – no additional IAM changes are required in member accounts.

The following table summarizes what the DA can and cannot do:

Action                                                     Supported
---------------------------------------------------------- ---------
View member account services, findings, and dependencies   Yes
Create org-level systems that reference member services    Yes
Associate member services to org-level systems             Yes
Create org-level policies                                  Yes
Delete member account services                             No
Start assessments on member services                       Yes
Modify member account resources                            No

Destructive operations on member resources are not supported through DA cross-account access. The DA manages org-level systems and policies and views member data.