Why AWS Delegated Administrators Are Essential for AWS Multi-Account Architectures
Source: Dev.to
What Are Delegated Administrators?
A delegated administrator is a member account in your AWS Organization designated to manage a specific AWS service across all accounts in the organization. Instead of managing services like GuardDuty, Security Hub, or CloudTrail from the management account, you register a member account as the delegated administrator for that service.
Once registered, that member account gains the permissions necessary to configure, monitor, and manage the service organization‑wide. The delegated administrator can:
- View findings from all accounts
- Deploy configurations across the organization
- Perform administrative operations without requiring access to the management account
This shifts service management from the management account (where SCPs don’t apply and risk is concentrated) to dedicated member accounts (where SCPs can enforce least privilege and blast radius is contained).
Why Delegated Administrators Matter
Management Account Protection
The management account is the root of your AWS Organization. It controls billing, organization structure, account creation, and organization‑wide policies, making it a prime target for attackers.
Service Control Policies (SCPs) have one critical limitation: they don’t apply to the management account. If a principal in the management account has broad IAM permissions, there’s no organizational guardrail preventing destructive actions across your entire infrastructure.
Running security services like GuardDuty, Security Hub, and Config directly from the management account compounds this risk. A compromised management account with these services running gives an attacker visibility into your security tooling and the ability to disable detection across all accounts.
Delegated administrators move the routine operation of these services out of the management account. Security services run from a dedicated Security account where SCPs can restrict what principals can do. If that account is compromised, the attacker can still tamper with detection across the organization (that is the price of centralized visibility, and it is why this account gets its own tight SCPs and its own monitoring), but cannot touch billing, account creation, or organization structure. Note the limit of the control: the management account can still deregister a delegated administrator or disable trusted access, so delegation reduces how often anyone needs to sign in to the management account; it does not reduce what that account can do.
Multi‑Account Best Practice
Delegated administrators aren’t an optional optimization you add later—they’re a necessity when operating a multi‑account AWS environment securely.
In a well‑architected multi‑account strategy, you organize accounts by function:
- Security accounts for security services
- Infrastructure accounts for shared networking and platform services
- Workload accounts for applications
This structure exists specifically to support patterns like delegated administration. Without delegated administrators, you’re forced to manage organization‑wide services from the management account, which concentrates risk and violates separation of duties. With delegated administrators, you can distribute service management across purpose‑built accounts aligned with team responsibilities.
This isn’t theoretical. It’s the practical reason AWS best practices consistently recommend dedicated Security and Log Archive accounts even for small organizations. These accounts become the delegation targets that enable secure service management at scale without compromising the management account.
Security and Operational Benefits
Separation of Duties Through Account Boundaries
Delegated administrators enable team‑based access patterns that match how organizations actually operate.
- Security team manages Security Hub, GuardDuty, and IAM Access Analyzer from the Security account.
- Network team manages Firewall Manager from the Network account.
- Platform team manages Systems Manager and CloudFormation StackSets from the Shared Services account.
Each team gets the access they need for their services without requiring credentials to the management account. This reduces credential sprawl, simplifies access reviews, and enforces separation of duties through account boundaries rather than complex IAM policies.
Blast Radius Containment
A delegated administrator for Security Hub managing security findings across your organization is powerful, but if that account is compromised, the impact is bounded by what that account's principals can do: Security Hub administration across the organization, plus whatever else the account's IAM policies and SCPs permit. The attacker can't delete accounts, change billing, or modify organization structure because those capabilities remain in the management account.
SCPs can further restrict delegated administrator accounts to only the services they’re designated to manage. For example, a Security account serving as the Security Hub delegated administrator doesn’t need EC2 launch permissions, S3 bucket creation, or Lambda deployment. SCPs deny these capabilities while allowing security service operations.
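As an added example (not code from the article), here is such an SCP beside a small evaluator that reports what a given action resolves to under it. The policy documents, the action lists, and the evaluator are assumptions for illustration: the first policy is the denylist the paragraph describes, the second goes further and uses NotAction to permit only the services the Security account administers, and the evaluator models only the SCP rule that an explicit Deny wins over any Allow (Resource and Condition are not evaluated).

```python
"""Check what an SCP attached to a delegated-administrator account permits.

Two constructed SCPs are shown. The first is the denylist from the text
(no EC2 launches, S3 bucket creation or Lambda deployment); the second
uses NotAction to allow only the services the Security account actually
administers. Both are evaluated with a minimal SCP evaluator: an explicit
Deny in any statement wins, otherwise an Allow must match (AWS's default
FullAWSAccess SCP supplies that Allow).
"""
from fnmatch import fnmatchcase
import json

# Constructed example: default FullAWSAccess plus a denylist of workload actions.
DENY_WORKLOAD_ACTIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyWorkloadActionsInSecurityAccount",
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances",
                "s3:CreateBucket",
                "lambda:CreateFunction",
                "lambda:UpdateFunctionCode",
            ],
            "Resource": "*",
        },
    ],
}

# Constructed example: allowlist variant. Any action not covered by NotAction
# is denied. The list is illustrative; build a real one from CloudTrail usage
# in the account, or the SCP will break roles you did not think of.
SECURITY_ACCOUNT_ALLOWLIST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyAllButSecurityServices",
            "Effect": "Deny",
            "NotAction": [
                "securityhub:*", "guardduty:*", "config:*", "access-analyzer:*",
                "iam:*", "sts:*", "organizations:Describe*", "organizations:List*",
                "cloudwatch:*", "logs:*", "sns:*", "kms:*",
                "s3:Get*", "s3:List*", "s3:PutObject",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return fnmatchcase(action.lower(), pattern.lower())


def _statement_applies(stmt, action):
    """True if the statement's Action/NotAction clause covers this action."""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))


def scp_allows(policy, action):
    """Evaluate one action against one SCP.

    Assumption of this example: only the Action/NotAction and Effect of each
    statement are considered. Resource ARNs and Condition blocks are ignored,
    and the identity policy of the calling principal is not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny wins, stop immediately
        allowed = True
    return allowed


def evaluate(policy, actions):
    """Return {action: allowed?} for a list of actions under one SCP."""
    return {a: scp_allows(policy, a) for a in actions}


if __name__ == "__main__":
    probes = ["securityhub:BatchImportFindings", "guardduty:ListDetectors",
              "ec2:RunInstances", "s3:CreateBucket", "s3:GetObject",
              "lambda:CreateFunction", "lambda:InvokeFunction"]
    for name, pol in (("denylist", DENY_WORKLOAD_ACTIONS),
                      ("allowlist", SECURITY_ACCOUNT_ALLOWLIST)):
        print(name, json.dumps(evaluate(pol, probes), indent=2))
```

The difference between the two policies shows up on actions the denylist never thought of: `lambda:InvokeFunction` passes the first policy and fails the second. Before attaching an allowlist SCP to a real Security account, run the account's recent CloudTrail actions through an evaluator like this one to see what would break.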
Centralized Visibility Without Centralized Risk
Before delegated administrators, centralizing security monitoring meant concentrating security service management in the management account, creating a tension between visibility and risk. With delegation, you get centralized visibility (the delegated administrator sees findings from all accounts) without centralized risk (the management account remains minimal and protected).
Prerequisites for Setting Up Delegated Administrators
AWS Organizations Must Be Enabled
Delegated administration only exists within AWS Organizations, and only when the organization has all features enabled (consolidated billing alone is not enough). If you're still running standalone AWS accounts, start by creating an organization with all features enabled to establish the centralized management structure required for delegation.
AWS Organizations provides the foundation for multi‑account management: organizational units, policy inheritance, consolidated billing, and the ability to enable services organization‑wide. Without Organizations, you don’t have the structure necessary to designate delegated administrators.
Dedicated Member Accounts Must Exist
Delegated administrators require dedicated member accounts to delegate to. At minimum you need:
- Security Account – for security service delegation (Security Hub, GuardDuty, Config, IAM Access Analyzer)
- Log Archive Account – for centralized logging delegation (CloudTrail)
- Network Account – for network service delegation (Firewall Manager)
- Shared Services Account – for operational service delegation (Systems Manager, CloudFormation StackSets)
Do not use workload accounts (production, development, staging) as delegated administrators. Mixing delegated administration with application workloads complicates access control and incident response.
For guidance on designing your account structure to support delegation, see our post on AWS multi‑account strategy.
Trusted Access Must Be Enabled
For each service you want to delegate, trusted access for that service must be enabled in the organization before a member account can be registered as its delegated administrator. Trusted access is what lets the service create its service-linked roles in member accounts and operate across them under the organization's control. Both enabling trusted access and registering the delegated administrator are done from the management account. Some services (GuardDuty and Security Hub among them) designate the delegated administrator through their own API and enable trusted access as part of that call; the others use the generic AWS Organizations API, where the two steps are separate.
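As an added example (not code from the article), the following script separates the delegation into a plan step, which returns the API calls to make in order and can be reviewed and tested without touching AWS, and an apply step, which issues them with boto3. The service-to-principal table, the account IDs, and the function names are assumptions for illustration; the calls themselves are the AWS Organizations, GuardDuty and Security Hub operations of those names.

```python
"""Plan, then apply, delegated-administrator registration for one service.

Added example, not code from the article. The plan step returns the API
calls to make, in order, so it can be reviewed and unit-tested offline;
the apply step issues them with boto3. Assumptions: boto3 is installed
only where apply_plan() runs, and the credentials used there belong to
the management account, which is the only account AWS lets enable
trusted access or register a delegated administrator.
"""

# Services delegated through the generic AWS Organizations API:
# enable trusted access for the service principal, then register the account.
ORG_API_SERVICES = {
    "config": "config.amazonaws.com",
    "access-analyzer": "access-analyzer.amazonaws.com",
    "cloudtrail": "cloudtrail.amazonaws.com",
    "ssm": "ssm.amazonaws.com",
    "stacksets": "member.org.stacksets.cloudformation.amazonaws.com",
}

# Services that designate their delegated administrator through their own
# Regional API; that call enables trusted access for the service as well.
SERVICE_OWN_API = ("guardduty", "securityhub")


def plan_delegation(service, account_id, management_account_id):
    """Return the ordered (client_name, operation, params) calls for one service."""
    if account_id == management_account_id:
        raise ValueError("the delegated administrator must be a member account, "
                         "not the management account")
    if service in SERVICE_OWN_API:
        return [(service, "enable_organization_admin_account",
                 {"AdminAccountId": account_id})]
    if service not in ORG_API_SERVICES:
        raise ValueError(f"no delegation procedure known for {service!r}")
    principal = ORG_API_SERVICES[service]
    return [
        ("organizations", "enable_aws_service_access",
         {"ServicePrincipal": principal}),
        ("organizations", "register_delegated_administrator",
         {"AccountId": account_id, "ServicePrincipal": principal}),
    ]


def already_delegated(org_client, account_id, principal):
    """True if account_id is already registered for this service principal."""
    token = None
    while True:
        kwargs = {"ServicePrincipal": principal}
        if token:
            kwargs["NextToken"] = token
        page = org_client.list_delegated_administrators(**kwargs)
        if any(a["Id"] == account_id for a in page["DelegatedAdministrators"]):
            return True
        token = page.get("NextToken")
        if not token:
            return False


def apply_plan(plan, region):
    """Execute a plan with management-account credentials; returns per-step status.

    Registration is skipped when the account is already a delegated
    administrator, so re-running is safe (RegisterDelegatedAdministrator
    otherwise fails on a second call). GuardDuty and Security Hub calls
    are Regional, so run them once per Region you use.
    """
    import boto3  # imported here so plan_delegation() stays importable offline

    session = boto3.Session(region_name=region)
    org = session.client("organizations")
    status = []
    for client_name, operation, params in plan:
        if operation == "register_delegated_administrator" and already_delegated(
                org, params["AccountId"], params["ServicePrincipal"]):
            status.append((operation, "skipped: already registered"))
            continue
        getattr(session.client(client_name), operation)(**params)
        status.append((operation, "ok"))
    return status


if __name__ == "__main__":
    # Constructed account IDs for illustration; print the plans without applying.
    for svc in ("config", "securityhub"):
        for step in plan_delegation(svc, "222222222222", "111111111111"):
            print(svc, step)
```

Run the plan step first and check it in code review; only then call `apply_plan` from a management-account session. Refusing to delegate to the management account itself is the one invariant worth enforcing in code, since AWS will reject it anyway but a mis-set variable should never get that far.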
(Further implementation steps would follow here.)