Each AWS Organizations delegated administrator account is compared against a predefined list of trusted account IDs, and any delegation that is not explicitly approved is flagged. When the organization has no delegated administrators at all, the check reports that as well rather than treating it as an error.
Risk
Depending on the service delegated (and, for AWS Organizations itself, the scope of the delegation policy), an unapproved delegated administrator can manage security tooling for every member account, alter SCPs and other organization policies, invite or move accounts, and deploy privileged roles organization-wide, which is a privilege escalation path from a single member account. This undermines the guardrails the management account relies on, risking loss of integrity, exposure of confidential data across accounts, and loss of availability through organization-wide policy changes.
prowler aws --checks organizations_delegated_administrators
Recommendation
Restrict delegation to vetted accounts following least privilege and separation of duties. Maintain a centrally governed allowlist of approved delegated administrator account IDs, review it regularly, and remove delegations that are no longer used. Enforce strong authentication for the roles that can register delegated administrators, and for defense in depth monitor CloudTrail for RegisterDelegatedAdministrator, DeregisterDelegatedAdministrator and Organizations policy changes.
Remediation
- Sign in to the AWS Management Console with the organization management account
- Open AWS Organizations
- In the left pane, select Delegated administrators
- Select the untrusted account (by Account ID) from the list
- For each service shown for that account, choose Deregister delegated administrator and confirm
- Repeat for all untrusted accounts until only trusted accounts (or none) remain
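The evaluation described at the top of the page and the console remediation steps above, as one added Python example that is not Prowler's or AWS's own code. It assumes the boto3 Organizations API calls ListDelegatedAdministrators, ListDelegatedServicesForAccount and DeregisterDelegatedAdministrator, and uses a constructed in-memory client with made-up account IDs so it runs offline; `Finding`, `FakeOrganizationsClient`, the function names and the allowlist contents are this example's own. For a real run, replace the fake with `boto3.client("organizations")` under management-account credentials (only the management account may deregister), and run with `dry_run=True` first.

```python
"""Added example, not Prowler's own check code: evaluate delegated
administrators against a trusted allowlist and remediate by deregistering
the untrusted ones through the Organizations API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    account_id: str
    status: str  # "PASS" or "FAIL"
    message: str


def evaluate_delegated_admins(delegated_admins, trusted_account_ids):
    """Each delegated administrator passes only if its account ID is on the
    allowlist. With no delegations at all, return a single PASS that says so,
    so the absence of delegations is recorded rather than silently ignored."""
    if not delegated_admins:
        return [Finding("-", "PASS", "No delegated administrators found.")]
    trusted = set(trusted_account_ids)
    findings = []
    for admin in delegated_admins:
        acct = admin["Id"]
        if acct in trusted:
            findings.append(Finding(acct, "PASS", f"Delegated administrator {acct} is trusted."))
        else:
            findings.append(Finding(acct, "FAIL", f"Delegated administrator {acct} is not trusted."))
    return findings


def list_delegated_admins(org):
    """Page through ListDelegatedAdministrators. `org` is a boto3 Organizations
    client (called from the management account) or anything with the same shape."""
    admins, kwargs = [], {}
    while True:
        page = org.list_delegated_administrators(**kwargs)
        admins.extend(page.get("DelegatedAdministrators", []))
        if not page.get("NextToken"):
            return admins
        kwargs["NextToken"] = page["NextToken"]


def deregister_untrusted(org, trusted_account_ids, dry_run=True):
    """Remediation: for every untrusted delegated administrator, deregister it
    from each service principal it is delegated for. Returns the
    (account_id, service_principal) pairs acted on; dry_run only reports."""
    acted = []
    for finding in evaluate_delegated_admins(list_delegated_admins(org), trusted_account_ids):
        if finding.status != "FAIL":
            continue
        services = org.list_delegated_services_for_account(AccountId=finding.account_id)
        for svc in services.get("DelegatedServices", []):
            principal = svc["ServicePrincipal"]
            if not dry_run:
                org.deregister_delegated_administrator(
                    AccountId=finding.account_id, ServicePrincipal=principal
                )
            acted.append((finding.account_id, principal))
    return acted


class FakeOrganizationsClient:
    """Constructed stand-in for boto3's Organizations client so the example runs
    offline; it keeps account_id -> set of delegated service principals."""

    def __init__(self, delegations):
        self.delegations = {acct: set(svcs) for acct, svcs in delegations.items()}

    def list_delegated_administrators(self, **kwargs):
        return {"DelegatedAdministrators": [{"Id": a, "Status": "ACTIVE"} for a in sorted(self.delegations)]}

    def list_delegated_services_for_account(self, AccountId):
        return {"DelegatedServices": [{"ServicePrincipal": p} for p in sorted(self.delegations.get(AccountId, ()))]}

    def deregister_delegated_administrator(self, AccountId, ServicePrincipal):
        self.delegations[AccountId].discard(ServicePrincipal)
        if not self.delegations[AccountId]:
            del self.delegations[AccountId]  # last service removed: no longer a delegated admin


# Constructed sample: the account IDs and delegations are made up for this example.
SAMPLE_DELEGATIONS = {
    "111111111111": {"securityhub.amazonaws.com", "guardduty.amazonaws.com"},
    "222222222222": {"config.amazonaws.com"},
}
TRUSTED_ACCOUNTS = ["111111111111"]  # the approved allowlist

if __name__ == "__main__":
    org = FakeOrganizationsClient(SAMPLE_DELEGATIONS)  # real run: boto3.client("organizations")
    for f in evaluate_delegated_admins(list_delegated_admins(org), TRUSTED_ACCOUNTS):
        print(f.status, f.account_id, f.message)
    print("would deregister:", deregister_untrusted(org, TRUSTED_ACCOUNTS, dry_run=True))
```

Deregistration is per service principal, so an account delegated for several services needs one DeregisterDelegatedAdministrator call each, exactly as the console steps above require one confirmation per service; the loop here does that and only drops the account from the list once its last delegation is gone.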
Resource Type
Other