Posted On: Nov 8, 2022

Today, AWS CloudTrail announces support for a delegated administrator account, which provides customers with the ability to manage organization trails and CloudTrail Lake event data stores from an account other than the management account in AWS Organizations. Delegated administrator support gives customers flexibility by allowing the management account to delegate CloudTrail administrative actions to an organization member account, such as their security and logging member account. With this feature, the management account of an organization remains the owner of all CloudTrail organization resources, even when those organization trails or CloudTrail Lake event data store resources are created and managed through the delegated administrator account. This helps customers maintain continuity of organization-wide CloudTrail audit logs, avoiding any disruption when changes are made to their organization in AWS Organizations.

The management account can register or deregister a member account as a delegated administrator for CloudTrail from the Settings page in the CloudTrail console, or through the AWS CLI or API. Once the management account designates a member account as a delegated administrator, users and roles in the delegated administrator account can perform administrative operations such as create, update, query, and delete on their organization’s event data stores and organization trails.
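The CLI path described above, as an added example that is not code from the AWS announcement: a small POSIX shell wrapper, run with management-account credentials, that registers a member account as the CloudTrail delegated administrator and then confirms the delegation from the Organizations side. It assumes AWS CLI v2, an organization with all features enabled and CloudTrail trusted access turned on, and uses a constructed placeholder account id; with CLOUDTRAIL_DRY_RUN=1 the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not code from the AWS announcement. Wraps the CloudTrail CLI
# calls for managing the delegated administrator from the Organizations
# management account. Assumptions: AWS CLI v2 with management-account
# credentials, Organizations in all-features mode with CloudTrail trusted
# access enabled. With CLOUDTRAIL_DRY_RUN=1 the commands are printed, not run,
# so a reviewer can check them before anything changes in the organization.

# AWS account ids are exactly 12 digits; reject anything else before calling the API.
valid_account_id() {
  case "$1" in
    ????????????) case "$1" in *[!0-9]*) return 1 ;; *) return 0 ;; esac ;;
    *) return 1 ;;
  esac
}

# Build the CLI invocation for one action so it can be inspected or executed.
delegated_admin_cmd() {
  action="$1"; account="$2"
  case "$action" in
    register)
      printf '%s' "aws cloudtrail register-organization-delegated-admin --member-account-id $account" ;;
    deregister)
      printf '%s' "aws cloudtrail deregister-organization-delegated-admin --delegated-admin-account-id $account" ;;
    list)   # verify from the Organizations side which account holds the CloudTrail delegation
      printf '%s' "aws organizations list-delegated-administrators --service-principal cloudtrail.amazonaws.com" ;;
    *) return 1 ;;
  esac
}

# Execute (or, in dry-run mode, print) the command for one action.
ct_admin() {
  cmd="$(delegated_admin_cmd "$@")" || { echo "unknown action: $1" >&2; return 1; }
  if [ "${CLOUDTRAIL_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$cmd"
  else
    eval "$cmd"
  fi
}

# Usage: sh delegated_admin.sh 123456789012   (constructed placeholder account id)
# Registers the member account, then lists delegations to confirm the change took effect.
if [ $# -gt 0 ]; then
  valid_account_id "$1" || { echo "not a 12-digit AWS account id: $1" >&2; exit 1; }
  ct_admin register "$1"
  ct_admin list
fi
```

Run `ct_admin deregister <account-id>` from the same script to remove the delegation; the list call afterwards should no longer show the account.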

Delegated administrator support is now available in all AWS Regions where AWS CloudTrail is available, except for the China (Beijing, operated by Sinnet) and China (Ningxia, operated by NWCD) Regions. There are no additional charges for enabling this feature. To learn more about delegated administrators in CloudTrail Lake and trails, see our documentation.