Why am I getting errors setting up an AWS Organizations member account as a delegated administrator for AWS Config rules?

Last updated: 2020-08-07

I followed the instructions to deploy AWS Config Rules and conformance packs using a delegated admin. However, I received an error similar to the following:

  • An error occurred (AccessDeniedException) when calling the DeregisterDelegatedAdministrator operation: You don't have permissions to access this resource.
  • An error occurred (InvalidInputException) when calling the RegisterDelegatedAdministrator operation: You specified an unrecognized service principal.
  • An error occurred (ConstraintViolationException) when calling the RegisterDelegatedAdministrator operation: You have exceeded the allowed number of delegated administrators for the delegated service.

Resolution

Follow these troubleshooting steps for the specific error message received.

Important: Before you begin, be sure that you installed and configured the AWS Command Line Interface (AWS CLI).

"An error occurred (AccessDeniedException) when calling the DeregisterDelegatedAdministrator operation: You don't have permissions to access this resource."

This error means that you ran the register-delegated-administrator (or deregister-delegated-administrator) command from an AWS Organizations member account, similar to the following:

$ aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID

You can register or deregister a delegated administrator only from the AWS Organizations primary account. Run the register-delegated-administrator command from the AWS Organizations primary account.

"An error occurred (InvalidInputException) when calling the RegisterDelegatedAdministrator operation: You specified an unrecognized service principal."

This error can occur if your AWS Organizations organization doesn't have all features and trusted access enabled.

1.    From the AWS Organizations primary account, enable trusted access for AWS Config by running an enable-aws-service-access command similar to the following:

$ aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com

2.    Run the register-delegated-administrator command from the AWS Organizations primary account to delegate the member account to deploy organization conformance packs and AWS Config rules:

$ aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID

"An error occurred (ConstraintViolationException) when calling the RegisterDelegatedAdministrator operation: You have exceeded the allowed number of delegated administrators for the delegated service."

This error means that the maximum of 3 registered delegated administrators for this service principal has already been reached.

1.    To determine which delegated administrators are registered, run a list-delegated-administrators command similar to the following:

$ aws organizations list-delegated-administrators --service-principal=config-multiaccountsetup.amazonaws.com

You receive an output similar to the following:

{
    "DelegatedAdministrators": [
        {
            "Id": "987654321098",
            "Arn": "arn:aws:organizations::123456789012:account/o-anz8bj0hfs/987654321098",
            "Email": "youremailalias@example.com",
            "Name": "your-account-name",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": 1557432887.92,
            "DelegationEnabledDate": 1590681859.773
        }
    ]
}

2.    To deregister a delegated administrator, run the deregister-delegated-administrator command:

$ aws organizations deregister-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID

3.    Rerun the register-delegated-administrator command to delegate an account as an administrator:

$ aws organizations register-delegated-administrator --service-principal config-multiaccountsetup.amazonaws.com --account-id member-account-ID
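The following pre-flight script is an added example, not part of the AWS article, that checks the two conditions the article describes before calling RegisterDelegatedAdministrator: that the CLI credentials belong to the primary (management) account, and that fewer than 3 delegated administrators are registered for the service principal. The function names (count_delegated_admins, preflight, live_preflight, demo) and the embedded sample JSON are constructed for this example; the aws CLI calls in live_preflight use existing commands (sts get-caller-identity, organizations describe-organization, organizations list-delegated-administrators) and are not run offline.

```shell
#!/bin/sh
# Added example (not from the AWS article): pre-flight check for the two
# failure modes the article explains. The pure functions take their inputs as
# arguments so they can be exercised offline; live_preflight shows how to feed
# them from the AWS CLI in a real session.

SERVICE_PRINCIPAL="config-multiaccountsetup.amazonaws.com"
MAX_DELEGATED_ADMINS=3   # limit stated in the article

# Counts registered delegated administrators in the JSON that
# "aws organizations list-delegated-administrators" prints (read from stdin).
# Each account entry carries exactly one "Id" key, so counting those lines is
# sufficient for this fixed output shape. "|| true" keeps the count at 0
# instead of failing when the list is empty (grep -c exits 1 on no match).
count_delegated_admins() {
    grep -c '"Id":' || true
}

# Decides whether register-delegated-administrator may be run.
#   $1: account ID the CLI credentials belong to
#   $2: primary (management) account ID of the organization
#   $3: current number of delegated administrators for the service principal
# Prints the reason; returns 0 if the call should succeed, 1 if it would be
# rejected with one of the errors from the article.
preflight() {
    caller="$1"; management="$2"; current="$3"
    if [ "$caller" != "$management" ]; then
        echo "caller $caller is not the primary account $management: expect AccessDeniedException"
        return 1
    fi
    if [ "$current" -ge "$MAX_DELEGATED_ADMINS" ]; then
        echo "$current of $MAX_DELEGATED_ADMINS delegated administrators in use: expect ConstraintViolationException, deregister one first"
        return 1
    fi
    echo "ok: $current of $MAX_DELEGATED_ADMINS delegated administrator slots in use"
    return 0
}

# Live usage: needs the AWS CLI configured with primary-account credentials.
# The --query expressions select the account IDs from the real command output.
live_preflight() {
    caller=$(aws sts get-caller-identity --query Account --output text)
    management=$(aws organizations describe-organization \
        --query Organization.MasterAccountId --output text)
    current=$(aws organizations list-delegated-administrators \
        --service-principal "$SERVICE_PRINCIPAL" | count_delegated_admins)
    preflight "$caller" "$management" "$current"
}

# Constructed sample, shaped like the article's list-delegated-administrators
# output: one delegated administrator already registered.
SAMPLE_JSON='{
    "DelegatedAdministrators": [
        {
            "Id": "987654321098",
            "Arn": "arn:aws:organizations::123456789012:account/o-anz8bj0hfs/987654321098",
            "Status": "ACTIVE"
        }
    ]
}'

# Offline demonstration: run from the primary account (123456789012) with the
# constructed sample, so one of three slots is in use and registration may proceed.
demo() {
    current=$(printf '%s' "$SAMPLE_JSON" | count_delegated_admins)
    preflight 123456789012 123456789012 "$current"
}

demo
```

Running the script as-is executes demo against the embedded sample and reports one of three slots in use; in a real session, call live_preflight instead, and only run register-delegated-administrator when it returns 0. If it reports the limit reached, follow step 2 above (deregister-delegated-administrator) before retrying.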