I promoted a senior security engineer to be our delegated administrator for GuardDuty, expecting them to see all findings across the organization. Instead, they logged into their account and saw nothing—no findings, no org summary, no ability to manage the service organization-wide. The issue wasn’t permissions; it was that I’d skipped a critical enablement step at the organization level. In this post, I’ll walk through exactly what causes this and how to fix it.
The Problem
You’ve registered a member account as a delegated administrator for a service (e.g., GuardDuty, Security Hub, AWS Config), but:
- The delegated admin account doesn’t see organization-wide data
- They can’t manage the service centrally for other accounts
- The console shows “No findings” or similar, despite activity in other accounts
- IAM policies look correct, but the account still can’t take org-level actions
Why Does This Happen?
- Organization service access not enabled: Before registering a delegated admin, you must enable the service at the organization level using enable-aws-service-access. Without this, the service doesn’t know it’s running in an organizational context.
- Delegated admin registered but service not enabled in their account: The account is registered as delegated admin, but the service isn’t actually enabled in that account’s region. Enabling the service must happen in addition to registration.
- Service-specific enablement requirements: Some services (like GuardDuty) require an additional enable call in the delegated account. Registration + organization enablement aren’t enough.
- Region mismatch: The delegated admin was registered for us-east-1, but the service is enabled in eu-west-1. Regional configuration matters.
- IAM permissions insufficient: The delegated admin role lacks organizations:* or service-specific permissions like guardduty:AdminAccess.
The Fix
Step 1: Enable Organization Service Access (Management Account)
In your management account, enable the service at the organization level:
# For GuardDuty
aws organizations enable-aws-service-access \
--service-principal guardduty.amazonaws.com
# For Security Hub
aws organizations enable-aws-service-access \
--service-principal securityhub.amazonaws.com
# For AWS Config
aws organizations enable-aws-service-access \
--service-principal config.amazonaws.com
# Verify it's enabled (the command is list-aws-service-access-for-organization)
aws organizations list-aws-service-access-for-organization \
--query 'EnabledServicePrincipals[?ServicePrincipal==`guardduty.amazonaws.com`]'
Step 2: Register Delegated Administrator (Management Account)
Still in the management account, register the member account as delegated admin:
# Register a delegated admin for GuardDuty
aws organizations register-delegated-administrator \
--account-id 123456789012 \
--service-principal guardduty.amazonaws.com
# Verify registration (JMESPath multiselect hashes need key:field pairs; the
# response field holding the account ID is "Id")
aws organizations list-delegated-administrators \
--service-principal guardduty.amazonaws.com \
--query 'DelegatedAdministrators[*].{AccountId:Id,Name:Name,Email:Email}'
Step 3: Enable the Service in the Delegated Account (Service-Specific)
Some services require explicit enablement in the delegated account. For GuardDuty, enable it in the delegated account:
# In the delegated account (123456789012), enable GuardDuty in the chosen region
# (--enable is a required flag of create-detector)
aws guardduty create-detector \
--enable \
--region us-east-1 \
--finding-publishing-frequency FIFTEEN_MINUTES
# Designate the organization admin account for this region. GuardDuty accepts
# this call only from the organization's management account:
aws guardduty enable-organization-admin-account \
--admin-account-id 123456789012 \
--region us-east-1
For Security Hub, enable it similarly:
# In the delegated account, enable Security Hub before subscribing to standards
# (--no-enable-default-standards so the subscription below is the only one made)
aws securityhub enable-security-hub \
--region us-east-1 \
--no-enable-default-standards
aws securityhub batch-enable-standards \
--region us-east-1 \
--standards-subscription-requests StandardsArn=arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0
# Enable organization-level access. Security Hub accepts this call only from
# the organization's management account:
aws securityhub enable-organization-admin-account \
--admin-account-id 123456789012 \
--region us-east-1
For AWS Config, enable org aggregator access (covered in my previous post on Config).
Step 4: Verify Delegated Admin Status
Check that delegation is working:
# List delegated admins
aws organizations list-delegated-administrators \
--service-principal guardduty.amazonaws.com
# Check delegated services for an account
aws organizations list-delegated-services-for-account \
--account-id 123456789012 \
--query 'DelegatedServices[*].ServicePrincipal'
# In the delegated account, verify the service sees org context
# (the response field is AdminAccountId; AdminStatus should read ENABLED)
aws guardduty list-organization-admin-accounts \
--region us-east-1 \
--query 'AdminAccounts[*].{AccountId:AdminAccountId,AdminStatus:AdminStatus}'
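The checks in Step 4 map one-to-one onto the causes listed under "Why Does This Happen?". The following script, an added example that is not part of the original post, takes the JSON those three verification commands return and reports which prerequisite is still missing, in the order the steps above fix them. The CLI responses embedded in it are constructed samples and the account ID is the same placeholder the post uses; the field names (EnabledServicePrincipals, DelegatedAdministrators[].Id, AdminAccounts[].AdminAccountId/AdminStatus) are those of the real API responses.

```python
"""Diagnose why a delegated administrator sees no organization-wide GuardDuty
data, working from the JSON returned by the verification commands in this post.
Added example, not code from the original post; the sample responses below are
constructed and the account IDs are placeholders.
"""
import json

SERVICE_PRINCIPAL = "guardduty.amazonaws.com"


def diagnose(service_access, delegated_admins, org_admin_accounts,
             account_id, expected_region, detector_region):
    """Return the missing prerequisites, in the order the post fixes them.

    service_access     -- parsed `aws organizations list-aws-service-access-for-organization`
    delegated_admins   -- parsed `aws organizations list-delegated-administrators
                          --service-principal guardduty.amazonaws.com`
    org_admin_accounts -- parsed `aws guardduty list-organization-admin-accounts`
                          run in expected_region
    account_id         -- the intended delegated administrator account
    expected_region    -- region in which the delegated admin should operate
    detector_region    -- region in which the delegated account's detector exists
    """
    problems = []

    # Step 1: trusted access for the service must be enabled at the org level.
    enabled = {p["ServicePrincipal"]
               for p in service_access.get("EnabledServicePrincipals", [])}
    if SERVICE_PRINCIPAL not in enabled:
        problems.append("org-service-access-not-enabled")

    # Step 2: Organizations must list the account as delegated administrator.
    registered = {a["Id"]
                  for a in delegated_admins.get("DelegatedAdministrators", [])}
    if account_id not in registered:
        problems.append("delegated-admin-not-registered")

    # Step 3: GuardDuty must have designated the account in this region.
    status = {a["AdminAccountId"]: a["AdminStatus"]
              for a in org_admin_accounts.get("AdminAccounts", [])}.get(account_id)
    if status is None:
        problems.append("guardduty-org-admin-not-enabled")
    elif status != "ENABLED":
        problems.append("guardduty-org-admin-status-" + status)

    # Region mismatch: the GuardDuty designation is per region, so the detector
    # must live in the same region the admin account was designated in.
    if expected_region != detector_region:
        problems.append("region-mismatch:%s!=%s" % (expected_region, detector_region))

    return problems


# Constructed CLI responses (not real output): trusted access was skipped and
# GuardDuty never designated the account, the situation described in the intro.
BROKEN_SERVICE_ACCESS = json.loads("""{
  "EnabledServicePrincipals": [
    {"ServicePrincipal": "securityhub.amazonaws.com"}
  ]}""")
DELEGATED_ADMINS = json.loads("""{
  "DelegatedAdministrators": [
    {"Id": "123456789012", "Name": "security-tooling",
     "Email": "security@example.com", "Status": "ACTIVE"}
  ]}""")
NO_ADMIN_ACCOUNTS = json.loads('{"AdminAccounts": []}')

# The same responses after Steps 1 and 3 have been completed.
FIXED_SERVICE_ACCESS = json.loads("""{
  "EnabledServicePrincipals": [
    {"ServicePrincipal": "securityhub.amazonaws.com"},
    {"ServicePrincipal": "guardduty.amazonaws.com"}
  ]}""")
ADMIN_ACCOUNTS = json.loads("""{
  "AdminAccounts": [
    {"AdminAccountId": "123456789012", "AdminStatus": "ENABLED"}
  ]}""")


def diagnose_intro_scenario():
    return diagnose(BROKEN_SERVICE_ACCESS, DELEGATED_ADMINS, NO_ADMIN_ACCOUNTS,
                    "123456789012", "us-east-1", "us-east-1")


def diagnose_fixed():
    return diagnose(FIXED_SERVICE_ACCESS, DELEGATED_ADMINS, ADMIN_ACCOUNTS,
                    "123456789012", "us-east-1", "us-east-1")


def diagnose_region_mismatch():
    # Admin designated in us-east-1, but the detector was created in eu-west-1.
    return diagnose(FIXED_SERVICE_ACCESS, DELEGATED_ADMINS, ADMIN_ACCOUNTS,
                    "123456789012", "us-east-1", "eu-west-1")


if __name__ == "__main__":
    for name, fn in [("intro scenario", diagnose_intro_scenario),
                     ("after fix", diagnose_fixed),
                     ("region mismatch", diagnose_region_mismatch)]:
        print(name, "->", fn() or ["ok"])
```

To use it against a live organization, pipe the output of each command from Step 4 (plus the Step 1 verification) into json.loads and call diagnose with the region you expect the delegated admin to operate in; an empty list means all three enablement steps are in place for that region.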
Step 5: Grant IAM Permissions in Delegated Account
Ensure the delegated admin role/user has sufficient permissions:
# Create an inline policy for org-level GuardDuty access
aws iam put-user-policy \
--user-name delegated-admin-user \
--policy-name GuardDutyOrgAdmin \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"guardduty:*",
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
}
]
}'
How to Run This
- In the management account, enable org service access:
  aws organizations enable-aws-service-access --service-principal guardduty.amazonaws.com
- Register the delegated account:
  aws organizations register-delegated-administrator --account-id 123456789012 --service-principal guardduty.amazonaws.com
- In the delegated account, enable the service:
  aws guardduty create-detector --enable --region us-east-1
- In the delegated account, enable org admin:
  aws guardduty enable-organization-admin-account --admin-account-id 123456789012
- Verify status:
  aws organizations list-delegated-administrators
- Grant IAM permissions if needed
Is This Safe?
Yes. These commands register delegation and enable services; nothing is deleted or overwritten. The IAM policy in Step 5 grants GuardDuty actions plus read-only (Describe*/List*) Organizations actions, the standard set a delegated administrator needs.
Key Takeaway
Delegated administrator accounts require three steps: (1) enable org service access, (2) register the account as delegated admin, (3) enable the service in the delegated account itself. Each step is required for the delegated account to function properly.