delegated_admins
Creates, updates, deletes or gets a delegated_admin resource or lists delegated_admins in a region
Overview
| Name | delegated_admins |
| Type | Resource |
| Description | The AWS::SecurityHub::DelegatedAdmin resource designates the delegated ASHlong administrator account for an organization. You must enable the integration between ASH and AOlong before you can designate a delegated ASH administrator. Only the management account for an organization can designate the delegated ASH administrator account. For more information, see [Designating the delegated administrator](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#designate-admin-instructions) in the *User Guide*.To change the delegated administrator account, remove the current delegated administrator account, and then designate the new account. To designate multiple delegated administrators in different organizations and AWS-Regions, we recommend using [mappings](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/mappings-section-structure.html). Tags aren't supported for this resource. |
| Id | aws.securityhub.delegated_admins |
Fields
| Name | Datatype | Description |
|---|---|---|
delegated_admin_identifier | string | |
admin_account_id | string | The AWS-account identifier of the account to designate as the Security Hub administrator account. |
status | string | |
region | string | AWS region. |
For more information, see AWS::SecurityHub::DelegatedAdmin.
Methods
| Name | Accessible by | Required Params |
|---|---|---|
create_resource | INSERT | AdminAccountId, region |
delete_resource | DELETE | data__Identifier, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all delegated_admins in a region.
SELECT
region,
delegated_admin_identifier,
admin_account_id,
status
FROM aws.securityhub.delegated_admins
WHERE region = 'us-east-1';
Gets all properties from an individual delegated_admin.
SELECT
region,
delegated_admin_identifier,
admin_account_id,
status
FROM aws.securityhub.delegated_admins
WHERE region = 'us-east-1' AND data__Identifier = '<DelegatedAdminIdentifier>';
INSERT example
Use the following StackQL query and manifest file to create a new delegated_admin resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO aws.securityhub.delegated_admins (
AdminAccountId,
region
)
SELECT
'{{ AdminAccountId }}',
'{{ region }}';
/*+ create */
INSERT INTO aws.securityhub.delegated_admins (
AdminAccountId,
region
)
SELECT
'{{ AdminAccountId }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: delegated_admin
props:
- name: AdminAccountId
value: '{{ AdminAccountId }}'
DELETE example
/*+ delete */
DELETE FROM aws.securityhub.delegated_admins
WHERE data__Identifier = '<DelegatedAdminIdentifier>'
AND region = 'us-east-1';
Permissions
To operate on the delegated_admins resource, the following permissions are required:
Create
securityhub:EnableOrganizationAdminAccount,
organizations:DescribeOrganization,
organizations:EnableAWSServiceAccess,
organizations:RegisterDelegatedAdministrator
Read
securityhub:ListOrganizationAdminAccounts,
organizations:DescribeOrganization
Delete
securityhub:DisableOrganizationAdminAccount,
organizations:DescribeOrganization
List
securityhub:ListOrganizationAdminAccounts,
organizations:DescribeOrganization