
delegated_admins

Creates, updates, deletes or gets a delegated_admin resource or lists delegated_admins in a region

Overview

Name: delegated_admins
Type: Resource
Description: The AWS::SecurityHub::DelegatedAdmin resource designates the delegated Security Hub administrator account for an organization. You must enable the integration between Security Hub and AWS Organizations before you can designate a delegated Security Hub administrator. Only the management account for an organization can designate the delegated Security Hub administrator account. For more information, see Designating the delegated administrator in the Security Hub User Guide. To change the delegated administrator account, remove the current delegated administrator account, and then designate the new account.
To designate multiple delegated administrators in different organizations and AWS Regions, we recommend using mappings.
Tags aren't supported for this resource.
Id: awscc.securityhub.delegated_admins

Fields

Name | Datatype | Description
delegated_admin_identifier | string |
admin_account_id | string | The AWS account identifier of the account to designate as the Security Hub administrator account.
status | string |
region | string | AWS region.

For more information, see AWS::SecurityHub::DelegatedAdmin.

Methods

Name | Resource | Accessible by | Required Params
create_resource | delegated_admins | INSERT | AdminAccountId, region
delete_resource | delegated_admins | DELETE | Identifier, region
list_resources | delegated_admins_list_only | SELECT | region
get_resource | delegated_admins | SELECT | Identifier, region

SELECT examples

Gets all properties from an individual delegated_admin.

SELECT
region,
delegated_admin_identifier,
admin_account_id,
status
FROM awscc.securityhub.delegated_admins
WHERE
region = '{{ region }}' AND
Identifier = '{{ delegated_admin_identifier }}';
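Beyond the single-row lookup above, the following verification query (an added example, not from the StackQL docs or the awscc provider) lists the delegated Security Hub administrator in each region of interest and flags any region where it is not the account you expect. It assumes that the delegated_admins_list_only view exposes delegated_admin_identifier and region, that the identifier has the CloudFormation form '<admin-account-id>/<region>', and that '{{ expected_admin_account_id }}' is a placeholder for the account intended to hold the role; the CASE expression and UNION ALL are evaluated by StackQL's local SQL engine.

```sql
-- One row per region that has a delegated Security Hub administrator.
-- Assumptions (not from the page): delegated_admin_identifier is formatted
-- '<admin-account-id>/<region>', and '{{ expected_admin_account_id }}' is a
-- constructed placeholder for the account that should be the administrator.
SELECT
  region,
  delegated_admin_identifier,
  CASE
    WHEN delegated_admin_identifier = '{{ expected_admin_account_id }}/' || region
      THEN 'OK'
    ELSE 'UNEXPECTED_ADMIN'
  END AS finding
FROM awscc.securityhub.delegated_admins_list_only
WHERE region = 'us-east-1'
UNION ALL
SELECT
  region,
  delegated_admin_identifier,
  CASE
    WHEN delegated_admin_identifier = '{{ expected_admin_account_id }}/' || region
      THEN 'OK'
    ELSE 'UNEXPECTED_ADMIN'
  END AS finding
FROM awscc.securityhub.delegated_admins_list_only
WHERE region = 'eu-west-1';
```

A region that returns no row has no delegated administrator designated at all, which is worth treating as a finding in its own right.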

INSERT example

Use the following StackQL query and manifest file to create a new delegated_admin resource, using stack-deploy.

/*+ create */
INSERT INTO awscc.securityhub.delegated_admins (
AdminAccountId,
region
)
SELECT
'{{ admin_account_id }}',
'{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;

DELETE example

/*+ delete */
DELETE FROM awscc.securityhub.delegated_admins
WHERE
Identifier = '{{ delegated_admin_identifier }}' AND
region = '{{ region }}'
RETURNING
ErrorCode,
EventTime,
Identifier,
Operation,
OperationStatus,
RequestToken,
ResourceModel,
RetryAfter,
StatusMessage,
TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

Parameter | Description
ClientToken | A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request.
RoleArn | The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials.
TypeVersionId | For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used.

Permissions

To operate on the delegated_admins resource, the following permissions are required:

securityhub:EnableOrganizationAdminAccount,
organizations:DescribeOrganization,
organizations:EnableAWSServiceAccess,
organizations:RegisterDelegatedAdministrator