Which AWS Account or Organization Unit should be Account Management delegated admin

Question

Hello.
I would like to ask for best practise regarding Account management delegated admin (Account that will be able to create AWS account and move the in different OU's instead of main AWS account). Which account or account in which organization unit should be this delegated admin?

I was not able to find this information in the [Enabling a delegated admin account for AWS Account Management documentation](https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-delegated-admin.html).
Nor in the [Best Practices for Organizational Units with AWS Organizations](https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/) or [Dedicated accounts structure](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/dedicated-accounts.html).

I have found, that SSO delegated administrator should be the security account [here](https://aws.amazon.com/blogs/security/getting-started-with-aws-sso-delegated-administration/). But that is different use case.

Thank you for your help,
Tomas

Answer

Only the management account has access to create AWS accounts in the AWS organization, invite other existing accounts to the AWS organization, remove accounts from the AWS organization and move accounts to different OUs. Hence, this role could not be delegated to another member account. Hence, you should follow the security best practices for your Org Management account. Please refer here for more details.

Please refer here for the list of services that supports delegated admin.

Thank you

SUPPORT ENGINEER

AWS-User-4405679

answered 2 years ago

Please refer [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html) for the list of services that supports delegated admin.

Thank you

Which AWS Account or Organization Unit should be Account Management delegated admin

Relevant content