How do I enable Trusted Advisor for multiple accounts at the org level and collect all findings into a dedicated audit account?


How do I enable Trusted Advisor for multiple accounts at the org level and collect all findings into a dedicated audit account? I have tried setting this up but got stuck at one point: I cannot delete the existing audit account and redo it, because deleting the audit account throws an error.

I have verified that I have granted enough permissions to the audit account and the member accounts to send/receive findings into the audit account. Please advise if anything else is missing; currently I see findings only from the audit account.


asked 10 months ago, 732 views
2 Answers
Accepted Answer

Currently the delegated admin functionality only gives you access to Trusted Advisor Priority findings. Delegated administrator accounts can review, acknowledge, resolve, dismiss, and reopen recommendations in Trusted Advisor Priority. More details can be found here on delegated admin.

One alternative is to deploy the Trusted Advisor Organizational Dashboard, which uses the data from the Organizational View Reports to display this Trusted Advisor data in a QuickSight dashboard. You can view a demo of that dashboard here.

AWS
answered 10 months ago
  • Thanks for the info @paul. Is there any possibility to enable Trusted Advisor findings as Security Hub findings in a centralized audit account? Based on your answer, it is not possible to get all findings from different accounts into a central audit account via Trusted Advisor, right? So as an alternative you suggested using the "Trusted Advisor Organizational Dashboard". In the delegated administrator account I would expect to see the Organizational View below, so that someone can create reports without going to the Organization Account. If that is possible, how do I make it viewable via Trusted Advisor data in a QuickSight dashboard?


Did you try logging in as the root user? Try deregistering the account using the deregister CLI as the root user.

Is this account supposed to be part of the AWS Organization? If not, can you remove it from Organizations first and then try? Was this account provisioned through Control Tower? If yes, then you can retry provisioning it after cleaning up the Control Tower setup.

Based on what you showed here, this is exactly how accounts get deregistered.


References:
- AWS Trusted Advisor and AWS Organizations
- Deregister delegated administrators
- Deregister Delegated Administrator CLI

AWS
answered 10 months ago
  • Can you also suggest steps to redo this setup? So you mean deregistering is only possible if you have root access? @secondabhi_aws

  • No, this can be done by any user who has appropriate access; just to rule out permission issues, I suggested you do it through root access. Does "redo the setup" mean provisioning the accounts through Control Tower again, or removing the account from the organization?

  • Yes, that resolved deregistering the account, but we are still confused about how we can implement the solution via Trusted Advisor. It looks like Paul has an alternative way to resolve it.
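
The deregister-and-register flow discussed in this answer, as an added example that is not part of the original answer: it checks whether the audit account is currently the Trusted Advisor delegated administrator, deregisters it if so, registers it again, and verifies the result. It assumes the AWS CLI is configured with credentials for the Organizations management account (the registration calls are only accepted there) and that `reporting.trustedadvisor.amazonaws.com` is the service principal for Trusted Advisor; the `AWS` variable and the `AUDIT_ACCOUNT` usage variable are conveniences introduced here.

```shell
#!/bin/sh
# Added example: idempotently reset the Trusted Advisor delegated administrator.
# Assumes management-account credentials. AWS can be overridden (e.g. to a
# stub function) so the logic can be exercised without touching a real org.
AWS="${AWS:-aws}"
TA_PRINCIPAL="reporting.trustedadvisor.amazonaws.com"

# Print the IDs of accounts currently registered as delegated admins
# for the Trusted Advisor service principal (one per line / whitespace).
list_ta_delegated_admins() {
  $AWS organizations list-delegated-administrators \
    --service-principal "$TA_PRINCIPAL" \
    --query 'DelegatedAdministrators[].Id' --output text
}

# Exit 0 only if account $1 is currently a registered delegated admin.
is_ta_delegated_admin() {
  for id in $(list_ta_delegated_admins); do
    [ "$id" = "$1" ] && return 0
  done
  return 1
}

# Deregister account $1 if registered, register it again, then verify.
# Exit status is the verification result, so callers can act on it.
reset_ta_delegated_admin() {
  acct="$1"
  if is_ta_delegated_admin "$acct"; then
    $AWS organizations deregister-delegated-administrator \
      --account-id "$acct" --service-principal "$TA_PRINCIPAL"
  fi
  $AWS organizations register-delegated-administrator \
    --account-id "$acct" --service-principal "$TA_PRINCIPAL"
  is_ta_delegated_admin "$acct"
}

# Usage: AUDIT_ACCOUNT=<audit account id> sh reset-ta-admin.sh
if [ -n "${AUDIT_ACCOUNT:-}" ]; then
  reset_ta_delegated_admin "$AUDIT_ACCOUNT" \
    && echo "Trusted Advisor delegated admin is now $AUDIT_ACCOUNT"
fi
```

The same `--service-principal` value is what `list-delegated-administrators` needs to show the current registration, so running the list command alone is a quick way to confirm the state before changing anything.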
