Delegated administrator for AWS Organizations is generally a good thing, because it limits the need to do things in your organization's management account. This reduces the chance of things going wrong because someone forgot which account they were logged in to, or ran a script against the wrong account!

Delegating access improves your security posture by limiting the reasons to log in to your AWS Organizations management account, until it doesn't. Unfortunately, in the case of AWS IAM Identity Center (IDC), there are a number of tasks that you can't do from an account with delegated access. I've seen multiple customers go through the work of setting this up, only to find out they still need to log in to the management account to modify permission sets and users in that account, especially for services tied to it like billing and other commercial services.

Delegation ONLY applies to organization instances of IDC. Account instances can't use delegation because they have no multi-account features.

Limits with Delegation

The actions you CANNOT DO from a delegated administration account are:

  • Enabling IAM Identity Center
  • Deleting IAM Identity Center configurations
  • Managing permission sets provisioned in the management account
  • Registering or deregistering other member accounts as delegated administrators
  • Enabling or disabling user access in the management account

If I've delegated administration of my Identity Center to another account, I expect them to have permission to do all the administration, because that is how it works for other services that support delegation in AWS Organizations.

These limitations do make sense from a security perspective, since they stop a delegated administrator from using Identity Center to escalate privileges into the management account, but they also mean you still need to access the management account to carry out relatively common administration tasks.
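Before you commit to a delegated administrator setup, it helps to know which of your existing permission sets will still drag you back into the management account. The script below is an added example, not code from the original post: it inventories Identity Center permission sets and flags those provisioned into the management account, which the list above says a delegated administrator cannot manage. The classification logic is pure Python and runs against a constructed sample; the `collect_from_aws()` function is an assumption about how you would feed it live data and needs `boto3`, credentials for the delegated administrator account, and an organization instance of IDC. The `sso.amazonaws.com` service principal and the API names used are the real ones for IAM Identity Center and Organizations.

```python
"""Added example: flag Identity Center permission sets that still require the
management account even after delegating administration.

Assumptions (not from the original post): boto3 and delegated-admin credentials
are available only when you run with --live; the pure functions run offline.
"""
from __future__ import annotations

import json
import sys

# Service principal under which Identity Center delegation is registered.
SSO_SERVICE_PRINCIPAL = "sso.amazonaws.com"

# Constructed sample inventory: permission set name -> accounts it is provisioned to.
SAMPLE_MANAGEMENT_ACCOUNT = "111111111111"
SAMPLE_PROVISIONED = {
    "AdministratorAccess": ["111111111111", "222222222222"],
    "Billing": ["111111111111"],
    "ReadOnly": ["222222222222", "333333333333"],
}
SAMPLE_DELEGATED_ADMINS = [{"Id": "222222222222", "Name": "security-tooling"}]


def is_delegated_admin(delegated_admins: list[dict], account_id: str) -> bool:
    """True when account_id is registered as a delegated administrator
    (shape of the ListDelegatedAdministrators response)."""
    return any(admin.get("Id") == account_id for admin in delegated_admins)


def classify_permission_sets(management_account_id: str,
                             provisioned: dict[str, list[str]]) -> dict[str, list[str]]:
    """Split permission sets into those a delegated admin can manage and those
    provisioned into the management account, which still need a management
    account login to modify."""
    result: dict[str, list[str]] = {"delegated_ok": [], "needs_management_account": []}
    for name, account_ids in sorted(provisioned.items()):
        bucket = "needs_management_account" if management_account_id in account_ids else "delegated_ok"
        result[bucket].append(name)
    return result


def _paginate(call, key: str, **kwargs):
    """Follow NextToken for Organizations / sso-admin list calls."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def collect_from_aws() -> dict:
    """Build the same inventory from a live account (assumed delegated admin)."""
    import boto3  # lazy import so the pure functions above work without it

    org = boto3.client("organizations")
    sso = boto3.client("sso-admin")
    me = boto3.client("sts").get_caller_identity()["Account"]
    mgmt = org.describe_organization()["Organization"]["MasterAccountId"]
    admins = list(_paginate(org.list_delegated_administrators, "DelegatedAdministrators",
                            ServicePrincipal=SSO_SERVICE_PRINCIPAL))
    instance_arn = sso.list_instances()["Instances"][0]["InstanceArn"]

    provisioned: dict[str, list[str]] = {}
    for ps_arn in _paginate(sso.list_permission_sets, "PermissionSets", InstanceArn=instance_arn):
        name = sso.describe_permission_set(InstanceArn=instance_arn,
                                           PermissionSetArn=ps_arn)["PermissionSet"]["Name"]
        provisioned[name] = list(_paginate(sso.list_accounts_for_provisioned_permission_set,
                                           "AccountIds", InstanceArn=instance_arn,
                                           PermissionSetArn=ps_arn))
    return {"delegated_admin": is_delegated_admin(admins, me),
            **classify_permission_sets(mgmt, provisioned)}


def report(management_account_id: str, provisioned: dict[str, list[str]],
           delegated_admins: list[dict], account_id: str) -> dict:
    """Offline report over an inventory (used with the constructed sample)."""
    return {"delegated_admin": is_delegated_admin(delegated_admins, account_id),
            **classify_permission_sets(management_account_id, provisioned)}


if __name__ == "__main__":
    if "--live" in sys.argv:
        print(json.dumps(collect_from_aws(), indent=2))
    else:
        print(json.dumps(report(SAMPLE_MANAGEMENT_ACCOUNT, SAMPLE_PROVISIONED,
                                SAMPLE_DELEGATED_ADMINS, "222222222222"), indent=2))
```

Run it without arguments to see the classification on the constructed sample; with `--live` it queries your account. Anything listed under `needs_management_account` is a permission set you will still be editing from the management account, so a useful pre-delegation cleanup is to move management-account access into its own dedicated permission sets so the rest can be managed from the delegated account.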
