
AWS Organizations Integration

Open thebutler12 opened this issue 4 years ago • 6 comments

The current process for making AWS accounts and Regions discoverable to Perspective still requires manual effort. You have to deploy AWS CloudFormation templates in every account and region you want to import. We would like to integrate with AWS Organizations to let you deploy AWS Perspective in the root account and be able to make member accounts discoverable to Perspective without the need for manual CloudFormation deployments. We are also keen to hear what else you would like to see from this integration with AWS Organizations, so please provide details in the comments below

thebutler12 avatar Sep 21 '20 16:09 thebutler12

Integration of AWS Organizations would be great, especially with auto enrollment. But we would not deploy the solution in the root account. Instead we would use another account for it where we host the solution. In addition there should be some kind of "Change Information" that a new account has been added, either in the GUI as a notification or via an SNS subscription.

ChrisRu82 avatar Sep 24 '20 11:09 ChrisRu82

Thank you, this is really useful feedback.

svozza avatar Sep 24 '20 11:09 svozza

I put the account number in, pick the region, click on import and I get a "We could not complete that action. Please try again. See GitHub issues for help resolving the issue". I have looked in the CloudWatch logs and I don't see any obvious failures. I see Lambda complete the request for the account ID, but I get that error and it does not move past it.

mainlinecoffee avatar Oct 05 '20 14:10 mainlinecoffee

With Enterprise Support customers, AWS Organizations would be the norm, and so would integration with AWS Organizations. Just adding another influence.

dbrhee avatar Oct 16 '20 17:10 dbrhee

When considering this issue, we should also consider users who wish to import multiple accounts, but do not use AWS Orgs.

ConnorKirk avatar Nov 04 '20 17:11 ConnorKirk

Dual integration with Organizations and Control Tower. Organizations adds integration with accounts, while Control Tower can give visibility on which regions are governed/enabled. No need to import all regions of every account if only a few are enabled.

an-echo avatar Oct 22 '21 19:10 an-echo

This has been implemented in #379 and #381. When deploying the solution in organization mode, the following constraints will apply:

  • Account imports are no longer managed through the Workload Discovery UI.
    • The solution deploys (or the user provides) an organization wide AWS Config aggregator. If a user provides their own organization wide aggregator, the solution must be installed in the same account and region as this aggregator.
    • The solution deploys a StackSet which deploys an IAM role in each account in the organization. The StackSet will also auto-deploy the role to new accounts as they are added to the organization.
  • The solution must be installed in a delegated admin account (recommended) or the management account.
    • If using a delegated admin account StackSets and multi-region AWS Config capabilities must be enabled as documented here:
      • https://docs.aws.amazon.com/config/latest/developerguide/set-up-aggregator-cli.html#register-a-delegated-administrator-cli
      • https://aws.amazon.com/blogs/mt/cloudformation-stacksets-delegated-administration/
  • Due to the way service managed StackSets work, importing the management account requires the user to install the global resources CloudFormation template in the management account.

svozza avatar Feb 02 '23 14:02 svozza
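The comment above describes a service-managed StackSet that installs an IAM role in every member account and auto-deploys it to accounts that join the organization later. The template below is an added illustration of that pattern, not the solution's own template from #379/#381: the stack set name, role name, the `DiscoveryRoleArn` and `RootOuId` parameter values, and the use of the AWS managed `ReadOnlyAccess` policy are all placeholders chosen for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Illustrative service-managed StackSet that installs a read-only
  cross-account role in every member account and auto-deploys it to
  new accounts. Example only; not the project's own template.

Parameters:
  DiscoveryRoleArn:
    Type: String
    Description: Execution role in the delegated admin account that will assume the member role (placeholder)
    Default: "arn:aws:iam::111111111111:role/example-discovery-execution-role"
  RootOuId:
    Type: String
    Description: Organization root ID, so every account is a deployment target (placeholder)
    Default: "r-examp"
  TargetRegion:
    Type: String
    Description: IAM is global, so one region per account is enough
    Default: "us-east-1"

Resources:
  MemberRoleStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: example-discovery-member-role
      Description: Read-only role assumed from the discovery account
      # SERVICE_MANAGED lets Organizations enumerate target accounts for us
      PermissionModel: SERVICE_MANAGED
      # Deploy from the delegated administrator rather than the management account;
      # StackSets delegated administration must already be enabled (see links above)
      CallAs: DELEGATED_ADMIN
      # New member accounts get the role automatically; remove it when they leave
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      Capabilities:
        - CAPABILITY_NAMED_IAM
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref RootOuId
          Regions:
            - !Ref TargetRegion
      # The inner template is what lands in each member account. ${DiscoveryRoleArn}
      # is substituted by the outer !Sub before the inner template is parsed.
      TemplateBody: !Sub |
        AWSTemplateFormatVersion: "2010-09-09"
        Resources:
          DiscoveryReadOnlyRole:
            Type: AWS::IAM::Role
            Properties:
              RoleName: example-discovery-readonly-role
              AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Principal:
                      AWS: "${DiscoveryRoleArn}"
                    Action: sts:AssumeRole
              ManagedPolicyArns:
                - arn:aws:iam::aws:policy/ReadOnlyAccess
```

Two design points worth checking in any real deployment: the trust policy names a single execution role rather than the whole discovery account (`:root`), so only that principal can read member accounts, and the permissions attached are read-only, which is all an inventory tool needs; a tighter custom policy covering just the services being discovered is preferable to the broad managed policy used here. As the comment notes, a service-managed StackSet does not cover the management account itself, so the role for that account still has to be installed there directly.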