# Using Amazon S3 Storage Lens with AWS Organizations
<a name="storage_lens_with_organizations"></a>

Amazon S3 Storage Lens is a cloud-storage analytics feature that you can use to gain organization-wide visibility into object-storage usage and activity. You can use S3 Storage Lens metrics to generate summary insights, such as finding out how much storage you have across your entire organization or which are the fastest-growing buckets and prefixes. You can also use Amazon S3 Storage Lens to collect storage metrics and usage data for all AWS accounts that are part of your AWS Organizations hierarchy. To do this, you must be using AWS Organizations, and you must enable S3 Storage Lens trusted access by using your AWS Organizations management account.

After enabling trusted access, add delegated administrator access to accounts in your organization. The delegated administrator accounts are used to create S3 Storage Lens configurations and dashboards that collect organization-wide storage metrics and user data. For more information about enabling trusted access, see [Amazon S3 Storage Lens and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-s3lens.html) in the *AWS Organizations User Guide*.

**Topics**
+ [Enabling trusted access for S3 Storage Lens](storage_lens_with_organizations_enabling_trusted_access.md)
+ [Disabling trusted access for S3 Storage Lens](storage_lens_with_organizations_disabling_trusted_access.md)
+ [Registering a delegated administrator for S3 Storage Lens](storage_lens_with_organizations_registering_delegated_admins.md)
+ [Deregistering a delegated administrator for S3 Storage Lens](storage_lens_with_organizations_deregistering_delegated_admins.md)

# Enabling trusted access for S3 Storage Lens
<a name="storage_lens_with_organizations_enabling_trusted_access"></a>

By enabling trusted access, you allow Amazon S3 Storage Lens to access your AWS Organizations hierarchy, membership, and structure through AWS Organizations API operations. S3 Storage Lens then becomes a trusted service for your entire organization's structure.

Whenever a dashboard configuration is created, S3 Storage Lens creates service-linked roles in your organization's management or delegated administrator accounts. The service-linked role grants S3 Storage Lens permission to perform the following actions:
+ Describe organizations
+ List accounts
+ Verify the list of AWS service access for the organization
+ Get delegated administrators for the organization

S3 Storage Lens can then ensure that it has access to collect the cross-account metrics for the accounts in your organization. For more information, see [Using service-linked roles for Amazon S3 Storage Lens](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-service-linked-roles.html).

After enabling trusted access, you can assign delegated administrator access to accounts in your organization. When an account is marked as a delegated administrator for a service, the account receives authorization to access all read-only organization API operations. This access provides the delegated administrator visibility to the members and structures of your organization so that they too can create S3 Storage Lens dashboards.

**Note**  
Trusted access can only be enabled by the [management account](https://docs.aws.amazon.com/managedservices/latest/userguide/management-account.html).
Only the management account and delegated administrators can create S3 Storage Lens dashboards or configurations for your organization.

# Using the S3 console
<a name="storage_lens_console_organizations_enabling_trusted_access"></a>

**To enable S3 Storage Lens to have AWS Organizations trusted access**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. On the left navigation pane, navigate to **Storage Lens**.

1. Choose **AWS Organizations settings**. The **AWS Organizations access for Storage Lens** page displays.

1. Under **AWS Organizations trusted access**, choose **Edit**.

   The **AWS Organizations access** page displays.

1. Choose **Enable** to enable trusted access for your S3 Storage Lens dashboard.

1. Choose **Save changes**.

# Using the AWS CLI
<a name="OrganizationsEnableTrustedAccessS3LensCLI"></a>

**Example**  
The following example shows you how to enable AWS Organizations trusted access for S3 Storage Lens by using the AWS CLI. Run it from the organization's management account.  

```
aws organizations enable-aws-service-access --service-principal storage-lens.s3.amazonaws.com
```

# Using the AWS SDK for Java
<a name="OrganizationsEnableTrustedAccessS3LensJava"></a>

**Example – Enable AWS Organizations trusted access for S3 Storage Lens using SDK for Java**  
The following example shows you how to enable trusted access for S3 Storage Lens by using the SDK for Java. To use this example, replace the `user input placeholders` with your own information.  

```
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.organizations.AWSOrganizations;
import com.amazonaws.services.organizations.AWSOrganizationsClient;
import com.amazonaws.services.organizations.model.EnableAWSServiceAccessRequest;

public class EnableOrganizationsTrustedAccess {
    private static final String S3_STORAGE_LENS_SERVICE_PRINCIPAL = "storage-lens.s3.amazonaws.com";

    public static void main(String[] args) {
        try {
            // Use credentials for the organization's management account;
            // only the management account can enable trusted access.
            AWSOrganizations organizationsClient = AWSOrganizationsClient.builder()
                .withCredentials(new ProfileCredentialsProvider())
                .withRegion(Regions.US_EAST_1)
                .build();

            organizationsClient.enableAWSServiceAccess(new EnableAWSServiceAccessRequest()
                .withServicePrincipal(S3_STORAGE_LENS_SERVICE_PRINCIPAL));
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but AWS Organizations couldn't process
            // it and returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // AWS Organizations couldn't be contacted for a response, or the client
            // couldn't parse the response from AWS Organizations.
            e.printStackTrace();
        }
    }
}
```

# Disabling trusted access for S3 Storage Lens
<a name="storage_lens_with_organizations_disabling_trusted_access"></a>

Removing an account as a delegated administrator or disabling trusted access limits that account's S3 Storage Lens dashboard metrics to the account level. Each account holder is then able to see S3 Storage Lens metrics only within the limited scope of their own account, not their entire organization.

When you disable trusted access in S3 Storage Lens, any dashboards that require trusted access are no longer updated, including any organization-level dashboards that have already been created. Instead, you can only query [historic data for the S3 Storage Lens dashboard](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_basics_metrics_recommendations.html#storage_lens_basics_data_queries) while the data is still available.

**Note**  
Disabling trusted access for S3 Storage Lens also automatically stops all organization-level dashboards from collecting and aggregating storage metrics. This is because S3 Storage Lens no longer has trusted access to the organization accounts.
Your management and delegated administrator accounts can still see the historic data for any disabled dashboards, and they can query that historic data while it is still available.

# Using the S3 console
<a name="storage_lens_console_organizations_disabling_trusted_access"></a>

**To disable trusted access for S3 Storage Lens**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. On the left navigation pane, navigate to **Storage Lens**.

1. Choose **AWS Organizations settings**. The **AWS Organizations access for Storage Lens** page displays.

1. Under **AWS Organizations trusted access**, choose **Edit**.

   The **AWS Organizations access** page displays.

1. Choose **Disable** to disable trusted access for your S3 Storage Lens dashboard.

1. Choose **Save changes**.

# Using the AWS CLI
<a name="OrganizationsDisableTrustedAccessS3LensCLI"></a>

**Example**  
The following example disables trusted access for S3 Storage Lens by using the AWS CLI. Deregister any delegated administrators for S3 Storage Lens first; otherwise, the request fails.  

```
aws organizations disable-aws-service-access --service-principal storage-lens.s3.amazonaws.com
```

# Using the AWS SDK for Java
<a name="OrganizationsDisableTrustedAccessS3LensJava"></a>

**Example – Disable AWS Organizations trusted access for S3 Storage Lens**  
The following example shows you how to disable AWS Organizations trusted access for S3 Storage Lens by using the SDK for Java. To use this example, replace the `user input placeholders` with your own information.  

```
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.organizations.AWSOrganizations;
import com.amazonaws.services.organizations.AWSOrganizationsClient;
import com.amazonaws.services.organizations.model.DisableAWSServiceAccessRequest;

public class DisableOrganizationsTrustedAccess {
    private static final String S3_STORAGE_LENS_SERVICE_PRINCIPAL = "storage-lens.s3.amazonaws.com";

    public static void main(String[] args) {
        try {
            // Use credentials for the organization's management account.
            AWSOrganizations organizationsClient = AWSOrganizationsClient.builder()
                .withCredentials(new ProfileCredentialsProvider())
                .withRegion(Regions.US_EAST_1)
                .build();

            // Make sure to remove any existing delegated administrator for S3 Storage Lens
            // before disabling access; otherwise, the request will fail.
            organizationsClient.disableAWSServiceAccess(new DisableAWSServiceAccessRequest()
                .withServicePrincipal(S3_STORAGE_LENS_SERVICE_PRINCIPAL));
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but AWS Organizations couldn't process
            // it and returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // AWS Organizations couldn't be contacted for a response, or the client
            // couldn't parse the response from AWS Organizations.
            e.printStackTrace();
        }
    }
}
```
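As an added example that is not part of this guide's own code, the following Python script audits which accounts hold delegated administrator access for the S3 Storage Lens service principal and then disables trusted access in the order the SDK example above requires: deregister every delegated administrator first, then disable service access. It also covers the deregistration described in the next topic. The function names and the `FakeOrganizations` stand-in are constructed for this example; the client method names and response fields match those of boto3's Organizations client, so a real `boto3.client("organizations")` created with management-account credentials can be passed in its place.

```python
STORAGE_LENS_PRINCIPAL = "storage-lens.s3.amazonaws.com"

def _all_pages(call, key, **kwargs):
    """Follow NextToken pagination as the Organizations list APIs expose it."""
    items, token = [], None
    while True:
        resp = call(**kwargs, NextToken=token) if token else call(**kwargs)
        items.extend(resp.get(key, []))
        token = resp.get("NextToken")
        if not token:
            return items

def audit_storage_lens_access(org):
    """Return (trusted_access_enabled, sorted delegated-admin account IDs)."""
    enabled = {p["ServicePrincipal"] for p in _all_pages(
        org.list_aws_service_access_for_organization, "EnabledServicePrincipals")}
    admins = _all_pages(org.list_delegated_administrators, "DelegatedAdministrators",
                        ServicePrincipal=STORAGE_LENS_PRINCIPAL)
    return STORAGE_LENS_PRINCIPAL in enabled, sorted(a["Id"] for a in admins)

def disable_storage_lens_access(org):
    """Deregister every delegated administrator, then disable trusted access.
    Order matters: the API rejects disabling access while delegated admins are
    still registered for the principal. Returns the deregistered account IDs."""
    enabled, admins = audit_storage_lens_access(org)
    for account_id in admins:
        org.deregister_delegated_administrator(
            AccountId=account_id, ServicePrincipal=STORAGE_LENS_PRINCIPAL)
    if enabled:
        org.disable_aws_service_access(ServicePrincipal=STORAGE_LENS_PRINCIPAL)
    return admins

class FakeOrganizations:
    """Constructed in-memory stand-in for boto3.client("organizations") so the
    example runs offline; it models only the response fields and the ordering
    rule used above. A real client from the management account works the same."""

    def __init__(self, enabled, admins):
        self.enabled = set(enabled)
        self.admins = {STORAGE_LENS_PRINCIPAL: list(admins)}

    def list_aws_service_access_for_organization(self, **_):
        return {"EnabledServicePrincipals":
                [{"ServicePrincipal": p} for p in sorted(self.enabled)]}

    def list_delegated_administrators(self, ServicePrincipal, **_):
        return {"DelegatedAdministrators":
                [{"Id": a} for a in self.admins.get(ServicePrincipal, [])]}

    def deregister_delegated_administrator(self, AccountId, ServicePrincipal):
        self.admins[ServicePrincipal].remove(AccountId)

    def disable_aws_service_access(self, ServicePrincipal):
        if self.admins.get(ServicePrincipal):  # mirrors the real API's refusal
            raise RuntimeError("delegated administrators still registered")
        self.enabled.discard(ServicePrincipal)

if __name__ == "__main__":
    # Constructed sample organization: trusted access on, one delegated admin.
    org = FakeOrganizations([STORAGE_LENS_PRINCIPAL], ["111122223333"])
    print("before:", audit_storage_lens_access(org))
    print("deregistered:", disable_storage_lens_access(org))
    print("after:", audit_storage_lens_access(org))
```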

# Registering a delegated administrator for S3 Storage Lens
<a name="storage_lens_with_organizations_registering_delegated_admins"></a>

You can create organization-level dashboards by using your organization’s management account or delegated administrator accounts. Delegated administrator accounts allow other accounts besides your management account to create organization-level dashboards. Only the management account of an organization can register and deregister other accounts as delegated administrators for the organization.

After enabling trusted access, you can register delegated administrator access for accounts in your organization by using the AWS Organizations REST API, AWS CLI, or SDKs from the [management account](https://docs.aws.amazon.com/managedservices/latest/userguide/management-account.html). (For more information, see [RegisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html) in the *AWS Organizations API Reference*.) When an account is registered as a delegated administrator, the account receives authorization to access all read-only AWS Organizations API operations. This provides visibility to the members and structures of your organization so that they can create S3 Storage Lens dashboards on your behalf.

**Note**  
Before you can designate a delegated administrator by using the AWS Organizations REST API, AWS CLI, or SDKs, you must call the [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) operation.

# Using the S3 console
<a name="storage_lens_console_organizations_registering_delegated_admins"></a>

**To register delegated administrators for S3 Storage Lens**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. On the left navigation pane, navigate to **Storage Lens**.

1. Choose **AWS Organizations settings**.

1. Under **Delegated administrators**, choose **Register account**.

1. Add an AWS account ID to register the account as a delegated administrator. The delegated administrator is able to create organization-level dashboards for all accounts and storage in your organization.

1. Choose **Register account**.

# Using the AWS CLI
<a name="OrganizationsRegisterDelegatedAdministratorS3LensCLI"></a>

**Example**  
The following example shows you how to register an AWS Organizations delegated administrator for S3 Storage Lens by using the AWS CLI. To use this example, replace `111122223333` with your own AWS account ID.  

```
aws organizations register-delegated-administrator --service-principal storage-lens.s3.amazonaws.com --account-id 111122223333
```

# Using the AWS SDK for Java
<a name="OrganizationsRegisterDelegatedAdministratorS3LensJava"></a>

**Example – Register Organizations delegated administrators for S3 Storage Lens**  
The following example shows you how to register an AWS Organizations delegated administrator for S3 Storage Lens by using the SDK for Java. To use this example, replace the `user input placeholders` with your own information.  

```
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.organizations.AWSOrganizations;
import com.amazonaws.services.organizations.AWSOrganizationsClient;
import com.amazonaws.services.organizations.model.RegisterDelegatedAdministratorRequest;

public class RegisterOrganizationsDelegatedAdministrator {
    private static final String S3_STORAGE_LENS_SERVICE_PRINCIPAL = "storage-lens.s3.amazonaws.com";

    public static void main(String[] args) {
        try {
            // Account ID of the member account to register; replace with your own.
            String delegatedAdminAccountId = "111122223333";
            // Use credentials for the organization's management account;
            // only the management account can register delegated administrators.
            AWSOrganizations organizationsClient = AWSOrganizationsClient.builder()
                .withCredentials(new ProfileCredentialsProvider())
                .withRegion(Regions.US_EAST_1)
                .build();

            organizationsClient.registerDelegatedAdministrator(new RegisterDelegatedAdministratorRequest()
                .withAccountId(delegatedAdminAccountId)
                .withServicePrincipal(S3_STORAGE_LENS_SERVICE_PRINCIPAL));
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but AWS Organizations couldn't process
            // it and returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // AWS Organizations couldn't be contacted for a response, or the client
            // couldn't parse the response from AWS Organizations.
            e.printStackTrace();
        }
    }
}
```

# Deregistering a delegated administrator for S3 Storage Lens
<a name="storage_lens_with_organizations_deregistering_delegated_admins"></a>

After enabling trusted access, you can also deregister delegated administrator access for accounts in your organization. Delegated administrator accounts allow other accounts besides your [management account](https://docs.aws.amazon.com/managedservices/latest/userguide/management-account.html) to create organization-level dashboards. Only the management account of an organization can deregister accounts as delegated administrators for the organization.

You can deregister a delegated administrator by using the AWS Organizations console, REST API, AWS CLI, or AWS SDKs from the management account. For more information, see [DeregisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html) in the *AWS Organizations API Reference*.

When an account is deregistered as a delegated administrator, the account loses access to the following:
+ All read-only AWS Organizations API operations that provide visibility to the members and structures of your organization.
+ All organization-level dashboards created by the delegated administrator. Deregistering a delegated administrator also automatically stops all organization-level dashboards created by that delegated administrator from aggregating new storage metrics.

**Note**  
The deregistered delegated administrator will still be able to see the historic data for the disabled dashboards that they created if data is still available for querying.

# Using the S3 console
<a name="storage_lens_console_organizations_deregistering_delegated_admins"></a>

**To deregister delegated administrators for S3 Storage Lens**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. On the left navigation pane, navigate to **Storage Lens**.

1. Choose **AWS Organizations settings**.

1. Under **Delegated administrators**, choose the account that you wish to deregister.

1. Choose **De-register account**. The deregistered account is no longer a delegated administrator and is now unable to create organization-level dashboards for all accounts and storage in your organization.

1. Choose **Register account**.

# Using the AWS CLI
<a name="OrganizationsDeregisterDelegatedAdministratorS3LensCLI"></a>

**Example**  
The following example shows you how to deregister an AWS Organizations delegated administrator for S3 Storage Lens by using the AWS CLI. To use this example, replace `111122223333` with your own AWS account ID.  

```
aws organizations deregister-delegated-administrator --service-principal storage-lens.s3.amazonaws.com --account-id 111122223333
```

# Using the AWS SDK for Java
<a name="OrganizationsDeregisterDelegatedAdministratorS3LensJava"></a>

**Example – Deregister Organizations delegated administrators for S3 Storage Lens**  
The following example shows you how to deregister an AWS Organizations delegated administrator for S3 Storage Lens by using the SDK for Java. To use this example, replace the `user input placeholders` with your own information.  

```
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.organizations.AWSOrganizations;
import com.amazonaws.services.organizations.AWSOrganizationsClient;
import com.amazonaws.services.organizations.model.DeregisterDelegatedAdministratorRequest;

public class DeregisterOrganizationsDelegatedAdministrator {
    private static final String S3_STORAGE_LENS_SERVICE_PRINCIPAL = "storage-lens.s3.amazonaws.com";

    public static void main(String[] args) {
        try {
            // Account ID of the delegated administrator to deregister; replace with your own.
            String delegatedAdminAccountId = "111122223333";
            // Use credentials for the organization's management account;
            // only the management account can deregister delegated administrators.
            AWSOrganizations organizationsClient = AWSOrganizationsClient.builder()
                .withCredentials(new ProfileCredentialsProvider())
                .withRegion(Regions.US_EAST_1)
                .build();

            organizationsClient.deregisterDelegatedAdministrator(new DeregisterDelegatedAdministratorRequest()
                .withAccountId(delegatedAdminAccountId)
                .withServicePrincipal(S3_STORAGE_LENS_SERVICE_PRINCIPAL));
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but AWS Organizations couldn't process
            // it and returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // AWS Organizations couldn't be contacted for a response, or the client
            // couldn't parse the response from AWS Organizations.
            e.printStackTrace();
        }
    }
}
```