

# AWS services that you can use with AWS Organizations
<a name="orgs_integrate_services_list"></a>

With AWS Organizations you can perform account management activities at scale by consolidating multiple AWS accounts into a single organization. Consolidating accounts simplifies how you use other AWS services. You can use the multi-account management features of AWS Organizations together with select AWS services to perform tasks on all accounts that are members of your organization. 

The following table lists AWS services that you can use with AWS Organizations, and the benefit of using each service on an organization-wide level. 

**Trusted access** – You can enable a compatible AWS service to perform operations across all of the AWS accounts in your organization. For more information, see [Using AWS Organizations with other AWS services](orgs_integrate_services.md).

**Delegated administrator for AWS services** – A compatible AWS service can register an AWS member account in the organization as an administrator for the organization's accounts in that service. For more information, see [Delegated administrator for AWS services that work with Organizations](orgs_integrate_delegated_admin.md).



| AWS service | Benefits of using with AWS Organizations | Supports trusted access | Supports delegated administrator | 
| --- | --- | --- | --- | 
|   [AWS Account Management](services-that-can-integrate-account.md)  Manage the details and metadata for all of the AWS accounts for your organization.  |  Manage account details, alternate contacts, and Regions for all of the AWS accounts in your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-account.md#integrate-enable-ta-account)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-account.md#integrate-enable-da-account)   | 
|   [AWS Application Migration Service](services-that-can-integrate-application-migration.md)  AWS Application Migration Service allows companies to lift-and-shift to AWS a large number of physical, virtual, or cloud servers without compatibility issues, performance disruption, or long cutover windows.   |  You can manage large-scale migrations across multiple accounts.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-application-migration.md#integrate-enable-ta-application-migration)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-application-migration.md#integrate-enable-da-application-migration)   | 
|   [AWS Artifact](services-that-can-integrate-artifact.md)  Download AWS security compliance reports such as ISO and PCI reports.  |  You can accept agreements on behalf of all accounts within your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-artifact.md#integrate-enable-ta-artifact)   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [AWS Audit Manager](services-that-can-integrate-audit-manager.md)  Automate the continuous collection of evidence to help you audit your use of cloud services.  |  Continuously audit your AWS use across multiple accounts in your organization to simplify how you assess risk and compliance.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-audit-manager.md#integrate-enable-ta-audit-manager)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-audit-manager.md#integrate-enable-da-audit-manager)   | 
|   [AWS Backup](services-that-can-integrate-backup.md)  Manage and monitor backups across all of the accounts in your organization.   |  You can configure and manage backup plans for your entire organization, or for groups of accounts in your organization units (OUs). You can centrally monitor backups for all of your accounts.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-backup.md#integrate-enable-ta-backup)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html#backup-delegatedadmin)  | 
|  [AWS Billing and Cost Management](services-that-can-integrate-awsaccountbilling.md)  Provides an overview of your AWS cloud financial management data to help you make faster and more informed decisions.   |  Allows split cost allocation data to retrieve AWS Organizations information, if applicable, and to collect telemetry data for the split cost allocation data services that you have opted into.  For more information, see [What is AWS Billing and Cost Management?](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html) in the *Billing and Cost Management User Guide*.   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-awsaccountbilling.md)   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [AWS CloudFormation Stacksets](services-that-can-integrate-cloudformation.md)  Create, update, or delete stacks across multiple accounts and Regions with a single operation.  |  A user in the management account or a delegated administrator account can create a stack set with service-managed permissions that deploys stack instances to accounts in your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-cloudformation.md#integrate-enable-ta-cloudformation)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-cloudformation.md#integrate-enable-da-cloudformation)   | 
|   [AWS CloudTrail](services-that-can-integrate-cloudtrail.md)  Enable governance, compliance, and operational and risk auditing of your account.  |  A user in a management account or delegated administrator account can create an organization trail or event data store that logs all events for all accounts in the organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-cloudtrail.md#integrate-enable-ta-cloudtrail)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-cloudtrail.md#integrate-enable-da-cloudtrail)   | 
|   [Amazon CloudWatch](services-that-can-integrate-cloudwatch.md)  Monitor your AWS resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables that you can measure for your resources and applications.  |  Integrating with Organizations has two benefits in CloudWatch. First, you can use CloudWatch to discover and understand the state of telemetry configuration for your AWS resources from a central view in the CloudWatch console. Second, when you use Network Flow Monitor in CloudWatch to get visibility into network performance metrics, the Organizations integration lets you view network performance information for resources in multiple accounts instead of just one account.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-cloudwatch.md#integrate-enable-ta-cloudwatch)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-cloudwatch.md#integrate-enable-da-cloudwatch)   | 
|   [AWS Compute Optimizer](services-that-can-integrate-compute-optimizer.md)  Get AWS compute optimization recommendations.  |  You can analyze all resources that are in your organization's accounts to get optimization recommendations.  For more information, see [Accounts Supported by Compute Optimizer](https://docs.aws.amazon.com/compute-optimizer/latest/ug/getting-started.html#supported-accounts) in the *AWS Compute Optimizer User Guide*.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-compute-optimizer.md#integrate-enable-ta-compute-optimizer)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-compute-optimizer.md#integrate-enable-da-compute-optimizer)   | 
|   [AWS Config](services-that-can-integrate-config.md)  Assess, audit, and evaluate the configurations of your AWS resources.  |  You can get an organization-wide view of your compliance status. You can also use [AWS Config API operations](https://docs.aws.amazon.com/config/latest/APIReference/welcome.html) to manage AWS Config rules and conformance packs across all AWS accounts in your organization. You can use a delegated administrator account to aggregate resource configuration and compliance data from all member accounts of an organization in AWS Organizations. For more information, see [Register a delegated administrator](https://docs.aws.amazon.com/config/latest/developerguide/aggregated-register-delegated-administrator.html) in the *AWS Config Developer Guide*.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-config.md#integrate-enable-ta-config)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  Learn more:  [Config rules](https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html)   [Conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-organization-apis.html)   [Multi-account multi-region data aggregation](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html)   | 
|  [AWS Control Tower](services-that-can-integrate-CTower.md)  Set up and govern a secure, compliant, multi-account AWS environment.   |  You can set up a landing zone, a multi-account environment for all of your AWS resources. This environment includes an organization and organization entities. You can use this environment to enforce compliance regulations on all of your AWS accounts.  For more information, see [How AWS Control Tower Works](https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html) and [Manage Accounts Through AWS Organizations](https://docs.aws.amazon.com/controltower/latest/userguide/organizations.html) in the *AWS Control Tower User Guide*.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html)   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|  [AWS Cost Optimization Hub](services-that-can-integrate-coh.md)  Gather cost recommendations across AWS optimization products.   |  You can easily identify, filter, and aggregate AWS cost optimization recommendations across your AWS Organizations member accounts and AWS Regions.  For more information, see [Cost Optimization Hub](https://docs.aws.amazon.com/cost-management/latest/userguide/cost-optimization-hub.html) in the *Cost Optimization Hub User Guide*.   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-coh.md#integrate-enable-ta-coh)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-coh.md#integrate-enable-da-coh)  | 
|  [Amazon Detective](services-that-can-integrate-detective.md)  Generate visualizations from your log data to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.  |  You can integrate Amazon Detective with AWS Organizations to ensure that your Detective behavior graph provides visibility into the activity for all of your organization accounts.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-detective.md#integrate-enable-ta-detective)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-detective.md#integrate-enable-da-detective)   | 
|  [Amazon DevOps Guru](services-that-can-integrate-devops.md)  Analyze operational data and application metrics and events to identify behaviors that deviate from normal operating patterns. Users are notified when DevOps Guru detects an operational issue or risk.  |  You can integrate with AWS Organizations to manage insights from all accounts across your entire organization. You delegate an administrator to view, sort, and filter insights from all accounts to obtain an organization-wide view of the health of all monitored applications.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-devops.md#integrate-enable-ta-devops)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-devops.md#integrate-enable-da-devops)   | 
|   [AWS Directory Service](services-that-can-integrate-directory-service.md)  Set up and run directories in the AWS Cloud or connect your AWS resources with an existing on-premises Microsoft Active Directory.  |  You can integrate Directory Service with AWS Organizations for seamless directory sharing across multiple accounts and any VPC in a Region.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-directory-service.md#integrate-disable-ta-directory-service)   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html) Monitor your AWS resources and the applications that you run on AWS in real time.  |  You can enable sharing of all Amazon EventBridge events, formerly Amazon CloudWatch Events, across all accounts in your organization.  For more information, see [Sending and receiving Amazon EventBridge events between AWS accounts](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html) in the *Amazon EventBridge User Guide*.  |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [Amazon Elastic Compute Cloud](services-that-can-integrate-ec2.md)  Amazon EC2 provides on-demand, scalable computing capacity in the AWS Cloud.  |  Lets the Organizations administrator create a report of the existing configuration of accounts across the organization when using the declarative policies feature.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-ec2.md#integrate-enable-ta-ec2)  |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [EC2 Capacity Manager](services-that-can-integrate-ec2-capacity-manager.md)  EC2 Capacity Manager provides an aggregated way to view, analyze, and manage your capacity usage across EC2 On-Demand, Spot, and Capacity Reservations.  |  Using EC2 Capacity Manager with the AWS Organizations integration allows you to view, analyze, and manage capacity usage across your entire organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-ec2-capacity-manager.md#integrate-enable-ta-ec2-capacity-manager)  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-ec2-capacity-manager.md#integrate-enable-da-ec2-capacity-manager)  | 
|   [Amazon Elastic Kubernetes Service](services-that-can-integrate-eks.md)  The Amazon EKS Dashboard provides aggregated visibility and management of Kubernetes clusters across the AWS Cloud.  |  Enable the Organizations admin to view consolidated dashboard data about cluster resources, including version distribution, health status, and upgrade requirements across their organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-eks.md#integrate-enable-ta-eks)  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-eks.md#integrate-enable-da-eks)  | 
|   [AWS Firewall Manager](services-that-can-integrate-fms.md)  Centrally configure and manage firewall rules for web applications across your accounts and applications.  |  You can centrally configure and manage AWS WAF rules across the accounts in your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-fms.md#integrate-enable-ta-fms)  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-fms.md#integrate-enable-da-fms)  | 
|   [Amazon GuardDuty](services-that-can-integrate-guardduty.md)  GuardDuty is a continuous security monitoring service that analyzes and processes information from a variety of data sources. It uses threat intelligence feeds and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment.  |  You can designate a member account to view and manage GuardDuty for all of the accounts in your organization. Adding member accounts automatically enables GuardDuty for those accounts in the selected AWS Region. You can also automate GuardDuty activation for new accounts added to your organization.  For more information, see [GuardDuty and Organizations](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) in the *Amazon GuardDuty User Guide*.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-guardduty.md#integrate-enable-ta-guardduty)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-guardduty.md#integrate-enable-da-guardduty)   | 
|   [AWS Health](services-that-can-integrate-health.md)  Get visibility into events that might affect the performance or availability of your AWS resources and services.  |  You can aggregate AWS Health events across accounts in your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-health.md#integrate-enable-ta-health)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-health.md#integrate-enable-da-health)   | 
|   [AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/)  Securely control access to AWS resources.   |  You can use [service last accessed data](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html) in IAM to help you better understand AWS activity across your organization. You can use this data to create and update [service control policies (SCPs)](orgs_manage_policies_scps.md) that restrict access to only the AWS services that your organization's accounts use.  For an example, see [Using Data to Refine Permissions for an Organizational Unit](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-example-scenarios.html#access_policies_access-advisor-reduce-permissions-orgs) in the *IAM User Guide*. IAM root access management lets you centrally manage root user credentials and perform privileged tasks on member accounts.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-iam.md#integrate-enable-ta-iam)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-iam.md#integrate-enable-da-iam)   | 
|   [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html)  Analyze resource-based policies in your AWS environment to identify any policies that grant access to a principal outside of your zone of trust.  |  You can designate a member account to be an administrator for IAM Access Analyzer.  For more information, see [Enabling Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling) in the *IAM User Guide*.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-settings.html)   | 
|   [Amazon Inspector](services-that-can-integrate-inspector2.md)  Automatically discover and scan Amazon EC2 instances and container images that reside in Amazon ECR for software vulnerabilities and unintended network exposure.  |  Delegate an administrator to enable or disable scans for member accounts, view aggregated finding data from the entire organization, and create and manage suppression rules.  For more information, see [Managing multiple accounts with AWS Organizations](https://docs.aws.amazon.com//inspector/latest/user/managing-multiple-accounts.html) in the *Amazon Inspector User Guide*.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-inspector2.md#integrate-enable-ta-inspector2)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-inspector2.md#integrate-enable-da-inspector2)   | 
|   [AWS License Manager](services-that-can-integrate-license-manager.md)  Streamline the process of bringing software licenses to the cloud.  |  You can enable cross-account discovery of computing resources throughout your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-license-manager.md#integrate-enable-ta-license-manager)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes  [Learn more](services-that-can-integrate-license-manager.md#integrate-enable-da-license-manager)  | 
|   [Amazon Macie](services-that-can-integrate-macie.md)  Discovers and classifies your business-critical content using machine learning to help you meet data security and privacy requirements. It continuously evaluates your content stored in Amazon S3 and notifies you of potential issues.   |  You can configure Amazon Macie for all of the accounts in your organization to get a consolidated view of all of your data in Amazon S3, across all accounts from a designated Macie administrator account. You can configure Macie to automatically protect resources in new accounts as your organization grows. You are alerted to remediate policy misconfigurations across S3 buckets throughout your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-macie.md#integrate-enable-ta-macie)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-macie.md#integrate-enable-da-macie)   | 
|   [AWS Managed Services (AMS) Self-Service Reporting (SSR)](services-that-can-integrate-managed-services.md)  Collects data from various native AWS services and provides access to reports on major AMS offerings. SSR provides the information that you can use to support operations, configuration management, asset management, security management, and compliance.  |  You can enable Aggregated SSR, a feature that allows you to view consolidated self-service reports across your organization through either your management account or a delegated administrator account.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-managed-services.md#integrate-enable-ta-managed-services)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-managed-services.md#integrate-enable-da-managed-services)   | 
|   [AWS Marketplace](services-that-can-integrate-marketplace.md)  A curated digital catalog that you can use to find, buy, deploy, and manage third-party software, data, and services that you need to build solutions and run your businesses.  |  You can share licenses for your AWS Marketplace subscriptions and purchases across the accounts in your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-marketplace.md#integrate-enable-ta-marketplace)   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [AWS Marketplace Private Marketplace](services-that-can-integrate-private-marketplace.md)  Provides you with a broad catalog of products available in AWS Marketplace, along with fine-grained control of those products.  |  Enables you to create multiple private marketplace experiences that are associated with your entire organization, one or more OUs, or one or more accounts in your organization, each with its own set of approved products. Your AWS administrators can also apply company branding to each private marketplace experience with your company or team's logo, messaging, and color scheme.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-marketplace.md#integrate-enable-ta-marketplace)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-private-marketplace.md#integrate-enable-da-private-marketplace)   | 
|   [AWS Marketplace procurement insights dashboard](services-that-can-integrate-procurement-insights.md)  Enables you to view agreements and cost-analysis data for all your AWS Marketplace purchases across the AWS accounts in your organization.  |  The AWS Marketplace procurement insights dashboard listens for organization changes, such as an account joining the organization, and aggregates data for the corresponding agreements to build its dashboards.   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-procurement-insights.md#integrate-enable-ta-procurement-insights)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-procurement-insights.md#integrate-enable-da-procurement-insights)   | 
|   [AWS Network Manager](services-that-can-integrate-network-manager.md)  Enables you to centrally manage your AWS Cloud WAN core network and your AWS Transit Gateway network across AWS accounts, Regions, and on-premises locations.  |  You can centrally manage and monitor your global networks with transit gateways and their attached resources in multiple AWS accounts within your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-network-manager.md#integrate-enable-ta-network-manager)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-network-manager.md#integrate-enable-da-network-manager)   | 
|   [Amazon Q Developer](services-that-can-integrate-amazon-q-dev.md)  Amazon Q Developer is a generative AI powered conversational assistant that can help you understand, build, extend, and operate AWS applications.   |  The paid subscription version of Amazon Q Developer requires Organizations integration.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-amazon-q-dev.md#integrate-enable-ta-amazon-q-dev)   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [AWS Resource Access Manager](services-that-can-integrate-ram.md)  Share specified AWS resources that you own with other accounts.  |  You can share resources within your organization without exchanging additional invitations. Resources you can share include [Route 53 Resolver rules](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html#resolver-overview-forward-vpc-to-network-using-rules), on-demand capacity reservations, and more.  For information about sharing capacity reservations, see [Capacity Reservations](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-capacity-reservations.html) in the *Amazon EC2 User Guide* or [Capacity Reservations](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-capacity-reservations.html) in the *Amazon EC2 User Guide for Windows Instances*. For a list of shareable resources, see [Shareable Resources](https://docs.aws.amazon.com/ram/latest/userguide/shareable.html) in the *AWS RAM User Guide*.   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-ram.md#integrate-enable-ta-ram)   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [AWS Resource Explorer](services-that-can-integrate-resource-explorer.md)  Explore your resources using an internet search engine-like experience.  |  Enable multi-account search.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-resource-explorer.md#integrate-enable-ta-resource-explorer)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-resource-explorer.md#integrate-enable-da-resource-explorer)   | 
|   [AWS Security Hub CSPM](services-that-can-integrate-securityhub.md)  View your security state in AWS and check your environment against security industry standards and best practices.  |  You can automatically enable Security Hub CSPM for all of your organization's accounts, including new accounts as they are added. This increases the coverage for Security Hub CSPM checks and findings, which provides a more accurate picture of your overall security posture.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-securityhub.md#integrate-enable-ta-securityhub)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-securityhub.md#integrate-enable-da-securityhub)   | 
|   [Amazon S3 Storage Lens](services-that-can-integrate-s3lens.md)  Get visibility into your Amazon S3 storage usage and activity metrics with actionable recommendations to optimize storage.  |  Configure Amazon S3 Storage Lens to gain visibility into Amazon S3 storage usage and activity trends, and recommendations for all member accounts in your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-s3lens.md#integrate-enable-ta-s3lens)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-s3lens.md#integrate-enable-da-s3lens)   | 
|   [AWS Security Incident Response](services-that-can-integrate-security-ir.md)  AWS security service that provides 24/7 live, human-assisted security incident support to help customers respond rapidly to cybersecurity incidents such as credential theft and ransomware attacks.  | Security coverage for the entire organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-security-ir.md#integrate-enable-ta-security-ir)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-security-ir.md#integrate-enable-da-security-ir)   | 
|   [Amazon Security Lake](services-that-can-integrate-sl.md)  Amazon Security Lake centralizes security data from cloud, on-premises, and custom sources into a data lake that's stored in your account.  | Create a data lake that collects logs and events across your accounts.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-sl.md#integrate-enable-ta-sl)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-sl.md#integrate-enable-da-sl)   | 
|   [AWS Service Catalog](services-that-can-integrate-servicecatalog.md)  Create and manage catalogs of IT services that are approved for use on AWS.  |  You can share portfolios and copy products across accounts more easily, without sharing portfolio IDs.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-servicecatalog.md#integrate-enable-ta-servicecatalog)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing.html#portfolio-sharing-organizations)   | 
|   [Service Quotas](services-that-can-integrate-servicequotas.md)  View and manage your service *quotas,* also referred to as *limits,* from a central location.  |  You can create a quota request template to automatically request a quota increase when accounts in your organization are created.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-servicequotas.md#integrate-enable-ta-servicequotas)   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [AWS IAM Identity Center](services-that-can-integrate-sso.md)  Provide single sign-on access for all of your accounts and cloud applications.  |  Users can sign in to the AWS access portal with their corporate credentials and access resources in their assigned management account or member accounts.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-sso.md#integrate-enable-ta-sso)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-sso.md#integrate-disable-da-sso)   | 
|   [AWS Systems Manager](services-that-can-integrate-ssm.md)  Enable visibility and control of your AWS resources.   |  You can synchronize operations data across all AWS accounts in your organization by using Systems Manager Explorer. You can manage change templates, approvals and reporting for all member accounts in your organization from a delegated administrator account by using Systems Manager Change Manager.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-ssm.md#integrate-enable-ta-ssm)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-ssm.md#integrate-enable-da-ssm)   | 
|   [AWS User Notifications](services-that-can-integrate-uno.md)  A central location for your AWS notifications.  |  You can configure and view notifications centrally across accounts in your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-uno.md#integrate-enable-ta-uno)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-uno.md#integrate-enable-da-uno)   | 
|   [Tag policies](services-that-can-integrate-tag-policies.md)  Standardize tags across resources in your organization's accounts.   |  You can create tag policies to define tagging rules for specific resources and resource types and attach those policies to organizational units and accounts to enforce those rules.   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-tag-policies.md#integrate-enable-ta-tag-policies)   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [AWS Trusted Advisor](services-that-can-integrate-ta.md)  Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, to improve system availability and performance, or to help close security gaps.  |  Run Trusted Advisor checks for all of the AWS accounts in your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-ta.md#integrate-enable-ta-ta)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-ta.md#integrate-enable-da-ta)   | 
|   [AWS Well-Architected Tool](services-that-can-integrate-wat.md)  The AWS Well-Architected Tool helps you document the state of your workloads and compares them to the latest AWS architectural best practices.  |  Simplifies sharing AWS WA Tool resources with other accounts in your organization.  |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-wat.md#integrate-enable-ta-wat)   |   ![\[No\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-no.png) No   | 
|   [Amazon VPC IP Address Manager (IPAM)](services-that-can-integrate-ipam.md)  IPAM is a VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads.  | Monitor IP address usage throughout your organization and share IP address pools across member accounts. |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-ipam.md#integrate-enable-ta-ipam)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-ipam.md#integrate-enable-da-ipam)   | 
|   [Amazon VPC Reachability Analyzer](services-that-can-integrate-ra.md)  Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs).  | Trace paths across accounts in your organization. |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-ra.md#integrate-enable-ta-ra)   |   ![\[Yes\]](http://docs.aws.amazon.com/organizations/latest/userguide/images/icon-yes.png) Yes   [Learn more](services-that-can-integrate-ra.md#integrate-enable-da-ra)   | 

# AWS Account Management and AWS Organizations
<a name="services-that-can-integrate-account"></a>

AWS Account Management helps you manage the account information and metadata for all of the AWS accounts in your organization. You can set, modify, or delete the alternate contact information for each of your organization's member accounts. For more information, see [Using AWS Account Management in your organization](https://docs.aws.amazon.com/accounts/latest/reference/using-orgs.html) in the *AWS Account Management User Guide*. 

Use the following information to help you integrate AWS Account Management with AWS Organizations.



## To enable trusted access with Account Management
<a name="integrate-enable-ta-account"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

Account Management requires trusted access to AWS Organizations before you can designate a member account to be the delegated administrator for this service for your organization.

You can only enable trusted access using the Organizations tools.

You can enable trusted access by using either the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Account Management** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Account Management** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Account Management that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Account Management as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal account.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## To disable trusted access with Account Management
<a name="integrate-disable-ta-account"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in the AWS Organizations management account can disable trusted access with AWS Account Management.

You can only disable trusted access using the Organizations tools.

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Account Management** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS Account Management** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Account Management that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Account Management as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal account.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Account Management
<a name="integrate-enable-da-account"></a>

When you designate a member account to be a delegated administrator for the organization, users and roles from the designated account can manage the AWS account metadata for other member accounts in the organization. If you don't enable a delegated admin account, then these tasks can be performed only by the organization's management account. This helps you to separate management of the organization from management of your account details.

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Account Management in the organization.

For general instructions on how to configure a delegation policy, see [Create or update a resource-based delegation policy with AWS Organizations](orgs-policy-delegate.md).

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal account.amazonaws.com
  ```
+ AWS SDK: Call the Organizations `RegisterDelegatedAdministrator` operation, passing the member account's ID number and the Account Management service principal `account.amazonaws.com` as parameters. 

------
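Trusted access and delegated administration are organization-wide grants, so a practitioner will want to audit them against what was actually approved rather than assume they match. The following Python script is an added example and is not code from the AWS documentation: it diffs the output of the three Organizations list operations (`ListAWSServiceAccessForOrganization`, `ListDelegatedAdministrators`, `ListDelegatedServicesForAccount`) against an approved baseline. The sample responses, the `BASELINE` dictionary and the account IDs in them are constructed placeholders; `collect()` shows the equivalent boto3 calls for a live run but is not needed to run the check offline.

```python
"""Audit trusted access and delegated administrators against an approved baseline.

Added example, not code from the AWS documentation. The response shapes mirror
the Organizations ListAWSServiceAccessForOrganization, ListDelegatedAdministrators
and ListDelegatedServicesForAccount API operations; the sample responses and the
BASELINE below are constructed, and their account IDs are placeholders.
"""
from datetime import datetime, timezone

_T = datetime(2024, 3, 1, tzinfo=timezone.utc)  # placeholder timestamp

# Constructed sample: what the three list operations return once paginated.
SERVICE_ACCESS = {
    "EnabledServicePrincipals": [
        {"ServicePrincipal": "account.amazonaws.com", "DateEnabled": _T},
        {"ServicePrincipal": "mgn.amazonaws.com", "DateEnabled": _T},
        {"ServicePrincipal": "artifact.amazonaws.com", "DateEnabled": _T},
        {"ServicePrincipal": "ram.amazonaws.com", "DateEnabled": _T},  # never approved
    ]
}
DELEGATED_ADMINS = {
    "DelegatedAdministrators": [
        {"Id": "111111111111", "Name": "shared-services", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "sandbox", "Status": "ACTIVE"},
    ]
}
DELEGATED_SERVICES = {  # keyed by delegated administrator account ID
    "111111111111": {"DelegatedServices": [{"ServicePrincipal": "account.amazonaws.com"}]},
    "222222222222": {"DelegatedServices": [{"ServicePrincipal": "mgn.amazonaws.com"}]},
}

# Assumed approved state: which services may hold trusted access, and which
# (account, service) pairs may act as delegated administrator.
BASELINE = {
    "trusted_access": {
        "account.amazonaws.com", "mgn.amazonaws.com",
        "artifact.amazonaws.com", "securityhub.amazonaws.com",
    },
    "delegated_admins": {("111111111111", "account.amazonaws.com")},
}


def collect(org):
    """Gather the live state with a boto3 Organizations client (management account).

    Not exercised here; shown so the same audit can run against real output.
    """
    svc = {"EnabledServicePrincipals": []}
    for page in org.get_paginator("list_aws_service_access_for_organization").paginate():
        svc["EnabledServicePrincipals"] += page["EnabledServicePrincipals"]
    admins = {"DelegatedAdministrators": []}
    for page in org.get_paginator("list_delegated_administrators").paginate():
        admins["DelegatedAdministrators"] += page["DelegatedAdministrators"]
    services = {}
    for admin in admins["DelegatedAdministrators"]:
        services[admin["Id"]] = {"DelegatedServices": []}
        paginator = org.get_paginator("list_delegated_services_for_account")
        for page in paginator.paginate(AccountId=admin["Id"]):
            services[admin["Id"]]["DelegatedServices"] += page["DelegatedServices"]
    return svc, admins, services


def audit(service_access, delegated_admins, delegated_services, baseline):
    """Return the drift between the observed state and the baseline."""
    enabled = {e["ServicePrincipal"] for e in service_access["EnabledServicePrincipals"]}
    delegations = set()
    for admin in delegated_admins["DelegatedAdministrators"]:
        for d in delegated_services.get(admin["Id"], {}).get("DelegatedServices", []):
            delegations.add((admin["Id"], d["ServicePrincipal"]))
    return {
        # A service nobody approved can now act in every member account.
        "unexpected_trusted_access": sorted(enabled - baseline["trusted_access"]),
        # An approved (typically security) service is not enabled org-wide.
        "missing_trusted_access": sorted(baseline["trusted_access"] - enabled),
        # A member account holds management-account-level power for a service.
        "unexpected_delegations": sorted(delegations - baseline["delegated_admins"]),
        # Trusted access is a prerequisite for delegation, so this should be empty.
        "delegation_without_trusted_access": sorted(
            p for (_, p) in delegations if p not in enabled),
    }


if __name__ == "__main__":
    for key, items in audit(SERVICE_ACCESS, DELEGATED_ADMINS, DELEGATED_SERVICES, BASELINE).items():
        print(f"{key}: {items}")
```

Run it from the management account with `audit(*collect(boto3.client("organizations")), BASELINE)` and treat any non-empty list as a finding; the first and third lists are the ones that widen cross-account access.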

# AWS Application Migration Service (Application Migration Service) and AWS Organizations
<a name="services-that-can-integrate-application-migration"></a>

AWS Application Migration Service simplifies, expedites, and reduces the cost of migrating applications to AWS. By integrating with Organizations, you can use the global view feature to manage large-scale migrations across multiple accounts. For more information, see [Setting up your AWS Organizations](https://docs.aws.amazon.com/mgn/latest/ug/setting-up-organizations.html) in the *AWS Application Migration Service User Guide*. 

Use the following information to help you integrate AWS Application Migration Service with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-application-migration"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Application Migration Service to perform supported operations in your organization's accounts.

You can delete or modify this role only if you disable trusted access between Application Migration Service and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForApplicationMigrationService`

## Service principals used by Application Migration Service
<a name="integrate-enable-svcprin-application-migration"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Application Migration Service grant access to the following service principals:
+ `mgn.amazonaws.com`

## Enabling trusted access with Application Migration Service
<a name="integrate-enable-ta-application-migration"></a>

When you enable trusted access with Application Migration Service you can use the global view feature, which allows you to manage large-scale migrations across multiple accounts. Global view provides visibility and the ability to perform specific actions on source servers, apps, and waves in different AWS accounts. For more information, see [Setting up your AWS Organizations](https://docs.aws.amazon.com/mgn/latest/ug/setting-up-organizations.html) in the *AWS Application Migration Service user guide*.

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Application Migration Service console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Application Migration Service console or tools to enable integration with Organizations. This lets AWS Application Migration Service perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Application Migration Service. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Application Migration Service console or tools then you don’t need to complete these steps.

You can enable trusted access by using either the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Application Migration Service** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Application Migration Service** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Application Migration Service that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Application Migration Service as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal mgn.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with Application Migration Service
<a name="integrate-disable-ta-application-migration"></a>

Only an administrator in the Organizations management account can disable trusted access with Application Migration Service. 

You can disable trusted access using either the AWS Application Migration Service or the AWS Organizations tools.

**Important**  
We strongly recommend that whenever possible, you use the AWS Application Migration Service console or tools to disable integration with Organizations. This lets AWS Application Migration Service perform any clean up that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by AWS Application Migration Service.  
If you disable trusted access by using the AWS Application Migration Service console or tools then you don’t need to complete these steps.

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Application Migration Service** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS Application Migration Service** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Application Migration Service that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Application Migration Service as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal mgn.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Application Migration Service
<a name="integrate-enable-da-application-migration"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Application Migration Service that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Application Migration Service. For more information, see [Setting up your AWS Organizations](https://docs.aws.amazon.com/mgn/latest/ug/setting-up-organizations.html) in the *AWS Application Migration Service User Guide*. 

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Application Migration Service in the organization.

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal mgn.amazonaws.com
  ```
+ AWS SDK: Call the Organizations `RegisterDelegatedAdministrator` operation, passing the member account's ID number and the Application Migration Service service principal `mgn.amazonaws.com` as parameters. 

------

## Disabling a delegated administrator for Application Migration Service
<a name="integrate-disable-da-application-migration"></a>

Only an administrator in the Organizations management account can remove a delegated administrator for Application Migration Service. You can remove the delegated administrator by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation.
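Enabling or disabling trusted access and registering or deregistering a delegated administrator are the four calls an operator, or an attacker holding management-account credentials, uses to change who can act across the organization, so they belong in a detection rule. The following Python detector is an added example and is not code from the AWS documentation: it reads CloudTrail records, keeps those four Organizations management events, and flags root callers and denied attempts. The records in `SAMPLE_TRAIL` are constructed, with placeholder account IDs, ARNs and IP addresses; the field names are the standard CloudTrail ones.

```python
"""Flag CloudTrail events that change trusted access or delegated administration.

Added example, not code from the AWS documentation. Record fields follow the
CloudTrail event format for Organizations management events; the records in
SAMPLE_TRAIL are constructed, with placeholder account IDs, ARNs and addresses.
"""
import json

# Organizations API actions that widen or narrow cross-account service access.
WATCHED = {
    "EnableAWSServiceAccess",
    "DisableAWSServiceAccess",
    "RegisterDelegatedAdministrator",
    "DeregisterDelegatedAdministrator",
}

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # routine change from an assumed role in the management account
        "eventTime": "2024-03-01T10:00:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "EnableAWSServiceAccess",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/OrgAdmin/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"servicePrincipal": "account.amazonaws.com"},
    },
    {   # root user registering a delegated administrator: always worth a look
        "eventTime": "2024-03-01T11:30:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "RegisterDelegatedAdministrator",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"accountId": "222222222222",
                              "servicePrincipal": "mgn.amazonaws.com"},
    },
    {   # read-only call: ignored
        "eventTime": "2024-03-01T11:31:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "DescribeOrganization",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "sourceIPAddress": "203.0.113.11",
    },
    {   # denied attempt to switch off a security service org-wide
        "eventTime": "2024-03-01T12:00:00Z",
        "eventSource": "organizations.amazonaws.com",
        "eventName": "DisableAWSServiceAccess",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "sourceIPAddress": "203.0.113.11",
        "requestParameters": {"servicePrincipal": "securityhub.amazonaws.com"},
        "errorCode": "AccessDeniedException",
    },
]})


def detect(trail_json):
    """Return one alert per watched Organizations event, oldest first."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "organizations.amazonaws.com":
            continue
        if rec.get("eventName") not in WATCHED:
            continue
        params = rec.get("requestParameters") or {}
        who = rec.get("userIdentity") or {}
        alerts.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "service_principal": params.get("servicePrincipal"),
            "target_account": params.get("accountId"),  # delegated-admin calls only
            "actor": who.get("arn"),
            "root_caller": who.get("type") == "Root",    # root use is not recommended
            "source_ip": rec.get("sourceIPAddress"),
            "denied": "errorCode" in rec,                # failed attempts still matter
        })
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAIL):
        print(alert)
```

Feed it the `Records` array from a CloudTrail log file or an EventBridge rule on `organizations.amazonaws.com`; denied attempts are kept on purpose, because a principal probing these calls is as interesting as one succeeding.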

# AWS Artifact and AWS Organizations
<a name="services-that-can-integrate-artifact"></a>

AWS Artifact is a service that allows you to download AWS security compliance reports such as ISO and PCI reports. Using AWS Artifact, a user in the organization's management account can automatically accept agreements on behalf of all member accounts in an organization, even as new reports and accounts are added. Member account users can view and download agreements. For more information, see [Managing an agreement for multiple accounts in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/manage-org-agreement.html) in the *AWS Artifact User Guide*.

Use the following information to help you integrate AWS Artifact with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-artifact"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows AWS Artifact to perform supported operations in your organization's accounts.

You can delete or modify this role only if you disable trusted access between AWS Artifact and Organizations, or if you remove the member account from the organization.

Although you can delete or modify this role if you remove the member account from the organization, we do not recommend it. 

Modifying the role is discouraged because it can lead to security issues such as the cross-service confused deputy problem. To learn more about protecting against the confused deputy, see [Cross-service confused deputy prevention](https://docs.aws.amazon.com/artifact/latest/ug/security-iam.html#confused-deputy) in the *AWS Artifact User Guide*. 
+ `AWSServiceRoleForArtifact`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-artifact"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by AWS Artifact grant access to the following service principals:
+ `artifact.amazonaws.com`
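The service-linked roles described above, for Application Migration Service and for AWS Artifact, are only safe while their trust policies allow exactly the documented service principal, which is the point of the confused-deputy warning. The following Python check is an added example and is not code from the AWS documentation: it parses a trust policy document and reports any principal other than the expected service, any wildcard, and any action beyond `sts:AssumeRole`. Both policy documents are constructed: `EXPECTED_POLICY` has the shape service-linked role trust policies take, and `TAMPERED_POLICY` is the same document with a foreign account principal added by hand.

```python
"""Check a service-linked role's trust policy against its documented service principal.

Added example, not code from the AWS documentation. Both policies are constructed:
EXPECTED_POLICY has the usual shape of a service-linked role trust policy (one
Allow of sts:AssumeRole to a single service principal); TAMPERED_POLICY adds a
second statement trusting an account that is not part of the organization.
"""
import json

EXPECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "artifact.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

TAMPERED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": ["artifact.amazonaws.com"]},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},  # foreign account
         "Action": ["sts:AssumeRole", "sts:TagSession"]},
    ],
})

ALLOWED_ACTIONS = {"sts:AssumeRole"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_service):
    """Return findings; an empty list means only expected_service can assume the role."""
    findings = []
    seen_expected = False
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        for ptype, values in principal.items():
            for value in _as_list(values):
                if ptype == "Service" and value == expected_service:
                    seen_expected = True
                else:
                    findings.append(f"statement {i}: unexpected {ptype} principal {value}")
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: unexpected action {action}")
    if not seen_expected:
        findings.append(f"{expected_service} cannot assume the role")
    return findings


if __name__ == "__main__":
    for name, doc in (("expected", EXPECTED_POLICY), ("tampered", TAMPERED_POLICY)):
        print(name, check_trust_policy(doc, "artifact.amazonaws.com"))
```

With boto3, `iam.get_role(RoleName="AWSServiceRoleForArtifact")["Role"]["AssumeRolePolicyDocument"]` returns the document already decoded into a dict, so pass `json.dumps()` of it to `check_trust_policy`; run the same check with `mgn.amazonaws.com` against `AWSServiceRoleForApplicationMigrationService`.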

## Enabling trusted access with AWS Artifact
<a name="integrate-enable-ta-artifact"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can only enable trusted access using the Organizations tools.

You can enable trusted access by using either the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Artifact** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Artifact** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Artifact that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Artifact as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal artifact.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with AWS Artifact
<a name="integrate-disable-ta-artifact"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in the AWS Organizations management account can disable trusted access with AWS Artifact.

You can only disable trusted access using the Organizations tools.

AWS Artifact requires trusted access with AWS Organizations to work with organization agreements. If you disable trusted access using AWS Organizations while you are using AWS Artifact for organization agreements, it stops functioning because it cannot access the organization. Any organization agreements that you accept in AWS Artifact remain, but can't be accessed by AWS Artifact. The AWS Artifact role that AWS Artifact creates remains. If you then re-enable trusted access, AWS Artifact continues to operate as before, without the need for you to reconfigure the service. 

A standalone account that is removed from an organization no longer has access to any organization agreements.

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Artifact** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS Artifact** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Artifact that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Artifact as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal artifact.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

# AWS Audit Manager and AWS Organizations
<a name="services-that-can-integrate-audit-manager"></a>

AWS Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. Audit Manager automates evidence collection to make it easier to assess if your policies, procedures, and activities are operating effectively. When it is time for an audit, Audit Manager helps you manage stakeholder reviews of your controls and helps you build audit-ready reports with much less manual effort.

When you integrate Audit Manager with AWS Organizations, you can gather evidence from a broader source by including multiple AWS accounts from your organization within the scope of your assessments.

For more information, see [Enable AWS Organizations](https://docs.aws.amazon.com/audit-manager/latest/userguide/setting-up.html#enabling-orgs) in the *Audit Manager User Guide*. 

Use the following information to help you integrate AWS Audit Manager with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-audit-manager"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Audit Manager to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between Audit Manager and Organizations, or if you remove the member account from the organization.

For more information about how Audit Manager uses this role, see [Using service-linked roles](https://docs.aws.amazon.com/audit-manager/latest/userguide/using-service-linked-roles.html) in the *AWS Audit Manager User Guide*.
+ `AWSServiceRoleForAuditManager`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-audit-manager"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Audit Manager grant access to the following service principals:
+ `auditmanager.amazonaws.com`

## To enable trusted access with Audit Manager
<a name="integrate-enable-ta-audit-manager"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

Audit Manager requires trusted access to AWS Organizations before you can designate a member account to be the delegated administrator for your organization.

You can enable trusted access using either the AWS Audit Manager console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Audit Manager console or tools to enable integration with Organizations. This lets AWS Audit Manager perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Audit Manager. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Audit Manager console or tools then you don’t need to complete these steps.

**To enable trusted access using the Audit Manager console**  
For instructions about enabling trusted access, see [Setting Up](https://docs.aws.amazon.com/audit-manager/latest/userguide/console-settings.html#settings-ao) in the *AWS Audit Manager User Guide*.

**Note**  
If you configure a delegated administrator using the AWS Audit Manager console, then AWS Audit Manager automatically enables trusted access for you.

You can enable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Audit Manager as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal auditmanager.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## To disable trusted access with Audit Manager
<a name="integrate-disable-ta-audit-manager"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in the AWS Organizations management account can disable trusted access with AWS Audit Manager.

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Audit Manager as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal auditmanager.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Audit Manager
<a name="integrate-enable-da-audit-manager"></a>

When you designate a member account to be a delegated administrator for the organization, users and roles from that account can perform administrative actions for Audit Manager that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Audit Manager.

**Minimum permissions**  
Only a user or role in the Organizations management account with the following permission can configure a member account as a delegated administrator for Audit Manager in the organization:  
`auditmanager:RegisterAccount`

For instruction about enabling a delegated administrator account for Audit Manager, see [Setting Up](https://docs.aws.amazon.com/audit-manager/latest/userguide/console-settings.html#settings-ao) in the *AWS Audit Manager User Guide*.

If you configure a delegated administrator using the AWS Audit Manager console, then Audit Manager automatically enables trusted access for you. 

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $ aws auditmanager register-account \
      --delegated-admin-account 123456789012
  ```
+ AWS SDK: Call the `RegisterAccount` operation and provide `delegatedAdminAccount` as a parameter to delegate the administrator account. 

------

# AWS Backup and AWS Organizations
<a name="services-that-can-integrate-backup"></a>

AWS Backup is a service that allows you to manage and monitor the AWS Backup jobs in your organization. Using AWS Backup, if you sign in as a user in the organization's management account, you can enable organization-wide backup protection and monitoring. It helps you to achieve compliance by using [backup policies](orgs_manage_policies_backup.md) to centrally apply AWS Backup plans to resources across all of the accounts in your organization. When you use both AWS Backup and AWS Organizations together, you can get the following benefits:

**Protection**  
You can [enable the backup policy type](enable-policy-type.md) in your organization and then [create backup policies](orgs_policies_create.md) to attach to the organization's root, OUs, or accounts. A backup policy combines an AWS Backup plan with the other details required to apply the plan automatically to your accounts. Policies that are directly attached to an account are merged with policies [inherited](orgs_manage_policies_inheritance_mgmt.md) from the organization's root and any parent OUs to create an [effective policy](orgs_manage_policies_effective.md) that applies to the account. The policy includes the ID of an IAM role that has permissions to run AWS Backup on the resources in your accounts. AWS Backup uses the IAM role to perform the backup on your behalf as specified by the backup plan in the effective policy.

**Monitoring**  
When you [enable trusted access for AWS Backup](orgs_integrate_services.md#orgs_how-to-enable-disable-trusted-access) in your organization, you can use the AWS Backup console to view details about the backup, restore, and copy jobs in any of the accounts in your organization. For more information, see [Monitor your backup jobs](https://docs.aws.amazon.com/aws-backup/latest/devguide/monitor-and-verify-protected-resources.html) in the *AWS Backup Developer Guide*.

For more information about AWS Backup, see the *[AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/)*.

Use the following information to help you integrate AWS Backup with AWS Organizations.



## Enabling trusted access with AWS Backup
<a name="integrate-enable-ta-backup"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Backup console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Backup console or tools to enable integration with Organizations. This lets AWS Backup perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Backup. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Backup console or tools then you don’t need to complete these steps.

To enable trusted access using AWS Backup, see [Enabling backup in multiple AWS accounts](https://docs.aws.amazon.com//aws-backup/latest/devguide/manage-cross-account.html#enable-xaccount-management) in the *AWS Backup Developer Guide*.

## Disabling trusted access with AWS Backup
<a name="integrate-disable-ta-backup"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

AWS Backup requires trusted access with AWS Organizations to enable monitoring of backup, restore, and copy jobs across your organization's accounts. If you disable trusted access for AWS Backup, you lose the ability to view jobs outside of the current account. The AWS Backup role that AWS Backup creates remains. If you later re-enable trusted access, AWS Backup continues to operate as before, without the need for you to reconfigure the service. 

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Backup as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal backup.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for AWS Backup
<a name="integrate-enable-da-backup"></a>

See [Delegated administrator](https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html#backup-delegatedadmin) in the *AWS Backup Developer Guide*.

# AWS Billing and Cost Management and AWS Organizations
<a name="services-that-can-integrate-awsaccountbilling"></a>

AWS Billing and Cost Management provides a suite of features to help you set up your billing, retrieve and pay invoices, and analyze, organize, plan, and optimize your costs. When you use Billing and Cost Management with AWS Organizations you allow [split cost allocation data](https://docs.aws.amazon.com/cur/latest/userguide/split-cost-allocation-data.html) to retrieve AWS Organizations information, if applicable, and collect telemetry data for the split cost allocation data services that you opted into.

Use the following information to help you integrate AWS Billing and Cost Management with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-awsaccountbilling"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Billing and Cost Management to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between Billing and Cost Management and Organizations, or if you remove the member account from the organization.

For more information, see [Service-linked role permissions for Billing and Cost Management](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/security_iam_service-with-iam.html#security_iam_service-with-iam-roles-service-linked) in the *Billing and Cost Management User Guide*. 
+ `AWSServiceRoleForSplitCostAllocationData`

## Service principals used by Billing and Cost Management
<a name="integrate-enable-svcprin-awsaccountbilling"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked role used by Billing and Cost Management grants access to the following service principal:
+ `billing-cost-management.amazonaws.com`

## Enabling trusted access with Billing and Cost Management
<a name="integrate-enable-ta-awsaccountbilling"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

With trusted access enabled from the management account, you can use the split cost allocation data feature in Billing and Cost Management. When you enable split cost allocation data for Amazon Elastic Kubernetes Service with Amazon Managed Service for Prometheus, trusted access is used to create service-linked roles in all member accounts in the organization. This lets split cost allocation data collect telemetry data from your Amazon Managed Service for Prometheus workspaces and perform cost allocation based on those metrics. 

You can only enable trusted access using the Organizations tools.

You can enable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Billing and Cost Management as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal billing-cost-management.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access
<a name="integrate-disable-ta-awsaccountbilling"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Billing and Cost Management as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal billing-cost-management.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

# AWS CloudFormation StackSets and AWS Organizations
<a name="services-that-can-integrate-cloudformation"></a>

CloudFormation StackSets enables you to create, update, or delete stacks across multiple AWS accounts and AWS Regions with a single operation. StackSets integration with AWS Organizations enables you to create stack sets with service-managed permissions, using a service-linked role that has the relevant permission in each member account. This lets you deploy stack instances to member accounts in your organization. You don't have to create the necessary AWS Identity and Access Management roles; StackSets creates the IAM role in each member account on your behalf.

You can also choose to enable automatic deployments to accounts that are added to your organization in the future. With auto deployment enabled, roles and deployment of associated stack set instances are automatically added to all accounts added in the future to that OU.

With trusted access between StackSets and Organizations enabled, the management account has permissions to create and manage stack sets for your organization. The management account can register up to five member accounts as delegated administrators. With trusted access enabled, delegated administrators also have permissions to create and manage stack sets for your organization. Stack sets with service-managed permissions are created in the management account, including stack sets that are created by delegated administrators.

**Important**  
Delegated administrators have full permissions to deploy to accounts in your organization. The management account cannot limit delegated administrator permissions to deploy to specific OUs or to perform specific stack set operations.

 For more information about integrating StackSets with Organizations, see [Working with AWS CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) in the *AWS CloudFormation User Guide*.

Use the following information to help you integrate AWS CloudFormation StackSets with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-cloudformation"></a>

The following [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) are created when you enable trusted access. The management account role is created automatically; the member account role is created by the first stack set you deploy, as described below. These roles allow CloudFormation StackSets to perform supported operations within the accounts in your organization.

You can delete or modify these roles only if you disable trusted access between CloudFormation StackSets and Organizations, or if you remove the member account from the organization.
+ Management account: `AWSServiceRoleForCloudFormationStackSetsOrgAdmin`
+ Member accounts: `AWSServiceRoleForCloudFormationStackSetsOrgMember`

To create the service-linked role `AWSServiceRoleForCloudFormationStackSetsOrgMember` in the member accounts of your organization, you must first create a stack set in the management account. Deploying that stack set creates a stack instance in each target account, which in turn creates the role there.

For more details about creating stack sets, see [Working with AWS CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) in the *AWS CloudFormation User Guide*.

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-cloudformation"></a>

The service-linked roles in the previous section can be assumed only by the service principals authorized by the trust relationships defined for each role. The service-linked roles used by CloudFormation StackSets grant access to the following service principals:
+ Management account: `stacksets.cloudformation.amazonaws.com`

  You can modify or delete this role only if you disable trusted access between StackSets and Organizations.
+ Member accounts: `member.org.stacksets.cloudformation.amazonaws.com`

  You can modify or delete this role from an account only if you first disable trusted access between StackSets and Organizations, or if you first remove the account from the target organization or organizational unit (OU).

## Enabling trusted access with CloudFormation Stacksets
<a name="integrate-enable-ta-cloudformation"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

Only an administrator in the Organizations management account has permissions to enable trusted access with another AWS service.

You can enable trusted access only by using the AWS CloudFormation StackSets console or tools.

To enable trusted access using the CloudFormation Stacksets console, see [Enable Trusted Access with AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) in the AWS CloudFormation User Guide.

## Disabling trusted access with CloudFormation Stacksets
<a name="integrate-disable-ta-cloudformation"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in an Organizations management account has permissions to disable trusted access with another AWS service. If you disable trusted access with Organizations while you are using StackSets, all previously created stack instances are retained. However, stack sets deployed using the service-linked role's permissions can no longer perform deployments to accounts managed by Organizations. 

You can disable trusted access using either the CloudFormation console or the Organizations console.

**Important**  
If you disable trusted access programmatically (for example, with the AWS CLI or the API), be aware that this removes StackSets' permission to deploy to the accounts in your organization. It is better to disable trusted access with the CloudFormation console. 

You can disable trusted access by using the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS CloudFormation StackSets** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS CloudFormation StackSets** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS CloudFormation StackSets that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS CloudFormation StackSets as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal stacksets.cloudformation.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for CloudFormation Stacksets
<a name="integrate-enable-da-cloudformation"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for CloudFormation Stacksets that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of CloudFormation Stacksets.

For instructions on how to designate a member account as a delegated administrator of CloudFormation Stacksets in the organization, see [Register a delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) in the *AWS CloudFormation User Guide*.
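
Every `enable-aws-service-access` and `disable-aws-service-access` command on this page (AWS Artifact, Audit Manager, AWS Backup, Billing and Cost Management, CloudFormation StackSets, and CloudTrail) produces no output, and a delegated administrator, as the StackSets note above points out, holds organization-wide power for its service. The following is an added example, not code from the AWS Organizations documentation or from any of these services: a Python script that compares the organization's actual trusted-access and delegated-administrator state with an approved baseline. It reads the output of the real `list-aws-service-access-for-organization`, `list-delegated-administrators`, and `list-delegated-services-for-account` operations; the baseline, the account IDs, and the sample responses embedded in it are constructed for illustration.

```python
"""Audit AWS Organizations trusted access and delegated administrators against
an approved baseline.

Added example; not from the AWS Organizations documentation. It consumes the
JSON returned by these real Organizations operations, run from the management
account (the AWS CLI output and the boto3 responses have the same shape):

    aws organizations list-aws-service-access-for-organization
    aws organizations list-delegated-administrators
    aws organizations list-delegated-services-for-account --account-id <id>

The baseline, account IDs and sample responses below are constructed.
"""
import json

# Constructed baseline: approved service principals, each mapped to the set of
# member account IDs approved as delegated administrators for that service.
APPROVED = {
    "artifact.amazonaws.com": set(),
    "auditmanager.amazonaws.com": {"111111111111"},
    "cloudtrail.amazonaws.com": set(),
    "stacksets.cloudformation.amazonaws.com": {"222222222222"},
}

# Constructed sample of list-aws-service-access-for-organization output.
SAMPLE_SERVICE_ACCESS = json.loads("""{
  "EnabledServicePrincipals": [
    {"ServicePrincipal": "auditmanager.amazonaws.com", "DateEnabled": 1700000000.0},
    {"ServicePrincipal": "stacksets.cloudformation.amazonaws.com", "DateEnabled": 1700000000.0},
    {"ServicePrincipal": "backup.amazonaws.com", "DateEnabled": 1700000000.0}
  ]
}""")

# Constructed sample of list-delegated-administrators output (fields trimmed).
SAMPLE_DELEGATED_ADMINS = json.loads("""{
  "DelegatedAdministrators": [
    {"Id": "111111111111", "Status": "ACTIVE", "Name": "audit"},
    {"Id": "333333333333", "Status": "ACTIVE", "Name": "platform"}
  ]
}""")

# Constructed samples of list-delegated-services-for-account, keyed by account.
SAMPLE_DELEGATED_SERVICES = {
    "111111111111": json.loads("""{"DelegatedServices": [
        {"ServicePrincipal": "auditmanager.amazonaws.com", "DelegationEnabledDate": 1700000000.0}]}"""),
    "333333333333": json.loads("""{"DelegatedServices": [
        {"ServicePrincipal": "stacksets.cloudformation.amazonaws.com", "DelegationEnabledDate": 1700000000.0}]}"""),
}


def audit_trusted_access(service_access, approved):
    """Return (unexpected, missing): principals with trusted access that the
    baseline does not approve, and approved principals that are not enabled.
    An unexpected principal means a service can now act across every account
    in the organization; a missing one means a control that depends on trusted
    access (for example an organization trail) is not in force."""
    enabled = {e["ServicePrincipal"] for e in service_access["EnabledServicePrincipals"]}
    return sorted(enabled - set(approved)), sorted(set(approved) - enabled)


def audit_delegated_admins(delegated_admins, delegated_services, approved):
    """Return sorted (account_id, service_principal) pairs for delegations the
    baseline does not approve. A delegated administrator can perform
    organization-wide administrative actions for its service, so each pair is
    a member account holding management-account-level power for that service."""
    findings = []
    for admin in delegated_admins["DelegatedAdministrators"]:
        account = admin["Id"]
        services = delegated_services.get(account, {}).get("DelegatedServices", [])
        for svc in services:
            principal = svc["ServicePrincipal"]
            if account not in approved.get(principal, set()):
                findings.append((account, principal))
    return sorted(findings)


def run_audit(service_access, delegated_admins, delegated_services, approved):
    """Combine both checks into one report; all lists empty means no drift."""
    unexpected, missing = audit_trusted_access(service_access, approved)
    return {
        "unexpected_trusted_access": unexpected,
        "missing_trusted_access": missing,
        "unapproved_delegations": audit_delegated_admins(
            delegated_admins, delegated_services, approved),
    }


if __name__ == "__main__":
    report = run_audit(SAMPLE_SERVICE_ACCESS, SAMPLE_DELEGATED_ADMINS,
                       SAMPLE_DELEGATED_SERVICES, APPROVED)
    print(json.dumps(report, indent=2))
```

To run this against a real organization, replace the sample dicts with the parsed output of those three commands captured from the management account, and treat every non-empty list in the report as a change to investigate: an enabled principal or a delegation that is not in the baseline is a privilege that applies to every account in the organization, not just one.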

# AWS CloudTrail and AWS Organizations
<a name="services-that-can-integrate-cloudtrail"></a>

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Using AWS CloudTrail, a user in a management account can create an organization trail that logs all events for all AWS accounts in that organization. Organization trails are automatically applied to all member accounts in the organization. Member accounts can see the organization trail, but can't modify or delete it. By default, member accounts don't have access to the log files for the organization trail in the Amazon S3 bucket. This helps you uniformly apply and enforce your event logging strategy across the accounts in your organization.

For more information, see [ Creating a Trail for an Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html) in the *AWS CloudTrail User Guide*. 

Use the following information to help you integrate AWS CloudTrail with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-cloudtrail"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows CloudTrail to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between CloudTrail and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForCloudTrail`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-cloudtrail"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by CloudTrail grant access to the following service principals:
+ `cloudtrail.amazonaws.com`

## Enabling trusted access with CloudTrail
<a name="integrate-enable-ta-cloudtrail"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

If you create an organization trail from the AWS CloudTrail console, trusted access is configured automatically for you (recommended). You can also enable trusted access using the AWS Organizations console. You must sign in with your AWS Organizations management account to create an organization trail.

If you choose to create an organization trail using the AWS CLI or the AWS API, you must manually configure trusted access. For more information, see [ Enabling CloudTrail as a trusted service in AWS Organizations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-an-organizational-trail-by-using-the-aws-cli.html#cloudtrail-create-organization-trail-by-using-the-cli-enable-trusted-service) in the *AWS CloudTrail User Guide.*

**Important**  
 We strongly recommend that whenever possible, you use the AWS CloudTrail console or tools to enable integration with Organizations. 

You can enable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS CloudTrail as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal cloudtrail.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with CloudTrail
<a name="integrate-disable-ta-cloudtrail"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

AWS CloudTrail requires trusted access with AWS Organizations to work with organization trails and organization event data stores. If you disable trusted access using AWS Organizations while you're using AWS CloudTrail, all organization trails for member accounts are deleted because CloudTrail can't access the organization. All management account organization trails and organization event data stores are converted to account-level trails and event data stores. The `AWSServiceRoleForCloudTrail` role created for integration between CloudTrail and AWS Organizations stays in the account. If you re-enable trusted access, CloudTrail will not take action on existing trails and event data stores. The management account must update any account-level trails and event data stores to apply them to the organization.

To convert an account-level trail or event data store to an organization trail or organization event data store, do the following:
+ From the CloudTrail console, update the [trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html) or [event data store](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store-update.html) and choose the **Enable for all accounts in my organization** option.
+ From the AWS CLI, do the following:
  + To update a trail, run the [https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/update-trail.html](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/update-trail.html) command and include the `--is-organization-trail` parameter.
  + To update an event data store, run the [https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/update-event-data-store.html](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/update-event-data-store.html) command and include the `--organization-enabled` parameter.
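
A detection check for the failure mode described above, added here as an example and not part of the AWS documentation: it scans CloudTrail management events for successful Organizations calls that remove trusted access or a delegated administrator for logging services, so that the deletion of member-account organization trails does not go unnoticed. Field names follow CloudTrail's record format; the log records, account IDs and principal ARNs below are constructed samples.

```python
"""Flag Organizations API calls that dismantle organization-wide logging.

Added example (not AWS documentation code). Disabling trusted access for
cloudtrail.amazonaws.com deletes every member-account organization trail and
downgrades the management account's trails to account-level, so a defender
wants a finding the moment such a call succeeds.
"""
import json

# Service principals whose trusted access underpins logging and compliance.
WATCHED_PRINCIPALS = {"cloudtrail.amazonaws.com", "config.amazonaws.com"}

# Organizations API names that remove organization-wide access or delegation.
WATCHED_EVENTS = {"DisableAWSServiceAccess", "DeregisterDelegatedAdministrator"}


def load_records(log_text):
    """Parse a CloudTrail log file ({"Records": [...]}) into a list of events."""
    return json.loads(log_text)["Records"]


def find_trusted_access_removals(events):
    """Return one finding per successful watched Organizations call."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "organizations.amazonaws.com":
            continue
        if ev.get("eventName") not in WATCHED_EVENTS:
            continue
        # A denied call (errorCode present, e.g. AccessDenied) changed nothing;
        # it may deserve its own alert but is not a removal, so skip it here.
        if ev.get("errorCode"):
            continue
        params = ev.get("requestParameters") or {}
        principal = params.get("servicePrincipal")
        if principal not in WATCHED_PRINCIPALS:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "action": ev["eventName"],
            "servicePrincipal": principal,
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "account": ev.get("recipientAccountId"),
            # Only DeregisterDelegatedAdministrator carries an accountId.
            "affectedAccount": params.get("accountId"),
        })
    return findings


def format_findings(findings):
    """Render findings as one line each for a ticket or alert body."""
    lines = []
    for f in findings:
        target = f["affectedAccount"] or f["account"]
        lines.append(f'{f["time"]} {f["action"]} {f["servicePrincipal"]} '
                     f'target={target} by {f["actor"]}')
    return lines


# Constructed sample log: one real CloudTrail removal, one unrelated service,
# one denied attempt, one delegated-admin removal, one enable call.
SAMPLE_LOG = """{"Records": [
  {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "organizations.amazonaws.com",
   "eventName": "DisableAWSServiceAccess",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
   "requestParameters": {"servicePrincipal": "cloudtrail.amazonaws.com"},
   "recipientAccountId": "111122223333"},
  {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "organizations.amazonaws.com",
   "eventName": "DisableAWSServiceAccess",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
   "requestParameters": {"servicePrincipal": "compute-optimizer.amazonaws.com"},
   "recipientAccountId": "111122223333"},
  {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "organizations.amazonaws.com",
   "eventName": "DisableAWSServiceAccess", "errorCode": "AccessDenied",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ReadOnly"},
   "requestParameters": {"servicePrincipal": "config.amazonaws.com"},
   "recipientAccountId": "111122223333"},
  {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "organizations.amazonaws.com",
   "eventName": "DeregisterDelegatedAdministrator",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
   "requestParameters": {"accountId": "444455556666",
                         "servicePrincipal": "cloudtrail.amazonaws.com"},
   "recipientAccountId": "111122223333"},
  {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "organizations.amazonaws.com",
   "eventName": "EnableAWSServiceAccess",
   "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
   "requestParameters": {"servicePrincipal": "cloudtrail.amazonaws.com"},
   "recipientAccountId": "111122223333"}
]}"""


if __name__ == "__main__":
    for line in format_findings(find_trusted_access_removals(load_records(SAMPLE_LOG))):
        print(line)
```

The same logic applies to the AWS Config principal, whose trusted access is also removed only through the Organizations tools.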

Only an administrator in the AWS Organizations management account can disable trusted access with AWS CloudTrail. You can disable trusted access only with the Organizations tools: either the AWS Organizations console, an Organizations AWS CLI command, or an Organizations API operation called from one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS CloudTrail** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS CloudTrail** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS CloudTrail that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS CloudTrail as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal cloudtrail.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for CloudTrail
<a name="integrate-enable-da-cloudtrail"></a>

When you use CloudTrail with Organizations, you can register any account within the organization to act as a CloudTrail delegated administrator to manage the organization's trails and event data stores on behalf of the organization. A delegated administrator is a member account in an organization that can perform the same administrative tasks in CloudTrail as the management account. 

**Minimum permissions**  
Only an administrator in the Organizations management account can register a delegated administrator for CloudTrail.

You can register a delegated administrator account using the CloudTrail console, or by using the Organizations `RegisterDelegatedAdministrator` CLI or SDK operation. To register a delegated administrator using the CloudTrail console, see [ Add a CloudTrail delegated administrator](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-add-delegated-administrator.html). 

## Disabling a delegated administrator for CloudTrail
<a name="integrate-disable-da-cloudtrail"></a>

Only an administrator in the Organizations management account can remove a delegated administrator for CloudTrail. You can remove the delegated administrator using either the CloudTrail console, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation. For information on how to remove a delegated administrator using the CloudTrail console, see [Remove a CloudTrail delegated administrator](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-remove-delegated-administrator.html).

# Amazon CloudWatch and AWS Organizations
<a name="services-that-can-integrate-cloudwatch"></a>

You can use AWS Organizations for Amazon CloudWatch for the following use cases:
+ Discover and understand the state of telemetry configuration for your AWS resources from a central view in the CloudWatch console. This simplifies the process of auditing your telemetry collection configurations for multiple resource types across your AWS organization or account. You must turn on trusted access to use telemetry config across your organization.

  For more information, see [Auditing CloudWatch telemetry configurations](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/telemetry-config-cloudwatch.html) in the *Amazon CloudWatch User Guide*. 
+ Work with multiple accounts in Network Flow Monitor, a feature of Amazon CloudWatch Network Monitoring. Network Flow Monitor provides near real-time visibility into network performance for traffic between Amazon EC2 instances. After you turn on trusted access to integrate with Organizations, you can create a monitor to visualize network performance details across multiple accounts.

  For more information, see [ Initialize Network Flow Monitor for multi-account monitoring](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-NetworkFlowMonitor-multi-account.html) in the *Amazon CloudWatch User Guide*. 

Use the following information to help you integrate Amazon CloudWatch with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-cloudwatch"></a>

Create the following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html) in your organization's management account. The service-linked role is automatically created in member accounts when you enable trusted access. This role allows CloudWatch to perform supported operations within the accounts in your organization. You can delete or modify this role only if you disable trusted access between CloudWatch and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForObservabilityAdmin`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-cloudwatch"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by CloudWatch grant access to the following service principals:
+ `observabilityadmin.amazonaws.com`
+ `networkflowmonitor.amazonaws.com`
+ `topology.networkflowmonitor.amazonaws.com`

## Enabling trusted access with CloudWatch
<a name="integrate-enable-ta-cloudwatch"></a>

For information about the permissions that you need to turn on trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the Amazon CloudWatch console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the Amazon CloudWatch console or tools to enable integration with Organizations. This lets Amazon CloudWatch perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by Amazon CloudWatch. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the Amazon CloudWatch console or tools then you don’t need to complete these steps.

**To turn on trusted access using the CloudWatch console**  
See [ Turning on CloudWatch telemetry auditing](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/telemetry-config-turn-on.html) in the *Amazon CloudWatch User Guide*.

When you turn on trusted access in CloudWatch, you enable telemetry auditing and you can work with multiple accounts in Network Flow Monitor.

You can enable trusted access by using either the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Amazon CloudWatch** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for Amazon CloudWatch** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of Amazon CloudWatch that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable Amazon CloudWatch as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal observabilityadmin.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Turn off trusted access with CloudWatch
<a name="integrate-disable-ta-cloudwatch"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can disable trusted access using either the Amazon CloudWatch or the AWS Organizations tools.

**Important**  
We strongly recommend that whenever possible, you use the Amazon CloudWatch console or tools to disable integration with Organizations. This lets Amazon CloudWatch perform any clean up that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by Amazon CloudWatch.  
If you disable trusted access by using the Amazon CloudWatch console or tools then you don’t need to complete these steps.

**To turn off trusted access using the CloudWatch console**  
See [Turning off CloudWatch telemetry auditing](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/telemetry-config-turn-off.html) in the *Amazon CloudWatch User Guide*.

When you turn off trusted access in CloudWatch, telemetry auditing is no longer active and you can no longer work with multiple accounts in Network Flow Monitor.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable Amazon CloudWatch as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal observabilityadmin.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Registering a delegated administrator account for CloudWatch
<a name="integrate-enable-da-cloudwatch"></a>

When you register a member account as a delegated administrator account for the organization, users and roles from that account can perform administrative actions for CloudWatch that otherwise can be performed only by users or roles signed in with the organization's management account. Using a delegated administrator account helps you to separate management of the organization from management of features in CloudWatch. 

**Minimum permissions**  
Only an administrator in the Organizations management account can register a member account as a delegated administrator account for CloudWatch in the organization.

You can register a delegated administrator account using the CloudWatch console, or by using the Organizations `RegisterDelegatedAdministrator` API operation with the AWS Command Line Interface or an SDK.

For information on how to register a delegated administrator account by using the CloudWatch console, see [ Turning on CloudWatch telemetry auditing ](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/telemetry-config-turn-on.html) in the *Amazon CloudWatch User Guide*.

When you register a delegated administrator account in CloudWatch, you can use the account for management operations with telemetry auditing and with Network Flow Monitor.

## Deregister a delegated administrator for CloudWatch
<a name="integrate-disable-da-cloudwatch"></a>

**Minimum permissions**  
Only an administrator signed in with the Organizations management account can deregister a delegated administrator account for CloudWatch in the organization.

You can deregister the delegated administrator account by using either the CloudWatch console, or by using the Organizations `DeregisterDelegatedAdministrator` API operation with the AWS Command Line Interface or an SDK. For more information, see [Deregistering a delegated administrator account](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/telemetry-config-turn-on.html#telemetry-config-deregister-administrator) in the *Amazon CloudWatch User Guide*.

When you deregister a delegated administrator account in CloudWatch, you can no longer use the account for management operations with telemetry auditing and with Network Flow Monitor.

# AWS Compute Optimizer and AWS Organizations
<a name="services-that-can-integrate-compute-optimizer"></a>

AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of your AWS resources. Resource examples include Amazon Elastic Compute Cloud (Amazon EC2) instances and Auto Scaling groups. Compute Optimizer reports whether your resources are optimal and generates optimization recommendations to reduce the cost and improve the performance of your workloads. For more information about Compute Optimizer, see the [AWS Compute Optimizer User Guide](https://docs.aws.amazon.com/compute-optimizer/latest/ug/what-is.html).

Use the following information to help you integrate AWS Compute Optimizer with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-compute-optimizer"></a>

The following [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) are automatically created in your organization's management account when you enable trusted access. These roles allow Compute Optimizer to perform supported operations within the accounts in your organization.

You can delete or modify these roles only if you disable trusted access between Compute Optimizer and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForComputeOptimizer`
+ `AWSServiceRoleForComputeOptimizerAutomation`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-compute-optimizer"></a>

The service-linked roles in the previous section can be assumed only by the service principals authorized by the trust relationships defined for each role. The service-linked roles used by Compute Optimizer grant access to the following service principals:
+ `compute-optimizer.amazonaws.com`

## Enabling trusted access with Compute Optimizer
<a name="integrate-enable-ta-compute-optimizer"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Compute Optimizer console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Compute Optimizer console or tools to enable integration with Organizations. This lets AWS Compute Optimizer perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Compute Optimizer. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Compute Optimizer console or tools then you don’t need to complete these steps.

**To enable trusted access using the Compute Optimizer console**  
You must sign in to the Compute Optimizer console using your organization's management account. Opt-in on behalf of your organization by following the instructions at [Opting in your Account](https://docs.aws.amazon.com/compute-optimizer/latest/ug/getting-started.html#account-opt-in) in the *AWS Compute Optimizer User Guide*.

You can enable trusted access by using either the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Compute Optimizer** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Compute Optimizer** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Compute Optimizer that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Compute Optimizer as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal compute-optimizer.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with Compute Optimizer
<a name="integrate-disable-ta-compute-optimizer"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in the AWS Organizations management account can disable trusted access with AWS Compute Optimizer.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Compute Optimizer as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal compute-optimizer.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Compute Optimizer
<a name="integrate-enable-da-compute-optimizer"></a>

When you designate a member account to be a delegated administrator for the organization, users and roles from the designated account can manage the AWS account metadata for other member accounts in the organization. If you don't enable a delegated admin account, then these tasks can be performed only by the organization's management account. This helps you to separate management of the organization from management of your account details.

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Compute Optimizer in the organization.

For instructions about enabling a delegated administrator account for Compute Optimizer, see [https://docs.aws.amazon.com/compute-optimizer/latest/ug/delegate-administrator-account.html](https://docs.aws.amazon.com/compute-optimizer/latest/ug/delegate-administrator-account.html) in the *AWS Compute Optimizer User Guide*.

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $  aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal compute-optimizer.amazonaws.com
  ```
+ AWS SDK: Call the Organizations `RegisterDelegatedAdministrator` operation, passing the member account's ID number and the Compute Optimizer service principal `compute-optimizer.amazonaws.com` as parameters (the same values the AWS CLI command above uses).

------

## Disabling a delegated administrator for Compute Optimizer
<a name="integrate-disable-da-compute-optimizer"></a>

Only an administrator in the organization management account can configure a delegated administrator for Compute Optimizer.

To remove the Compute Optimizer delegated administrator account using the Compute Optimizer console, see [https://docs.aws.amazon.com/compute-optimizer/latest/ug/delegate-administrator-account.html](https://docs.aws.amazon.com/compute-optimizer/latest/ug/delegate-administrator-account.html) in the *AWS Compute Optimizer User Guide*.

To remove a delegated administrator using the AWS CLI, see [deregister-delegated-administrator](https://docs.aws.amazon.com/cli/latest/reference/organizations/deregister-delegated-administrator.html) in the *AWS CLI Command Reference*.

# AWS Config and AWS Organizations
<a name="services-that-can-integrate-config"></a>

Multi-account, multi-region data aggregation in AWS Config enables you to aggregate AWS Config data from multiple accounts and AWS Regions into a single account. Multi-account, multi-region data aggregation is useful for central IT administrators to monitor compliance for multiple AWS accounts in the enterprise. An aggregator is a resource type in AWS Config that collects AWS Config data from multiple source accounts and Regions. Create an aggregator in the Region where you want to see the aggregated AWS Config data. While creating an aggregator, you can choose to add either individual account IDs or your organization. For more information about AWS Config, see the [AWS Config Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/).

You can also use [AWS Config APIs](https://docs.aws.amazon.com/config/latest/APIReference/welcome.html) to manage AWS Config rules across all AWS accounts in your organization. For more information, see [Enabling AWS Config Rules Across All Accounts in Your Organization](https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html) in the *AWS Config Developer Guide*.

Use the following information to help you integrate AWS Config with AWS Organizations.



## Service-linked roles
<a name="integrate-enable-slr-config"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) allows AWS Config to perform supported operations within the accounts in your organization. 
+ `AWSServiceRoleForConfig`

Learn more about creating this role in [Permissions for the IAM Role Assigned to AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html) in the *AWS Config Developer Guide*.

Learn more about how AWS Config uses service-linked roles in [Using Service-Linked Roles for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/using-service-linked-roles.html) in the *AWS Config Developer Guide*.

You can delete or modify this role only if you disable trusted access between AWS Config and Organizations, or if you remove the member account from the organization.

## Enabling trusted access with AWS Config
<a name="integrate-enable-ta-config"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Config console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Config console or tools to enable integration with Organizations. This lets AWS Config perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Config. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Config console or tools then you don’t need to complete these steps.

**To enable trusted access using the AWS Config console**  
To enable trusted access to AWS Organizations using AWS Config, create a multi-account aggregator and add the organization. For information on how to configure a multi-account aggregator, see [Creating Aggregators](https://docs.aws.amazon.com/config/latest/developerguide/aggregated-create.html) in the *AWS Config Developer Guide*.

You can enable trusted access by using either the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Config** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Config** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Config that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Config as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal config.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with AWS Config
<a name="integrate-disable-ta-config"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Config as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal config.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

# AWS Cost Optimization Hub and AWS Organizations
<a name="services-that-can-integrate-coh"></a>

AWS Cost Optimization Hub is an AWS Billing and Cost Management feature that helps you consolidate and prioritize cost optimization recommendations across your AWS accounts and AWS Regions, so that you can get the most out of your AWS spend. When you use Cost Optimization Hub with AWS Organizations you can easily identify, filter, and aggregate AWS cost optimization recommendations across your Organizations member accounts and AWS Regions. 

For more information, see [ Cost Optimization Hub ](https://docs.aws.amazon.com/cost-management/latest/userguide/cost-optimization-hub.html) in the *AWS Cost Management User Guide*.

Use the following information to help you integrate AWS Cost Optimization Hub with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-coh"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Cost Optimization Hub to perform supported operations in the accounts of your organization.

You can delete or modify this role only if you disable trusted access between Cost Optimization Hub and Organizations, or if you remove the member account from the organization.

For more information, see [ Service-linked role permissions for Cost Optimization Hub ](https://docs.aws.amazon.com/cost-management/latest/userguide/cost-optimization-hub-SLR.html#cost-optimization-hub-SLR-permissions) in the *AWS Cost Management User Guide*.
+ `AWSServiceRoleForCostOptimizationHub`

## Service principals used by Cost Optimization Hub
<a name="integrate-enable-svcprin-coh"></a>

Cost Optimization Hub uses the `cost-optimization-hub.bcm.amazonaws.com` service principal.

## Enabling trusted access with Cost Optimization Hub
<a name="integrate-enable-ta-coh"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

When you opt in using your organization's management account and include all member accounts within the organization, trusted access for Cost Optimization Hub is automatically enabled for your organization.

You can enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Cost Optimization Hub** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Cost Optimization Hub** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Cost Optimization Hub that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Cost Optimization Hub as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal cost-optimization-hub.bcm.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access
<a name="integrate-disable-ta-coh"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

**Important**  
 If you disable Cost Optimization Hub trusted access after you opt in, Cost Optimization Hub denies access to recommendations for your organization's member accounts. Moreover, the member accounts within the organization aren't opted in to Cost Optimization Hub. Learn more in [Cost Optimization Hub and Organizations trusted access ](https://docs.aws.amazon.com/cost-management/latest/userguide/coh-trusted-access.html) in the *AWS Cost Management User Guide*.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Cost Optimization Hub as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal cost-optimization-hub.bcm.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Cost Optimization Hub
<a name="integrate-enable-da-coh"></a>

When you designate a member account to be a delegated administrator for the organization, the designated account can retrieve Cost Optimization Hub recommendations for all accounts under your organization and manage Cost Optimization Hub preferences, giving you greater flexibility to centrally identify resource optimization opportunities. 

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Cost Optimization Hub in the organization.

For instructions about enabling a delegated administrator account for Cost Optimization Hub, see [ Delegate an administrator account](https://docs.aws.amazon.com/cost-management/latest/userguide/coh-delegated-admin.html) in the *AWS Cost Management User Guide*. 

## Disabling a delegated administrator for Cost Optimization Hub
<a name="integrate-disable-da-coh"></a>

 Only an administrator in the Organizations management account can remove a delegated administrator for Cost Optimization Hub. 

To disable the delegated admin Cost Optimization Hub account using the Cost Optimization Hub console, see [ Delegate an administrator account](https://docs.aws.amazon.com/cost-management/latest/userguide/coh-delegated-admin.html) in the *AWS Cost Management User Guide*.

To remove a delegated administrator using the AWS CLI, use the Organizations [deregister-delegated-administrator](https://docs.aws.amazon.com/cli/latest/reference/organizations/deregister-delegated-administrator.html) command with the account ID and the `cost-optimization-hub.bcm.amazonaws.com` service principal.

# AWS Control Tower and AWS Organizations
<a name="services-that-can-integrate-CTower"></a>

AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. AWS Control Tower orchestration extends the capabilities of AWS Organizations. AWS Control Tower applies preventive and detective controls (guardrails) to help keep your organizations and accounts from diverging from best practices (drift).

For more information, see [the *AWS Control Tower user guide*](https://docs.aws.amazon.com/controltower/latest/userguide/). 

Use the following information to help you integrate AWS Control Tower with AWS Organizations.



## Roles needed for integration
<a name="integrate-enable-roles-CTower"></a>

The `AWSControlTowerExecution` role must be present in all enrolled accounts. It allows AWS Control Tower to manage your individual accounts and report information about them to your Audit and Log Archive accounts. 

To learn more about roles used by AWS Control Tower, see [How AWS Control Tower works with roles to create and manage accounts](https://docs.aws.amazon.com/controltower/latest/userguide/roles-how) and [Using Identity-Based Policies (IAM Policies) for AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/access-control-managing-permissions.html). 

## Service principals used by AWS Control Tower
<a name="integrate-enable-svcprin-CTower"></a>

AWS Control Tower uses the `controltower.amazonaws.com` service principal.

## Enabling trusted access with AWS Control Tower
<a name="integrate-enable-ta-CTower"></a>

AWS Control Tower uses trusted access to detect drift for preventive controls, and to track account and OU changes that cause drift.

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can only enable trusted access using the Organizations tools.

To enable trusted access from the Organizations console, choose **Enable access** next to **AWS Control Tower**.

You can enable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Control Tower as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal controltower.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with AWS Control Tower
<a name="integrate-disable-ta-CTower"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

**Important**  
Disabling AWS Control Tower's trusted access causes drift in your AWS Control Tower Landing Zone. The only way to fix the drift is to use AWS Control Tower's Landing Zone repair. Re-enabling trusted access in Organizations does not fix the drift. [Learn more about drift](https://docs.aws.amazon.com/controltower/latest/userguide/drift.html) in the *AWS Control Tower user guide*.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Control Tower as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal controltower.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------
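The enable and disable procedures for AWS Config, Cost Optimization Hub, and AWS Control Tower above all reduce to the same two Organizations calls with a different service principal, which makes the set of enabled services easy to audit. The following Python script is an added example, not code from the AWS documentation or from any AWS service: it compares the service principals returned by `aws organizations list-aws-service-access-for-organization` against an approved baseline and prints, without running them, the enable or disable commands that would reconcile the two. The baseline set and the sample CLI output are constructed for the example; the output shape matches what the Organizations CLI returns. The disable commands are only printed, never executed, because, as the note above explains, disabling trusted access for a service such as AWS Control Tower has consequences that re-enabling does not undo.

```python
"""Trusted-access drift check for AWS Organizations.

Added example, not from the AWS documentation. The live input would be:

    aws organizations list-aws-service-access-for-organization

Here that output is replaced by a constructed sample so the script runs
offline. The baseline below is an assumed example, not an AWS default.
"""
import json

# Assumed baseline: the service principals your change control has approved.
APPROVED_SERVICE_PRINCIPALS = {
    "config.amazonaws.com",
    "cost-optimization-hub.bcm.amazonaws.com",
    "controltower.amazonaws.com",
    "detective.amazonaws.com",
}

# Constructed sample in the shape returned by
# `aws organizations list-aws-service-access-for-organization`.
SAMPLE_LIST_OUTPUT = json.dumps({
    "EnabledServicePrincipals": [
        {"ServicePrincipal": "config.amazonaws.com",
         "DateEnabled": "2024-01-15T10:02:11.000000+00:00"},
        {"ServicePrincipal": "controltower.amazonaws.com",
         "DateEnabled": "2024-01-15T10:05:40.000000+00:00"},
        {"ServicePrincipal": "devops-guru.amazonaws.com",
         "DateEnabled": "2024-06-02T17:48:03.000000+00:00"},
    ]
})


def enabled_principals(list_output_json):
    """Return the set of service principals that currently have trusted access."""
    data = json.loads(list_output_json)
    return {e["ServicePrincipal"] for e in data.get("EnabledServicePrincipals", [])}


def trusted_access_drift(list_output_json, approved):
    """Compare live state with the baseline.

    Returns (unapproved, missing): principals that are enabled but not in the
    baseline, and baseline principals that are not currently enabled.
    """
    enabled = enabled_principals(list_output_json)
    return sorted(enabled - approved), sorted(approved - enabled)


def reconcile_commands(unapproved, missing):
    """Build the Organizations CLI commands that would reconcile the drift.

    They are returned as strings for human review; disabling a service is a
    change-controlled action (for Control Tower it causes landing zone drift).
    """
    cmds = [
        f"aws organizations disable-aws-service-access --service-principal {p}"
        for p in unapproved
    ]
    cmds += [
        f"aws organizations enable-aws-service-access --service-principal {p}"
        for p in missing
    ]
    return cmds


if __name__ == "__main__":
    unapproved, missing = trusted_access_drift(
        SAMPLE_LIST_OUTPUT, APPROVED_SERVICE_PRINCIPALS
    )
    print("Enabled but not approved:", unapproved or "none")
    print("Approved but not enabled:", missing or "none")
    for cmd in reconcile_commands(unapproved, missing):
        print("  ", cmd)
```

To run it against a real organization, replace `SAMPLE_LIST_OUTPUT` with the CLI response and run it from a read-only role in the management account; `organizations:ListAWSServiceAccessForOrganization` is the only permission the query needs. With the constructed sample, the script reports `devops-guru.amazonaws.com` as enabled but unapproved and the Cost Optimization Hub and Detective principals as approved but not enabled.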

# Amazon Detective and AWS Organizations
<a name="services-that-can-integrate-detective"></a>

Amazon Detective uses your log data to generate visualizations that allow you to analyze, investigate, and identify the root cause of security findings or suspicious activity. 

Using AWS Organizations allows you to ensure that your Detective behavior graph provides visibility into the activity for all of your organization accounts.

When you grant trusted access to Detective, the Detective service can react automatically to changes in the organization membership. The delegated administrator can enable any organization account as a member account in the behavior graph. Detective also can automatically enable new organization accounts as member accounts. Organization accounts cannot disassociate themselves from the behavior graph.



For more information, see [Using Amazon Detective in your organization](https://docs.aws.amazon.com//detective/latest/adminguide/accounts-orgs-transition.html) in the *Amazon Detective Administration Guide*. 

Use the following information to help you integrate Amazon Detective with AWS Organizations. 

## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-detective"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Detective to perform supported operations in the accounts of your organization.

You can delete or modify this role only if you disable trusted access between Detective and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForDetective`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-detective"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Detective grant access to the following service principals:
+ `detective.amazonaws.com`

## Enabling trusted access with Detective
<a name="integrate-enable-ta-detective"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

**Note**  
When you designate a delegated administrator for Amazon Detective, Detective automatically enables trusted access for Detective for your organization.  
Detective requires trusted access to AWS Organizations before you can designate a member account to be the delegated administrator for this service for your organization.

You can only enable trusted access using the Organizations tools.

You can enable trusted access by using the AWS Organizations console.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Amazon Detective** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for Amazon Detective** dialog box, type **enable** to confirm it, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of Amazon Detective that they can now enable that service to work with AWS Organizations from the service console.

------

## Disabling trusted access with Detective
<a name="integrate-disable-ta-detective"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in the AWS Organizations management account can disable trusted access with Amazon Detective.

You can only disable trusted access using the Organizations tools.

You can disable trusted access by using the AWS Organizations console.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Amazon Detective** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for Amazon Detective** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of Amazon Detective that they can now disable that service from working with AWS Organizations using the service console or tools.

------

## Enabling a delegated administrator account for Detective
<a name="integrate-enable-da-detective"></a>

The delegated administrator account for Detective is the administrator account for a Detective behavior graph. The delegated administrator determines which organization accounts to enable and disable as member accounts in that behavior graph. The delegated administrator can configure Detective to automatically enable new organization accounts as member accounts as they are added to the organization. For information on how a delegated administrator manages organization accounts, see [Managing organization accounts as member accounts](https://docs.aws.amazon.com//detective/latest/adminguide/accounts-orgs-members.html) in the *Amazon Detective Administration Guide*.

Only an administrator in the organization management account can configure a delegated administrator for Detective.

You can specify a delegated administrator account from the Detective console or API, or by using the Organizations CLI or SDK operation. 

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Detective in the organization.

To configure a delegated administrator using the Detective console or API, see [Designating a Detective administrator account for an organization](https://docs.aws.amazon.com//detective/latest/adminguide/accounts-designate-admin.html) in the *Amazon Detective Administration Guide*.

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal detective.amazonaws.com
  ```
+ AWS SDK: Call the Organizations `RegisterDelegatedAdministrator` operation with the member account's ID number and the Detective service principal `detective.amazonaws.com` as parameters. 

------

## Disabling a delegated administrator for Detective
<a name="integrate-disable-da-detective"></a>

You can remove the delegated administrator using either the Detective console or API, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation. For information on how to remove a delegated administrator using the Detective console or API, or the Organizations API, see [Designating a Detective administrator account for an organization](https://docs.aws.amazon.com//detective/latest/adminguide/accounts-designate-admin.html) in the *Amazon Detective Administration Guide*.

# Amazon DevOps Guru and AWS Organizations
<a name="services-that-can-integrate-devops"></a>

Amazon DevOps Guru analyzes operational data and application metrics and events to identify behaviors that deviate from normal operating patterns. Users are notified when DevOps Guru detects an operational issue or risk. 

DevOps Guru supports multi-account management through AWS Organizations, so you can designate a member account to manage insights across your entire organization. This delegated administrator can then view, sort, and filter insights from all accounts within your organization to develop a holistic view of the health of all monitored applications, without any additional customization.

For more information, see [Monitor accounts across your organization](https://docs.aws.amazon.com//devops-guru/latest/userguide/getting-started-multi-account.html) in the *Amazon DevOps Guru User Guide*. 

Use the following information to help you integrate Amazon DevOps Guru with AWS Organizations. 

## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-devops"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows DevOps Guru to perform supported operations in the accounts of your organization.

You can delete or modify this role only if you disable trusted access between DevOps Guru and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForDevOpsGuru`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-devops"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by DevOps Guru grant access to the following service principals:
+ `devops-guru.amazonaws.com` 

For more information, see [Using service-linked roles for DevOps Guru](https://docs.aws.amazon.com//devops-guru/latest/userguide/using-service-linked-roles.html) in the *Amazon DevOps Guru User Guide*. 

## Enabling trusted access with DevOps Guru
<a name="integrate-enable-ta-devops"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

**Note**  
When you designate a delegated administrator for Amazon DevOps Guru, DevOps Guru automatically enables trusted access for DevOps Guru for your organization.  
DevOps Guru requires trusted access to AWS Organizations before you can designate a member account to be the delegated administrator for this service for your organization.

**Important**  
We strongly recommend that whenever possible, you use the Amazon DevOps Guru console or tools to enable integration with Organizations. This lets Amazon DevOps Guru perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by Amazon DevOps Guru. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration). 

You can enable trusted access by using either the AWS Organizations console or the DevOps Guru console.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. On the **[Services](https://console.aws.amazon.com/organizations/v2/home/services)** page, find the row for **Amazon DevOps Guru**, choose the service’s name, and then choose **Enable trusted access**.

1. In the confirmation dialog box, enable **Show the option to enable trusted access**, enter **enable** in the box, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of Amazon DevOps Guru that they can now enable that service using its console to work with AWS Organizations.

------
#### [ DevOps Guru console ]

**To enable trusted service access using the DevOps Guru console**

1. Sign in as an administrator in the management account and open the [Amazon DevOps Guru console](https://console.aws.amazon.com//devops-guru/management-account).

1. Choose **Enable trusted access**.

------

## Disabling trusted access with DevOps Guru
<a name="integrate-disable-ta-devops"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in the AWS Organizations management account can disable trusted access with Amazon DevOps Guru.

You can only disable trusted access using the Organizations tools.

You can disable trusted access by using the AWS Organizations console.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Amazon DevOps Guru** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for Amazon DevOps Guru** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of Amazon DevOps Guru that they can now disable that service from working with AWS Organizations using the service console or tools.

------

## Enabling a delegated administrator account for DevOps Guru
<a name="integrate-enable-da-devops"></a>

The delegated administrator account for DevOps Guru can see the insights data from all the member accounts which are onboarded to DevOps Guru from the organization. For information on how a delegated administrator manages organization accounts, see [Monitor accounts across your organization](https://docs.aws.amazon.com//devops-guru/latest/userguide/getting-started-multi-account.html) in the *Amazon DevOps Guru User Guide*. 

Only an administrator in the organization management account can configure a delegated administrator for DevOps Guru.

You can specify a delegated administrator account from the DevOps Guru console, or by using the Organizations `RegisterDelegatedAdministrator` CLI or SDK operation. 

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for DevOps Guru in the organization.

------
#### [ DevOps Guru console ]

**To configure a delegated administrator in the DevOps Guru console**

1. Sign in as an administrator in the management account and open the [Amazon DevOps Guru console](https://console.aws.amazon.com//devops-guru/management-account).

1. Choose **Register delegated administrator**. You can choose either Management account or any member account as the delegated admin.

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal devops-guru.amazonaws.com
  ```
+ AWS SDK: Call the Organizations `RegisterDelegatedAdministrator` operation with the member account's ID number and the DevOps Guru service principal `devops-guru.amazonaws.com` as parameters. 

------
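Both the Detective and the DevOps Guru delegated-administrator procedures register an account with `RegisterDelegatedAdministrator` against a service principal, so an inventory of who administers which service is one query per registered account away. The following Python script is an added example, not code from the AWS documentation or from either service: it joins the output of `aws organizations list-delegated-administrators` with the output of `aws organizations list-delegated-services-for-account --account-id <id>` for each registered account, builds a per-service view, and flags delegated administrators whose status is not `ACTIVE` and services that have more than one delegated administrator. The account IDs, names, e-mail addresses, and CLI outputs are constructed for the example; the field names match the Organizations API.

```python
"""Delegated-administrator inventory for AWS Organizations.

Added example, not from the AWS documentation. The live inputs would be:

    aws organizations list-delegated-administrators
    aws organizations list-delegated-services-for-account --account-id <id>

Here both outputs are replaced by constructed samples so the script runs
offline. Account IDs and contact details are fictitious.
"""
import json
from collections import defaultdict

# Constructed sample: shape of `aws organizations list-delegated-administrators`.
SAMPLE_ADMINS = json.dumps({
    "DelegatedAdministrators": [
        {"Id": "111122223333", "Name": "security-tooling", "Status": "ACTIVE",
         "Email": "sec-tooling@example.com",
         "DelegationEnabledDate": "2024-02-01T09:00:00.000000+00:00"},
        {"Id": "444455556666", "Name": "finops", "Status": "SUSPENDED",
         "Email": "finops@example.com",
         "DelegationEnabledDate": "2024-03-10T12:00:00.000000+00:00"},
    ]
})

# Constructed samples: shape of `list-delegated-services-for-account`, keyed by
# the account ID you would pass as --account-id.
SAMPLE_SERVICES_BY_ACCOUNT = {
    "111122223333": json.dumps({"DelegatedServices": [
        {"ServicePrincipal": "detective.amazonaws.com",
         "DelegationEnabledDate": "2024-02-01T09:00:00.000000+00:00"},
        {"ServicePrincipal": "devops-guru.amazonaws.com",
         "DelegationEnabledDate": "2024-02-01T09:05:00.000000+00:00"},
    ]}),
    "444455556666": json.dumps({"DelegatedServices": [
        {"ServicePrincipal": "devops-guru.amazonaws.com",
         "DelegationEnabledDate": "2024-03-10T12:00:00.000000+00:00"},
    ]}),
}


def admins_by_service(admins_json, services_by_account):
    """Map each service principal to the (account_id, status) pairs delegated to it."""
    admins = json.loads(admins_json)["DelegatedAdministrators"]
    result = defaultdict(list)
    for admin in admins:
        # One list-delegated-services-for-account call per registered account.
        services = json.loads(services_by_account[admin["Id"]])["DelegatedServices"]
        for svc in services:
            result[svc["ServicePrincipal"]].append((admin["Id"], admin["Status"]))
    return dict(result)


def review_findings(by_service):
    """Return findings a reviewer would want to see, one string per finding.

    A service with several delegated admins is flagged for review, not as an
    error: some services allow it, others (such as Detective) expect a single
    administrator account. A non-ACTIVE admin still holds its delegation.
    """
    findings = []
    for principal, admins in sorted(by_service.items()):
        if len(admins) > 1:
            ids = ", ".join(account_id for account_id, _ in admins)
            findings.append(f"{principal}: {len(admins)} delegated admins ({ids})")
        for account_id, status in admins:
            if status != "ACTIVE":
                findings.append(f"{principal}: delegated admin {account_id} is {status}")
    return findings


if __name__ == "__main__":
    by_service = admins_by_service(SAMPLE_ADMINS, SAMPLE_SERVICES_BY_ACCOUNT)
    for principal, admins in sorted(by_service.items()):
        print(principal, "->", ", ".join(f"{a} ({s})" for a, s in admins))
    for finding in review_findings(by_service):
        print("REVIEW:", finding)
```

With the constructed sample, the script reports that `devops-guru.amazonaws.com` has two delegated administrators and that one of them, `444455556666`, is `SUSPENDED`; the suspended account still holds its delegation until it is removed with `DeregisterDelegatedAdministrator`, which is the check worth automating before an account is closed or moved out of the organization.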

## Disabling a delegated administrator for DevOps Guru
<a name="integrate-disable-da-devops"></a>

 You can remove the delegated administrator using either the DevOps Guru console, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation. For information on how to remove a delegated administrator using the DevOps Guru console, see [Monitor accounts across your organization](https://docs.aws.amazon.com//devops-guru/latest/userguide/getting-started-multi-account.html) in the *Amazon DevOps Guru User Guide*. 

# AWS Directory Service and AWS Organizations
<a name="services-that-can-integrate-directory-service"></a>

AWS Directory Service for Microsoft Active Directory, or AWS Managed Microsoft AD, lets you run Microsoft Active Directory (AD) as a managed service. AWS Directory Service makes it easy to set up and run directories in the AWS Cloud or connect your AWS resources with an existing on-premises Microsoft Active Directory. AWS Managed Microsoft AD also integrates tightly with AWS Organizations to allow seamless directory sharing across multiple AWS accounts and any VPC in a Region. For more information, see the [AWS Directory Service Administration Guide](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/).

To share a directory across an organization, the organization must have **All features** enabled, and the directory must be in the organization management account.

Use the following information to help you integrate AWS Directory Service with AWS Organizations.



## Enabling trusted access with Directory Service
<a name="integrate-enable-ta-directory-service"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Directory Service console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Directory Service console or tools to enable integration with Organizations. This lets AWS Directory Service perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Directory Service. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Directory Service console or tools then you don’t need to complete these steps.

**To enable trusted access using the Directory Service console**  
To share a directory, which automatically enables trusted access, see [Share Your Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html) in the *AWS Directory Service Administration Guide*. For step-by-step instructions, see [Tutorial: Sharing Your AWS Managed Microsoft AD Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_directory_sharing.html).

You can enable trusted access by using the AWS Organizations console.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Directory Service** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Directory Service** dialog box, type **enable** to confirm it, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Directory Service that they can now enable that service to work with AWS Organizations from the service console.

------

## Disabling trusted access with Directory Service
<a name="integrate-disable-ta-directory-service"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

 If you disable trusted access using AWS Organizations while you are using Directory Service, all previously shared directories continue to operate as normal. However, you can no longer share new directories within the organization until you enable trusted access again.

You can only disable trusted access using the Organizations tools.

You can disable trusted access by using the AWS Organizations console.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Directory Service** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS Directory Service** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Directory Service that they can now disable that service from working with AWS Organizations using the service console or tools.

------

# Amazon Elastic Compute Cloud and AWS Organizations
<a name="services-that-can-integrate-ec2"></a>

Amazon Elastic Compute Cloud provides on-demand, scalable computing capacity in the AWS Cloud. When you use Amazon EC2 with Organizations, the Organizations administrator can generate a report of the current configuration of the accounts across the organization by using the Amazon EC2 [Declarative Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) feature. 

Use the following information to help you integrate Amazon Elastic Compute Cloud with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-ec2"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Amazon EC2 to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between Amazon EC2 and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForDeclarativePoliciesEC2Report`

## Service principals used by Amazon EC2
<a name="integrate-enable-svcprin-ec2"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Amazon EC2 grant access to the following service principals:
+ `ec2.amazonaws.com`

## Enabling trusted access with Amazon EC2
<a name="integrate-enable-ta-ec2"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

To enable the Organizations admin to create a report of what the existing configuration is for accounts across their organization, you must enable trusted access. 

You can only enable trusted access using the Organizations tools.

You can enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Declarative Policy for EC2** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for Declarative Policy for EC2** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of Amazon Elastic Compute Cloud that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable Amazon Elastic Compute Cloud as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal ec2.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access
<a name="integrate-disable-ta-ec2"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable Amazon Elastic Compute Cloud as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal ec2.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

# EC2 Capacity Manager and AWS Organizations
<a name="services-that-can-integrate-ec2-capacity-manager"></a>

EC2 Capacity Manager is a new UI experience with accompanying APIs for you to aggregate, view, analyze, and manage your capacity usage across EC2 On-Demand, Spot, and Capacity Reservations. When you grant trusted access for EC2 Capacity Manager to your AWS Organization, the service gains permission to read organization membership information across all member accounts. Specifically, Capacity Manager performs the following actions in member accounts: it collects EC2 usage data (including on-demand instances, spot instances, and capacity reservations) from all member accounts to aggregate into organization-wide capacity reports and dashboards. The service does not modify resources or configurations in member accounts - it only reads usage telemetry data that is already collected by AWS. This allows organization administrators to view consolidated capacity utilization, forecast future needs, and optimize resource allocation across their entire organization from a single dashboard. For more information, see [EC2 Capacity Manager](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/capacity-manager.html) in the *Amazon EC2 User Guide*. 

Use the following information to help you integrate EC2 Capacity Manager with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-ec2-capacity-manager"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows EC2 Capacity Manager to perform supported operations within the accounts in your organization on your behalf.

You can delete or modify this role only if you disable trusted access between EC2 Capacity Manager and AWS Organizations, or if you remove the member account from the organization. For more information, see [Using service-linked roles for EC2 Capacity Manager](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-service-linked-roles-cm.html) and [AWS managed policy: AWSEC2CapacityManagerServiceRolePolicy](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSEC2CapacityManagerServiceRolePolicy) in the *Amazon EC2 User Guide*.
+ `AWSServiceRoleForEC2CapacityManager` – Allows EC2 Capacity Manager to access AWS services and resources used or managed by EC2 Capacity Manager on your behalf.

## Service principals used by EC2 Capacity Manager
<a name="integrate-enable-svcprin-ec2-capacity-manager"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by EC2 Capacity Manager grant access to the following service principals:
+ `ec2.capacitymanager.amazonaws.com`

## Enabling trusted access with EC2 Capacity Manager
<a name="integrate-enable-ta-ec2-capacity-manager"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

When you grant trusted access for EC2 Capacity Manager to your AWS Organization, the service gains permission to read organization membership information across all member accounts. This allows organization administrators to view consolidated capacity utilization, forecast future needs, and optimize resource allocation across their entire organization from a single dashboard. 

You can enable trusted access using either the EC2 Capacity Manager console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the EC2 Capacity Manager console or tools to enable integration with Organizations. This lets EC2 Capacity Manager perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by EC2 Capacity Manager. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the EC2 Capacity Manager console or tools then you don’t need to complete these steps.

To enable trusted access from the EC2 Capacity Manager console, sign in as an administrator in the management account and open the Amazon EC2 console. Navigate to Capacity Manager and go to the Settings tab. In the Trusted access section, choose **Manage trusted access** to enable it.

You can enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **EC2 Capacity Manager** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for EC2 Capacity Manager** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of EC2 Capacity Manager that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable EC2 Capacity Manager as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal ec2.capacitymanager.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access
<a name="integrate-disable-ta-ec2-capacity-manager"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

To disable trusted access from the EC2 Capacity Manager console, open the Amazon EC2 console, navigate to Capacity Manager, and go to the **Settings** tab. In the Trusted access section, choose **Manage trusted access** to disable it. Note: all delegated administrators must be removed before you disable trusted access.

You can disable trusted access using either the EC2 Capacity Manager or the AWS Organizations tools.

**Important**  
We strongly recommend that whenever possible, you use the EC2 Capacity Manager console or tools to disable integration with Organizations. This lets EC2 Capacity Manager perform any clean up that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by EC2 Capacity Manager.  
If you disable trusted access by using the EC2 Capacity Manager console or tools then you don’t need to complete these steps.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable EC2 Capacity Manager as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal ec2.capacitymanager.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for EC2 Capacity Manager
<a name="integrate-enable-da-ec2-capacity-manager"></a>

A delegated administrator for EC2 Capacity Manager can manage Capacity Manager for your organization without using the management account. Delegated administrators have the ability to enable organization-level capacity management, view capacity data across all member accounts, modify settings between account-level and organization-level scope, and manage capacity forecasting for the entire organization. For more information, see [Delegated administrators for EC2 Capacity Manager](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-capacity-manager-da.html) in the *Amazon EC2 User Guide*.

**Minimum permissions**  
Only an administrator in the Organizations management account can configure a delegated administrator for EC2 Capacity Manager.

You can specify a delegated administrator account using the EC2 Capacity Manager console by navigating to Settings and managing delegated administrators, or by using the Organizations `RegisterDelegatedAdministrator` CLI or SDK operation. To configure a delegated administrator using the EC2 Capacity Manager console, see [Add a delegated administrator](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-capacity-manager-da.html#add-capacity-manager-da) in the *Amazon EC2 User Guide*.

------
#### [ AWS CLI, AWS API ]

You can register a delegated administrator account using the AWS CLI or one of the AWS SDKs:
+ AWS CLI: [register-delegated-administrator](https://docs.aws.amazon.com/cli/latest/reference/organizations/register-delegated-administrator.html)

  ```
  $ aws organizations register-delegated-administrator \
      --account-id ACCOUNT_ID \
      --service-principal ec2.capacitymanager.amazonaws.com
  ```
+ AWS API: [RegisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html)

------

## Disabling a delegated administrator account for EC2 Capacity Manager
<a name="integrate-disable-da-ec2-capacity-manager"></a>

Only an administrator in either the Organizations management account or the EC2 Capacity Manager delegated admin account can remove a delegated administrator account from the organization. You can remove a delegated administrator using the EC2 Capacity Manager console by choosing **Remove delegated administrator** in the Settings tab, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation. To remove a delegated administrator using the EC2 Capacity Manager console, see [Remove a delegated administrator](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-capacity-manager-da.html#remove-capacity-manager-da) in the *Amazon EC2 User Guide*.

------
#### [ AWS CLI, AWS API ]

You can remove a delegated administrator account using the AWS CLI or one of the AWS SDKs:
+ AWS CLI: [deregister-delegated-administrator](https://docs.aws.amazon.com/cli/latest/reference/organizations/deregister-delegated-administrator.html)

  ```
  $ aws organizations deregister-delegated-administrator \
      --account-id ACCOUNT_ID \
      --service-principal ec2.capacitymanager.amazonaws.com
  ```
+ AWS API: [DeregisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html)

------

# Amazon Elastic Kubernetes Service and AWS Organizations
<a name="services-that-can-integrate-eks"></a>

The Amazon Elastic Kubernetes Service Dashboard is a consolidated dashboard that you can use to monitor, manage, and gain visibility into your Kubernetes clusters across multiple AWS Regions and AWS Accounts. The EKS Dashboard provides you with comprehensive control and insights for your Amazon EKS infrastructure through a centralized interface.

The Amazon Elastic Kubernetes Service Dashboard enables you to track clusters scheduled for upgrades, project control plane costs, review cluster insights, and monitor node group distributions across your organization. Your AWS administrators can view aggregated data about cluster resources, including health status, version distribution, and add-on configurations through different visualization options including graphs, resource lists, and geographic maps. The dashboard integrates with AWS Organizations to provide secure cross-account and cross-region visibility of your EKS resources.

Use the following information to help you integrate Amazon Elastic Kubernetes Service with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-eks"></a>

 The following service-linked role is automatically created in your organization's management account when you enable trusted access using the Amazon Elastic Kubernetes Service console. This role allows Amazon EKS to perform supported operations within your organization's accounts in your organization. You can delete or modify this role only if you disable trusted access between Amazon Elastic Kubernetes Service and Organizations. 

If you enable trusted access directly from the Organizations console, CLI or SDK, the service-linked role is not created automatically. 
+ `AWSServiceRoleForAmazonEKSDashboard`
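The service-linked role caveats on this page are easy to get wrong from the Organizations side: `enable-aws-service-access` satisfies Organizations but, for Amazon EKS, leaves the role above uncreated, and the EC2 Capacity Manager section requires every delegated administrator to be deregistered before trusted access is disabled. The following Python script is an added example, not AWS code from this guide or from the services it describes. It audits API-shaped responses (constructed sample data here; in practice the output of boto3's `list_aws_service_access_for_organization`, `list_delegated_administrators` and `list_roles` run from the management account) against the service principal to role mapping documented in the EC2, Capacity Manager and EKS sections above and the Firewall Manager section that follows. The finding codes, the `EXPECTED_SLR` baseline and the sample account ID are the example's own assumptions.

```python
"""Audit trusted-access state for the Organizations integrations on this page.

Added example (not AWS documentation or AWS code). It runs on dicts shaped
like the Organizations and IAM API responses; the samples below are
constructed. Replace them with live data fetched via boto3, for example:
  organizations.list_aws_service_access_for_organization()
  organizations.list_delegated_administrators(ServicePrincipal=p)
  iam.list_roles(PathPrefix="/aws-service-role/")   # in the management account
"""
from dataclasses import dataclass

# Service principal -> service-linked role the page says is created in the
# management account when trusted access is enabled. EKS creates its role
# only when enabled from the EKS console, which is the gap this audit catches.
# The mapping is this example's baseline, not an AWS-published table.
EXPECTED_SLR = {
    "ec2.amazonaws.com": "AWSServiceRoleForDeclarativePoliciesEC2Report",
    "ec2.capacitymanager.amazonaws.com": "AWSServiceRoleForEC2CapacityManager",
    "dashboard.eks.amazonaws.com": "AWSServiceRoleForAmazonEKSDashboard",
    "fms.amazonaws.com": "AWSServiceRoleForFMS",
}


@dataclass(frozen=True)
class Finding:
    principal: str
    code: str  # MISSING_SLR | ORPHAN_SLR | NOT_IN_BASELINE (example's own codes)
    detail: str


def audit_trusted_access(service_access, iam_roles, expected=EXPECTED_SLR):
    """Compare enabled service principals with the SLRs present in IAM."""
    enabled = {e["ServicePrincipal"]
               for e in service_access.get("EnabledServicePrincipals", [])}
    roles = {r["RoleName"] for r in iam_roles.get("Roles", [])}
    findings = []
    for principal, role in expected.items():
        if principal in enabled and role not in roles:
            # Trusted access was turned on from the Organizations side only.
            findings.append(Finding(principal, "MISSING_SLR",
                f"trusted access is on but {role} does not exist; "
                "the integration is half-configured, enable it from the service console"))
        elif principal not in enabled and role in roles:
            # Disabling from the Organizations side skips the service's cleanup.
            findings.append(Finding(principal, "ORPHAN_SLR",
                f"{role} exists although trusted access is off; "
                "review before deleting, the service may still use it in this account"))
    for principal in sorted(enabled - expected.keys()):
        findings.append(Finding(principal, "NOT_IN_BASELINE",
            "trusted access is enabled for a principal this audit does not expect"))
    return findings


def can_disable(principal, delegated_admins):
    """Pre-flight for disable-aws-service-access: delegated administrators
    must be deregistered first. Returns (ok, blocking_account_ids)."""
    admins = delegated_admins.get(principal, {}).get("DelegatedAdministrators", [])
    blocking = sorted(a["Id"] for a in admins)
    return (not blocking, blocking)


# Constructed sample responses (not captured from a real organization).
SAMPLE_SERVICE_ACCESS = {"EnabledServicePrincipals": [
    {"ServicePrincipal": "ec2.amazonaws.com"},
    {"ServicePrincipal": "ec2.capacitymanager.amazonaws.com"},
    {"ServicePrincipal": "dashboard.eks.amazonaws.com"},  # enabled via Organizations CLI
    {"ServicePrincipal": "ssm.amazonaws.com"},
]}
SAMPLE_IAM_ROLES = {"Roles": [
    {"RoleName": "AWSServiceRoleForDeclarativePoliciesEC2Report"},
    {"RoleName": "AWSServiceRoleForEC2CapacityManager"},
    {"RoleName": "AWSServiceRoleForFMS"},  # left behind after FMS trusted access was disabled
]}
SAMPLE_DELEGATED_ADMINS = {
    "ec2.capacitymanager.amazonaws.com": {"DelegatedAdministrators": [
        {"Id": "111122223333", "Name": "capacity-admin", "Status": "ACTIVE"}]},
}

if __name__ == "__main__":
    for f in audit_trusted_access(SAMPLE_SERVICE_ACCESS, SAMPLE_IAM_ROLES):
        print(f"{f.code:16} {f.principal}: {f.detail}")
    ok, blocking = can_disable("ec2.capacitymanager.amazonaws.com", SAMPLE_DELEGATED_ADMINS)
    print("safe to disable EC2 Capacity Manager:", ok, "blocking accounts:", blocking)
```

On the sample data the audit flags EKS as `MISSING_SLR` and Firewall Manager as `ORPHAN_SLR`, and `can_disable` refuses the Capacity Manager principal until account `111122223333` is deregistered with `deregister-delegated-administrator`. Treat `ORPHAN_SLR` as a prompt to review rather than an instruction to delete: a service-linked role can also exist because the service is used in the management account on its own.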

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-eks"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Amazon EKS grant access to the following service principals:
+ `dashboard.eks.amazonaws.com`

## Enabling trusted access with Amazon EKS
<a name="integrate-enable-ta-eks"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

**To enable trusted access using the Amazon EKS console**  
See [Enable trusted access](https://docs.aws.amazon.com/eks/latest/userguide/cluster-dashboard-orgs.html#_enable_trusted_access) in the *Amazon EKS User Guide*.

## Disabling trusted access with Amazon EKS
<a name="integrate-disable-ta-eks"></a>

**To disable trusted access using the Amazon EKS console**  
See [Disable trusted access](https://docs.aws.amazon.com/eks/latest/userguide/cluster-dashboard-orgs.html#_disable_trusted_access) in the *Amazon EKS User Guide*.

## Enabling a delegated administrator account for Amazon EKS
<a name="integrate-enable-da-eks"></a>

The management account administrator can delegate Amazon EKS administrative permissions to a designated member account known as delegated administrator. 

Management accounts and delegated administrator accounts can view the Amazon EKS Dashboard.

**To enable a delegated administrator account**  
See [Enable a delegated administrator account](https://docs.aws.amazon.com/eks/latest/userguide/cluster-dashboard-orgs.html#_enable_a_delegated_administrator_account) in the *Amazon EKS User Guide*.

## Disabling a delegated administrator for Amazon EKS
<a name="integrate-disable-da-eks"></a>

Only an administrator in the organization management account can configure a delegated administrator for Amazon EKS.

**To disable a delegated administrator account**  
See [Disable a delegated administrator account](https://docs.aws.amazon.com/eks/latest/userguide/cluster-dashboard-orgs.html#_disable_a_delegated_administrator_account) in the *Amazon EKS User Guide*.

# AWS Firewall Manager and AWS Organizations
<a name="services-that-can-integrate-fms"></a>

AWS Firewall Manager is a security management service you use to centrally configure and manage firewall rules and other protections across the AWS accounts and applications in your organization. Using Firewall Manager, you can roll out AWS WAF rules, create AWS Shield Advanced protections, configure and audit Amazon Virtual Private Cloud (Amazon VPC) security groups, and deploy AWS Network Firewalls. Use Firewall Manager to set up your protections just once and have them automatically applied across all accounts and resources within your organization, even as new resources and accounts are added. For more information about AWS Firewall Manager, see the *[AWS Firewall Manager Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html)*.

Use the following information to help you integrate AWS Firewall Manager with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-fms"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Firewall Manager to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between Firewall Manager and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForFMS`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-fms"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Firewall Manager grant access to the following service principals:
+ `fms.amazonaws.com`

## Enabling trusted access with Firewall Manager
<a name="integrate-enable-ta-fms"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Firewall Manager console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Firewall Manager console or tools to enable integration with Organizations. This lets AWS Firewall Manager perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Firewall Manager. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Firewall Manager console or tools then you don’t need to complete these steps.

You must sign in with your AWS Organizations management account and configure an account within the organization as the AWS Firewall Manager administrator account. For more information, see [Set the AWS Firewall Manager Administrator Account](https://docs.aws.amazon.com/waf/latest/developerguide/enable-integration.html) in the *AWS Firewall Manager Developer Guide*.

You can enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Firewall Manager** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Firewall Manager** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Firewall Manager that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Firewall Manager as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal fms.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with Firewall Manager
<a name="integrate-disable-ta-fms"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can disable trusted access using either the AWS Firewall Manager or the AWS Organizations tools.

**Important**  
We strongly recommend that whenever possible, you use the AWS Firewall Manager console or tools to disable integration with Organizations. This lets AWS Firewall Manager perform any clean up that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by AWS Firewall Manager.  
If you disable trusted access by using the AWS Firewall Manager console or tools then you don’t need to complete these steps.

**To disable trusted access using the Firewall Manager console**  
You can change or revoke the AWS Firewall Manager administrator account by following the instructions in [Designating a Different Account as the AWS Firewall Manager Administrator Account](https://docs.aws.amazon.com/waf/latest/developerguide/fms-change-administrator.html) in the *AWS Firewall Manager Developer Guide*.

If you revoke the administrator account, you must sign in to the AWS Organizations management account and set a new administrator account for AWS Firewall Manager.

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Firewall Manager** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS Firewall Manager** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Firewall Manager that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Firewall Manager as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal fms.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Firewall Manager
<a name="integrate-enable-da-fms"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Firewall Manager that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Firewall Manager.

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Firewall Manager in the organization.

For instructions on how to designate a member account as the Firewall Manager administrator for the organization, see [Set the AWS Firewall Manager Administrator Account](https://docs.aws.amazon.com/waf/latest/developerguide/enable-integration.html) in the *AWS Firewall Manager Developer Guide*.

# Amazon GuardDuty and AWS Organizations
<a name="services-that-can-integrate-guardduty"></a>

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes a variety of data sources, using threat intelligence feeds and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, communication with malicious IP addresses, URLs, or domains, or presence of malware on your Amazon Elastic Compute Cloud instances and container workloads. 

You can help simplify management of GuardDuty by using Organizations to manage GuardDuty across all of the accounts in your organization.

For more information, see [Managing GuardDuty accounts with AWS Organizations](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) in the *Amazon GuardDuty User Guide*.

Use the following information to help you integrate Amazon GuardDuty with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-guardduty"></a>

The following service-linked roles are automatically created in your organization's management account when you enable trusted access. These roles allow GuardDuty to perform supported operations within the accounts in your organization. You can delete a role only if you disable trusted access between GuardDuty and Organizations, or if you remove the member account from the organization.
+ The `AWSServiceRoleForAmazonGuardDuty` service-linked role is automatically created in accounts that have integrated GuardDuty with Organizations. For more information, see [Managing GuardDuty accounts with Organizations](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) in the *Amazon GuardDuty User Guide*.
+ The `AmazonGuardDutyMalwareProtectionServiceRolePolicy` service-linked role is automatically created in accounts that have enabled GuardDuty Malware Protection. For more information, see [Service-linked role permissions for GuardDuty Malware Protection](https://docs.aws.amazon.com/guardduty/latest/ug/slr-permissions-malware-protection.html) in the *Amazon GuardDuty User Guide*.

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-guardduty"></a>
+ `guardduty.amazonaws.com`, used by the `AWSServiceRoleForAmazonGuardDuty` service-linked role.
+ `malware-protection.guardduty.amazonaws.com`, used by the `AmazonGuardDutyMalwareProtectionServiceRolePolicy` service-linked role.

## Enabling trusted access with GuardDuty
<a name="integrate-enable-ta-guardduty"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can only enable trusted access using Amazon GuardDuty.

Amazon GuardDuty requires trusted access to AWS Organizations before you can designate a member account to be the GuardDuty administrator for your organization. If you configure a delegated administrator using the GuardDuty console, then GuardDuty automatically enables trusted access for you. 

However, if you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, then you must explicitly call the [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) operation and provide the service principal as a parameter. Then you can call [EnableOrganizationAdminAccount](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_EnableOrganizationAdminAccount.html) to delegate the GuardDuty administrator account.

## Disabling trusted access with GuardDuty
<a name="integrate-disable-ta-guardduty"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable Amazon GuardDuty as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal guardduty.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for GuardDuty
<a name="integrate-enable-da-guardduty"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for GuardDuty that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of GuardDuty.

**Minimum permissions**  
For information about the permissions required to designate a member account as a delegated administrator, see [Permissions required to designate a delegated administrator](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html#organizations_permissions) in the *Amazon GuardDuty User Guide*.

**To designate a member account as a delegated administrator for GuardDuty**  
See [Designate a delegated administrator and add member accounts (console)](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html#organization_thru_console) and [Designate a delegated administrator and add member accounts (API)](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html#organization_thru_api) in the *Amazon GuardDuty User Guide*.

# AWS Health and AWS Organizations
<a name="services-that-can-integrate-health"></a>

AWS Health provides ongoing visibility into your resource performance and the availability of your AWS services and accounts. AWS Health delivers events when your AWS resources and services are impacted by an issue or will be affected by upcoming changes. After you enable organizational view, a user in the organization’s management account can aggregate AWS Health events across all accounts in the organization. Organizational view only shows AWS Health events delivered after the feature is enabled and retains them for 90 days. 

You can enable organizational view by using the AWS Health console, the AWS Command Line Interface (AWS CLI), or the AWS Health API. 

For more information, see [Aggregating AWS Health events](https://docs.aws.amazon.com/health/latest/ug/aggregate-events.html) in the *AWS Health User Guide*.

Use the following information to help you integrate AWS Health with AWS Organizations.



## Service-linked roles for integration
<a name="integrate-enable-slr-health"></a>

The `AWSServiceRoleForHealth_Organizations` service-linked role allows AWS Health to perform supported operations within the accounts in your organization.

This role is created automatically in your organization's management account when you enable trusted access by calling the [EnableHealthServiceAccessForOrganization](https://docs.aws.amazon.com/health/latest/APIReference/API_EnableHealthServiceAccessForOrganization.html) API operation. Otherwise, create the role using the AWS Health console, API, or CLI, as described in [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/).

You can delete or modify this role only if you disable trusted access between AWS Health and Organizations, or if you remove the member account from the organization.

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-health"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by AWS Health grant access to the following service principals:
+ `health.amazonaws.com`

## Enabling trusted access with AWS Health
<a name="integrate-enable-ta-health"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

When you enable the organizational view feature for AWS Health, trusted access is also enabled for you automatically.

You can enable trusted access using either the AWS Health console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Health console or tools to enable integration with Organizations. This lets AWS Health perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Health. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Health console or tools then you don’t need to complete these steps.

**To enable trusted access using the AWS Health console**  
You can enable trusted access by using AWS Health and one of the following options:
+ Use the AWS Health console. For more information, see [Organizational view (console)](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view-in-health-console.html) in the *AWS Health User Guide*. 
+ Use the AWS CLI. For more information, see [Organizational view (CLI)](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view-from-aws-command-line.html) in the *AWS Health User Guide*. 
+ Call the [EnableHealthServiceAccessForOrganization](https://docs.aws.amazon.com/health/latest/APIReference/API_EnableHealthServiceAccessForOrganization.html) API operation.

You can enable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Health as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal health.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with AWS Health
<a name="integrate-disable-ta-health"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

After you disable the organizational view feature, AWS Health stops aggregating events for all other accounts in your organization. This also disables trusted access for you automatically. 

You can disable trusted access using either the AWS Health or the AWS Organizations tools.

**Important**  
We strongly recommend that whenever possible, you use the AWS Health console or tools to disable integration with Organizations. This lets AWS Health perform any cleanup that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by AWS Health.  
If you disable trusted access by using the AWS Health console or tools, then you don’t need to complete these steps.

**To disable trusted access using the AWS Health console**  
You can disable trusted access with one of the following options:
+ Use the AWS Health console. For more information, see [Disabling organizational view (console)](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view-in-health-console.html#disabling-organizational-view-console) in the *AWS Health User Guide*.
+ Use the AWS CLI. For more information, see [Disabling organizational view (CLI)](https://docs.aws.amazon.com//health/latest/ug/enable-organizational-view-from-aws-command-line.html#disabling-organizational-view) in the *AWS Health User Guide*. 
+ Call the [DisableHealthServiceAccessForOrganization](https://docs.aws.amazon.com/health/latest/APIReference/API_DisableHealthServiceAccessForOrganization.html) API operation.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Health as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal health.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for AWS Health
<a name="integrate-enable-da-health"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for AWS Health that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of AWS Health.

**To designate a member account as a delegated administrator for AWS Health**  
See [Register a delegated administrator for your organizational view](https://docs.aws.amazon.com/health/latest/ug/delegated-administrator-organizational-view.html#register-a-delegated-administrator) in the *AWS Health User Guide*.

**To remove a delegated administrator for AWS Health**  
See [Remove a delegated administrator from your organizational view](https://docs.aws.amazon.com/health/latest/ug/delegated-administrator-organizational-view.html#remove-a-delegated-administrator) in the *AWS Health User Guide*.

# AWS Identity and Access Management and AWS Organizations
<a name="services-that-can-integrate-iam"></a>

AWS Identity and Access Management is a web service for securely controlling access to AWS services. 

You can use [service last accessed data](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html) in IAM to help you better understand AWS activity across your organization. You can use this data to create and update [service control policies (SCPs)](orgs_manage_policies_scps.md) that restrict access to only the AWS services that your organization's accounts use. 

For an example, see [Using Data to Refine Permissions for an Organizational Unit](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-example-scenarios.html#access_policies_access-advisor-reduce-permissions-orgs) in the *IAM User Guide*.

IAM lets you centrally manage root user credentials and perform privileged tasks on member accounts. After you enable root access management, which enables trusted access for IAM in AWS Organizations, you can centrally secure the root user credentials of member accounts. Member accounts can't sign in to their root user or perform password recovery for their root user. The management account or a delegated administrator account for IAM can also perform some privileged tasks on member accounts using short-term root access. Short-term privileged sessions give you temporary credentials that you can scope to take privileged actions on a member account in your organization. 

For more information, see [Centrally manage root access for member accounts](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_root-user.html#id_root-user-access-management) in the *IAM User Guide*. 

Use the following information to help you integrate AWS Identity and Access Management with AWS Organizations. 

## Enabling trusted access with IAM
<a name="integrate-enable-ta-iam"></a>

When you enable root access management, trusted access is enabled for IAM in AWS Organizations. 

## Disabling trusted access with IAM
<a name="integrate-disable-ta-iam"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in the AWS Organizations management account can disable trusted access with AWS Identity and Access Management.

You can only disable trusted access using the Organizations tools.

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Identity and Access Management** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS Identity and Access Management** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Identity and Access Management that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Identity and Access Management as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal iam.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for IAM
<a name="integrate-enable-da-iam"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform privileged tasks on member accounts that otherwise can be performed only by users or roles in the organization's management account. For more information, see [Perform a privileged task on an Organizations member account](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_root-user-privileged-task.html) in the *IAM User Guide*.

Only an administrator in the organization management account can configure a delegated administrator for IAM.

You can specify a delegated administrator account from the IAM console or API, or by using the Organizations CLI or SDK operation. 

## Disabling a delegated administrator for IAM
<a name="integrate-disable-da-iam"></a>

Only an administrator in either the Organizations management account or the IAM delegated admin account can remove a delegated administrator account from the organization. You can disable delegated administration using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation.

# Amazon Inspector and AWS Organizations
<a name="services-that-can-integrate-inspector2"></a>

Amazon Inspector is an automated vulnerability management service that continually scans Amazon EC2 and container workloads for software vulnerabilities and unintended network exposure. 

Using Amazon Inspector you can manage multiple accounts that are associated through AWS Organizations by simply delegating an administrator account for Amazon Inspector. The delegated administrator manages Amazon Inspector for the organization and is granted special permissions to perform tasks on behalf of your organization such as: 
+ Enable or disable scans for member accounts
+ View aggregated finding data from the entire organization
+ Create and manage suppression rules

For more information, see [Managing multiple accounts with AWS Organizations](https://docs.aws.amazon.com//inspector/latest/user/managing-multiple-accounts.html) in the *Amazon Inspector User Guide*. 

Use the following information to help you integrate Amazon Inspector with AWS Organizations. 

## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-inspector2"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Amazon Inspector to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between Amazon Inspector and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForAmazonInspector2`

For more information, see [Using service-linked roles with Amazon Inspector](https://docs.aws.amazon.com//inspector/latest/user/using-service-linked-roles.html) in the *Amazon Inspector User Guide*. 

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-inspector2"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Amazon Inspector grant access to the following service principals:
+ `inspector2.amazonaws.com`

## Enabling trusted access with Amazon Inspector
<a name="integrate-enable-ta-inspector2"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

Amazon Inspector requires trusted access to AWS Organizations before you can designate a member account to be the delegated administrator for this service for your organization.

When you designate a delegated administrator for Amazon Inspector, Amazon Inspector automatically enables trusted access for Amazon Inspector for your organization.

However, if you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, then you must explicitly call the `EnableAWSServiceAccess` operation and provide the service principal as a parameter. Then you can call `EnableDelegatedAdminAccount` to delegate the Inspector administrator account.

You can enable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable Amazon Inspector as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal inspector2.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

**Note**  
If you are using the `EnableAWSServiceAccess` API, you need to also call [EnableDelegatedAdminAccount](https://docs.aws.amazon.com/inspector/v2/APIReference/API_EnableDelegatedAdminAccount.html) to delegate the Inspector administrator account.

## Disabling trusted access with Amazon Inspector
<a name="integrate-disable-ta-inspector2"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in the AWS Organizations management account can disable trusted access with Amazon Inspector.

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable Amazon Inspector as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal inspector2.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------
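Every disable procedure on this page (Firewall Manager, GuardDuty, AWS Health, IAM and Amazon Inspector above) ends in the same Organizations `DisableAWSServiceAccess` call, and `DeregisterDelegatedAdministrator` is its counterpart for delegated administration. Both are routine cleanup when done on purpose, but both quietly reduce security coverage, and both are recorded by CloudTrail. The following Python detection is added here as an example and is not code from the AWS documentation or the AWS CLI; it runs over constructed CloudTrail records embedded in the script. The management account ID, actor ARNs, timestamps and the error code string are placeholders, and the set of principals treated as high severity is an assumption to adjust for your organization.

```python
"""Detection logic for trusted-access removal in AWS Organizations.

Added example, not code from the AWS documentation. It scans CloudTrail
records (constructed samples below, not real log data) for the Organizations
API calls that end the integrations this page describes.
"""

# Service principals from this page whose trusted access backs security
# monitoring or enforcement. Disabling them is sometimes legitimate cleanup,
# but it silently reduces coverage, so it deserves a high-severity alert.
# (Assumption: adjust this set to the services your organization relies on.)
SECURITY_PRINCIPALS = {
    "guardduty.amazonaws.com",
    "inspector2.amazonaws.com",
    "fms.amazonaws.com",
    "iam.amazonaws.com",
    "health.amazonaws.com",
}
WATCHED_EVENTS = {"DisableAWSServiceAccess", "DeregisterDelegatedAdministrator"}

# Constructed placeholder for the organization's management account ID.
MANAGEMENT_ACCOUNT = "111111111111"

# Constructed CloudTrail records, reduced to the fields the detection uses.
SAMPLE_TRAIL = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DisableAWSServiceAccess",
     "userIdentity": {"accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/alice"},
     "requestParameters": {"servicePrincipal": "guardduty.amazonaws.com"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DeregisterDelegatedAdministrator",
     "userIdentity": {"accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/alice"},
     "requestParameters": {"accountId": "222222222222",
                           "servicePrincipal": "inspector2.amazonaws.com"}},
    {"eventTime": "2024-03-01T10:07:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DisableAWSServiceAccess", "errorCode": "AccessDeniedException",
     "userIdentity": {"accountId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:user/bob"},
     "requestParameters": {"servicePrincipal": "fms.amazonaws.com"}},
    {"eventTime": "2024-03-01T10:09:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "EnableAWSServiceAccess",
     "userIdentity": {"accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/alice"},
     "requestParameters": {"servicePrincipal": "health.amazonaws.com"}},
    {"eventTime": "2024-03-01T10:12:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DisableAWSServiceAccess",
     "userIdentity": {"accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/alice"},
     "requestParameters": {"servicePrincipal": "ram.amazonaws.com"}},
]


def classify(record, management_account=MANAGEMENT_ACCOUNT):
    """Return an alert dict for a watched Organizations call, else None."""
    if record.get("eventSource") != "organizations.amazonaws.com":
        return None
    if record.get("eventName") not in WATCHED_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    principal = params.get("servicePrincipal", "<unknown>")
    identity = record.get("userIdentity") or {}
    notes = []
    # A failed call is still an attempt worth seeing; CloudTrail carries the
    # error in errorCode and omits that field on success.
    failed = "errorCode" in record
    if failed:
        notes.append(f"attempt failed: {record['errorCode']}")
    # Per this page, only the management account can disable trusted access,
    # so a call from any other account is unexpected whether or not it succeeds.
    if identity.get("accountId") != management_account:
        notes.append("caller is not the management account")
    return {
        "time": record.get("eventTime"),
        "event": record["eventName"],
        "principal": principal,
        "target_account": params.get("accountId"),  # present for deregistration
        "actor": identity.get("arn"),
        "severity": "HIGH" if principal in SECURITY_PRINCIPALS else "MEDIUM",
        "failed": failed,
        "notes": notes,
    }


def scan(records, management_account=MANAGEMENT_ACCOUNT):
    """Run the detection over an iterable of CloudTrail records."""
    alerts = (classify(r, management_account) for r in records)
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAIL):
        print(f"[{alert['severity']}] {alert['time']} {alert['event']} "
              f"{alert['principal']} by {alert['actor']} {'; '.join(alert['notes'])}")
```

In production the same `classify` function would be fed from a CloudTrail Lake query or an EventBridge rule on `organizations.amazonaws.com` events, and the expected follow-up is a ticket cross-checked against the change that was supposed to happen; the denied attempt from a member account is the case most worth a human look, since the page's own rule says it cannot have been a legitimate administrator action.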

## Enabling a delegated administrator account for Amazon Inspector
<a name="integrate-enable-da-inspector2"></a>

With Amazon Inspector you can manage multiple accounts in an organization using a delegated administrator with the AWS Organizations service.

The AWS Organizations management account designates an account within the organization as the delegated administrator account for Amazon Inspector. The delegated administrator manages Amazon Inspector for the organization and is granted special permissions to perform tasks on behalf of your organization such as: enable or disable scans for member accounts, view aggregated finding data from the entire organization, and create and manage suppression rules.

For information on how a delegated administrator manages organization accounts, see [Understanding the relationship between administrator and member accounts](https://docs.aws.amazon.com//inspector/latest/user/admin-member-relationship.html) in the *Amazon Inspector User Guide*.

Only an administrator in the organization management account can configure a delegated administrator for Amazon Inspector.

You can specify a delegated administrator account from the Amazon Inspector console or API, or by using the Organizations CLI or SDK operation. 

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Amazon Inspector in the organization.

To configure a delegated administrator using the Amazon Inspector console, see [Step 1: Enable Amazon Inspector - Multi-account environment](https://docs.aws.amazon.com//inspector/latest/user/getting_started_tutorial.html#tutorial_enable_scans) in the *Amazon Inspector User Guide*.

**Note**  
You must call `inspector2:enableDelegatedAdminAccount` in each Region where you use Amazon Inspector.

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal inspector2.amazonaws.com
  ```
+ AWS SDK: Call the Organizations `RegisterDelegatedAdministrator` operation, passing the member account's ID number and the service principal `inspector2.amazonaws.com` as parameters. 

------
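The GuardDuty section and the Amazon Inspector section above both require the Organizations `EnableAWSServiceAccess` call before the service-side designation call when you delegate through the CLI or an SDK, and the note above adds that Inspector's designation is made in each Region. The following Python script is added here as an example and is not part of the AWS documentation or the AWS CLI. It audits the current state from the JSON that `aws organizations list-aws-service-access-for-organization` and `aws organizations list-delegated-administrators --service-principal` print (constructed samples are embedded; the account IDs are placeholders), reports drift such as an unexpected delegated administrator, and emits the CLI steps in the required order. The expected-administrator table, the service-side command templates in `SERVICE_SIDE_DESIGNATION` and the Region list are assumptions to adapt to your organization.

```python
"""Audit Organizations trusted access for the security services on this page
and plan the ordered remediation commands. Added example, not AWS code.

Input is the JSON printed by (constructed samples below, placeholder IDs):
  aws organizations list-aws-service-access-for-organization
  aws organizations list-delegated-administrators --service-principal <sp>
"""
import re

# Desired end state: service principal -> member account that should be the
# delegated administrator (constructed placeholder account IDs).
EXPECTED_ADMIN = {
    "guardduty.amazonaws.com": "222222222222",
    "inspector2.amazonaws.com": "222222222222",
    "fms.amazonaws.com": "333333333333",
    "health.amazonaws.com": "444444444444",
}

# Service-side designation call that must follow enable-aws-service-access,
# and whether it is made once per Region (this page states that for Inspector).
# Principals not listed here fall back to Organizations'
# register-delegated-administrator, the command shown above for Inspector.
# Assumption: these command templates are kept in step with the AWS CLI.
SERVICE_SIDE_DESIGNATION = {
    "guardduty.amazonaws.com": (
        "aws guardduty enable-organization-admin-account --admin-account-id {acct}", False),
    "inspector2.amazonaws.com": (
        "aws inspector2 enable-delegated-admin-account "
        "--delegated-admin-account-id {acct}", True),
    "fms.amazonaws.com": (
        "aws fms associate-admin-account --admin-account {acct}", False),
}

# Constructed output of list-aws-service-access-for-organization.
SERVICE_ACCESS = {"EnabledServicePrincipals": [
    {"ServicePrincipal": "guardduty.amazonaws.com", "DateEnabled": "2024-01-10T09:12:00Z"},
    {"ServicePrincipal": "fms.amazonaws.com", "DateEnabled": "2024-01-10T09:20:00Z"},
    {"ServicePrincipal": "health.amazonaws.com", "DateEnabled": "2024-02-02T14:00:00Z"},
]}

# Constructed output of list-delegated-administrators, keyed by the
# --service-principal value each call was filtered on.
DELEGATED = {
    "guardduty.amazonaws.com": {"DelegatedAdministrators": [
        {"Id": "222222222222", "Status": "ACTIVE"}]},
    "inspector2.amazonaws.com": {"DelegatedAdministrators": []},
    "fms.amazonaws.com": {"DelegatedAdministrators": [
        {"Id": "999999999999", "Status": "ACTIVE"}]},
    "health.amazonaws.com": {"DelegatedAdministrators": []},
}

ACCOUNT_ID = re.compile(r"^\d{12}$")


def enabled_principals(service_access):
    return {e["ServicePrincipal"] for e in service_access.get("EnabledServicePrincipals", [])}


def active_admins(delegated):
    """service principal -> set of ACTIVE delegated administrator account IDs."""
    return {sp: {a["Id"] for a in out.get("DelegatedAdministrators", [])
                 if a.get("Status") == "ACTIVE"}
            for sp, out in delegated.items()}


def designation_commands(principal, account_id, regions):
    if not ACCOUNT_ID.match(account_id):
        raise ValueError(f"not a 12-digit account ID: {account_id!r}")
    if principal in SERVICE_SIDE_DESIGNATION:
        template, per_region = SERVICE_SIDE_DESIGNATION[principal]
        cmd = template.format(acct=account_id)
        return [f"{cmd} --region {r}" for r in regions] if per_region else [cmd]
    return [f"aws organizations register-delegated-administrator "
            f"--account-id {account_id} --service-principal {principal}"]


def audit(service_access, delegated, expected, regions):
    """Return (findings, plan): human-readable drift and the ordered commands."""
    findings, plan = [], []
    enabled = enabled_principals(service_access)
    admins = active_admins(delegated)
    for principal, wanted in expected.items():
        if principal not in enabled:
            findings.append(f"{principal}: trusted access not enabled")
            # Must precede any delegation call for this principal.
            plan.append(f"aws organizations enable-aws-service-access "
                        f"--service-principal {principal}")
        current = admins.get(principal, set())
        if current == {wanted}:
            continue
        if current:
            # Drift is reported but not auto-fixed: removing an administrator
            # is a deliberate decision, not something a script should make.
            findings.append(f"{principal}: delegated administrator is "
                            f"{sorted(current)}, expected {wanted}")
            continue
        findings.append(f"{principal}: no delegated administrator registered")
        plan.extend(designation_commands(principal, wanted, regions))
    return findings, plan


def run_sample(regions=("us-east-1", "eu-west-1")):
    return audit(SERVICE_ACCESS, DELEGATED, EXPECTED_ADMIN, list(regions))


if __name__ == "__main__":
    findings, plan = run_sample()
    print("\n".join(findings))
    print("\n".join(plan))
```

The script deliberately prints commands rather than running them: the management account credentials needed to execute them are exactly the ones you want to keep out of unattended automation, and the plan is short enough to review before it is applied.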

## Disabling a delegated administrator for Amazon Inspector
<a name="integrate-disable-da-inspector2"></a>

Only an administrator in the AWS Organizations management account can remove a delegated administrator account from the organization. 

You can remove the delegated administrator using either the Amazon Inspector console or API, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation. To remove a delegated administrator using the Amazon Inspector console, see [Removing a delegated administrator](https://docs.aws.amazon.com//inspector/latest/user/remove-delegated-admin.html) in the *Amazon Inspector User Guide*.

# AWS License Manager and AWS Organizations
<a name="services-that-can-integrate-license-manager"></a>

AWS License Manager streamlines the process of bringing software vendor licenses to the cloud. As you build out cloud infrastructure on AWS, you can save costs by using bring-your-own-license (BYOL) opportunities—that is, by repurposing your existing license inventory for use with cloud resources. With rule-based controls on the consumption of licenses, administrators can set hard or soft limits on new and existing cloud deployments, stopping noncompliant server usage before it happens.

For more information about License Manager, see the [License Manager User Guide](https://docs.aws.amazon.com/license-manager/latest/userguide/).

By linking License Manager with AWS Organizations, you can:
+ Enable cross-account discovery of computing resources throughout your organization.
+ View and manage commercial Linux subscriptions that you own and run on AWS. For more information see [Linux subscriptions in AWS License Manager](https://docs.aws.amazon.com/license-manager/latest/userguide/linux-subscriptions.html).

Use the following information to help you integrate AWS License Manager with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-license-manager"></a>

The following [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) are automatically created in your organization's management account when you enable trusted access. These roles allow License Manager to perform supported operations within the accounts in your organization.

You can delete or modify roles only if you disable trusted access between License Manager and Organizations, or if you remove the member account from the organization.
+ `AWSLicenseManagerMasterAccountRole`
+ `AWSLicenseManagerMemberAccountRole`
+ `AWSServiceRoleForAWSLicenseManagerRole`
+ `AWSServiceRoleForAWSLicenseManagerLinuxSubscriptionsService`

For more information, see [License Manager–Management account role](https://docs.aws.amazon.com/license-manager/latest/userguide/management-role.html), [License Manager–Member account role](https://docs.aws.amazon.com/license-manager/latest/userguide/member-role.html), and [License Manager–Linux subscriptions role](https://docs.aws.amazon.com/license-manager/latest/userguide/linux-subscriptions-role.html).

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-license-manager"></a>

The service-linked roles in the previous section can be assumed only by the service principals authorized by the trust relationships defined for each role. The service-linked roles used by License Manager grant access to the following service principals:
+ `license-manager.amazonaws.com`
+ `license-manager.member-account.amazonaws.com`
+ `license-manager-linux-subscriptions.amazonaws.com`

## Enabling trusted access with License Manager
<a name="integrate-enable-ta-license-manager"></a>

You can only enable trusted access using AWS License Manager.

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

**To enable trusted access with License Manager**  
You must sign in to the License Manager console using your AWS Organizations management account and associate it with your License Manager account. For more information, see [Settings in AWS License Manager](https://docs.aws.amazon.com/license-manager/latest/userguide/settings.html).

## Disabling trusted access with License Manager
<a name="integrate-disable-ta-license-manager"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  You can run the following command to disable AWS License Manager as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal license-manager.amazonaws.com
  ```

  This command produces no output when successful.

  To disable trusted access for Linux subscriptions use:

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal license-manager-linux-subscriptions.amazonaws.com
  ```
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for License Manager
<a name="integrate-enable-da-license-manager"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for License Manager that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of License Manager.

To delegate a member account as an administrator for License Manager, follow the steps at [Register a delegated administrator](https://docs.aws.amazon.com/license-manager/latest/userguide/settings.html#delegated-administrator) in the *License Manager User Guide*. 

# AWS Managed Services (AMS) Self-Service Reporting (SSR) and AWS Organizations
<a name="services-that-can-integrate-managed-services"></a>

[AWS Managed Services (AMS) Self-Service Reporting (SSR)](https://aws.amazon.com/managed-services) collects data from various native AWS services and provides access to reports on major AMS offerings. SSR provides the information that you can use to support operations, configuration management, asset management, security management, and compliance.

After you integrate with AWS Organizations, you can enable Aggregated self-service reporting (SSR). This is an AMS feature that allows Advanced and Accelerate customers to view their existing Self-service reports aggregated at the organization level, cross-account. This gives you visibility into key operational metrics such as patch compliance, backup coverage, and incidents across all AMS-managed accounts within AWS Organizations.

Use the following information to help you integrate AWS Managed Services (AMS) Self-Service Reporting (SSR) with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-managed-services"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows AMS to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between AMS and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForManagedServices_SelfServiceReporting`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-managed-services"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by AMS grant access to the following service principals:
+ `selfservicereporting.managedservices.amazonaws.com`

## Enabling trusted access with AMS
<a name="integrate-enable-ta-managed-services"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Managed Services (AMS) Self-Service Reporting (SSR) as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal selfservicereporting.managedservices.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with AMS
<a name="integrate-disable-ta-managed-services"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Managed Services (AMS) Self-Service Reporting (SSR) as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal selfservicereporting.managedservices.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for AMS
<a name="integrate-enable-da-managed-services"></a>

Delegated administrator accounts can view AMS reports (such as patch and backup) across all the accounts in a single aggregated view in the AMS console.

You can add a delegated administrator using either the AMS console or API, or by using the Organizations `RegisterDelegatedAdministrator` CLI or SDK operation.

## Disabling a delegated administrator for AMS
<a name="integrate-disable-da-managed-services"></a>

Only an administrator in the organization management account can remove a delegated administrator for AMS.

You can remove the delegated administrator using either the AMS console or API, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation.

# Amazon Macie and AWS Organizations
<a name="services-that-can-integrate-macie"></a>

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover, monitor, and help you protect your sensitive data in Amazon Simple Storage Service (Amazon S3). Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and intellectual property, to provide you with a better understanding of the data that your organization stores in Amazon S3.

For more information, see [Managing Amazon Macie accounts with AWS Organizations](https://docs.aws.amazon.com/macie/latest/user/macie-organizations.html) in the *[Amazon Macie User Guide](https://docs.aws.amazon.com/macie/latest/userguide/)*.

Use the following information to help you integrate Amazon Macie with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-macie"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created for your organization's delegated Macie administrator account when you enable trusted access. This role allows Macie to perform supported operations for the accounts in your organization.

You can delete this role only if you disable trusted access between Macie and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForAmazonMacie`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-macie"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Macie grant access to the following service principals:
+ `macie.amazonaws.com`

## Enabling trusted access with Macie
<a name="integrate-enable-ta-macie"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the Amazon Macie console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the Amazon Macie console or tools to enable integration with Organizations. This lets Amazon Macie perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by Amazon Macie. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the Amazon Macie console or tools then you don’t need to complete these steps.

**To enable trusted access using the Macie console**  
Amazon Macie requires trusted access to AWS Organizations to designate a member account to be the Macie administrator for your organization. If you configure a delegated administrator using the Macie management console, then Macie automatically enables trusted access for you.

For more information, see [Integrating and configuring an organization in Amazon Macie](https://docs.aws.amazon.com/macie/latest/user/accounts-mgmt-ao-integrate.html) in the *Amazon Macie User Guide*.

You can also enable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable Amazon Macie as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal macie.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Macie
<a name="integrate-enable-da-macie"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Macie that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Macie.

**Minimum permissions**  
Only a user or role in the Organizations management account with the following permissions can configure a member account as a delegated administrator for Macie in the organization:
+ `organizations:EnableAWSServiceAccess`
+ `macie:EnableOrganizationAdminAccount`

**To designate a member account as a delegated administrator for Macie**  
Amazon Macie requires trusted access to AWS Organizations to designate a member account to be the Macie administrator for your organization. If you configure a delegated administrator using the Macie management console, then Macie automatically enables trusted access for you.

For more information, see [Managing Amazon Macie accounts with AWS Organizations](https://docs.aws.amazon.com/macie/latest/user/macie-organizations.html#register-delegated-admin) in the *Amazon Macie User Guide*.

# AWS Marketplace and AWS Organizations
<a name="services-that-can-integrate-marketplace"></a>

AWS Marketplace is a curated digital catalog that you can use to find, buy, deploy, and manage third-party software, data, and services that you need to build solutions and run your businesses.

AWS Marketplace creates and manages licenses using AWS License Manager for your purchases in AWS Marketplace. When you share (grant access to) your licenses with other accounts in your organization, AWS Marketplace creates and manages new licenses for those accounts. 

For more information, see [Service-linked roles for AWS Marketplace](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-using-service-linked-roles.html) in the *AWS Marketplace Buyer Guide*.

Use the following information to help you integrate AWS Marketplace with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-marketplace"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows AWS Marketplace to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between AWS Marketplace and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForMarketplaceLicenseManagement`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-marketplace"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by AWS Marketplace grant access to the following service principals:
+ `license-management.marketplace.amazonaws.com`

## Enabling trusted access with AWS Marketplace
<a name="integrate-enable-ta-marketplace"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Marketplace console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Marketplace console or tools to enable integration with Organizations. This lets AWS Marketplace perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Marketplace. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Marketplace console or tools then you don’t need to complete these steps.

**To enable trusted access using the AWS Marketplace console**  
See [Creating a service-linked role for AWS Marketplace](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-using-service-linked-roles.html#buyer-creating-service-linked-role) in the *AWS Marketplace Buyer Guide*.

You can also enable trusted access by using the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Marketplace** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Marketplace** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Marketplace that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Marketplace as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal license-management.marketplace.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with AWS Marketplace
<a name="integrate-disable-ta-marketplace"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Marketplace as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal license-management.marketplace.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

# AWS Marketplace Private Marketplace and AWS Organizations
<a name="services-that-can-integrate-private-marketplace"></a>

AWS Marketplace is a curated digital catalog that you can use to find, buy, deploy, and manage third-party software, data, and services that you need to build solutions and run your businesses. A private marketplace provides you with a broad catalog of products available in AWS Marketplace, along with ﬁne-grained control of those products.

AWS Marketplace Private Marketplace enables you to create multiple private marketplace experiences that are associated with your entire organization, one or more OUs, or one or more accounts in your organization, each with its own set of approved products. Your AWS administrators can also apply company branding to each private marketplace experience with your company or team’s logo, messaging, and color scheme. 

For more information, see [Using roles to configure Private Marketplace in AWS Marketplace](https://docs.aws.amazon.com/marketplace/latest/buyerguide/using-service-linked-roles-private-marketplace.html) in the *AWS Marketplace Buyer Guide*.

Use the following information to help you integrate AWS Marketplace Private Marketplace with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-private-marketplace"></a>

The following service-linked role is automatically created in your organization's management account when you enable trusted access using the AWS Marketplace Private Marketplace console. This role allows Private Marketplace to perform supported operations within the accounts in your organization. You can delete or modify this role only if you disable trusted access between AWS Marketplace Private Marketplace and Organizations and disassociate all private marketplace experiences in your organization. 

If you enable trusted access directly from the Organizations console, CLI or SDK, the service-linked role is not created automatically. 
+ `AWSServiceRoleForPrivateMarketplaceAdmin`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-private-marketplace"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Private Marketplace grant access to the following service principals:
+ `private-marketplace.marketplace.amazonaws.com`

## Enabling trusted access with Private Marketplace
<a name="integrate-enable-ta-private-marketplace"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Marketplace Private Marketplace console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Marketplace Private Marketplace console or tools to enable integration with Organizations. This lets AWS Marketplace Private Marketplace perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Marketplace Private Marketplace. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Marketplace Private Marketplace console or tools then you don’t need to complete these steps.

**To enable trusted access using the Private Marketplace console**  
See [Getting started with Private Marketplace](https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-catalog-administration.html#private-marketplace-getting-started) in the *AWS Marketplace Buyer Guide*.

You can also enable trusted access by using the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Marketplace Private Marketplace** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Marketplace Private Marketplace** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Marketplace Private Marketplace that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Marketplace Private Marketplace as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal private-marketplace.marketplace.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with Private Marketplace
<a name="integrate-disable-ta-private-marketplace"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Marketplace Private Marketplace as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal private-marketplace.marketplace.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Private Marketplace
<a name="integrate-enable-da-private-marketplace"></a>

The management account administrator can delegate Private Marketplace administrative permissions to a designated member account known as delegated administrator. To register an account as a delegated administrator for the private marketplace, the management account administrator must ensure that trusted access and the service-linked role are enabled, choose **Register a new administrator**, provide the 12-digit AWS account number, and choose **Submit**. 

Management accounts and delegated administrator accounts can perform Private Marketplace administrative tasks, such as creating experiences, updating branding settings, associating or disassociating audiences, adding or removing products, and approving or declining pending requests.

To configure a delegated administrator using the Private Marketplace console, see [Creating and managing a private marketplace](https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-catalog-administration.html#private-marketplace-managing) in the *AWS Marketplace Buyer Guide*.

You can also configure a delegated administrator by using the Organizations `RegisterDelegatedAdministrator` API. For more information, see [register-delegated-administrator](https://docs.aws.amazon.com/cli/latest/reference/organizations/register-delegated-administrator.html) in the *AWS CLI Command Reference*.
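The following script is an added example; it is not part of the AWS documentation and not an AWS-provided tool. It wraps the Organizations CLI calls used throughout this guide (`list-aws-service-access-for-organization`, `enable-aws-service-access`, `list-delegated-administrators`, `register-delegated-administrator`) so that enabling trusted access and registering a delegated administrator are idempotent, enforce the ordering described above (trusted access before registration), and verify each step by reading the organization's state back, because the enable and register calls print nothing on success. Trusted access and delegated administration both extend a service's reach to every account in the organization, so confirming what is actually enabled, rather than trusting a silent call, is the check worth keeping. The script assumes the AWS CLI is on `PATH` and that the caller's credentials belong to the organization's management account with permissions for the four operations named; the service principal and the account ID `123456789012` in the usage line are placeholders. Keep in mind the caveat from the previous section: for Private Marketplace, enabling trusted access from the CLI does not create the service-linked role, so the console step is still required.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): idempotently enable trusted access for a
# service principal and register a delegated administrator, verifying each step by reading
# the organization's state back, because the enable/register calls print nothing on success.
# Assumptions: the AWS CLI is on PATH and the caller runs in the management account with
# permissions for organizations:ListAWSServiceAccessForOrganization, EnableAWSServiceAccess,
# ListDelegatedAdministrators and RegisterDelegatedAdministrator.
set -eu

# Print one enabled service principal per line.
list_enabled_service_principals() {
  aws organizations list-aws-service-access-for-organization \
      --query 'EnabledServicePrincipals[].ServicePrincipal' --output text | tr '\t' '\n'
}

# $1 = service principal; exit status 0 if trusted access is enabled for it.
trusted_access_enabled() {
  list_enabled_service_principals | grep -qx -- "$1"
}

# $1 = service principal. Enable trusted access only if it is not already enabled.
ensure_trusted_access() {
  if trusted_access_enabled "$1"; then
    echo "trusted access already enabled: $1"
    return 0
  fi
  aws organizations enable-aws-service-access --service-principal "$1"
  # Read the state back instead of trusting the silent success of the call.
  if trusted_access_enabled "$1"; then
    echo "trusted access enabled: $1"
  else
    echo "trusted access for $1 not visible after enabling" >&2
    return 1
  fi
}

# $1 = service principal. Print one delegated administrator account ID per line.
list_delegated_admins() {
  aws organizations list-delegated-administrators --service-principal "$1" \
      --query 'DelegatedAdministrators[].Id' --output text | tr '\t' '\n'
}

# $1 = service principal, $2 = account ID; exit status 0 if already registered.
delegated_admin_registered() {
  list_delegated_admins "$1" | grep -qx -- "$2"
}

# $1 = service principal, $2 = 12-digit account ID.
ensure_delegated_admin() {
  case "$2" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "not a 12-digit account ID: $2" >&2; return 2 ;;
  esac
  # Registration requires trusted access for the service principal first.
  ensure_trusted_access "$1"
  if delegated_admin_registered "$1" "$2"; then
    echo "delegated administrator already registered: $2 for $1"
    return 0
  fi
  aws organizations register-delegated-administrator \
      --account-id "$2" --service-principal "$1"
  if delegated_admin_registered "$1" "$2"; then
    echo "delegated administrator registered: $2 for $1"
  else
    echo "$2 not listed as delegated administrator for $1 after registering" >&2
    return 1
  fi
}

# Usage (placeholders): ./delegate.sh private-marketplace.marketplace.amazonaws.com 123456789012
if [ "$#" -eq 2 ]; then
  ensure_delegated_admin "$1" "$2"
fi
```

Running the script twice with the same arguments is safe: the second run reports that trusted access and the delegated administrator are already in place and makes no further calls. A non-zero exit means the state read back from Organizations does not match what was requested, which is the signal to investigate rather than retry.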

## Disabling a delegated administrator for Private Marketplace
<a name="integrate-disable-da-private-marketplace"></a>

Only an administrator in the organization management account can remove a delegated administrator for Private Marketplace.

You can remove the delegated administrator using either the Private Marketplace console or API, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation.

To remove the Private Marketplace delegated administrator account using the Private Marketplace console, see [Creating and managing a private marketplace](https://docs.aws.amazon.com/marketplace/latest/buyerguide/private-catalog-administration.html#private-marketplace-managing) in the *AWS Marketplace Buyer Guide*.

# AWS Marketplace procurement insights dashboard and AWS Organizations
<a name="services-that-can-integrate-procurement-insights"></a>

You use the AWS Marketplace procurement insights dashboard to view agreements and cost-analysis data for all of the AWS accounts in your organization. When integrated with Organizations, AWS Marketplace procurement insights dashboard listens to organization changes, such as an account joining the organization, and aggregates data for their corresponding agreements to build their dashboards. 

For more information, see [Procurement insights ](https://docs.aws.amazon.com/marketplace/latest/buyerguide/procurement-insights.html) in the *AWS Marketplace Buyer Guide*.

Use the following information to help you integrate AWS Marketplace procurement insights dashboard with AWS Organizations.



## Service-linked roles and managed policies created when you enable integration
<a name="integrate-enable-slr-procurement-insights"></a>

When you activate the AWS Marketplace procurement insights dashboard, the service-linked role described in [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-service-linked-role-procurement.html](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-service-linked-role-procurement.html) and the AWS managed policy described in [https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-security-iam-awsmanpol.html#aws-procurement-insights](https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-security-iam-awsmanpol.html#aws-procurement-insights) are created.

## Enabling trusted access with AWS Marketplace procurement insights
<a name="integrate-enable-ta-procurement-insights"></a>

Enabling trusted access grants the AWS Marketplace procurement insights dashboard the ability to integrate with your Organizations service. The AWS Marketplace procurement insights dashboard listens for organization changes, such as an account joining the organization, and aggregates the data for that account's agreements into the dashboards.

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Marketplace procurement insights dashboard console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Marketplace procurement insights dashboard console or tools to enable integration with Organizations. This lets AWS Marketplace procurement insights dashboard perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Marketplace procurement insights dashboard. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Marketplace procurement insights dashboard console or tools then you don’t need to complete these steps.

**To enable trusted access by enabling the AWS Marketplace procurement insights dashboard**  
See [Enabling the AWS Marketplace procurement insights dashboard](https://docs.aws.amazon.com/marketplace/latest/buyerguide/enabling-procurement-insights.html) in the *AWS Marketplace Buyer Guide*.

**To enable trusted access using Organizations tools**

You can enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Marketplace procurement insights dashboard** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Marketplace procurement insights dashboard** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Marketplace procurement insights dashboard that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Marketplace procurement insights dashboard as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal procurement-insights.marketplace.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with AWS Marketplace procurement insights
<a name="integrate-disable-ta-procurement-insights"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Marketplace procurement insights dashboard as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal procurement-insights.marketplace.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for AWS Marketplace procurement insights
<a name="integrate-enable-da-procurement-insights"></a>

To configure a delegated administrator in the AWS Marketplace procurement insights console, see [Registering delegated administrators](https://docs.aws.amazon.com/marketplace/latest/buyerguide/management-delegates.html#management-register-delegate) in the *AWS Marketplace Buyer Guide*.

You can also configure a delegated administrator by using the Organizations `RegisterDelegatedAdministrator` API. For more information, see [RegisterDelegatedAdministrator](https://docs.aws.amazon.com/cli/latest/reference/organizations/register-delegated-administrator.html) in the *Organizations Command Reference*.

## Disabling a delegated administrator for AWS Marketplace procurement insights
<a name="integrate-disable-da-procurement-insights"></a>

Only an administrator in the organization management account can configure a delegated administrator for AWS Marketplace procurement insights.

To remove a delegated administrator through the AWS Marketplace procurement insights console, see [Deregistering delegated administrators](https://docs.aws.amazon.com/marketplace/latest/buyerguide/management-delegates.html#management-deregister-delegate) in the *AWS Marketplace Buyer Guide*.

You can also remove the delegated administrator by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation.

# AWS Network Manager and AWS Organizations
<a name="services-that-can-integrate-network-manager"></a>

Network Manager enables you to centrally manage your AWS Cloud WAN core network and your AWS Transit Gateway network across AWS accounts, Regions, and on-premises locations. With multi-account support you can create a single global network for any of your AWS accounts, and register transit gateways from multiple accounts to the global network using the Network Manager console. 

With trusted access between Network Manager and Organizations enabled, the registered delegated administrators and the management account can use the service-linked role deployed in the member accounts to describe resources attached to your global networks. From the Network Manager console, the registered delegated administrators and the management account can assume the custom IAM roles deployed in the member accounts: `CloudWatch-CrossAccountSharingRole` for multi-account monitoring and eventing, and `IAMRoleForAWSNetworkManagerCrossAccountResourceAccess` for the console switch-role access used to view and manage multi-account resources.

**Important**  
We strongly recommend using the Network Manager console to manage multi-account settings (enable/disable trusted access and register/deregister delegated administrators). Managing these settings from the console automatically deploys and manages all required service-linked roles and custom IAM roles to the member accounts needed for multi-account access.
When you enable trusted access for Network Manager in the Network Manager console, the console also enables the CloudFormation StackSets service. Network Manager uses StackSets to deploy the custom IAM roles needed for multi-account management.

For more information about integrating Network Manager with Organizations, see [Manage multiple accounts in Network Manager with AWS Organizations](https://docs.aws.amazon.com/vpc/latest/tgwnm/tgw-nm-multi.html) in the *Amazon VPC User Guide*.

Use the following information to help you integrate AWS Network Manager with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-network-manager"></a>

When you enable trusted access, the following [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) are automatically created in the listed organization accounts. These roles allow Network Manager to perform supported operations within the accounts in your organization. If you disable trusted access, Network Manager will not delete these roles from accounts in your organization. You can manually delete them using the IAM console.

Management account
+ `AWSServiceRoleForNetworkManager`
+ `AWSServiceRoleForCloudFormationStackSetsOrgAdmin`
+ `AWSServiceRoleForCloudWatchCrossAccount`

Member accounts
+ `AWSServiceRoleForNetworkManager`
+ `AWSServiceRoleForCloudFormationStackSetsOrgMember`

When you register a member account as a delegated administrator, the following additional role is automatically created in the delegated administrator account:
+ `AWSServiceRoleForCloudWatchCrossAccount`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-network-manager"></a>

The service-linked roles can only be assumed by the service principals authorized by the trust relationships defined for the role. 
+ For the `AWSServiceRoleForNetworkManager` service-linked role, `networkmanager.amazonaws.com` is the only service principal that has access. 
+ For the `AWSServiceRoleForCloudFormationStackSetsOrgMember` service-linked role, `member.org.stacksets.cloudformation.amazonaws.com` is the only service principal that has access. 
+ For the `AWSServiceRoleForCloudFormationStackSetsOrgAdmin` service-linked role, `stacksets.cloudformation.amazonaws.com` is the only service principal that has access. 
+ For the `AWSServiceRoleForCloudWatchCrossAccount` service-linked role, `cloudwatch-crossaccount.amazonaws.com` is the only service principal that has access. 

Deleting these roles will impair multi-account functionality for Network Manager.
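Because each of these service-linked roles is meant to be assumable only by the one service principal listed above, a useful control is to periodically compare each role's trust policy against that list. The following added example (not part of the AWS documentation) does that comparison on the `AssumeRolePolicyDocument` shape that `aws iam get-role` returns; the two policy documents it contains are constructed for illustration, and the second one deliberately includes an extra, non-service principal to show what drift looks like.

```python
"""Check that a Network Manager service-linked role's trust policy admits
only the service principal documented for it.

Added example, not part of the AWS Organizations documentation. The policy
documents below are constructed to match the shape of the
AssumeRolePolicyDocument returned by `aws iam get-role`; feed real output
in to check your own roles.
"""
import json

# Service principals documented for the Network Manager service-linked roles.
EXPECTED_PRINCIPALS = {
    "AWSServiceRoleForNetworkManager": "networkmanager.amazonaws.com",
    "AWSServiceRoleForCloudFormationStackSetsOrgMember":
        "member.org.stacksets.cloudformation.amazonaws.com",
    "AWSServiceRoleForCloudFormationStackSetsOrgAdmin":
        "stacksets.cloudformation.amazonaws.com",
    "AWSServiceRoleForCloudWatchCrossAccount":
        "cloudwatch-crossaccount.amazonaws.com",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assume_role_principals(policy_doc):
    """Return the set of principals that some Allow statement lets call
    sts:AssumeRole. Service principals are returned bare; other principal
    kinds (AWS, Federated) are prefixed with their key so they stand out."""
    principals = set()
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals.add("*")
            continue
        for kind, values in (principal or {}).items():
            for value in _as_list(values):
                principals.add(value if kind == "Service" else f"{kind}:{value}")
    return principals


def check_trust_policy(role_name, policy_doc):
    """Return (ok, unexpected): ok is True only when the trust policy admits
    exactly the documented principal; unexpected lists any others found."""
    expected = EXPECTED_PRINCIPALS[role_name]
    found = assume_role_principals(policy_doc)
    unexpected = sorted(found - {expected})
    return expected in found and not unexpected, unexpected


# Constructed sample trust policy that matches the documentation.
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "networkmanager.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}""")

# Constructed drifted copy: a second statement trusts an account principal
# (111122223333 is a placeholder account ID) in addition to the service.
DRIFTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "networkmanager.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["sts:AssumeRole"]}
  ]
}""")

if __name__ == "__main__":
    for label, doc in (("documented", GOOD_POLICY), ("drifted", DRIFTED_POLICY)):
        ok, extra = check_trust_policy("AWSServiceRoleForNetworkManager", doc)
        print(f"{label}: {'OK' if ok else 'UNEXPECTED principals ' + str(extra)}")
```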

## Enabling trusted access with Network Manager
<a name="integrate-enable-ta-network-manager"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

Only an administrator in the Organizations management account has permissions to enable trusted access with another AWS service. Be sure to use the Network Manager *console* to enable trusted access, to avoid permissions issues. For more information, see [Manage multiple accounts in Network Manager with AWS Organizations](https://docs.aws.amazon.com/vpc/latest/tgwnm/tgw-nm-multi.html) in the *Amazon VPC User Guide*.

## Disabling trusted access with Network Manager
<a name="integrate-disable-ta-network-manager"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in an Organizations management account has permissions to disable trusted access with another AWS service. 

**Important**  
We strongly recommend using the Network Manager console to disable trusted access. If you disable trusted access in any other way, such as using AWS CLI, with an API, or with the CloudFormation console, deployed CloudFormation StackSets and custom IAM roles may not be properly cleaned up. To disable trusted service access, sign in to the [Network Manager console](https://console.aws.amazon.com/vpc/home#networkmanager). 

## Enabling a delegated administrator account for Network Manager
<a name="integrate-enable-da-network-manager"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Network Manager that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Network Manager.

For instructions on how to designate a member account as a delegated administrator of Network Manager in the organization, see [Register a delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) in the *Amazon VPC User Guide*.

# Amazon Q Developer and AWS Organizations
<a name="services-that-can-integrate-amazon-q-dev"></a>

Amazon Q Developer is a generative AI-powered conversational assistant that can help you understand, build, extend, and operate AWS applications. It is also a general-purpose, machine learning-powered code generator that provides you with code recommendations in real time. The paid subscription version of Amazon Q Developer requires Organizations integration. For more information, see [Account, IAM Identity Center, and Organizations setup](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/q-admin-setup-topic-account.html#admin-setup-org) in the *Amazon Q user guide*.

Use the following information to help you integrate Amazon Q Developer with AWS Organizations.



## Service-linked roles
<a name="integrate-enable-slr-amazon-q-dev"></a>

The `AWSServiceRoleForAmazonQDeveloper` service-linked role allows Amazon Q Developer to perform supported operations within your organization. Create the role using the Amazon Q Developer console, API, or CLI, as described in [Creating a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/). 

If you are using a member account, then you can delete or modify this role only if you disable trusted access between Amazon Q Developer and Organizations, or if you remove the member account from the organization. 

## Service principals used by Amazon Q Developer
<a name="integrate-enable-svcprin-amazon-q-dev"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Amazon Q Developer grant access to the following service principals:
+ `q.amazonaws.com`

## Enabling trusted access with Amazon Q Developer
<a name="integrate-enable-ta-amazon-q-dev"></a>

Amazon Q Developer Pro uses trusted access to share the settings made in the Organizations management account with member accounts in the same organization.

For example, the Amazon Q Developer Pro administrator, working in the Organizations management account, may enable suggestions with code references. If trusted access is enabled, then suggestions with code references will also be enabled for all member accounts in that organization. 

You can only enable trusted access using Amazon Q Developer.

To enable trusted access for Amazon Q Developer, use this procedure.

1. On the Amazon Q Developer **Settings** page, under **Member account settings**, choose **Edit**.

1. In the pop-up window, select **On**.

1. Choose **Save**.

For more information, see [Enabling trusted access](https://docs.aws.amazon.com//amazonq/latest/qdeveloper-ug/q-admin-setup-subscribe-general.html#q-admin-trusted-access) in the *Amazon Q Developer user guide*.

## Disabling trusted access with Amazon Q Developer
<a name="integrate-disable-ta-amazon-q-dev"></a>

You can only disable trusted access using the Amazon Q Developer tools.

To disable trusted access for Amazon Q Developer, use this procedure.

1. On the Amazon Q Developer **Settings** page, under **Member account settings**, choose **Edit**.

1. In the pop-up window, select **Off**.

1. Choose **Save**.

For more information, see [Enabling trusted access](https://docs.aws.amazon.com//amazonq/latest/qdeveloper-ug/q-admin-setup-subscribe-general.html#q-admin-trusted-access) in the *Amazon Q Developer user guide*.

# AWS Resource Access Manager and AWS Organizations
<a name="services-that-can-integrate-ram"></a>

AWS Resource Access Manager (AWS RAM) enables you to share specified AWS resources that you own with other AWS accounts. It's a centralized service that provides a consistent experience for sharing different types of AWS resources across multiple accounts.

For more information about AWS RAM, see the [AWS RAM User Guide](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html).

Use the following information to help you integrate AWS Resource Access Manager with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-ram"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows AWS RAM to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between AWS RAM and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForResourceAccessManager`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-ram"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by AWS RAM grant access to the following service principals:
+ `ram.amazonaws.com`

## Enabling trusted access with AWS RAM
<a name="integrate-enable-ta-ram"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Resource Access Manager console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Resource Access Manager console or tools to enable integration with Organizations. This lets AWS Resource Access Manager perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Resource Access Manager. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Resource Access Manager console or tools then you don’t need to complete these steps.

**To enable trusted access using the AWS RAM console or CLI**  
See [Enable Sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS RAM User Guide*.

You can enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Resource Access Manager** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Resource Access Manager** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Resource Access Manager that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Resource Access Manager as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal ram.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with AWS RAM
<a name="integrate-disable-ta-ram"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can disable trusted access using either the AWS Resource Access Manager or the AWS Organizations tools.

**Important**  
We strongly recommend that whenever possible, you use the AWS Resource Access Manager console or tools to disable integration with Organizations. This lets AWS Resource Access Manager perform any clean up that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by AWS Resource Access Manager.  
If you disable trusted access by using the AWS Resource Access Manager console or tools then you don’t need to complete these steps.

**To disable trusted access using the AWS Resource Access Manager console or CLI**  
See [Enable Sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS RAM User Guide*.

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Resource Access Manager** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS Resource Access Manager** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Resource Access Manager that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Resource Access Manager as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal ram.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

# AWS Resource Explorer and AWS Organizations
<a name="services-that-can-integrate-resource-explorer"></a>

AWS Resource Explorer is a resource search and discovery service. With Resource Explorer, you can explore your resources, such as Amazon Elastic Compute Cloud instances, Amazon Kinesis Data Streams, or Amazon DynamoDB tables, using an internet search engine-like experience. You can search for your resources using resource metadata such as names, tags, and IDs. Resource Explorer works across AWS Regions in your account to simplify your cross-Region workloads.

When you integrate Resource Explorer with AWS Organizations, you can gather evidence from a broader source by including multiple AWS accounts from your organization within the scope of your assessments.

Use the following information to help you integrate AWS Resource Explorer with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-resource-explorer"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Resource Explorer to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between Resource Explorer and Organizations, or if you remove the member account from the organization.

For more information about how Resource Explorer uses this role, see [Using service-linked roles](https://docs.aws.amazon.com/resource-explorer/latest/userguide/security_iam_service-linked-roles.html) in the *AWS Resource Explorer User Guide*.
+ `AWSServiceRoleForResourceExplorer`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-resource-explorer"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Resource Explorer grant access to the following service principals:
+ `resource-explorer-2.amazonaws.com`

## To enable trusted access with AWS Resource Explorer
<a name="integrate-enable-ta-resource-explorer"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

Resource Explorer requires trusted access to AWS Organizations before you can designate a member account to be the delegated administrator for your organization.

You can enable trusted access using either the Resource Explorer console or the Organizations console. We strongly recommend that whenever possible, you use the Resource Explorer console or tools to enable integration with Organizations. This lets AWS Resource Explorer perform any configuration that it requires, such as creating resources needed by the service.

**To enable trusted access using the Resource Explorer console**  
For instructions about enabling trusted access, see [Prerequisites to using Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/getting-started-setting-up-prereqs.html) in the *AWS Resource Explorer User Guide*.

**Note**  
If you configure a delegated administrator using the AWS Resource Explorer console, then AWS Resource Explorer automatically enables trusted access for you.

You can enable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Resource Explorer as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal resource-explorer-2.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## To disable trusted access with Resource Explorer
<a name="integrate-disable-ta-resource-explorer"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in the AWS Organizations management account can disable trusted access with AWS Resource Explorer.

You can disable trusted access using either the AWS Resource Explorer or the AWS Organizations tools.

**Important**  
We strongly recommend that whenever possible, you use the AWS Resource Explorer console or tools to disable integration with Organizations. This lets AWS Resource Explorer perform any clean up that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by AWS Resource Explorer.  
If you disable trusted access by using the AWS Resource Explorer console or tools then you don’t need to complete these steps.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Resource Explorer as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal resource-explorer-2.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Resource Explorer
<a name="integrate-enable-da-resource-explorer"></a>

Use your delegated administrator account to create multi-account resource views and scope them to an organizational unit or to your entire organization. You can share multi-account views with any account in your organization through AWS Resource Access Manager by creating resource shares.

**Minimum permissions**  
Only a user or role in the Organizations management account with the following permission can configure a member account as a delegated administrator for Resource Explorer in the organization:  
`resource-explorer:RegisterAccount`

For instructions about enabling a delegated administrator account for Resource Explorer, see [Setting Up](https://docs.aws.amazon.com/resource-explorer/latest/userguide/getting-started-setting-up-prereqs.html) in the *AWS Resource Explorer User Guide*.

If you configure a delegated administrator using the AWS Resource Explorer console, then Resource Explorer automatically enables trusted access for you. 

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal resource-explorer-2.amazonaws.com
  ```
+ AWS SDK: Call the Organizations `RegisterDelegatedAdministrator` operation, passing the member account's ID number and the service principal `resource-explorer-2.amazonaws.com` as parameters.

------

## Disabling a delegated administrator for Resource Explorer
<a name="integrate-disable-da-resource-explorer"></a>

Only an administrator in the Organizations management account or in the Resource Explorer delegated administrator account can remove a delegated administrator for Resource Explorer. You can remove the delegated administrator using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation.

# AWS Security Hub CSPM and AWS Organizations
<a name="services-that-can-integrate-securityhub"></a>

AWS Security Hub CSPM provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices.

Security Hub CSPM collects security data from across your AWS accounts, the AWS services you use, and supported third-party partner products. It helps you to analyze your security trends and identify the highest priority security issues.

When you use both Security Hub CSPM and AWS Organizations together, you can automatically enable Security Hub CSPM for all of your accounts, including new accounts as they are added. This increases the coverage for Security Hub CSPM checks and findings, which provides a more comprehensive and accurate picture of your overall security posture.

For more information about Security Hub CSPM, see the *[AWS Security Hub User Guide](https://docs.aws.amazon.com/securityhub/latest/userguide/)*.

Use the following information to help you integrate AWS Security Hub CSPM with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-securityhub"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Security Hub CSPM to perform supported operations within your organization's accounts.

You can delete or modify this role only if you disable trusted access between Security Hub CSPM and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForSecurityHub`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-securityhub"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Security Hub CSPM grant access to the following service principals:
+ `securityhub.amazonaws.com`

## Enabling trusted access with Security Hub CSPM
<a name="integrate-enable-ta-securityhub"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

When you designate a delegated administrator for Security Hub CSPM, Security Hub CSPM automatically enables trusted access for Security Hub in your organization.

## Disabling trusted access with Security Hub CSPM
<a name="integrate-disable-ta-securityhub"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_trusted_access_disable_perms) in the *AWS Organizations User Guide*.

Before you disable trusted access, we recommend working with the delegated administrator for your organization to disable Security Hub CSPM in member accounts and to clean up Security Hub CSPM resources in those accounts.

You can disable trusted access by using the AWS Organizations console, Organizations API, or the AWS CLI. Only an administrator of the Organizations management account can disable trusted access with Security Hub CSPM.

For instructions on disabling trusted access with Security Hub CSPM, see [Disabling Security Hub CSPM integration with AWS Organizations](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#disable-orgs-integration).

## Enabling a delegated administrator for Security Hub CSPM
<a name="integrate-enable-da-securityhub"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Security Hub CSPM that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Security Hub CSPM.

For information, see [Designating a Security Hub CSPM administrator account](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html) in the *AWS Security Hub User Guide*.

**To designate a member account as a delegated administrator for Security Hub CSPM**

1. Sign in with your Organizations management account.

1. Perform one of the following:
   + If your management account does not have Security Hub CSPM enabled, then on the Security Hub CSPM console, choose **Go to Security Hub CSPM**.
   + If your management account does have Security Hub CSPM enabled, then on the Security Hub CSPM console, under **General** choose **Settings**.

1. Under **Delegated Administrator**, enter the account ID.

## Disabling a delegated administrator for Security Hub CSPM
<a name="integrate-disable-da-securityhub"></a>

Only the organization management account can remove the delegated Security Hub CSPM administrator account.

To change the delegated Security Hub CSPM administrator, you must first remove the current delegated administrator account and then designate a new one.

If you use the Security Hub CSPM console to remove the delegated administrator in one Region, it is automatically removed in all Regions.

The Security Hub CSPM API only removes the delegated Security Hub CSPM administrator account from the Region where the API call or command is issued. You must repeat the action in other Regions.

If you use the Organizations API to remove the delegated Security Hub CSPM administrator account, it is automatically removed in all Regions.

For instructions on disabling the delegated Security Hub CSPM administrator, see [Removing or changing the delegated administrator](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#remove-admin-overview).

# Amazon S3 Storage Lens and AWS Organizations
<a name="services-that-can-integrate-s3lens"></a>

By giving Amazon S3 Storage Lens trusted access to your organization, you allow it to collect and aggregate metrics across all of the AWS accounts in your organization. S3 Storage Lens does this by accessing the list of accounts that belong to your organization and collecting and analyzing storage usage and activity metrics for all of them.

For more information, see [Using service-linked roles for Amazon S3 Storage Lens](https://docs.aws.amazon.com/AmazonS3/latest/dev/using-service-linked-roles.html) in the *Amazon S3 Storage Lens User Guide*.

Use the following information to help you integrate Amazon S3 Storage Lens with AWS Organizations.



## Service-linked role created when you enable integration
<a name="integrate-enable-slr-s3lens"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's delegated administrator account when you enable trusted access and the Storage Lens configuration has been applied to your organization. This role allows Amazon S3 Storage Lens to perform supported operations within your organization's accounts.

You can delete or modify this role only if you disable trusted access between Amazon S3 Storage Lens and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForS3StorageLens` 

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-s3lens"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Amazon S3 Storage Lens grant access to the following service principals:
+ `storage-lens.s3.amazonaws.com`

## Enabling trusted access with Amazon S3 Storage Lens
<a name="integrate-enable-ta-s3lens"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the Amazon S3 Storage Lens console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the Amazon S3 Storage Lens console or tools to enable integration with Organizations. This lets Amazon S3 Storage Lens perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by Amazon S3 Storage Lens. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the Amazon S3 Storage Lens console or tools then you don’t need to complete these steps.

**To enable trusted access using the Amazon S3 console**  
See [Enabling trusted access for S3 Storage Lens](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/storage_lens_with_organizations.html#storage_lens_with_organizations_enabling_trusted_access) in the *Amazon Simple Storage Service User Guide*.

You can enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Amazon S3 Storage Lens** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for Amazon S3 Storage Lens** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of Amazon S3 Storage Lens that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable Amazon S3 Storage Lens as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal storage-lens.s3.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with Amazon S3 Storage Lens
<a name="integrate-disable-ta-s3lens"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Amazon S3 Storage Lens tools.

You can disable trusted access using the Amazon S3 console, the AWS CLI or any of the AWS SDKs.

**To disable trusted access using the Amazon S3 console**  
See [Disabling trusted access for S3 Storage Lens](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/storage_lens_with_organizations.html#storage_lens_with_organizations_disabling_trusted_access) in the *Amazon Simple Storage Service User Guide*.

## Enabling a delegated administrator account for Amazon S3 Storage Lens
<a name="integrate-enable-da-s3lens"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Amazon S3 Storage Lens that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Amazon S3 Storage Lens.

**Minimum permissions**  
Only a user or role in the Organizations management account with the following permission can configure a member account as a delegated administrator for Amazon S3 Storage Lens in the organization:  
`organizations:RegisterDelegatedAdministrator`  
`organizations:DeregisterDelegatedAdministrator`

Amazon S3 Storage Lens supports a maximum of 5 delegated administrator accounts in your organization.

**To designate a member account as a delegated administrator for Amazon S3 Storage Lens**  
You can register a delegated administrator using the Amazon S3 console, the AWS CLI or any of the AWS SDKs. To register a member account as a delegated administrator account for your organization using the Amazon S3 console, see [Registering a delegated administrator for S3 Storage Lens](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/storage_lens_with_organizations.html#storage_lens_with_organizations_registering_delegated_admins) in the *Amazon Simple Storage Service User Guide*.

**To deregister a delegated administrator for Amazon S3 Storage Lens**  
You can deregister a delegated administrator using the Amazon S3 console, the AWS CLI or any of the AWS SDKs. To deregister a delegated administrator using the Amazon S3 console, see [Deregistering a delegated administrator for S3 Storage Lens](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/storage_lens_with_organizations.html#storage_lens_with_organizations_deregistering_delegated_admins) in the *Amazon Simple Storage Service User Guide*.

# AWS Security Incident Response and AWS Organizations
<a name="services-that-can-integrate-security-ir"></a>

AWS Security Incident Response is a security service that provides 24/7, live, human-assisted security incident support to help customers respond rapidly to cybersecurity incidents such as credential theft and ransomware attacks. By integrating with Organizations you enable security coverage for your entire organization. For more information, see [Managing AWS Security Incident Response accounts with AWS Organizations](https://docs.aws.amazon.com/security-ir/latest/userguide/security-ir-organizations.html) in the *Security Incident Response User Guide*.

Use the following information to help you integrate AWS Security Incident Response with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-security-ir"></a>

The following service-linked roles are automatically created in your organization's management account when you enable trusted access. 
+ `AWSServiceRoleForSecurityIncidentResponse`: used to create your Security Incident Response membership, that is, your subscription to the service through AWS Organizations.
+ `AWSServiceRoleForSecurityIncidentResponse_Triage`: used only when you enable the triage feature during sign-up.

## Service principals used by Security Incident Response
<a name="integrate-enable-svcprin-security-ir"></a>

The service-linked roles in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the roles. The service-linked roles used by Security Incident Response grant access to the following service principal:
+ `security-ir.amazonaws.com`

## Enabling trusted access to Security Incident Response
<a name="integrate-enable-ta-security-ir"></a>

Enabling trusted access to Security Incident Response allows the service to keep track of your organization's structure and ensure that all accounts in the organization have active security incident coverage. It also allows the service to use a service-linked role in member accounts for triaging capabilities when you enable the triage feature.

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Security Incident Response console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Security Incident Response console or tools to enable integration with Organizations. This lets AWS Security Incident Response perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Security Incident Response. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Security Incident Response console or tools then you don’t need to complete these steps.

Organizations automatically enables trusted access when you use the Security Incident Response console for setup and management. If you use the Security Incident Response CLI/SDK, you must enable trusted access manually by using the [EnableAWSServiceAccess API](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html). To learn how to enable trusted access through the Security Incident Response console, see [Enabling trusted access for AWS Security Incident Response](https://docs.aws.amazon.com/security-ir/latest/userguide/using-orgs-trusted-access.html) in the *Security Incident Response User Guide*.

You can enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Security Incident Response** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Security Incident Response** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Security Incident Response that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Security Incident Response as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal security-ir.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with Security Incident Response
<a name="integrate-disable-ta-security-ir"></a>

Only an administrator in the Organizations management account can disable trusted access with Security Incident Response. 

You can only disable trusted access using the Organizations tools.

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Security Incident Response** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS Security Incident Response** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Security Incident Response that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Security Incident Response as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal security-ir.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Security Incident Response
<a name="integrate-enable-da-security-ir"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Security Incident Response that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Security Incident Response. For more information, see [ Managing AWS Security Incident Response accounts with AWS Organizations](https://docs.aws.amazon.com/security-ir/latest/userguide/security-ir-organizations.html) in the *Security Incident Response User Guide*.

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Security Incident Response in the organization.

To learn how to configure a delegated administrator through the Security Incident Response console, see [Designating a delegated Security Incident Response administrator account](https://docs.aws.amazon.com/security-ir/latest/userguide/delegated-admin-designate.html) in the *Security Incident Response User Guide*.

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal security-ir.amazonaws.com
  ```
+ AWS SDK: Call the Organizations `RegisterDelegatedAdministrator` operation, passing the member account's ID number and the service principal `security-ir.amazonaws.com` as parameters.

------

## Disabling a delegated administrator for Security Incident Response
<a name="integrate-disable-da-security-ir"></a>

**Important**  
If membership was created from the delegated administrator account, deregistering the delegated administrator is a destructive action and will cause service disruption. To re-register the delegated administrator:  

1. Sign in to the Security Incident Response console at https://console.aws.amazon.com/security-ir/home\$1/membership/settings

1. Cancel membership from the service console. Membership remains active until the end of the billing cycle.

1. Once membership is cancelled, disable service access through the Organizations console, CLI or SDK.

Only an administrator in the Organizations management account can remove a delegated administrator for Security Incident Response. You can remove the delegated administrator using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation.

# Amazon Security Lake and AWS Organizations
<a name="services-that-can-integrate-sl"></a>

Amazon Security Lake centralizes security data from cloud, on-premises, and custom sources into a data lake that's stored in your account. By integrating with Organizations, you can create a data lake that collects logs and events across your accounts. For more information, see [Managing multiple accounts with AWS Organizations](https://docs.aws.amazon.com/security-lake/latest/userguide/multi-account-management.html) in the *Amazon Security Lake User Guide*.

Use the following information to help you integrate Amazon Security Lake with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-sl"></a>

The following [service-linked role](https://docs.aws.amazon.com/aws-backup/latest/devguide/manage-cross-account.html#backup-delegatedadmin) is automatically created in your organization's management account when you call the [RegisterDataLakeDelegatedAdministrator](https://docs.aws.amazon.com/security-lake/latest/APIReference/API_RegisterDataLakeDelegatedAdministrator.html) API. This role allows Amazon Security Lake to perform supported operations within your organization's accounts.

You can delete or modify this role only if you disable trusted access between Amazon Security Lake and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForSecurityLake`

**Recommendation: Use Security Lake's RegisterDataLakeDelegatedAdministrator API to allow Security Lake access to your organization and to register the Organizations delegated administrator**  
If you use the Organizations APIs to register a delegated administrator, the service-linked role might not be created successfully. To ensure full functionality, use the Security Lake APIs.

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-sl"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Amazon Security Lake grant access to the following service principals:
+ `securitylake.amazonaws.com`

## Enabling trusted access with Amazon Security Lake
<a name="integrate-enable-ta-sl"></a>

When you enable trusted access with Security Lake, Security Lake can react automatically to changes in the organization membership. The delegated administrator can enable AWS logs collection from supported services in any organization account. For more information, see [Service-linked role for Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/service-linked-roles.html) in the *Amazon Security Lake user guide*.

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can only enable trusted access using the Organizations tools.

You can enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Amazon Security Lake** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for Amazon Security Lake** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of Amazon Security Lake that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable Amazon Security Lake as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal securitylake.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with Amazon Security Lake
<a name="integrate-disable-ta-sl"></a>

Only an administrator in the Organizations management account can disable trusted access with Amazon Security Lake. 

You can only disable trusted access using the Organizations tools.

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **Amazon Security Lake** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for Amazon Security Lake** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of Amazon Security Lake that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable Amazon Security Lake as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal securitylake.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Amazon Security Lake
<a name="integrate-enable-da-sl"></a>

The Amazon Security Lake delegated administrator adds other accounts in the organization as member accounts. The delegated administrator can enable Amazon Security Lake and configure Amazon Security Lake settings for the member accounts. The delegated administrator can collect logs across an organization in all AWS Regions where Amazon Security Lake is enabled (regardless of which Regional endpoint you're currently using).

You can also set up the delegated administrator to automatically add new accounts in the organization as members. The Amazon Security Lake delegated administrator has access to the logs and events in associated member accounts. Accordingly, you can set up Amazon Security Lake to collect data owned by associated member accounts. You can also grant subscribers permission to consume data owned by associated member accounts.

For more information, see [Managing multiple accounts with AWS Organizations](https://docs.aws.amazon.com/security-lake/latest/userguide/multi-account-management.html) in the *Amazon Security Lake User Guide*.

**Minimum permissions**  
Only an administrator in the Organizations management account can configure a member account as a delegated administrator for Amazon Security Lake in the organization.

You can specify a delegated administrator account by using the Amazon Security Lake console, the Amazon Security Lake `CreateDatalakeDelegatedAdmin` API operation, or the `create-datalake-delegated-admin` CLI command. Alternatively, you can use the Organizations `RegisterDelegatedAdministrator` CLI or SDK operation. For instructions about enabling a delegated administrator account for Amazon Security Lake, see [Designating the delegated Security Lake administrator and adding member accounts](https://docs.aws.amazon.com/security-lake/latest/userguide/multi-account-management.html#designated-admin) in the *Amazon Security Lake User Guide*.

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $ aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal securitylake.amazonaws.com
  ```
+ AWS SDK: Call the Organizations `RegisterDelegatedAdministrator` operation, passing the member account's ID number and the service principal `securitylake.amazonaws.com` as parameters. 

------

## Disabling a delegated administrator for Amazon Security Lake
<a name="integrate-disable-da-sl"></a>

Only an administrator in either the Organizations management account or the Amazon Security Lake delegated administrator account can remove a delegated administrator account from the organization. 

You can remove the delegated administrator account by using the Amazon Security Lake `DeregisterDataLakeDelegatedAdministrator` API operation, the `deregister-data-lake-delegated-administrator` CLI command, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation. To remove a delegated administrator using Amazon Security Lake, see [Removing the Amazon Security Lake delegated administrator](https://docs.aws.amazon.com/security-lake/latest/userguide/multi-account-management.html#remove-delegated-admin) in the *Amazon Security Lake User Guide*.
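Enabling trusted access and registering a delegated administrator both widen who can act across every member account, so it is worth checking the resulting state against an expected baseline. The following Python script is an added example, not code from the AWS documentation: it consumes the JSON returned by the Organizations `ListAWSServiceAccessForOrganization` and `ListDelegatedAdministrators` operations (for example, saved from the equivalent AWS CLI commands) and reports drift for the service principals used by the integrations in this section and the Service Catalog, Service Quotas, IAM Identity Center and Systems Manager sections that follow; the baseline, responses and account IDs are constructed sample values.

```python
"""Audit Organizations trusted access and delegated administrators against a baseline.

Added example, not from the AWS documentation. Input shapes follow the
ListAWSServiceAccessForOrganization and ListDelegatedAdministrators responses;
the sample data below is constructed so the script runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Service principals used by the integrations described on this page.
SECURITY_LAKE = "securitylake.amazonaws.com"
SERVICE_CATALOG = "servicecatalog.amazonaws.com"
SERVICE_QUOTAS = "servicequotas.amazonaws.com"
IDENTITY_CENTER = "sso.amazonaws.com"
SYSTEMS_MANAGER = "ssm.amazonaws.com"


@dataclass
class Baseline:
    """What the organization is supposed to look like."""
    allowed_services: set[str]
    # service principal -> account IDs allowed to hold delegated administrator
    delegated_admins: dict[str, set[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    # unexpected_service | missing_service | unexpected_admin | missing_admin | inactive_admin
    kind: str
    service_principal: str
    account_id: str = ""


def enabled_service_principals(response: dict) -> set[str]:
    """Service principals from a ListAWSServiceAccessForOrganization response."""
    return {e["ServicePrincipal"] for e in response.get("EnabledServicePrincipals", [])}


def audit(baseline: Baseline, service_access: dict, delegated: dict[str, dict]) -> list[Finding]:
    """Compare live state with the baseline and return every deviation.

    service_access: ListAWSServiceAccessForOrganization response.
    delegated: service principal -> ListDelegatedAdministrators response for it.
    """
    findings: list[Finding] = []
    enabled = enabled_service_principals(service_access)
    # A service with trusted access that the baseline does not list can operate in
    # every member account; a missing one means an expected control is switched off.
    for sp in sorted(enabled - baseline.allowed_services):
        findings.append(Finding("unexpected_service", sp))
    for sp in sorted(baseline.allowed_services - enabled):
        findings.append(Finding("missing_service", sp))
    # Delegated administrators: check every service named in the baseline or live data.
    for sp in sorted(set(baseline.delegated_admins) | set(delegated)):
        admins = delegated.get(sp, {}).get("DelegatedAdministrators", [])
        actual = {a["Id"] for a in admins}
        expected = baseline.delegated_admins.get(sp, set())
        for acct in sorted(actual - expected):
            findings.append(Finding("unexpected_admin", sp, acct))
        for acct in sorted(expected - actual):
            findings.append(Finding("missing_admin", sp, acct))
        for a in admins:
            if a.get("Status") != "ACTIVE":  # e.g. a suspended account still registered
                findings.append(Finding("inactive_admin", sp, a["Id"]))
    return findings


# Constructed sample: Service Catalog is enabled but not in the baseline, Service
# Quotas is expected but not enabled, one extra Security Lake delegated admin, and
# the expected Systems Manager delegated admin is not registered.
BASELINE = Baseline(
    allowed_services={SECURITY_LAKE, IDENTITY_CENTER, SYSTEMS_MANAGER, SERVICE_QUOTAS},
    delegated_admins={SECURITY_LAKE: {"111122223333"}, SYSTEMS_MANAGER: {"444455556666"}},
)
SAMPLE_SERVICE_ACCESS = {
    "EnabledServicePrincipals": [
        {"ServicePrincipal": SECURITY_LAKE, "DateEnabled": "2024-01-15T10:00:00+00:00"},
        {"ServicePrincipal": IDENTITY_CENTER, "DateEnabled": "2023-06-01T08:30:00+00:00"},
        {"ServicePrincipal": SYSTEMS_MANAGER, "DateEnabled": "2023-09-12T14:05:00+00:00"},
        {"ServicePrincipal": SERVICE_CATALOG, "DateEnabled": "2024-03-02T16:45:00+00:00"},
    ]
}
SAMPLE_DELEGATED = {
    SECURITY_LAKE: {"DelegatedAdministrators": [
        {"Id": "111122223333", "Name": "security-tooling", "Status": "ACTIVE"},
        {"Id": "777788889999", "Name": "sandbox", "Status": "ACTIVE"},
    ]},
    SYSTEMS_MANAGER: {"DelegatedAdministrators": []},
}

if __name__ == "__main__":
    import sys
    results = audit(BASELINE, SAMPLE_SERVICE_ACCESS, SAMPLE_DELEGATED)
    for f in results:
        print(f"{f.kind:20} {f.service_principal:32} {f.account_id}")
    sys.exit(1 if results else 0)  # non-zero so a scheduled job can alert on drift
```

Replace the sample dictionaries with the saved output of `aws organizations list-aws-service-access-for-organization` and `aws organizations list-delegated-administrators --service-principal <principal>` to run it against a real organization.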

# AWS Service Catalog and AWS Organizations
<a name="services-that-can-integrate-servicecatalog"></a>

Service Catalog enables you to create and manage catalogs of IT services that are approved for use on AWS.

The integration of Service Catalog with AWS Organizations simplifies the sharing of portfolios and copying of products across an organization. Service Catalog administrators can reference an existing organization in AWS Organizations when sharing a portfolio, and they can share the portfolio with any trusted organizational unit (OU) in the organization's tree structure. This eliminates the need to share portfolio IDs, and for the receiving account to manually reference the portfolio ID when importing the portfolio. Portfolios shared via this mechanism are listed in the shared-to account in the administrator’s **Imported Portfolio** view in Service Catalog.

For more information about Service Catalog, see the [AWS Service Catalog Administrator Guide](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html).

Use the following information to help you integrate AWS Service Catalog with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-servicecatalog"></a>

AWS Service Catalog doesn't create any service-linked roles as part of enabling trusted access.

## Service principals used to grant permissions
<a name="integrate-enable-svcprin-servicecatalog"></a>

To enable trusted access, you must specify the following service principal:
+ `servicecatalog.amazonaws.com`

## Enabling trusted access with Service Catalog
<a name="integrate-enable-ta-servicecatalog"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Service Catalog console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Service Catalog console or tools to enable integration with Organizations. This lets AWS Service Catalog perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Service Catalog. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Service Catalog console or tools then you don’t need to complete these steps.

**To enable trusted access using the Service Catalog CLI or AWS SDK**  
Call one of the following commands or operations:
+ AWS CLI: [aws servicecatalog enable-aws-organizations-access](https://docs.aws.amazon.com/cli/latest/reference/servicecatalog/enable-aws-organizations-access.html)
+ AWS SDKs: [AWSServiceCatalog::EnableAWSOrganizationsAccess](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_EnableAWSOrganizationsAccess.html)

You can enable trusted access by using either the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Service Catalog** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Service Catalog** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Service Catalog that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Service Catalog as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal servicecatalog.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with Service Catalog
<a name="integrate-disable-ta-servicecatalog"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

If you disable trusted access using AWS Organizations while you are using Service Catalog, it doesn't delete your current shares, but it prevents you from creating new shares throughout your organization. Current shares won't be in sync with your organization structure if it changes after you call this action.

**To disable trusted access using the Service Catalog CLI or AWS SDK**  
Call one of the following commands or operations:
+ AWS CLI: [aws servicecatalog disable-aws-organizations-access](https://docs.aws.amazon.com/cli/latest/reference/servicecatalog/disable-aws-organizations-access.html)
+ AWS SDKs: [DisableAWSOrganizationsAccess](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_DisableAWSOrganizationsAccess.html)

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Service Catalog** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS Service Catalog** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Service Catalog that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Service Catalog as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal servicecatalog.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

# Service Quotas and AWS Organizations
<a name="services-that-can-integrate-servicequotas"></a>

Service Quotas is an AWS service that enables you to view and manage your quotas from a central location. Quotas, also referred to as limits, are the maximum value for your resources, actions, and items in your AWS account.

When Service Quotas is associated with AWS Organizations, you can create a quota request template to automatically request quota increases when accounts are created.

For more information about Service Quotas, see the [Service Quotas User Guide](https://docs.aws.amazon.com/servicequotas/latest/userguide/).

Use the following information to help you integrate Service Quotas with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-servicequotas"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Service Quotas to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between Service Quotas and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForServiceQuotas`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-servicequotas"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Service Quotas grant access to the following service principals:
+ `servicequotas.amazonaws.com`

## Enabling trusted access with Service Quotas
<a name="integrate-enable-ta-servicequotas"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can only enable trusted access using Service Quotas.

You can enable trusted access using the Service Quotas console, AWS CLI or SDK:
+ **To enable trusted access using the Service Quotas console**  
  Sign in with your AWS Organizations management account and then configure the template on the Service Quotas console. For more information, see [Using the Service Quota Template](https://docs.aws.amazon.com/servicequotas/latest/userguide/organization-templates.html) in the *Service Quotas User Guide*.
+ **To enable trusted access using the Service Quotas AWS CLI or SDK**  
  Call the following command or operation:
  + AWS CLI: [aws service-quotas associate-service-quota-template](https://docs.aws.amazon.com/cli/latest/reference/service-quotas/API_AssociateServiceQuotaTemplate.html)
  + AWS SDKs: [AssociateServiceQuotaTemplate](https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/API_AssociateServiceQuotaTemplate.html)

# AWS IAM Identity Center and AWS Organizations
<a name="services-that-can-integrate-sso"></a>

AWS IAM Identity Center provides single sign-on access for all of your AWS accounts and cloud applications. It connects with Microsoft Active Directory through AWS Directory Service to allow users in that directory to sign in to a personalized AWS access portal using their existing Active Directory user names and passwords. From the AWS access portal, users have access to all the AWS accounts and cloud applications that they have permissions for.

For more information about IAM Identity Center, see the [AWS IAM Identity Center User Guide](https://docs.aws.amazon.com/singlesignon/latest/userguide/).

Use the following information to help you integrate AWS IAM Identity Center with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-sso"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows IAM Identity Center to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between IAM Identity Center and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForSSO`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-sso"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by IAM Identity Center grant access to the following service principals:
+ `sso.amazonaws.com`

## Enabling trusted access with IAM Identity Center
<a name="integrate-enable-ta-sso"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS IAM Identity Center console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS IAM Identity Center console or tools to enable integration with Organizations. This lets AWS IAM Identity Center perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS IAM Identity Center. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS IAM Identity Center console or tools then you don’t need to complete these steps.

IAM Identity Center requires trusted access with AWS Organizations to function. Trusted access is enabled when you set up IAM Identity Center. For more information, see [Getting Started - Step 1: Enable AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/step1.html) in the *AWS IAM Identity Center User Guide*.

You can enable trusted access by using either the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS IAM Identity Center** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS IAM Identity Center** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS IAM Identity Center that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS IAM Identity Center as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal sso.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with IAM Identity Center
<a name="integrate-disable-ta-sso"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

IAM Identity Center requires trusted access with AWS Organizations to operate. If you disable trusted access using AWS Organizations while you are using IAM Identity Center, it stops functioning because it can't access the organization. Users can't use IAM Identity Center to access accounts. Any roles that IAM Identity Center creates remain, but the IAM Identity Center service can't access them. The IAM Identity Center service-linked roles remain. If you reenable trusted access, IAM Identity Center continues to operate as before, without the need for you to reconfigure the service. 

If you remove an account from your organization, IAM Identity Center automatically cleans up any metadata and resources, such as its service-linked role. A standalone account that is removed from an organization no longer works with IAM Identity Center.

You can only disable trusted access using the Organizations tools.

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS IAM Identity Center** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS IAM Identity Center** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS IAM Identity Center that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS IAM Identity Center as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal sso.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for IAM Identity Center
<a name="integrate-disable-da-sso"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for IAM Identity Center that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of IAM Identity Center.

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for IAM Identity Center in the organization.  


For instructions about how to enable a delegated administrator account for IAM Identity Center, see [Delegated administration](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) in the *AWS IAM Identity Center User Guide*.

# AWS Systems Manager and AWS Organizations
<a name="services-that-can-integrate-ssm"></a>

AWS Systems Manager is a collection of capabilities that enable visibility and control of your AWS resources. The following Systems Manager capabilities work with Organizations across all of the AWS accounts in your organization:
+ Systems Manager Explorer is a customizable operations dashboard that reports information about your AWS resources. You can synchronize operations data across all AWS accounts in your organization by using Organizations and Systems Manager Explorer. For more information, see [Systems Manager Explorer](https://docs.aws.amazon.com/systems-manager/latest/userguide/Explorer.html) in the *AWS Systems Manager User Guide*.
+ Systems Manager Change Manager is an enterprise change management framework for requesting, approving, implementing, and reporting on operational changes to your application configuration and infrastructure. For more information, see [AWS Systems Manager Change Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/change-manager.html) in the *AWS Systems Manager User Guide*.
+ Systems Manager OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve operational work items (OpsItems) related to AWS resources. When you use OpsCenter with Organizations it supports working with OpsItems from a management account (either an Organizations management account or a Systems Manager delegated administrator account) and one other account during a single session. Once configured, users can perform the following types of actions:
  + Create, view, and update OpsItems in another account.
  + View detailed information about AWS resources that are specified in OpsItems in another account.
  + Start Systems Manager Automation runbooks to remediate issues with AWS resources in another account.

  For more information, see [AWS Systems Manager OpsCenter](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-getting-started-multiple-accounts.html) in the *AWS Systems Manager User Guide*.
+ Use Quick Setup to quickly configure frequently used AWS services and features with recommended best practices. For more information, see [AWS Systems Manager Quick Setup](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-quick-setup.html) in the *AWS Systems Manager User Guide*.

  When you register an AWS Organizations delegated administrator account for Systems Manager you can create, update, view, and delete Quick Setup configuration managers that target organizational units in an organization. Learn more in [Using a delegated administrator for Quick Setup ](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-delegated-administrator.html) in the *AWS Systems Manager User Guide*.
+ When you set up the integrated console for Systems Manager, you enter a delegated administrator account. This account is used to register AWS Organizations delegated administrator accounts with Quick Setup, Explorer, CloudFormation StackSets, and Resource Explorer. Learn more in [Setting up Systems Manager integrated console for an organization](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-organizations.html) in the *AWS Systems Manager User Guide*.

Use the following information to help you integrate AWS Systems Manager with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-ssm"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Systems Manager to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between Systems Manager and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForAmazonSSM_AccountDiscovery`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-ssm"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Systems Manager grant access to the following service principals:
+ `ssm.amazonaws.com`

## Enabling trusted access with Systems Manager
<a name="integrate-enable-ta-ssm"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can only enable trusted access using the Organizations tools.

You can enable trusted access by using either the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Systems Manager** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Systems Manager** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Systems Manager that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Systems Manager as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal ssm.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with Systems Manager
<a name="integrate-disable-ta-ssm"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Systems Manager requires trusted access with AWS Organizations to synchronize operations data across AWS accounts in your organization. If you disable trusted access, then Systems Manager fails to synchronize operations data and reports an error.

You can only disable trusted access using the Organizations tools.

You can disable trusted access by using either the AWS Organizations console, by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To disable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Systems Manager** in the list of services.

1. Choose **Disable trusted access**.

1. In the **Disable trusted access for AWS Systems Manager** dialog box, type **disable** to confirm, and then choose **Disable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Systems Manager that they can now disable that service from working with AWS Organizations using the service console or tools.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Systems Manager as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal ssm.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------
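
The enable and disable commands above (and the matching ones for the other services on this page) are one-shot calls that produce no output, so a script that runs them blindly cannot tell a no-op from a change, and nothing stops it from disabling trusted access while a delegated administrator is still registered for that service principal. The following is an added example, not AWS code and not part of this guide: a small Python wrapper around the same Organizations API operations the CLI commands call (`ListAWSServiceAccessForOrganization`, `EnableAWSServiceAccess`, `DisableAWSServiceAccess`, `ListDelegatedAdministrators`) that reads the current state first so the change is idempotent, and refuses to disable trusted access while delegated administrators remain. `FakeOrganizations` is a constructed offline stand-in for `boto3.client("organizations")` with the same method names and response shapes; the refuse-while-delegated rule is a safety policy chosen for this example, not something the API enforces.

```python
"""Idempotent trusted-access changes for an Organizations service integration.

Added example, not AWS code. FakeOrganizations is a constructed in-memory
stand-in for boto3.client("organizations") so the module runs offline; its
method names and response shapes follow the real client.
"""
from dataclasses import dataclass, field


@dataclass
class FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client (offline only)."""
    enabled: set = field(default_factory=set)          # enabled service principals
    delegated: dict = field(default_factory=dict)      # principal -> [account IDs]

    def list_aws_service_access_for_organization(self, **_):
        return {"EnabledServicePrincipals": [
            {"ServicePrincipal": p} for p in sorted(self.enabled)]}

    def list_delegated_administrators(self, ServicePrincipal=None, **_):
        ids = self.delegated.get(ServicePrincipal, [])
        return {"DelegatedAdministrators": [{"Id": i} for i in ids]}

    def enable_aws_service_access(self, ServicePrincipal):
        self.enabled.add(ServicePrincipal)
        return {}

    def disable_aws_service_access(self, ServicePrincipal):
        self.enabled.discard(ServicePrincipal)
        return {}


def trusted_access_enabled(client, principal):
    """True if `principal` appears in the organization's enabled service list.

    Follows NextToken so the check is correct on real, paginated responses.
    """
    kwargs = {}
    while True:
        resp = client.list_aws_service_access_for_organization(**kwargs)
        if any(e["ServicePrincipal"] == principal
               for e in resp["EnabledServicePrincipals"]):
            return True
        token = resp.get("NextToken")
        if not token:
            return False
        kwargs = {"NextToken": token}


def ensure_trusted_access(client, principal, enabled):
    """Bring trusted access for `principal` to the desired state.

    Returns "unchanged", "enabled" or "disabled". Raises RuntimeError when
    asked to disable while delegated administrators are still registered:
    that ordering is a safety policy of this example, not an API requirement.
    """
    if trusted_access_enabled(client, principal) == enabled:
        return "unchanged"
    if enabled:
        client.enable_aws_service_access(ServicePrincipal=principal)
        return "enabled"
    admins = client.list_delegated_administrators(ServicePrincipal=principal)
    ids = [a["Id"] for a in admins["DelegatedAdministrators"]]
    if ids:
        raise RuntimeError(
            f"deregister delegated administrators {ids} for {principal} "
            "before disabling trusted access")
    client.disable_aws_service_access(ServicePrincipal=principal)
    return "disabled"


def demo():
    """Offline walk-through using the constructed fake client and account ID."""
    org = FakeOrganizations(enabled={"ssm.amazonaws.com"},
                            delegated={"ssm.amazonaws.com": ["111122223333"]})
    steps = [ensure_trusted_access(org, "ssm.amazonaws.com", True)]   # already on
    try:
        ensure_trusted_access(org, "ssm.amazonaws.com", False)         # admin present
        steps.append("disabled")
    except RuntimeError:
        steps.append("blocked")
    org.delegated["ssm.amazonaws.com"] = []   # after deregistering the admin
    steps.append(ensure_trusted_access(org, "ssm.amazonaws.com", False))
    return steps


if __name__ == "__main__":
    # Real use: import boto3; client = boto3.client("organizations")
    print(demo())   # ['unchanged', 'blocked', 'disabled']
```

With a real client, pass `boto3.client("organizations")` in place of `FakeOrganizations`; the calls must be made from the management account with the permissions linked at the top of each section, and the same wrapper works for any service principal on this page.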

## Enabling a delegated administrator account for Systems Manager
<a name="integrate-enable-da-ssm"></a>

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Systems Manager that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Systems Manager.

If you use Change Manager across an organization, you use a delegated administrator account. This is the AWS account that has been designated as the account for managing change templates, change requests, change runbooks and approval workflows in Change Manager. The delegated account manages change activities across your organization. When you set up your organization for use with Change Manager, you specify which of your accounts serves in this role. It does not have to be the organization's management account. The delegated administrator account is not required if you use Change Manager with a single account only.

**To designate a member account as a delegated administrator see the following topics in the *AWS Systems Manager User Guide*:**  

+ For Explorer and OpsCenter, see [Configuring a Delegated Administrator](https://docs.aws.amazon.com/systems-manager/latest/userguide/Explorer-setup-delegated-administrator.html).
+ For Change Manager, see [Setting up an organization and delegated account for Change Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/change-manager-organization-setup.html).
+ For Quick Setup see [Register a delegated administrator for Quick Setup ](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-register-delegated-administrator.html).

## Disabling a delegated administrator account for Systems Manager
<a name="integrate-disable-da-ssm"></a>

**To deregister a delegated administrator see the following topics in the *AWS Systems Manager User Guide*:**  

+ For Explorer and OpsCenter, see [Deregister an Explorer delegated administrator ](https://docs.aws.amazon.com/systems-manager/latest/userguide/Explorer-setup-delegated-administrator-deregister.html).
+ For Change Manager, see [Setting up an organization and delegated account for Change Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/change-manager-organization-setup.html).
+ For Quick Setup see [Deregister a delegated administrator for Quick Setup ](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-deregister-delegated-administrator.html).

# AWS User Notifications and AWS Organizations
<a name="services-that-can-integrate-uno"></a>

[AWS User Notifications](https://aws.amazon.com/notifications) is a central location for your AWS notifications.

After you integrate with AWS Organizations, you can configure and view notifications centrally across accounts in your organization.

Use the following information to help you integrate AWS User Notifications with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-uno"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows User Notifications to perform supported operations within your organization's accounts.

You can delete or modify this role only if you disable trusted access between User Notifications and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForAWSUserNotifications`

For more information, see [Using Service-Linked Roles](https://docs.aws.amazon.com/notifications/latest/userguide/using-service-linked-roles.html) in the *AWS User Notifications User Guide*.

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-uno"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by User Notifications grant access to the following service principals:
+ `notifications.amazonaws.com`

## Enabling trusted access with User Notifications
<a name="integrate-enable-ta-uno"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can only enable trusted access using AWS User Notifications.

To enable trusted access using the User Notifications console, see [Enabling AWS Organizations in AWS User Notifications](https://docs.aws.amazon.com/notifications/latest/userguide/uno-orgs.html) in the *User Notifications User Guide*. 

## Disabling trusted access with User Notifications
<a name="integrate-disable-ta-uno"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using AWS User Notifications.

To disable trusted access using the User Notifications console, see [Enabling AWS Organizations in AWS User Notifications](https://docs.aws.amazon.com/notifications/latest/userguide/uno-orgs.html) in the *User Notifications User Guide*.

## Enabling a delegated administrator account for User Notifications
<a name="integrate-enable-da-uno"></a>

The management account administrator can delegate User Notifications administrative permissions to a designated member account known as the delegated administrator. Before registering an account as a delegated administrator for User Notifications, the management account administrator must ensure that trusted access is enabled and that the service-linked role exists; registration takes the 12-digit AWS account ID of the member account.

Management accounts and delegated administrator accounts can perform User Notifications administrative tasks, such as configuring and viewing notifications centrally across the accounts in the organization.

To configure a delegated administrator using the User Notifications console, see [Registering delegated administrators in AWS User Notifications](https://docs.aws.amazon.com/notifications/latest/userguide/uno-orgs.html#register-admins) in the *User Notifications User Guide*.

You can also configure a delegated administrator by using the Organizations `RegisterDelegatedAdministrator` API. For more information, see [register-delegated-administrator](https://docs.aws.amazon.com/cli/latest/reference/organizations/register-delegated-administrator.html) in the *AWS CLI Command Reference*.

## Disabling a delegated administrator for User Notifications
<a name="integrate-disable-da-uno"></a>

Only an administrator in the organization management account can register or remove a delegated administrator for User Notifications.

You can remove the delegated administrator using either the User Notifications console or API, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation.

To remove the User Notifications delegated administrator account using the User Notifications console, see [Removing delegated administrators in AWS User Notifications](https://docs.aws.amazon.com/notifications/latest/userguide/uno-orgs.html#deregister-admins) in the *User Notifications User Guide*.

# Tag policies and AWS Organizations
<a name="services-that-can-integrate-tag-policies"></a>

*Tag policies* are a type of policy in AWS Organizations that can help you standardize tags across resources in your organization's accounts. For more information about tag policies, see [Tag policies](orgs_manage_policies_tag-policies.md). 

Use the following information to help you integrate tag policies with AWS Organizations.



## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-tag-policies"></a>

Organizations interacts with the tags attached to your resources using the following service principal.
+ `tagpolicies.tag.amazonaws.com`

## Enabling trusted access for tag policies
<a name="integrate-enable-ta-tag-policies"></a>

You can enable trusted access for tag policies either by enabling the tag policy type in the organization, or by enabling trusted access directly in AWS Organizations.

**Important**  
We strongly recommend that you enable trusted access by enabling the tag policy type. This lets Organizations perform the required setup tasks. For more information, see [Enabling a policy type](enable-policy-type.md).

You can also enable trusted access by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **tag policies** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for tag policies** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of tag policies that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable tag policies as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal tagpolicies.tag.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with tag policies
<a name="integrate-disable-ta-tag-policies"></a>

You can disable trusted access for tag policies by disabling the tag policy type in the AWS Organizations console. For more information, see [Disabling a policy type](disable-policy-type.md). 

# AWS Trusted Advisor and AWS Organizations
<a name="services-that-can-integrate-ta"></a>

AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, to improve system availability and performance, or to help close security gaps. When integrated with Organizations, you can receive Trusted Advisor check results for all of the accounts in your organization and download reports to view the summaries of your checks and any affected resources.

For more information, see [Organizational view for AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/organizational-view.html) in the *AWS Support User Guide*.

Use the following information to help you integrate AWS Trusted Advisor with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-ta"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Trusted Advisor to perform supported operations within your organization's accounts.

You can delete or modify this role only if you disable trusted access between Trusted Advisor and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForTrustedAdvisorReporting`

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-ta"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Trusted Advisor grant access to the following service principals:
+ `reporting.trustedadvisor.amazonaws.com`

## Enabling trusted access with Trusted Advisor
<a name="integrate-enable-ta-ta"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can only enable trusted access using AWS Trusted Advisor.

**To enable trusted access using the Trusted Advisor console**  
See [Enable organizational view](https://docs.aws.amazon.com/awssupport/latest/user/organizational-view.html#enable-organizational-view) in the *AWS Support User Guide*.

## Disabling trusted access with Trusted Advisor
<a name="integrate-disable-ta-ta"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

After you disable this feature, Trusted Advisor stops recording check information for all other accounts in your organization. You can't view or download existing reports or create new reports. 

You can disable trusted access using either the AWS Trusted Advisor tools or the AWS Organizations tools.

**Important**  
We strongly recommend that whenever possible, you use the AWS Trusted Advisor console or tools to disable integration with Organizations. This lets AWS Trusted Advisor perform any clean up that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by AWS Trusted Advisor.  
If you disable trusted access by using the AWS Trusted Advisor console or tools then you don’t need to complete these steps.

**To disable trusted access using the Trusted Advisor console**  
See [Disable organizational view](https://docs.aws.amazon.com/awssupport/latest/user/organizational-view.html#disable-organizational-view) in the *AWS Support User Guide*.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Trusted Advisor as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal reporting.trustedadvisor.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for Trusted Advisor
<a name="integrate-enable-da-ta"></a>

When you designate a member account to be a delegated administrator for the organization, users and roles from the designated account can perform Trusted Advisor administrative tasks for the organization that otherwise can be performed only by the organization's management account. This helps you to separate management of the organization from management of Trusted Advisor.

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Trusted Advisor in the organization.

For instruction about enabling a delegated administrator account for Trusted Advisor, see [Register delegated administrators](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-priority.html#register-delegated-administrators) in the *Support User Guide*.

------
#### [ AWS CLI, AWS API ]

If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs, you can use the following commands:
+ AWS CLI: 

  ```
  $  aws organizations register-delegated-administrator \
      --account-id 123456789012 \
      --service-principal reporting.trustedadvisor.amazonaws.com
  ```
+ AWS SDK: Call the Organizations `RegisterDelegatedAdministrator` operation, passing the member account's ID number and the Trusted Advisor service principal `reporting.trustedadvisor.amazonaws.com` as parameters.

------
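
Because a registered delegated administrator inherits management-account capabilities for that service, the set of enabled service principals and their delegated administrators is worth comparing against an approved baseline on a schedule, for every integration on this page. The following is an added example, not AWS or Trusted Advisor code: a drift check over the response shapes of `ListAWSServiceAccessForOrganization`, `ListDelegatedAdministrators` and `ListDelegatedServicesForAccount`. `APPROVED`, the sample responses and the account IDs are constructed for the example; `fetch_live` shows the real paginated boto3 calls and is only used when a client is supplied.

```python
"""Drift check for Organizations trusted access and delegated administrators.

Added example, not AWS code. The baseline and sample responses are constructed;
find_drift() is pure so it runs offline, and fetch_live() gathers the same two
structures from a real boto3 Organizations client.
"""

# Constructed baseline: which principals may have trusted access, and which
# member account(s) may hold the delegated administrator role for each.
APPROVED = {
    "ssm.amazonaws.com": {"111122223333"},
    "reporting.trustedadvisor.amazonaws.com": {"111122223333"},
    "tagpolicies.tag.amazonaws.com": set(),   # trusted access only, no delegation
}

# Constructed sample responses, shaped like the real API output.
SAMPLE_SERVICE_ACCESS = {"EnabledServicePrincipals": [
    {"ServicePrincipal": "ssm.amazonaws.com"},
    {"ServicePrincipal": "reporting.trustedadvisor.amazonaws.com"},
    {"ServicePrincipal": "wellarchitected.amazonaws.com"},   # not in baseline
]}
SAMPLE_DELEGATED = {   # principal -> list of delegated administrator accounts
    "ssm.amazonaws.com": [{"Id": "111122223333", "Status": "ACTIVE"}],
    "reporting.trustedadvisor.amazonaws.com": [
        {"Id": "111122223333", "Status": "ACTIVE"},
        {"Id": "444455556666", "Status": "ACTIVE"},   # unexpected second admin
    ],
    "wellarchitected.amazonaws.com": [],
}


def find_drift(service_access, delegated, approved):
    """Return sorted (kind, service_principal, account_id) findings.

    Flags trusted access that is enabled but not approved (and vice versa),
    and delegated administrators that are registered but not approved
    (and approved ones that are missing).
    """
    findings = []
    enabled = {e["ServicePrincipal"] for e in service_access["EnabledServicePrincipals"]}
    for principal in enabled - set(approved):
        findings.append(("unapproved_trusted_access", principal, ""))
    for principal in set(approved) - enabled:
        findings.append(("missing_trusted_access", principal, ""))
    for principal in set(approved) | set(delegated):
        allowed = approved.get(principal, set())
        actual = {a["Id"] for a in delegated.get(principal, [])}
        for account in actual - allowed:
            findings.append(("unapproved_delegated_admin", principal, account))
        for account in allowed - actual:
            findings.append(("missing_delegated_admin", principal, account))
    return sorted(findings)


def fetch_live(client):
    """Collect the same two structures from a real boto3 Organizations client.

    Must run from the management account. Uses the paginators so organizations
    with many principals or delegated accounts are covered completely.
    """
    access = {"EnabledServicePrincipals": []}
    pages = client.get_paginator("list_aws_service_access_for_organization")
    for page in pages.paginate():
        access["EnabledServicePrincipals"].extend(page["EnabledServicePrincipals"])
    delegated = {}
    for page in client.get_paginator("list_delegated_administrators").paginate():
        for acct in page["DelegatedAdministrators"]:
            svc_pages = client.get_paginator("list_delegated_services_for_account")
            for svc_page in svc_pages.paginate(AccountId=acct["Id"]):
                for svc in svc_page["DelegatedServices"]:
                    delegated.setdefault(svc["ServicePrincipal"], []).append(
                        {"Id": acct["Id"], "Status": acct["Status"]})
    return access, delegated


if __name__ == "__main__":
    # Real use: import boto3; access, delegated = fetch_live(boto3.client("organizations"))
    for finding in find_drift(SAMPLE_SERVICE_ACCESS, SAMPLE_DELEGATED, APPROVED):
        print(*finding)
```

Run against the constructed sample, the check reports the unapproved Well-Architected Tool trusted access, the missing tag-policies trusted access, and the second Trusted Advisor delegated administrator. Treat any `unapproved_delegated_admin` finding as a priority: that account can act on every member account through the service in question.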

## Disabling a delegated administrator for Trusted Advisor
<a name="integrate-disable-da-ta"></a>

You can remove the delegated administrator using either the Trusted Advisor console, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation. For information on how to remove the Trusted Advisor delegated administrator account using the Trusted Advisor console, see [Deregister delegated administrators](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-priority.html#deregister-delegated-administrators) in the *AWS Support User Guide*.

# AWS Well-Architected Tool and AWS Organizations
<a name="services-that-can-integrate-wat"></a>

The AWS Well-Architected Tool helps you document the state of your workloads and compares them to the latest AWS architectural best practices.

Using AWS Well-Architected Tool with Organizations enables both AWS Well-Architected Tool and Organizations customers to simplify the process of sharing AWS Well-Architected Tool resources with other members of their organization.

For more information, see [Sharing your AWS Well-Architected Tool resources](https://docs.aws.amazon.com/wellarchitected/latest/userguide/sharing.html) in the *AWS Well-Architected Tool User Guide*.

Use the following information to help you integrate AWS Well-Architected Tool with AWS Organizations.



## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-wat"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows AWS WA Tool to perform supported operations within your organization's accounts.

You can delete or modify this role only if you disable trusted access between AWS WA Tool and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForWellArchitected`

The service role policy is `AWSWellArchitectedOrganizationsServiceRolePolicy`.

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-wat"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by AWS WA Tool grant access to the following service principals:
+ `wellarchitected.amazonaws.com`

## Enabling trusted access with AWS WA Tool
<a name="integrate-enable-ta-wat"></a>

Trusted access allows AWS WA Tool to update itself to reflect hierarchical changes in your organization.

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can enable trusted access using either the AWS Well-Architected Tool console or the AWS Organizations console.

**Important**  
We strongly recommend that whenever possible, you use the AWS Well-Architected Tool console or tools to enable integration with Organizations. This lets AWS Well-Architected Tool perform any configuration that it requires, such as creating resources needed by the service. Proceed with these steps only if you can’t enable integration using the tools provided by AWS Well-Architected Tool. For more information, see [this note](orgs_integrate_services.md#important-note-about-integration).   
If you enable trusted access by using the AWS Well-Architected Tool console or tools then you don’t need to complete these steps.

**To enable trusted access using the AWS WA Tool console**  
See [Sharing your AWS Well-Architected Tool resources](https://docs.aws.amazon.com/wellarchitected/latest/userguide/sharing.html) in the *AWS Well-Architected Tool User Guide*.

You can enable trusted access by using either the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. In the navigation pane, choose **Services**.

1. Choose **AWS Well-Architected Tool** in the list of services.

1. Choose **Enable trusted access**.

1. In the **Enable trusted access for AWS Well-Architected Tool** dialog box, type **enable** to confirm, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of AWS Well-Architected Tool that they can now enable that service to work with AWS Organizations from the service console.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable AWS Well-Architected Tool as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal wellarchitected.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## Disabling trusted access with AWS WA Tool
<a name="integrate-disable-ta-wat"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can disable trusted access using either the AWS Well-Architected Tool or the AWS Organizations tools.

**Important**  
We strongly recommend that whenever possible, you use the AWS Well-Architected Tool console or tools to disable integration with Organizations. This lets AWS Well-Architected Tool perform any clean up that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by AWS Well-Architected Tool.  
If you disable trusted access by using the AWS Well-Architected Tool console or tools then you don’t need to complete these steps.

**To disable trusted access using the AWS WA Tool console**  
See [Sharing your AWS Well-Architected Tool resources](https://docs.aws.amazon.com/wellarchitected/latest/userguide/sharing.html) in the *AWS Well-Architected Tool User Guide*.

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable AWS Well-Architected Tool as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal wellarchitected.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

# Amazon VPC IP Address Manager (IPAM) and AWS Organizations
<a name="services-that-can-integrate-ipam"></a>

Amazon VPC IP Address Manager (IPAM) is a VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads.

Using AWS Organizations allows you to monitor IP address usage throughout your organization and share IP address pools across member accounts.



For more information, see [ Integrate IPAM with AWS Organizations](https://docs.aws.amazon.com/vpc/latest/ipam/enable-integ-ipam.html) in the *Amazon VPC IPAM User Guide*. 

Use the following information to help you integrate Amazon VPC IP Address Manager (IPAM) with AWS Organizations. 

## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-ipam"></a>

The following service-linked role is automatically created in your organization's management account and each member account when you integrate IPAM with AWS Organizations either by using the IPAM console or using IPAM's `EnableIpamOrganizationAdminAccount` API. 
+ `AWSServiceRoleForIPAM`

For more information, see [ Service-linked roles for IPAM](https://docs.aws.amazon.com//vpc/latest/ipam/iam-ipam-slr.html) in the *Amazon VPC IPAM User Guide*. 

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-ipam"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by IPAM grant access to the following service principals:
+ `ipam.amazonaws.com`

## To enable trusted access with IPAM
<a name="integrate-enable-ta-ipam"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

**Note**  
When you designate a delegated administrator for IPAM it automatically enables trusted access for IPAM for your organization.  
IPAM requires trusted access to AWS Organizations before you can designate a member account to be the delegated administrator for this service for your organization.

You can enable trusted access using only Amazon VPC IP Address Manager (IPAM) tools.

If you integrate IPAM with AWS Organizations using the IPAM console or using the IPAM `EnableIpamOrganizationAdminAccount` API, you automatically grant trusted access to IPAM. Granting trusted access creates the service-linked role `AWSServiceRoleForIPAM` in the management account and in all of the member accounts in the organization. IPAM uses the service-linked role to monitor CIDRs associated with EC2 networking resources in your organization and to store metrics related to IPAM in Amazon CloudWatch. For more information, see [Service-linked roles for IPAM](https://docs.aws.amazon.com//vpc/latest/ipam/iam-ipam-slr.html) in the *Amazon VPC IPAM User Guide*. 

 For instructions about enabling trusted access, see [Integrate IPAM with AWS Organizations](https://docs.aws.amazon.com//vpc/latest/ipam/enable-integ-ipam.html) in the *Amazon VPC IPAM User Guide*. 

**Note**  
You can't enable trusted access with IPAM using the AWS Organizations console or with the [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) API. 

## To disable trusted access with IPAM
<a name="integrate-disable-ta-ipam"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

Only an administrator in the AWS Organizations management account can disable trusted access with IPAM, by using the AWS Organizations `disable-aws-service-access` CLI command or the `DisableAWSServiceAccess` API. 

 For information about disabling IPAM account permissions and deleting the service-linked role, see [Service-linked roles for IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/iam-ipam-slr.html) in the *Amazon VPC IPAM User Guide*. 

You can disable trusted access by running an Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

------
#### [ AWS CLI, AWS API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following AWS CLI commands or API operations to disable trusted service access:
+ AWS CLI: [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable Amazon VPC IP Address Manager (IPAM) as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal ipam.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [DisableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------

## Enabling a delegated administrator account for IPAM
<a name="integrate-enable-da-ipam"></a>

The delegated administrator account for IPAM is responsible for creating the IPAM and IP address pools, managing and monitoring IP address usage in the organization, and sharing IP address pools across member accounts. For more information, see [Integrate IPAM with AWS Organizations](https://docs.aws.amazon.com//vpc/latest/ipam/enable-integ-ipam.html) in the *Amazon VPC IPAM User Guide*.

Only an administrator in the organization management account can configure a delegated administrator for IPAM.

You can specify a delegated administrator account from the IPAM console, or by using the `enable-ipam-organization-admin-account` CLI command. For more information, see [enable-ipam-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-ipam-organization-admin-account.html) in the *AWS CLI Command Reference*. 

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for IPAM in the organization.

To configure a delegated administrator using the IPAM console, see [Integrate IPAM with AWS Organizations](https://docs.aws.amazon.com//vpc/latest/ipam/enable-integ-ipam.html) in the *Amazon VPC IPAM User Guide*.

## Disabling a delegated administrator for IPAM
<a name="integrate-disable-da-ipam"></a>

Only an administrator in the organization management account can configure a delegated administrator for IPAM.

 To remove a delegated administrator using the AWS CLI, see [disable-ipam-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/ec2/disable-ipam-organization-admin-account.html) in the *AWS CLI Command Reference*.

 To disable the delegated admin IPAM account using the IPAM console, see [Integrate IPAM with AWS Organizations](https://docs.aws.amazon.com//vpc/latest/ipam/enable-integ-ipam.html) in the *Amazon VPC IPAM User Guide*.

# Amazon VPC Reachability Analyzer and AWS Organizations
<a name="services-that-can-integrate-ra"></a>

Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs).

Using AWS Organizations with Reachability Analyzer allows you to trace paths across accounts in your organization.

For more information, see [Manage delegated administrator accounts in Reachability Analyzer](https://docs.aws.amazon.com/vpc/latest/reachability/manage-delegated-administrators.html) in the *Reachability Analyzer user guide*. 

Use the following information to help you integrate Reachability Analyzer with AWS Organizations. 

## Service-linked roles created when you enable integration
<a name="integrate-enable-slr-ra"></a>

The following [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is automatically created in your organization's management account when you enable trusted access. This role allows Reachability Analyzer to perform supported operations within the accounts in your organization.

You can delete or modify this role only if you disable trusted access between Reachability Analyzer and Organizations, or if you remove the member account from the organization.
+ `AWSServiceRoleForReachabilityAnalyzer`

For more information, see [Cross-account analyses for Reachability Analyzer](https://docs.aws.amazon.com//vpc/latest/reachability/multi-account.html) in the *Reachability Analyzer user guide*. 

## Service principals used by the service-linked roles
<a name="integrate-enable-svcprin-ra"></a>

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Reachability Analyzer grant access to the following service principals:
+ `reachabilityanalyzer.networkinsights.amazonaws.com`

## To enable trusted access with Reachability Analyzer
<a name="integrate-enable-ta-ra"></a>

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

When you designate a delegated administrator for Reachability Analyzer it automatically enables trusted access for Reachability Analyzer for your organization.

Reachability Analyzer requires trusted access to AWS Organizations before you can designate a member account to be the delegated administrator for this service for your organization.

**Important**  
You can enable trusted access using either the Reachability Analyzer console or the Organizations console. However, we strongly recommend that you use the Reachability Analyzer console or the `EnableMultiAccountAnalysisForAwsOrganization` API to enable integration with Organizations. This lets Reachability Analyzer perform any configuration that it requires, such as creating resources needed by the service. 
Granting trusted access creates the service-linked role `AWSServiceRoleForReachabilityAnalyzer` in the management account and in all of the member accounts in the organization. Reachability Analyzer uses the service-linked role to allow the management account and the delegated administrator to run connectivity analyses between any resources in the organization. Reachability Analyzer is able to take snapshots of the networking elements of the accounts in an organization in order to answer connectivity queries. 
For more information, and for instructions on enabling trusted access through Reachability Analyzer, see [Cross-account analyses for Reachability Analyzer](https://docs.aws.amazon.com//vpc/latest/reachability/multi-account.html) in the *Reachability Analyzer user guide*. 

You can enable trusted access either by using the AWS Organizations console, by running an AWS CLI command, or by calling an API operation in one of the AWS SDKs.

------
#### [ AWS Management Console ]

**To enable trusted service access using the Organizations console**

1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. On the **[Services](https://console.aws.amazon.com/organizations/v2/home/services)** page, find the row for **VPC Reachability Analyzer**, choose the service’s name, and then choose **Enable trusted access**.

1. In the confirmation dialog box, enable **Show the option to enable trusted access**, enter **enable** in the box, and then choose **Enable trusted access**.

1. If you are the administrator of only AWS Organizations, tell the administrator of Reachability Analyzer that they can now enable that service using its console to work with AWS Organizations.

------
#### [ AWS CLI, AWS API ]

**To enable trusted service access using the Organizations CLI/SDK**  
You can use the following AWS CLI commands or API operations to enable trusted service access:
+ AWS CLI: [enable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/enable-aws-service-access.html)

  You can run the following command to enable Reachability Analyzer as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal reachabilityanalyzer.networkinsights.amazonaws.com
  ```

  This command produces no output when successful.
+ AWS API: [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------

## To disable trusted access with Reachability Analyzer
<a name="integrate-disable-ta-ra"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can disable trusted access using either the Reachability Analyzer console (recommended), or the Organizations console. To disable trusted access using the Reachability Analyzer console, see [Cross-account analyses for Reachability Analyzer](https://docs.aws.amazon.com//vpc/latest/reachability/multi-account.html) in the *Reachability Analyzer user guide*. 

## Enabling a delegated administrator account for Reachability Analyzer
<a name="integrate-enable-da-ra"></a>

The delegated administrator account is able to run connectivity analyses across any of the resources in the organization. For more information, see [Integrate Reachability Analyzer with AWS Organizations](https://docs.aws.amazon.com//vpc/latest/ipam/enable-integ-ipam.html) in the *Reachability Analyzer user guide*.

Only an administrator in the organization management account can configure a delegated administrator for Reachability Analyzer.

You can specify a delegated administrator account from the Reachability Analyzer console, or by using the `RegisterDelegatedAdministrator` API. For more information, see [RegisterDelegatedAdministrator](https://docs.aws.amazon.com/cli/latest/reference/organizations/register-delegated-administrator.html) in the *Organizations Command Reference*. 

**Minimum permissions**  
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Reachability Analyzer in the organization.

To configure a delegated administrator using the Reachability Analyzer console, see [Integrate Reachability Analyzer with AWS Organizations](https://docs.aws.amazon.com//vpc/latest/ipam/enable-integ-ipam.html) in the *Reachability Analyzer user guide*.

## Disabling a delegated administrator for Reachability Analyzer
<a name="integrate-disable-da-ra"></a>

Only an administrator in the organization management account can configure a delegated administrator for Reachability Analyzer.

You can remove the delegated administrator using either the Reachability Analyzer console or API, or by using the Organizations `DeregisterDelegatedAdministrator` CLI or SDK operation.

 To disable the delegated admin Reachability Analyzer account using the Reachability Analyzer console, see [Cross-account analyses for Reachability Analyzer](https://docs.aws.amazon.com//vpc/latest/reachability/multi-account.html) in the *Reachability Analyzer user guide*.
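As an added example (not part of the AWS documentation), the following Python reconciles the output of `aws organizations list-aws-service-access-for-organization` with that of `aws organizations list-delegated-administrators --service-principal` for the two service principals covered in the IPAM and Reachability Analyzer sections above, so an administrator can spot a half-removed integration after disabling trusted access or deregistering a delegated administrator. The sample responses are constructed; real CLI output has the same JSON shape and can be fed in unchanged.

```python
"""Reconcile trusted-access state with delegated-administrator registrations
for the IPAM and Reachability Analyzer service principals on this page.
Added example; not code from the AWS Organizations documentation."""
import json

IPAM_PRINCIPAL = "ipam.amazonaws.com"
RA_PRINCIPAL = "reachabilityanalyzer.networkinsights.amazonaws.com"
WATCHED = (IPAM_PRINCIPAL, RA_PRINCIPAL)

# Constructed sample output of
#   aws organizations list-aws-service-access-for-organization
SAMPLE_SERVICE_ACCESS = json.dumps({"EnabledServicePrincipals": [
    {"ServicePrincipal": RA_PRINCIPAL, "DateEnabled": 1700000000.0}]})
# Constructed sample outputs of
#   aws organizations list-delegated-administrators --service-principal <p>
# keyed by the principal each command was run for (account IDs are fake).
SAMPLE_DELEGATED = {
    IPAM_PRINCIPAL: json.dumps({"DelegatedAdministrators": [
        {"Id": "111111111111", "Status": "ACTIVE"}]}),
    RA_PRINCIPAL: json.dumps({"DelegatedAdministrators": []}),
}

def enabled_principals(service_access_json):
    """Service principals with trusted access currently enabled."""
    doc = json.loads(service_access_json)
    return {e["ServicePrincipal"] for e in doc.get("EnabledServicePrincipals", [])}

def delegated_admins(delegated_json):
    """Account IDs registered as delegated administrator for one principal."""
    doc = json.loads(delegated_json)
    return sorted(a["Id"] for a in doc.get("DelegatedAdministrators", []))

def audit(service_access_json, delegated_by_principal, watched=WATCHED):
    """One finding per watched principal whose state is inconsistent.
    Trusted access must be enabled before a delegated administrator can be
    designated, so a registration without it means the integration was only
    partly torn down; trusted access with no delegated administrator leaves
    nobody able to operate the service org-wide, so confirm it is intended."""
    enabled = enabled_principals(service_access_json)
    findings = []
    for principal in watched:
        admins = delegated_admins(delegated_by_principal.get(principal, "{}"))
        if admins and principal not in enabled:
            findings.append((principal, "DELEGATED_ADMIN_WITHOUT_TRUSTED_ACCESS", admins))
        elif principal in enabled and not admins:
            findings.append((principal, "TRUSTED_ACCESS_WITHOUT_DELEGATED_ADMIN", []))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SERVICE_ACCESS, SAMPLE_DELEGATED))
```

Run it from the management account by piping the two CLI outputs into the functions; the audit only reads state and never changes it.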