

# Activating support in AWS WA Tool for other AWS services
<a name="activate-integrations"></a>

Activating Organization access permits AWS Well-Architected Tool to gather information about your organization's structure to share resources more easily (see [Activate resource sharing within AWS Organizations](sharing.md#getting-started-sharing-orgs) for more information). Activating Discovery support gathers information from [AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html), [AWS Service Catalog AppRegistry](https://docs.aws.amazon.com/servicecatalog/latest/arguide/intro-app-registry.html), and related resources (such as CloudFormation stacks in AppRegistry resource collections) to help you more easily discover the information needed to answer Well-Architected review questions, and tailor the Trusted Advisor checks for a workload. 

Activating support for AWS Organizations or activating Discovery support automatically creates a service-linked role in your account. 

**To turn on support for other services that AWS WA Tool can interact with, navigate to Settings.**

1. To gather information from AWS Organizations, turn on **Activate AWS Organizations support**. 

1. Turn on **Activate Discovery support** to gather information from other AWS services and resources.

1. Select **View role permissions** to view the service-linked role permissions or trust relationship policies.

1. Select **Save settings**.

# Activating AppRegistry for a workload
<a name="activate-appregistry"></a>

Using AppRegistry is optional, and AWS Business and Enterprise Support customers can activate it on a per-workload basis.

Whenever Discovery support is turned on and AppRegistry is associated with a new or existing workload, AWS Well-Architected Tool creates a service-managed attribute group. The attribute group **Metadata** in AppRegistry contains the workload ARN, the workload name, and the risks associated with the workload. 
+  When Discovery support is turned on, any time there is a change to the workload, the attribute group is updated.
+  When Discovery support is turned off or the application is removed from the workload, the workload information is removed from AWS Service Catalog.

If you want an AppRegistry application to drive the data fetched from Trusted Advisor, set your workload **Resource definition** as **AppRegistry** or **All**. Create roles for all accounts that own resources in your application following the guidelines in [Activating Trusted Advisor for a workload in IAM](activate-ta-in-iam.md). 

# Activating AWS Trusted Advisor for a workload
<a name="activate-ta-for-workload"></a>

AWS Business and Enterprise Support customers can optionally integrate AWS Trusted Advisor and activate it on a per-workload basis. There is no cost to integrate Trusted Advisor with AWS WA Tool, but for Trusted Advisor pricing details, see [AWS Support Plans](https://docs.aws.amazon.com/awssupport/latest/user/aws-support-plans.html). Activating Trusted Advisor for workloads gives you a more comprehensive, automated, and monitored approach to reviewing and optimizing your AWS workloads, which can help you improve their reliability, security, performance, and cost optimization.

**To activate Trusted Advisor for a workload**

1. To activate Trusted Advisor, workload owners can use AWS WA Tool to update an existing workload, or create a new workload by choosing **Define workload**. 

1. Enter an account ID used by Trusted Advisor in the **Account IDs** field, select an application ARN in the **Application** field, or both to activate Trusted Advisor. 

1. In the **AWS Trusted Advisor** section, select **Activate Trusted Advisor**.  
![\[Screenshot of the Activate Trusted Advisor section when defining a workload.\]](http://docs.aws.amazon.com/wellarchitected/latest/userguide/images/defining-workload-activate-ta-support.png)

1. A notification that the **IAM service role will be created** displays the first time Trusted Advisor is activated for a workload. Choosing **View permissions** displays the IAM role permissions. You can view the **Role name**, as well as the **Permissions** and **Trust relationships** JSON automatically created for you in IAM. After the role is created, for subsequent workloads activating **Trusted Advisor**, only the **Additional setup needed** notification is shown. 

1. In the **Resource definition** dropdown, you can select **Workload Metadata**, **AppRegistry**, or **All**. The **Resource definition** selection defines what data AWS WA Tool fetches from Trusted Advisor to provide the status checks in the workload review that map to Well-Architected best practices.

   **Workload Metadata** – the workload is defined by account IDs and AWS Regions specified in the workload.

   **AppRegistry** – the workload is defined by resources (such as CloudFormation stacks) that are present in the AppRegistry application associated with the workload.

   **All** – the workload is defined by both the workload metadata and AppRegistry resources.

1. Choose **Next**. 

1. Apply the **AWS Well-Architected Framework** to your workload, and choose **Define workload**. Trusted Advisor checks are only linked to the AWS Well-Architected Framework, and not other lenses.

The AWS WA Tool periodically gets data from Trusted Advisor using the roles created in IAM. The IAM role is automatically created for the workload owner. However, to view Trusted Advisor information, the owners of any associated accounts on the workload must go to IAM and create a role, see [Activating Trusted Advisor for a workload in IAM](activate-ta-in-iam.md) for more details. If this role does not exist, AWS WA Tool cannot obtain Trusted Advisor information for that account and displays an error. 

For more information about creating a role in AWS Identity and Access Management (IAM), see [Creating a role for an AWS service (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) in the *IAM User Guide*.

# Activating Trusted Advisor for a workload in IAM
<a name="activate-ta-in-iam"></a>

**Note**  
Workload owners should **Activate Discovery support** for their account before creating a Trusted Advisor workload. Choosing to **Activate Discovery support** creates the role required for the workload owner. Use the following steps for all other associated accounts. 

The owners of associated accounts for workloads that have activated Trusted Advisor must create a role in IAM to see Trusted Advisor information in AWS Well-Architected Tool.

**To create a role in IAM for AWS WA Tool to get information from Trusted Advisor**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the **IAM** console, choose **Roles**, and then choose **Create role**.

1. Under **Trusted entity type** choose **Custom trust policy**. 

1. Copy and paste the following **Custom trust policy** into the JSON field in the **IAM** console, as shown in the following image. Replace *`WORKLOAD_OWNER_ACCOUNT_ID`* with the workload owner's account ID, and choose **Next**. 

------
#### [ JSON ]

****  

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "wellarchitected.amazonaws.com"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringEquals": {
                       "aws:SourceAccount": "WORKLOAD_OWNER_ACCOUNT_ID"
                   },
                   "ArnEquals": {
                       "aws:SourceArn": "arn:aws:wellarchitected:*:WORKLOAD_OWNER_ACCOUNT_ID:workload/*"
                   }
               }
           }
       ]
   }
   ```

------  
![\[Screenshot of the Custom trust policy in the IAM console.\]](http://docs.aws.amazon.com/wellarchitected/latest/userguide/images/custom-trust-policy.png)
**Note**  
The `aws:SourceArn` in the condition block of the preceding custom trust policy is `"arn:aws:wellarchitected:*:WORKLOAD_OWNER_ACCOUNT_ID:workload/*"`, a generic condition stating that this role can be used by AWS WA Tool for all of the workload owner's workloads. Together with the `aws:SourceAccount` condition, it stops the AWS WA Tool service principal from assuming this role on behalf of a workload in some other account (the confused deputy problem), so do not remove either condition. Access can be narrowed further to a specific workload ARN or set of workload ARNs. To specify multiple ARNs, see the following example trust policy, in which `111122223333` stands for the workload owner's account ID.  

****  

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "wellarchitected.amazonaws.com"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringEquals": {
                       "aws:SourceAccount": "111122223333"
                   },
                   "ArnEquals": {
                       "aws:SourceArn": [
                           "arn:aws:wellarchitected:us-east-1:111122223333:workload/WORKLOAD_ID_1",
                           "arn:aws:wellarchitected:us-east-1:111122223333:workload/WORKLOAD_ID_2"
                       ]
                   }
               }
           }
       ]
   }
   ```

1. On the **Add permissions** page, for **Permissions policies** choose **Create policy** to give AWS WA Tool access to read data from Trusted Advisor. Selecting **Create policy** opens a new window.
**Note**  
Additionally, you have the option to skip creating the permissions during the role creation and create an inline policy after creating the role. Choose **View role** in the successful role creation message and select **Create inline policy** from the **Add permissions** dropdown in the **Permissions** tab.

1. Copy and paste the following **Permissions policy** into the JSON field. In the `Resource` ARN, replace *`YOUR_ACCOUNT_ID`* with the ID of the account you are creating the role in (the associated account, not the workload owner's account), specify the Region or an asterisk (`*`), and choose **Next: Tags**.

   For details about ARN formats, see [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference Guide*.

------
#### [ JSON ]

****  

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "trustedadvisor:DescribeCheckRefreshStatuses",
                   "trustedadvisor:DescribeCheckSummaries",
                   "trustedadvisor:DescribeRiskResources",
                   "trustedadvisor:DescribeAccount",
                   "trustedadvisor:DescribeRisk",
                   "trustedadvisor:DescribeAccountAccess",
                   "trustedadvisor:DescribeRisks",
                   "trustedadvisor:DescribeCheckItems"
               ],
               "Resource": [
                   "arn:aws:trustedadvisor:*:YOUR_ACCOUNT_ID:checks/*"
               ]
           }
       ]
   }
   ```

------

1. If Trusted Advisor is activated for a workload and the **Resource definition** is set to **AppRegistry** or **All**, all of the accounts that own a resource in the AppRegistry application attached to the workload must add the following statement to their Trusted Advisor role's **Permissions policy**. All of these actions are read-only (list, get, and describe calls) against the AppRegistry application, its resource groups, tags, and CloudFormation stacks.

------
#### [ JSON ]

****  

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "DiscoveryPermissions",
               "Effect": "Allow",
               "Action": [
                   "servicecatalog:ListAssociatedResources",
                   "tag:GetResources",
                   "servicecatalog:GetApplication",
                   "resource-groups:ListGroupResources",
                   "cloudformation:DescribeStacks",
                   "cloudformation:ListStackResources"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

------

1. (Optional) Add tags. Choose **Next: Review**.

1. Review the policy, give it a name, and select **Create policy**.

1. On the **Add permissions** page for the role, select the policy name you just created, and select **Next**. 

1. Enter the **Role name**, which must use the following syntax: `WellArchitectedRoleForTrustedAdvisor-WORKLOAD_OWNER_ACCOUNT_ID` and choose **Create role**. Replace *`WORKLOAD_OWNER_ACCOUNT_ID`* with the workload owner's account ID.

   You should get a success message at the top of the page notifying you that the role has been created. 

1. To view the role and associated permissions policy, in the left navigation pane under **Access management**, choose **Roles** and search for the `WellArchitectedRoleForTrustedAdvisor-WORKLOAD_OWNER_ACCOUNT_ID` name. Select the name of the role to verify that the **Permissions** and **Trust relationships** are correct.
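The role name, the trust policy, and the permissions policy from the steps above, as an added example in Python (standard library only; this is not code from the AWS documentation). `trust_policy` emits either the generic `workload/*` form or a policy pinned to specific workload ARNs, `permissions_policy` adds the discovery statement only when the workload's **Resource definition** is **AppRegistry** or **All**, and `trust_policy_findings` is the check to run over an existing role's `AssumeRolePolicyDocument` to confirm that both `aws:SourceAccount` and `aws:SourceArn` still pin it to the workload owner. The account and workload IDs a caller passes in are placeholders; the function names are this example's own.

```python
"""Build and check the IAM artifacts that let AWS WA Tool read Trusted Advisor.

Added example, not from the AWS documentation; standard library only.
Account and workload IDs passed in by callers are placeholders chosen by them.
"""
import re

SERVICE_PRINCIPAL = "wellarchitected.amazonaws.com"
ROLE_NAME_PREFIX = "WellArchitectedRoleForTrustedAdvisor-"
ACCOUNT_RE = re.compile(r"^\d{12}$")
# Region and workload ID may each be "*" (the generic form) or a concrete value.
WORKLOAD_ARN_RE = re.compile(
    r"^arn:aws:wellarchitected:(\*|[a-z0-9-]+):(\d{12}):workload/(\*|[0-9a-f]+)$")

TA_ACTIONS = [
    "trustedadvisor:DescribeCheckRefreshStatuses", "trustedadvisor:DescribeCheckSummaries",
    "trustedadvisor:DescribeRiskResources", "trustedadvisor:DescribeAccount",
    "trustedadvisor:DescribeRisk", "trustedadvisor:DescribeAccountAccess",
    "trustedadvisor:DescribeRisks", "trustedadvisor:DescribeCheckItems",
]
DISCOVERY_ACTIONS = [
    "servicecatalog:ListAssociatedResources", "tag:GetResources",
    "servicecatalog:GetApplication", "resource-groups:ListGroupResources",
    "cloudformation:DescribeStacks", "cloudformation:ListStackResources",
]


def _account(account_id):
    if not ACCOUNT_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def role_name(owner_account):
    """The name WA Tool looks for in each associated account."""
    return ROLE_NAME_PREFIX + _account(owner_account)


def trust_policy(owner_account, workload_ids=(), region="*"):
    """Trust policy pinned to the workload owner's account.

    Without workload_ids the SourceArn is the generic workload/* form; with IDs
    it is narrowed to exactly those workload ARNs in the given Region.
    """
    owner = _account(owner_account)
    arns = [f"arn:aws:wellarchitected:{region}:{owner}:workload/{w}" for w in workload_ids]
    arns = arns or [f"arn:aws:wellarchitected:*:{owner}:workload/*"]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": owner},
            "ArnEquals": {"aws:SourceArn": arns[0] if len(arns) == 1 else arns},
        },
    }]}


def permissions_policy(member_account, region="*", resource_definition="Workload Metadata"):
    """Read-only Trusted Advisor access for the account the role lives in, plus the
    discovery actions when the workload's Resource definition is AppRegistry or All."""
    statements = [{
        "Sid": "TrustedAdvisorRead", "Effect": "Allow", "Action": TA_ACTIONS,
        "Resource": [f"arn:aws:trustedadvisor:{region}:{_account(member_account)}:checks/*"],
    }]
    if resource_definition in ("AppRegistry", "All"):
        statements.append({"Sid": "DiscoveryPermissions", "Effect": "Allow",
                           "Action": DISCOVERY_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _condition(cond, operator, key):
    """Case-insensitive lookup of one condition key (IAM ignores key case)."""
    for op, pairs in cond.items():
        if op.lower() == operator.lower():
            for k, v in pairs.items():
                if k.lower() == key.lower():
                    return _listify(v)
    return []


def trust_policy_findings(policy, owner_account):
    """Problems with an existing AssumeRolePolicyDocument; [] means every AssumeRole
    statement is pinned to the owner account the way the documented template is."""
    owner = _account(owner_account)
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _listify(st.get("Action")):
            continue
        if st.get("Principal") != {"Service": SERVICE_PRINCIPAL}:
            findings.append(f"principal is not exactly {SERVICE_PRINCIPAL}: {st.get('Principal')!r}")
        cond = st.get("Condition", {})
        if _condition(cond, "StringEquals", "aws:SourceAccount") != [owner]:
            findings.append("aws:SourceAccount missing or not the workload owner's account")
        arns = (_condition(cond, "ArnEquals", "aws:SourceArn")
                or _condition(cond, "ArnLike", "aws:SourceArn"))
        if not arns:
            findings.append("aws:SourceArn missing: WA Tool could assume this role for any workload")
        for arn in arns:
            m = WORKLOAD_ARN_RE.match(arn)
            if not m or m.group(2) != owner:
                findings.append(f"aws:SourceArn is not a workload ARN in the owner account: {arn}")
    return findings
```

`json.dumps(trust_policy(...), indent=4)` gives the document to paste into the console's JSON field or to pass to `aws iam create-role --assume-role-policy-document`. To audit a role that already exists, feed the `AssumeRolePolicyDocument` returned by `aws iam get-role` to `trust_policy_findings` together with the workload owner's account ID; an empty list is the expected result for the template on this page.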

# Deactivating Trusted Advisor for a workload
<a name="deactivate-ta-for-workload"></a>

**To deactivate Trusted Advisor for a workload**

You can deactivate Trusted Advisor for any workload from the AWS Well-Architected Tool by editing your workload and deselecting **Activate Trusted Advisor**. For more information on editing workloads, see [Edit a workload in AWS Well-Architected Tool](workloads-edit.md). 

Deactivating Trusted Advisor in AWS WA Tool does not delete the roles created in IAM; deleting them is a separate cleanup step. Until a role is deleted, its trust policy continues to allow the AWS WA Tool service principal to assume it. When Trusted Advisor is deactivated for a workload, or to stop AWS WA Tool from collecting Trusted Advisor data for the workload, the workload owner and the owners of associated accounts should delete the IAM roles they created. 

**To delete the `WellArchitectedRoleForTrustedAdvisor` role in IAM**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the **IAM** console, choose **Roles**.

1. Search for `WellArchitectedRoleForTrustedAdvisor-WORKLOAD_OWNER_ACCOUNT_ID` and select the role name.

1. Choose **Delete**. In the pop-up window, type the name of the role to confirm deletion, and select **Delete** again.

For more information about deleting a role from IAM, see [Deleting an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#roles-managingrole-deleting-console) in the *IAM User Guide*.
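The console cleanup above, as an added example for an associated account that scripts it (Python; not code from the AWS documentation). The `iam` argument is any object exposing the boto3 IAM client methods used here (`boto3.client("iam")` in real use; boto3 is not imported), and `FakeIam` is a constructed stand-in so the script runs offline. Two things the console steps do not make explicit are shown: `DeleteRole` is refused while the role still has inline or attached policies, so those are removed first, and the script refuses to touch a same-named role whose trust policy does not name the AWS WA Tool service principal.

```python
"""Remove WellArchitectedRoleForTrustedAdvisor-<owner> from an associated account.

Added example, not from the AWS documentation. `iam` is any object with the
boto3 IAM client method names used below; FakeIam is a constructed stand-in.
"""
import re

ROLE_NAME_PREFIX = "WellArchitectedRoleForTrustedAdvisor-"
SERVICE_PRINCIPAL = "wellarchitected.amazonaws.com"


def _paged(call, key, **kwargs):
    """Follow IAM's Marker/IsTruncated pagination for a list_* call."""
    marker = None
    while True:
        page = call(**kwargs, **({"Marker": marker} if marker else {}))
        yield from page[key]
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]


def delete_trusted_advisor_role(iam, owner_account, dry_run=False):
    """Delete the role WA Tool used for this owner; returns the ordered plan.

    Inline policies and managed-policy attachments are removed before DeleteRole,
    which IAM otherwise rejects. The role is only touched if its trust policy names
    the WA Tool service principal, guarding against an unrelated same-named role.
    """
    if not re.fullmatch(r"\d{12}", owner_account):
        raise ValueError(f"not a 12-digit AWS account ID: {owner_account!r}")
    name = ROLE_NAME_PREFIX + owner_account
    role = iam.get_role(RoleName=name)["Role"]  # botocore raises NoSuchEntity if absent
    principals = [s.get("Principal", {}).get("Service")
                  for s in role["AssumeRolePolicyDocument"].get("Statement", [])]
    if SERVICE_PRINCIPAL not in principals:
        raise RuntimeError(f"{name} is not trusted by {SERVICE_PRINCIPAL}; refusing to delete")

    plan = [("delete_role_policy", p)
            for p in _paged(iam.list_role_policies, "PolicyNames", RoleName=name)]
    plan += [("detach_role_policy", a["PolicyArn"])
             for a in _paged(iam.list_attached_role_policies, "AttachedPolicies", RoleName=name)]
    plan.append(("delete_role", name))
    if dry_run:
        return plan
    for op, target in plan:
        if op == "delete_role_policy":
            iam.delete_role_policy(RoleName=name, PolicyName=target)
        elif op == "detach_role_policy":
            iam.detach_role_policy(RoleName=name, PolicyArn=target)
        else:
            iam.delete_role(RoleName=name)
    return plan


class FakeIam:
    """Constructed offline stand-in for boto3's IAM client (not AWS code)."""

    def __init__(self, inline=("TrustedAdvisorRead",), attached=(), service=SERVICE_PRINCIPAL):
        self.inline = list(inline)
        self.attached = [{"PolicyName": a.rsplit("/", 1)[1], "PolicyArn": a} for a in attached]
        self.service = service
        self.deleted = []

    def get_role(self, RoleName):
        doc = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
               "Principal": {"Service": self.service}, "Action": "sts:AssumeRole"}]}
        return {"Role": {"RoleName": RoleName, "AssumeRolePolicyDocument": doc}}

    def list_role_policies(self, RoleName, Marker=None):
        return {"PolicyNames": list(self.inline), "IsTruncated": False}

    def list_attached_role_policies(self, RoleName, Marker=None):
        return {"AttachedPolicies": list(self.attached), "IsTruncated": False}

    def delete_role_policy(self, RoleName, PolicyName):
        self.inline.remove(PolicyName)

    def detach_role_policy(self, RoleName, PolicyArn):
        self.attached = [a for a in self.attached if a["PolicyArn"] != PolicyArn]

    def delete_role(self, RoleName):
        if self.inline or self.attached:  # mirrors IAM's DeleteConflict error
            raise RuntimeError("DeleteConflict: role still has policies")
        self.deleted.append(RoleName)
```

Run it once with `dry_run=True` against the real client to review the plan, then without it; the returned plan is what to record in the change log for the workload's deactivation.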