Cross-account analyses for Reachability Analyzer - Amazon Virtual Private Cloud

Cross-account analyses for Reachability Analyzer

Reachability Analyzer analyzes the path between a source and destination. To analyze paths across multiple AWS accounts, enable trusted access for Reachability Analyzer with your organization from AWS Organizations. You can also register member accounts as delegated administrator accounts. A user in the management account can define paths and run analyses using sources and destinations from any account in the organization. A user in a delegated administrator account can define paths and run analyses using sources and destinations from any account in the organization other than the management account, plus any resources in the management account that were explicitly shared with the delegated administrator account.

For more information, see Visualize and diagnose network reachability across AWS accounts.

Pricing

There is no additional charge to run cross-account analyses.

Considerations
  • Before accounts in the organization can use this feature in an opt-in Region, the management account must enable the opt-in Region. For more information, see Enable a Region in your organization in the AWS Account Management Guide.

  • The accounts in the organization must be able to make calls to the AWS CloudFormation API in US East (N. Virginia) (us-east-1).

  • AWS CloudTrail logs are always written to US East (N. Virginia) (us-east-1).

Enable trusted access

When you enable trusted access, Reachability Analyzer deploys the AWSServiceRoleForReachabilityAnalyzer service-linked role and the required cross-account access roles to all accounts in your organization.

To enable trusted access using the console
  1. Sign in to the management account.

  2. Open the Network Manager console at https://console.aws.amazon.com/networkmanager/home.

  3. From the navigation pane, choose Reachability Analyzer, Settings.

  4. For Trusted Access, choose Turn on trusted access.

  5. Do not close or navigate away from this page until you see a success notification indicating that trusted access is turned on. This can take several minutes.

To enable trusted access using the AWS CLI

From the management account, use the enable-reachability-analyzer-organization-sharing command.

IAM role deployments

When you enable trusted access, the following roles are deployed in your organization:

The deployments can take several minutes to complete, depending on the number of member accounts in your organization. You can view the status of the role deployments as follows.

To view IAM role deployments
  1. Sign in to the management account.

  2. Open the Network Manager console at https://console.aws.amazon.com/networkmanager/home.

  3. From the navigation pane, choose Reachability Analyzer, Settings.

  4. Check IAM role deployments status.

Manage delegated administrator accounts

You can register up to 5 delegated administrator accounts. If you deregister a delegated administrator account, the users in the account can't run a new cross-account analysis, but they can still see the previously run analyses.

To manage delegated administrators
  1. Sign in to the management account.

  2. Open the Network Manager console at https://console.aws.amazon.com/networkmanager/home.

  3. From the navigation pane, choose Reachability Analyzer, Settings.

  4. To register a member account as a delegated administrator account, choose Register delegated administrator. Select the check box for the account, and then choose Register delegated administrator.

  5. To deregister a delegated administrator account, select the check box for the account, and then choose Deregister.

Disable trusted access

After you disable trusted access, the users in the management account and delegated administrator accounts can't run a new cross-account analysis. However, they can still see the previously run analyses. Before you can disable trusted access, you must deregister the delegated administrator accounts.

You can enable trusted access again after disabling it. However, you must first re-register the delegated administrator accounts.

To disable trusted access using the console
  1. Sign in to the management account.

  2. Open the Network Manager console at https://console.aws.amazon.com/networkmanager/home.

  3. From the navigation pane, choose Reachability Analyzer, Settings.

  4. For Trusted Access, choose Turn off trusted access.

  5. Do not close or navigate away from this page until you see a success notification indicating that trusted access is turned off. This can take several minutes.

To disable trusted access using the AWS CLI

From the management account, use the disable-aws-service-access command.

Troubleshoot

The following information can help you troubleshoot common issues.

"StackSet is not empty" or "StackSet already exists"

If you receive one of these errors while enabling trusted access, do the following to resolve the issue.

To resolve the issue
  1. Choose Turn off trusted access.

  2. Wait until you see a banner at the top of the screen indicating that the operation was successful.

  3. Choose Turn on trusted access.

"Error fetching resources"

If you receive this error while attempting to access resources from another account in the organization, it usually indicates that your account doesn't have all of the required permissions.

  • Verify that you have permission to call the AssumeRole and SetSourceIdentity API actions. For example, the following policy grants permission to call these actions.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole",
                    "sts:SetSourceIdentity"
                ],
                "Resource": "*"
            }
        ]
    }
  • Verify that you have permission to call AWS CloudFormation API actions. For example, the AWSCloudFormationFullAccess and AWSCloudFormationReadOnlyAccess policies grant permissions to call these actions.

  • Verify that you have permission to call AWS Organizations API actions. For example, the AWSOrganizationsFullAccess and AWSOrganizationsReadOnlyAccess policies grant permissions to call these actions.
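A quick way to check the first item before opening a support case is to evaluate the caller's identity policy against the two STS actions the error depends on. The following checker is an added example, not AWS code; it embeds the policy from the list above as constructed sample input and assumes a plain identity policy (NotAction, conditions and resource ARNs are not modelled).

```python
import fnmatch
import json

# Constructed sample: the policy document shown in the troubleshooting list above.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
                   "Resource": "*"}],
})

# The two STS actions the "Error fetching resources" check asks you to verify.
REQUIRED_ACTIONS = ["sts:AssumeRole", "sts:SetSourceIdentity"]


def _as_list(value):
    """IAM lets Statement/Action be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return the required actions this identity policy does not grant.

    Evaluation follows the IAM rule that matters here: an explicit Deny on an
    action wins over any Allow; otherwise at least one Allow must match.
    Statements using NotAction are skipped (assumption: check those by hand).
    """
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            continue
        patterns = _as_list(stmt.get("Action"))
        for action in required:
            if any(_matches(p, action) for p in patterns):
                (denied if stmt.get("Effect") == "Deny" else allowed).add(action)
    return [a for a in required if a not in allowed or a in denied]


if __name__ == "__main__":
    gaps = missing_actions(SAMPLE_POLICY)
    print("missing actions:", gaps or "none")
```

The sample policy grants both actions on every resource; where your organization's standards require it, narrow Resource to the cross-account roles that Reachability Analyzer deploys rather than leaving it as "*".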

"Organizational unit not found in StackSet"

If you receive this error while disabling trusted access, do the following to resolve the issue.

To resolve the issue
  1. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. In the navigation pane, choose StackSets.

  3. Select ReachabilityAnalyzerCrossAccountResourceAccessStackSet and then choose Actions, Delete StackSet.

  4. Return to the Reachability Analyzer settings page and refresh the page.

  5. Choose Turn off trusted access.