Amazon VPC Reachability Analyzer and AWS Organizations
Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs).
Using AWS Organizations with Reachability Analyzer allows you to trace paths across accounts in your organizations.
For more information, see Manage delegated administrator accounts in Reachability Analyzer in the Reachability Analyzer user guide.
Use the following information to help you integrate Reachability Analyzer with AWS Organizations.
Service-linked roles created when you enable integration
The following service-linked role is automatically created in your organization's management account when you enable trusted access. This role allows Reachability Analyzer to perform supported operations within your organization's accounts in your organization.
You can delete or modify this role only if you disable trusted access between Reachability Analyzer and Organizations, or if you remove the member account from the organization.
-
AWSServiceRoleForReachabilityAnalyzer
For more information, see Cross-account analyses for Reachability Analyzer in the Reachability Analyzer user guide.
Service principals used by the service-linked roles
The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Reachability Analyzer grant access to the following service principals:
-
reachabilityanalyzer.networkinsights.amazonaws.com
To enable trusted access with Reachability Analyzer
For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.
When you designate a delegated administrator for Reachability Analyzer it automatically enables trusted access for Reachability Analyzer for your organization.
Reachability Analyzer requires trusted access to AWS Organizations before you can designate a member account to be the delegated administrator for this service for your organization.
Important
-
You can enable trusted access using either the Reachability Analyzer console or the Organizations console. However, we strongly recommend that you use the Reachability Analyzer console or the
EnableMultiAccountAnalysisForAwsOrganization
API to enable integration with Organizations. This lets Reachability Analyzer perform any configuration that it requires, such as creating resources needed by the service. -
Granting trusted access creates the service-linked role
AWSServiceRoleForReachabilityAnalyzer
in the management account and in all of the member accounts in the organization. Reachability Analyzer uses the service-linked role to allow management, and the delegated administrator to run connectivity analyses between any resources in the organization. Reachability Analyzer is able to take snapshots of the networking elements of the accounts in an organization in order to answer connectivity queries. For more information, and for instructions on enabling trusted access through Reachability Analyzer, see Cross-account analyses for Reachability Analyzer in the Reachability Analyzer user guide.
You can enable trusted access by using either the AWS Organizations console, by running a AWS CLI command, or by calling an API operation in one of the AWS SDKs.
To disable trusted access with Reachability Analyzer
For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.
You can disable trusted access using either the Reachability Analyzer console (recommended), or the Organizations console. To disable trusted access using the Reachability Analyzer console, see Cross-account analyses for Reachability Analyzer in the Reachability Analyzer user guide.
Enabling a delegated administrator account for Reachability Analyzer
The delegated administrator account is able to run connectivity analyses across any of the resources in the organization. For more information, see Integrate Reachability Analyzer with AWS Organizations in the Reachability Analyzer user guide.
Only an administrator in the organization management account can configure a delegated administrator for Reachability Analyzer.
You can specify a delegated administrator account from the Reachability Analyzer console, or by using
the RegisterDelegatedAdministrator
API. For more information, see
RegisterDelegatedAdministrator in the Organizations
Command Reference.
Minimum permissions
Only a user or role in the Organizations management account can configure a member account as a delegated administrator for Reachability Analyzer in the organization
To configure a delegated administrator using the Reachability Analyzer console, see Integrate Reachability Analyzer with AWS Organizations in the Reachability Analyzer user guide.
Disabling a delegated administrator for Reachability Analyzer
Only an administrator in the organization management account can configure a delegated administrator for Reachability Analyzer.
You can remove the delegated administrator using either the Reachability Analyzer console or API, or
by using the Organizations DeregisterDelegatedAdministrator
CLI or SDK
operation.
To disable the delegated admin Reachability Analyzer account using the Reachability Analyzer console, see Cross-account analyses for Reachability Analyzer in the Reachability Analyzer user guide.