Cross-account analyses for Reachability Analyzer
Reachability Analyzer analyzes the network path between a source and a destination. To analyze paths whose source and destination are in different AWS accounts, enable trusted access for Reachability Analyzer in your organization from AWS Organizations. You can also register member accounts as delegated administrator accounts. A user in the management account or in a delegated administrator account can then define a path and run an analysis whose source resource and destination resource are each in any account in the organization.
There is no additional charge to run cross-account analyses.
Considerations
- Before accounts in the organization can use this feature in an opt-in Region, the management account must enable the opt-in Region. For more information, see Enabling a Region in the AWS General Reference.
Tasks
Enable trusted access
When you enable trusted access, Reachability Analyzer deploys the AWSServiceRoleForReachabilityAnalyzer service-linked role and the required cross-account access roles to every account in your organization. The cross-account roles are deployed through AWS CloudFormation StackSets, which is why StackSets service-linked roles also appear in the management and member accounts (see IAM role deployments).
To enable trusted access using the console
1. Sign in to the management account.
2. Open the Network Manager console at https://console.aws.amazon.com/networkmanager/home.
3. From the navigation pane, choose Reachability Analyzer, Settings.
4. For Trusted Access, choose Turn on trusted access.
5. Do not close or navigate away from this page until you see a success notification indicating that trusted access is turned on. This can take several minutes.
To enable trusted access using the AWS CLI
From the management account, use the aws ec2 enable-reachability-analyzer-organization-sharing command.
IAM role deployments
When you enable trusted access, the following roles are deployed in your organization:
- AWSServiceRoleForReachabilityAnalyzer – The service-linked role for Reachability Analyzer.
- IAMRoleForReachabilityAnalyzerCrossAccountResourceAccess – The role for cross-account resource access for Reachability Analyzer.
- AWSServiceRoleForCloudFormationStackSetsOrgAdmin – The service-linked role for AWS CloudFormation StackSets in the management account.
- AWSServiceRoleForCloudFormationStackSetsOrgMember – The service-linked role for AWS CloudFormation StackSets in the member accounts.
The deployments can take several minutes to complete, depending on the number of member accounts in your organization. You can view the status of the role deployments as follows.
To view IAM role deployments
1. Sign in to the management account.
2. Open the Network Manager console at https://console.aws.amazon.com/networkmanager/home.
3. From the navigation pane, choose Reachability Analyzer, Settings.
4. Check the IAM role deployments status.
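The following script is an added example, not code from the AWS documentation. It performs the CLI equivalent of the two procedures above: it enables trusted access from the management account, confirms that AWS Organizations now lists Reachability Analyzer as an enabled service, and confirms that the service-linked role exists in the management account. It assumes AWS CLI v2 with management-account credentials, and it assumes the Organizations service principal for Reachability Analyzer is reachabilityanalyzer.networkinsights.amazonaws.com (verify this against the Organizations console before relying on it). The JSON-parsing helper works offline; the aws calls run only when the script is invoked with the argument run.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS documentation): enable Reachability Analyzer
# trusted access from the management account and verify the result.
# Assumptions: AWS CLI v2 with management-account credentials. RA_PRINCIPAL is
# assumed to be the Organizations service principal for Reachability Analyzer.
set -eu

RA_PRINCIPAL="reachabilityanalyzer.networkinsights.amazonaws.com"
RA_SLR="AWSServiceRoleForReachabilityAnalyzer"

# Pure check (no AWS calls): does a list-aws-service-access-for-organization
# JSON response name the Reachability Analyzer principal? 0 = yes, 1 = no.
trusted_access_listed() {
  printf '%s' "$1" | grep -Fq "\"$RA_PRINCIPAL\""
}

# Step 1: enable trusted access. Must run with management-account credentials.
enable_trusted_access() {
  aws ec2 enable-reachability-analyzer-organization-sharing >/dev/null
}

# Step 2: confirm Organizations lists the principal as enabled. Role deployment
# to member accounts continues asynchronously after this returns, so check the
# IAM role deployments status in the console before running a cross-account
# analysis.
verify_trusted_access() {
  listing=$(aws organizations list-aws-service-access-for-organization --output json)
  if trusted_access_listed "$listing"; then
    echo "trusted access is enabled for $RA_PRINCIPAL"
  else
    echo "trusted access is NOT enabled for $RA_PRINCIPAL" >&2
    return 1
  fi
}

# Step 3: confirm the service-linked role exists in the management account.
verify_slr() {
  aws iam get-role --role-name "$RA_SLR" --query 'Role.Arn' --output text
}

# Only touch AWS when explicitly asked: ./enable-ra-trusted-access.sh run
if [ "${1:-}" = "run" ]; then
  enable_trusted_access
  verify_trusted_access
  verify_slr
fi
```

Run it once from the management account; enabling trusted access is idempotent, so re-running after a partial deployment is safe. The script deliberately does not attempt to list roles in member accounts, since that would require assuming a role in each account; the console status on the Settings page is the supported way to watch the StackSets deployment.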
Manage delegated administrator accounts
You can register up to 5 delegated administrator accounts. If you deregister a delegated administrator account, users in that account can no longer run a new cross-account analysis, but they can still see the previously run analyses.
To manage delegated administrators
1. Sign in to the management account.
2. Open the Network Manager console at https://console.aws.amazon.com/networkmanager/home.
3. From the navigation pane, choose Reachability Analyzer, Settings.
4. To register a member account as a delegated administrator account, choose Register delegated administrator. Select the check box for the account, and then choose Register delegated administrator.
5. To deregister a delegated administrator account, select the check box for the account, and then choose Deregister.
Disable trusted access
After you disable trusted access, users in the management account and in delegated administrator accounts can no longer run a new cross-account analysis. However, they can still see the previously run analyses. Before you can disable trusted access, you must deregister all delegated administrator accounts.
You can enable trusted access again after disabling it. However, the delegated administrator registrations are not restored; you must re-register the delegated administrator accounts.
To disable trusted access using the console
1. Sign in to the management account.
2. Open the Network Manager console at https://console.aws.amazon.com/networkmanager/home.
3. From the navigation pane, choose Reachability Analyzer, Settings.
4. For Trusted Access, choose Turn off trusted access.
5. Do not close or navigate away from this page until you see a success notification indicating that trusted access is turned off. This can take several minutes.
To disable trusted access using the AWS CLI
From the management account, use the aws organizations disable-aws-service-access command with the Reachability Analyzer service principal. The command fails while delegated administrator accounts are still registered for the service.
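The following script is an added example, not code from the AWS documentation. It covers the Manage delegated administrator accounts and Disable trusted access procedures above from the CLI and enforces the two ordering rules the page states: at most 5 delegated administrators can be registered, and trusted access can only be disabled after every delegated administrator has been deregistered. It assumes AWS CLI v2 with management-account credentials and assumes reachabilityanalyzer.networkinsights.amazonaws.com is the Organizations service principal for Reachability Analyzer (verify this in your Organizations console). The parsing and policy-check helpers take a JSON response as input, so they can be exercised offline; the helpers that call aws are only invoked when you call them explicitly.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS documentation): manage Reachability Analyzer
# delegated administrators and disable trusted access in the required order.
# Assumptions: AWS CLI v2 with management-account credentials. RA_PRINCIPAL is
# assumed to be the Organizations service principal for Reachability Analyzer.
set -eu

RA_PRINCIPAL="reachabilityanalyzer.networkinsights.amazonaws.com"
MAX_DELEGATED_ADMINS=5   # limit stated in the documentation

# Pure helper: 12-digit account IDs from a list-delegated-administrators JSON
# response, one per line (empty output when there are none).
delegated_admin_ids() {
  printf '%s' "$1" | grep -o '"Id": *"[0-9]\{12\}"' | grep -o '[0-9]\{12\}' || true
}

# Pure helper: number of delegated administrators in a response.
delegated_admin_count() {
  ids=$(delegated_admin_ids "$1")
  if [ -z "$ids" ]; then echo 0; else printf '%s\n' "$ids" | wc -l | tr -d ' '; fi
}

# Pure policy checks derived from the documented rules.
can_register()              { [ "$(delegated_admin_count "$1")" -lt "$MAX_DELEGATED_ADMINS" ]; }
can_disable_trusted_access() { [ "$(delegated_admin_count "$1")" -eq 0 ]; }

list_delegated_admins_json() {
  aws organizations list-delegated-administrators \
    --service-principal "$RA_PRINCIPAL" --output json
}

# Register a member account, refusing malformed IDs and refusing once the
# limit of 5 is reached (the API would also reject it, but failing early keeps
# the error readable in automation).
register_delegated_admin() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "invalid account id: $1" >&2; return 1 ;;
  esac
  if ! can_register "$(list_delegated_admins_json)"; then
    echo "already at the limit of $MAX_DELEGATED_ADMINS delegated administrators" >&2
    return 1
  fi
  aws organizations register-delegated-administrator \
    --account-id "$1" --service-principal "$RA_PRINCIPAL"
}

deregister_delegated_admin() {
  aws organizations deregister-delegated-administrator \
    --account-id "$1" --service-principal "$RA_PRINCIPAL"
}

# Disable trusted access only after every delegated administrator is gone;
# otherwise print the remaining IDs so the operator can deregister them.
disable_trusted_access() {
  listing=$(list_delegated_admins_json)
  if ! can_disable_trusted_access "$listing"; then
    echo "deregister these delegated administrators first:" >&2
    delegated_admin_ids "$listing" >&2
    return 1
  fi
  aws organizations disable-aws-service-access --service-principal "$RA_PRINCIPAL"
}
```

Source the file and call the functions as needed, for example register_delegated_admin 111122223333 or disable_trusted_access. Keeping the limit and ordering checks as pure functions over the JSON response means the same logic can be reused in a change-control pipeline that only has read access to Organizations.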