Multi-account - AWS Network Manager

Multi-account

With AWS Global Networks for Transit Gateways, you can manage, monitor, and visualize global network resources from multiple AWS accounts associated with a single organization. For more information about multi-account, see Manage multiple accounts in global networks with AWS Organizations.

Important
  • We strongly recommend that you use the global networks console to enable multi-account settings for global networks, because the console automatically creates all of the roles and permissions required for multi-account access. Any alternative approach requires an advanced level of IAM expertise and makes the multi-account setup for your global network considerably more error-prone.

  • Multi-account is not available in the AWS GovCloud (US-West) and the AWS GovCloud (US-East) Regions.

Prerequisites

To enable multi-account, you first set up an account in AWS Organizations. This first account becomes the management account. Using this account, you can then add other accounts as member accounts to your organization. For more information about how multi-account support works, see Creating and managing an organization in the AWS Organizations User Guide.

Enable trusted access

Enabling trusted access is a one-time task that deploys the required service-linked roles (SLRs) and custom Identity and Access Management (IAM) roles to all accounts in your organization. These roles can be assumed by the management account or by delegated administrators for access across multiple accounts. For more information about trusted access, see Trusted access.

To enable multi-account trusted access
  1. Sign in to the global networks console at https://console.aws.amazon.com/networkmanager/home/ using the AWS Organizations management account.

  2. Choose Get started.

  3. In the navigation pane, choose Enable trusted access.

  4. From the Permission level dropdown list in Enable trusted access, choose the permission level for the Network Manager console switch role IAMRoleForAWSNetworkManagerCrossAccountResourceAccess. This role is deployed to every member account and is assumed by the delegated administrator or management account when accessing resources in other accounts through the global networks console. You can choose only one permission level, and it applies to all member accounts; choose Read-only unless the management and delegated administrator accounts actually need to change resources in member accounts. The permission level can be one of the following:

    • Read-only — Assign this permission if the delegated administrator and management accounts only need to review information about resources from other accounts in the global network while using the console switch role, but don't need to make any changes.

    • Admin — Assign this permission if the delegated administrator and management accounts need to be able to modify resources from other accounts in the global network while using the global networks console switch role.

  5. Choose Enable trusted access.

    Depending on your organization size, it might take a few minutes or more to enable trusted access. During this time the State shown in the Trusted access section displays Enabling in progress. When access is enabled, the State changes to Enabled. Additionally, the IAM role deployments status section at the bottom of the page displays the status of the IAM roles being deployed to member accounts of the organization.

  6. After trusted access is enabled, you can register delegated administrators.

Register a delegated administrator

Use the AWS Global Networks for Transit Gateways console to register delegated administrators. You can register up to ten delegated administrators. Delegated administrators can assume the roles that were deployed when trusted access was enabled, giving them access to resources across multiple accounts. For more information about delegated administrators, see Delegated administrators.

To register a delegated administrator
  1. Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/ with the AWS Organizations management account.

  2. Under Connectivity, choose Global Networks.

  3. In the navigation pane, choose Settings.

  4. In the Delegated Administrators section, choose Register delegated administrator.

  5. From the AWS account ID dropdown list, choose one or more AWS Organizations accounts that you want to delegate administrator permissions to.

  6. Choose Register delegated administrator.

  7. When the delegated administrator is registered, you can register transit gateways from any account within your organization to a global network in the delegated administrator account. For more information about registering transit gateways in the global network of a delegated administrator account, see Transit gateway registrations.

Manage IAM role deployments

The IAM role deployments status section displays the current role deployment status for every member account in your organization.

  • Member account ID — The account ID for the account set up in AWS Organizations. This includes member accounts and members that have been registered as delegated administrators.

  • CloudWatch role status — The status of the account's Amazon CloudWatch role. If you enabled multi-account from the Network Manager console and the deployment succeeded, this is StackSets-managed. Otherwise, this is Self-managed.

  • Console role status — The status of the account's Network Manager console role. If you enabled multi-account from the Network Manager console and the deployment succeeded, this is StackSets-managed. Otherwise, this is Self-managed.

  • Review required — This applies only to Self-managed roles. A review is required to ensure that the permissions set up for the account are correct. For more information, see Multi-account access roles for AWS Global Networks for Transit Gateways.
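A Self-managed role is one the console did not deploy, so nothing verifies it for you. The following Python script is an added example, not AWS's code: it audits a member account's copy of IAMRoleForAWSNetworkManagerCrossAccountResourceAccess offline against the two expectations set out in Enable trusted access and in the Review required bullet above, namely that only the management account and registered delegated administrators can assume the role, and that its permissions match the single Read-only or Admin level chosen for the whole organization. The policy documents and account IDs are constructed samples, and classifying an action as read-only by its verb (Describe, Get, List) is this example's own heuristic; the page does not specify the role's policies.

```python
"""Offline audit of a self-managed Network Manager cross-account role.

Added example, not AWS's code. Checks a member account's copy of
IAMRoleForAWSNetworkManagerCrossAccountResourceAccess against two expectations:
  1. only the management account and registered delegated administrators may
     assume it (trust policy);
  2. its permissions match the single Read-only or Admin level chosen for the
     whole organization when trusted access was enabled.
The read-only-by-verb heuristic and all sample documents are assumptions made
for this example.
"""
import re

# Assumption: an action whose verb starts with one of these is read-only.
READ_ONLY_VERBS = ("Describe", "Get", "List")
ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assume_role_principals(trust_policy):
    """Return the account IDs allowed to call sts:AssumeRole on the role.

    Principals given as 'arn:aws:iam::<account>:root' or as a role/user ARN
    are reduced to their account ID; a wildcard principal becomes '*'.
    """
    accounts = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            accounts.add("*")
            continue
        for p in _as_list(principal.get("AWS")):
            match = ACCOUNT_IN_ARN.match(p)
            # Bare 12-digit IDs and unparseable principals are kept as-is so
            # they show up in the findings rather than being silently dropped.
            accounts.add(match.group(1) if match else p)
    return accounts


def permission_level(policy):
    """Classify an identity policy as 'read-only' or 'admin'.

    Heuristic: every Allow action must have a Describe/Get/List verb; any
    other verb, or a wildcard action, makes the whole policy 'admin'.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[-1]
            if verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                return "admin"
    return "read-only"


def audit_role(trust_policy, permission_policy, expected_level,
               management_account, delegated_admins):
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    allowed = {management_account, *delegated_admins}
    principals = assume_role_principals(trust_policy)
    if "*" in principals:
        findings.append("trust policy lets any AWS principal assume the role")
    for account in sorted(principals - allowed - {"*"}):
        findings.append(f"account {account} can assume the role but is neither "
                        f"the management account nor a delegated administrator")
    if not principals & allowed:
        findings.append("neither the management account nor any delegated "
                        "administrator can assume the role")
    actual = permission_level(permission_policy)
    if actual != expected_level:
        findings.append(f"permissions are {actual} but the organization-wide "
                        f"level is {expected_level}")
    return findings


# Constructed sample: 111111111111 is the management account, 222222222222 a
# registered delegated administrator, 333333333333 is neither.
MANAGEMENT_ACCOUNT = "111111111111"
DELEGATED_ADMINS = {"222222222222"}

SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                              "arn:aws:iam::222222222222:root",
                              "arn:aws:iam::333333333333:root"]},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: meant to be Read-only, but a write action crept in.
SAMPLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeTransitGateways", "networkmanager:Get*",
                    "networkmanager:List*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": "ec2:CreateTransitGatewayRoute"},
    ],
}

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_TRUST_POLICY, SAMPLE_PERMISSIONS_POLICY,
                              "read-only", MANAGEMENT_ACCOUNT, DELEGATED_ADMINS):
        print("FINDING:", finding)
```

In practice you would feed the script the role's AssumeRolePolicyDocument and attached policy documents as returned by the IAM API in the member account, together with the account list shown in the Delegated Administrators section of the console. The heuristic is deliberately strict: a single non-read verb or a wildcard action makes the whole policy Admin, so a role in a Read-only organization that trips it deserves a manual look before you clear the Review required flag.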

If you make changes to your role policies, or if you've updated a self-managed role, you can deploy the updated policy to your AWS Organizations accounts.

To retry the IAM role deployment
  1. Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/ with the AWS Organizations management account.

  2. Under Connectivity, choose Global Networks.

  3. In the navigation pane, choose Settings.

  4. In the IAM role deployments status section, choose Retry role deployment.

    Depending on your organization size and the number of member accounts in your organization, this could take several minutes. During this time you won't be able to register or deregister any new delegated administrators.

Deregister a delegated administrator

Deregistering delegated administrators removes that account's permission to manage global networks for your organization. All registered transit gateways from other member accounts are deregistered from the specific delegated administrator's global networks. For more information about how deregistering delegated administrators works, see Deregister delegated administrators.

To deregister a delegated administrator
  1. Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/ with the AWS Organizations management account.

  2. Under Connectivity, choose Global Networks.

  3. In the navigation pane, choose Settings.

  4. In the Delegated Administrators section, choose one or more accounts that you want to deregister.

    Depending on your organization size and the number of delegated administrators you're deregistering, this could take several minutes. During this time you won't be able to register any new delegated administrators.

Disable trusted access

Disabling trusted access removes the trust relationship between Network Manager and your organization. Network Manager is no longer able to perform actions within your organization or to access information about it. Trusted access remains enabled for AWS CloudFormation StackSets in case your organization uses that service outside of Network Manager. For more information about disabling AWS CloudFormation StackSets, see Disabling trusted access with AWS CloudFormation StackSets in the AWS Organizations User Guide.

Transit gateways from other accounts are deregistered from global networks owned by the management account and can no longer provide access to their attached resources. For more information about disabling trusted access, see Disable trusted access.

You must first deregister all delegated administrators before you can disable trusted access. If you have registered delegated administrators, you will be prompted to deregister them during the disable trusted access process.

You can enable trusted access again after disabling it. However, you will need to set up the list of delegated administrators again.

To disable trusted access
  1. Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/ with the AWS Organizations management account.

  2. Under Connectivity, choose Global Networks.

  3. In the navigation pane, choose Settings.

  4. In the Trusted Access section, choose Disable trusted access.

  5. If you have any registered delegated administrators, you can deregister them by choosing Deregister delegated administrators.

  6. Choose Disable trusted access on the confirmation dialog box to confirm that you want to disable trusted access.

    Depending on the size of your organization, it might take several minutes or longer to disable trusted access. During this time the State displays Disabling in progress and you won't be able to re-enable trusted access. When finished, the State changes to Disabled.