
Why can't I see my member accounts managed nodes?


I have recently added my Account 6 as the Delegated Administrator for Systems Manager in my organization. I have also finished setting up the unified console experience for Systems Manager on Account 6. However, the "Review node insights" and "Explore nodes" menus show "You don't have any managed nodes in your organization." I have confirmed that my EC2 instances on Accounts 1-5 are managed instances and are shown in the respective account's Systems Manager Fleet Manager.

I was expecting to see my managed nodes in the Delegated Administrator account so I don't have to constantly switch between accounts. Can anyone here help?

I have followed the instructions on these articles:

  • Hi @falsesec Can you verify that you used your AWS Organizations management account to elect a delegated administrator (DA) account, then switched to that DA account, selected which regions you want to onboard, and completed the onboarding?

    If so, can you go to the "Diagnose and remediate" left nav page, then check if that page is showing you any deployment issues that might have impacted onboarding?

asked a year ago, 390 views
1 Answer
Accepted Answer

The issue you're experiencing is related to how AWS accounts and resources are structured and accessed. Even though you've set up a Delegated Administrator account for Systems Manager in your organization, this doesn't automatically allow you to view EC2 instances or managed nodes from other member accounts in that central location.

Each AWS account is designed as a high administrative boundary, and by default, resources like EC2 instances are only visible within the account where they were created. This is intentional for security and isolation purposes.

To view managed nodes from other accounts in your organization, you'll need to take additional steps:

  1. Ensure you're in the correct AWS region in the console where the instances are located.

  2. To access resources in member accounts, you'll need to assume a role in those accounts from your Delegated Administrator account. This involves setting up cross-account access.

  3. For Systems Manager specifically, you may need to configure resource data sync to aggregate inventory data from multiple accounts and regions into a central account.

  4. Verify that the necessary permissions are in place, both in the member accounts and in the Delegated Administrator account, to allow cross-account access and visibility.

  5. Check that the SSM Agent is properly installed and configured on all the EC2 instances you want to manage.

  6. Ensure that the required VPC endpoints for Systems Manager are set up if you're using private subnets.

Remember, the Delegated Administrator setup doesn't automatically provide a consolidated view of all managed nodes across accounts. It's primarily for centralized management of Systems Manager settings and configurations. To achieve the consolidated view you're looking for, you'll need to implement additional cross-account access and data aggregation strategies.
Sources
How can all accounts under an organization see EC2 instances created by other accounts? | AWS re:Post
Working with managed nodes - AWS Systems Manager
Can't access EC2 instance in same organization | AWS re:Post
EC2 machines are not showing in Fleet manager | AWS re:Post

answered a year ago
EXPERT
reviewed a year ago
EXPERT
reviewed a year ago
  • How would I be able to set up cross-account access? I followed the instructions here https://docs.aws.amazon.com/systems-manager/latest/userguide/running-automations-multiple-accounts-regions.html and created the AWS-SystemsManager-AutomationAdministrationRole role on Account 6 and the AWS-SystemsManager-AutomationExecutionRole role on Accounts 1-5.

    I'm still not getting any results on the Explore nodes menu on Account 6. I also tried running the AWSSupport-TroubleshootManagedInstance automation and received the error "The provided role: arn:aws:iam::Account1:role/AWS-SystemsManager-AutomationExecutionRole can't be assumed. (Service: null; Status Code: 0; Error Code: null; Request ID: null; Proxy: null)".

    I am using IAM Identity Center to manage access and permissions. I already attached an inline policy to the Permissions Set attached to my user's group:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole"
                ],
                "Resource": [
                    "arn:aws:iam::Account6:role/AWS-SystemsManager-AutomationAdministrationRole"
                ]
            }
        ]
    }
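The "can't be assumed" error in the comment above and the answer's steps 2 and 4 (cross-account role assumption and the permissions on both sides) come down to two policy documents: the trust policy on the execution role in each member account, and the identity policy of the console user in the delegated administrator account. The following is an added example, not code from the thread or from AWS: a small offline evaluator that checks, in a simplified IAM model (string and wildcard matching, explicit Deny wins, Condition elements ignored), whether a given caller ARN is trusted by a role and whether a user policy grants iam:PassRole on the administration role. The account IDs, both trust policies and the role ARNs are constructed placeholders standing in for "Account 6" and "Account 1"; the permission-set policy is the one from the comment with a placeholder account ID.

```python
import re

# Constructed placeholder account IDs standing in for "Account 6" (delegated
# administrator) and "Account 1" (a member account) in the thread.
ADMIN_ACCOUNT = "111111111111"
MEMBER_ACCOUNT = "222222222222"
ADMIN_ROLE = f"arn:aws:iam::{ADMIN_ACCOUNT}:role/AWS-SystemsManager-AutomationAdministrationRole"
EXEC_ROLE = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/AWS-SystemsManager-AutomationExecutionRole"

# Constructed trust policy on the member-account execution role that only trusts
# the member account's own root: the administration role in the other account
# is not a principal here, so sts:AssumeRole from it is refused.
BROKEN_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{MEMBER_ACCOUNT}:root"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed trust policy that names the administration role as the principal.
FIXED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": ADMIN_ROLE},
                   "Action": "sts:AssumeRole"}],
}

# The permission-set inline policy from the comment, with the placeholder account.
PERMISSION_SET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Statement1", "Effect": "Allow",
                   "Action": ["iam:PassRole"], "Resource": [ADMIN_ROLE]}],
}


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(actions, wanted):
    """Case-insensitive IAM action match with '*' wildcards (e.g. 'sts:*')."""
    for action in _as_list(actions):
        pattern = "^" + re.escape(action).replace(r"\*", ".*") + "$"
        if re.match(pattern, wanted, re.IGNORECASE):
            return True
    return False


def _principal_matches(principal, caller_arn):
    """True if the statement's Principal covers caller_arn: exact role ARN, '*',
    or the root ARN of the caller's account (which covers every IAM identity in
    that account, subject to that identity's own policies)."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    caller_account = caller_arn.split(":")[4]
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", caller_arn):
            return True
        root = re.match(r"^arn:aws:iam::(\d{12}):root$", entry)
        if root and root.group(1) == caller_account:
            return True
    return False


def can_assume(trust_policy, caller_arn):
    """Does the role's trust policy let caller_arn call sts:AssumeRole?
    Explicit Deny wins; Condition elements are ignored in this simplified model."""
    allowed = False
    for stmt in _as_list(trust_policy["Statement"]):
        if not _action_matches(stmt.get("Action", []), "sts:AssumeRole"):
            continue
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_pass_role(identity_policy, role_arn):
    """Does an identity policy grant iam:PassRole on role_arn? (Deny wins, no Conditions.)"""
    allowed = False
    for stmt in _as_list(identity_policy["Statement"]):
        if not _action_matches(stmt.get("Action", []), "iam:PassRole"):
            continue
        if not any(r in ("*", role_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def diagnose(exec_role_trust, user_policy):
    """List the problems in the admin-role -> member execution-role chain."""
    findings = []
    if not can_pass_role(user_policy, ADMIN_ROLE):
        findings.append(f"console user cannot iam:PassRole {ADMIN_ROLE}")
    if not can_assume(exec_role_trust, ADMIN_ROLE):
        findings.append(f"{EXEC_ROLE} does not trust {ADMIN_ROLE}; sts:AssumeRole will fail")
    return findings


if __name__ == "__main__":
    for label, trust in (("broken", BROKEN_TRUST), ("fixed", FIXED_TRUST)):
        print(label, diagnose(trust, PERMISSION_SET_POLICY) or ["ok"])
```

Running it reports the trust-policy gap for the constructed "broken" role and nothing for the "fixed" one, while the PassRole check passes in both cases. That split mirrors the symptom in the comment: the permission set's PassRole grant on the administration role is necessary but only covers the first hop; the second hop is decided by the execution role's trust policy in each member account, and the real check for that is the role's trust relationship in the member account (or an sts:AssumeRole attempt from the administration role), which this offline model only approximates.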
    

