Well-Architected Tool and Trusted Advisor - Span across multiple accounts (Organization)

0

Hi everyone! I hope find you well!

I have an AWS Organization configured, with a master account (A) and an associated account (B).

I defined a workload at the Well-Architected Tool on master account, and mentioned the associated account IDs to be considered by the Trusted Advisor.

During the workload review, if a question has an automated check by the Trusted Advisor, we are getting this message indicating the associated account as the failing one:

Enter image description here

In order to solve this issue, I have created a new IAM Role on the associated account, indicating the master account as the workload owner, following this documentation: https://docs.aws.amazon.com/wellarchitected/latest/userguide/activate-ta-in-iam.html

However, I still getting this message. What should I do to solve this issue?

Thanks in advance!

2 回答
1
已接受的回答

To solve the issue where the Trusted Advisor automated checks still indicate that setup is needed for an associated account within an AWS Organization, follow these steps:

  1. Verify IAM Role Configuration:

    • Ensure that the IAM role created in the associated account (B) has the correct trust policy that allows the master account (A) to assume it.
    • Check that the role has the necessary permissions as outlined in the AWS Well-Architected Tool documentation, which includes trustedadvisor:Describe* actions and support:* actions.
  2. Check Service Control Policies (SCPs):

    • Within AWS Organizations, Service Control Policies (SCPs) can limit the actions that accounts within the organization can delegate or take. Verify that there are no SCPs blocking the Trusted Advisor checks or the assumption of roles by the master account (A).
  3. Ensure Correct Role ARN Usage:

    • Make sure that when the master account (A) assumes the role in the associated account (B), it uses the correct Amazon Resource Name (ARN) of the IAM role.
  4. Review Trusted Advisor Activation:

    • Revisit the Trusted Advisor activation steps in the associated account (B) to confirm that you have completed all the necessary actions, including:
      • Enabling Trusted Advisor checks for the associated account.
      • Ensuring that Trusted Advisor is activated and the IAM role is being utilized correctly.
  5. Check Account Access:

    • Verify that the account (A) that is trying to perform the Trusted Advisor checks has the necessary permissions to assume roles in the associated account (B).
  6. Review AWS Support Plan:

    • Some Trusted Advisor checks require a Business or Enterprise support plan. Ensure that the associated account (B) is covered by an AWS support plan that includes the necessary Trusted Advisor checks.
  7. Check Region Availability:

    • Trusted Advisor checks might be limited to certain regions. Make sure that the regions you are trying to perform checks in are supported.
  8. Use AWS Support:

    • If after verifying all the above steps, the issue still persists, the best course of action is to contact AWS Support directly. They will be able to access your specific configuration and provide guidance tailored to your AWS Organization setup.
  9. Refresh Trusted Advisor Checks:

    • Once the IAM role is correctly configured and all permissions are in place, you might need to manually refresh the Trusted Advisor checks to reflect the new configuration.

Remember that changes in permissions and role assumptions may take a few minutes to propagate through the AWS system, so after making changes, wait a little while before testing again.

AWS
Drew D
已回答 1 年前
profile picture
专家
已审核 6 个月前
0

Hi Drew!

I checked the corresponding IAM role in the associated account, adding the trustedadvisor:Describe* and support:* actions as mentioned in your answer, and the message is gone.

When checking the corresponding AssumeRole in CloudTrail, I found that the trustedadvisor:DescribeChecks action was requested, but it is not mentioned in the documentation used.

Thanks for your support.

profile picture
已回答 1 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则