Well-Architected Tool and Trusted Advisor - Span across multiple accounts (Organization)

To solve the issue where the Trusted Advisor automated checks still indicate that setup is needed for an associated account within an AWS Organization, follow these steps:

1. Verify IAM Role Configuration:

   • Ensure that the IAM role created in the associated account (B) has the correct trust policy that allows the master account (A) to assume it.
   • Check that the role has the necessary permissions as outlined in the AWS Well-Architected Tool documentation, which includes trustedadvisor:Describe* actions and support:* actions.

2. Check Service Control Policies (SCPs):

   • Within AWS Organizations, Service Control Policies (SCPs) can limit the actions that accounts within the organization can delegate or take. Verify that there are no SCPs blocking the Trusted Advisor checks or the assumption of roles by the master account (A).

3. Ensure Correct Role ARN Usage:

   • Make sure that when the master account (A) assumes the role in the associated account (B), it uses the correct Amazon Resource Name (ARN) of the IAM role.

4. Review Trusted Advisor Activation:

   • Revisit the Trusted Advisor activation steps in the associated account (B) to confirm that you have completed all the necessary actions, including:
     • Enabling Trusted Advisor checks for the associated account.
     • Ensuring that Trusted Advisor is activated and the IAM role is being utilized correctly.

5. Check Account Access:

   • Verify that the account (A) that is trying to perform the Trusted Advisor checks has the necessary permissions to assume roles in the associated account (B).

6. Review AWS Support Plan:

   • Some Trusted Advisor checks require a Business or Enterprise support plan. Ensure that the associated account (B) is covered by an AWS support plan that includes the necessary Trusted Advisor checks.

7. Check Region Availability:

   • Trusted Advisor checks might be limited to certain regions. Make sure that the regions you are trying to perform checks in are supported.

8. Use AWS Support:

   • If after verifying all the above steps, the issue still persists, the best course of action is to contact AWS Support directly. They will be able to access your specific configuration and provide guidance tailored to your AWS Organization setup.

9. Refresh Trusted Advisor Checks:

   • Once the IAM role is correctly configured and all permissions are in place, you might need to manually refresh the Trusted Advisor checks to reflect the new configuration.

Remember that changes in permissions and role assumptions may take a few minutes to propagate through the AWS system, so after making changes, wait a little while before testing again.