AWS: Step-by-Step Guide to Install Workload Discovery on AWS

Given:

  • You have Administrator access to your AWS account (33333333333)
  • This account is part of AWS Organization o-eeeeeeeee (Management account: 66666666666666666)
  • Your account is not the management account (but a member account)
  • You want to deploy Workload Discovery on AWS for visualizing/cloud mapping

This guide covers best practices for organizational (Org-level) deployments, ensuring correct visibility and permissions.

Given your specific AWS Organizations setup (Organization ID: o-5jsrv4oeem, Management account: 66666666666666666, Target account: 33333333333), here’s a detailed guide to install Workload Discovery:

1. Verify Prerequisites

  • Confirm you have Administrator access to account 33333333333
  • Check if AWS Config is properly set up in your target region (ap-northeast-1)
  • Verify if the AWSServiceRoleForAmazonOpenSearchService role exists:
    • Go to IAM console
    • Search for “AWSServiceRoleForAmazonOpenSearchService”
    • Note whether it exists for the CreateOpensearchServiceRole parameter later

2. Prepare AWS Organizations Setup

  • Log into the AWS Organizations management account (66666666666666666)
  • Enable trusted access for AWS Config in your organization:
    • Go to AWS Organizations console
    • Select “Services” from the left navigation
    • Find “AWS Config” and enable trusted access
  • Designate your target account (33333333333) as a delegated administrator:
    • In the AWS Organizations console, go to “AWS accounts”
    • Select your target account
    • Choose “Delegated administrator” and register it for AWS Config

3. Configure AWS Config

  • In the target account (33333333333), navigate to the AWS Config console
  • Ensure “Record all resources supported in this Region” is selected
  • Make sure “Include global resources” is checked
  • Complete the AWS Config setup if not already done

4. Launch the CloudFormation Stack

  • Sign in to the AWS CloudFormation console in the ap-northeast-1 region
  • Click “Create stack” > “With new resources”
  • For template source, use the AWS Solutions S3 URL for Workload Discovery
  • Set the following key parameters:
    • CrossAccountDiscovery: AWS_ORGANIZATIONS
    • AccountType: DELEGATED_ADMIN
    • OrganizationUnitId: (Leave blank to discover all accounts or specify an OU ID to limit discovery)
    • ConfigAggregatorName: (Optional, specify if you have an existing aggregator)
    • CreateOpensearchServiceRole: “No” if the role exists, “Yes” if it doesn’t
    • AdminEmail: Your email address for admin notifications
    • VpcCIDR: Default or specify your preferred CIDR block

5. Review and Create the Stack

  • Review all parameters and adjust as needed for your environment
  • Acknowledge that the template will create IAM resources
  • Click “Create stack” and wait for deployment (approximately 30 minutes)
  • If stack creation fails with the ElasticIP0 error, request an Elastic IP quota increase

6. Post-Deployment Configuration

  • Once the stack is created, navigate to the “Outputs” tab of the CloudFormation stack
  • Note the “WebUiUrl” for accessing the Workload Discovery console
  • Access the URL and complete the initial setup:
    • Set up your admin password
    • Configure discovery settings

7. Verify Resource Discovery

  • In the Workload Discovery console, check that resources from your organization are being discovered
  • Resources should appear within 15-30 minutes of deployment
  • Verify that cross-account discovery is working properly

8. Enable Additional Features (Optional)

  • Configure cost data collection if desired
  • Set up any additional integrations you may need

This setup will allow Workload Discovery to automatically discover resources across your entire AWS Organization, providing you with comprehensive visibility into your multi-account, multi-region AWS environment.
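The prerequisite checks in steps 1 to 3 can be scripted before the stack is launched. The following is an added example, not part of the original guide or of the Workload Discovery solution: it evaluates the JSON that three AWS CLI commands return and derives the step 4 parameters. The function name `preflight`, the sample responses and the use of `config.amazonaws.com` as the service principal to check are assumptions made for this example.

```python
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"  # AWS Config service principal (assumed check)

def preflight(account_id, service_access, delegated_admins, recorders, role_exists):
    """Check steps 1-3 and return (problems, stack parameters for step 4)."""
    problems = []
    enabled = {s["ServicePrincipal"]
               for s in service_access.get("EnabledServicePrincipals", [])}
    if CONFIG_PRINCIPAL not in enabled:
        problems.append("trusted access for AWS Config is not enabled")
    admins = {a["Id"] for a in delegated_admins.get("DelegatedAdministrators", [])}
    if account_id not in admins:
        problems.append(f"{account_id} is not a delegated administrator for AWS Config")
    groups = [r.get("recordingGroup", {})
              for r in recorders.get("ConfigurationRecorders", [])]
    if not groups:
        problems.append("no AWS Config recorder exists in this region")
    if groups and not all(g.get("allSupported") for g in groups):
        problems.append("recorder does not record all supported resources")
    if groups and not all(g.get("includeGlobalResourceTypes") for g in groups):
        problems.append("recorder does not include global resources")
    params = {
        "CrossAccountDiscovery": "AWS_ORGANIZATIONS",
        "AccountType": "DELEGATED_ADMIN",
        # role_exists: whether `aws iam get-role --role-name
        # AWSServiceRoleForAmazonOpenSearchService` succeeded (step 1)
        "CreateOpensearchServiceRole": "No" if role_exists else "Yes",
    }
    return problems, params

# Constructed sample responses, shaped like the JSON printed by:
#   aws organizations list-aws-service-access-for-organization
#   aws organizations list-delegated-administrators --service-principal config.amazonaws.com
#   aws configservice describe-configuration-recorders --region ap-northeast-1
SAMPLE_ACCESS = json.loads(
    '{"EnabledServicePrincipals": [{"ServicePrincipal": "config.amazonaws.com"}]}')
SAMPLE_ADMINS = json.loads('{"DelegatedAdministrators": [{"Id": "33333333333"}]}')
SAMPLE_RECORDERS = json.loads(
    '{"ConfigurationRecorders": [{"name": "default", "recordingGroup":'
    ' {"allSupported": true, "includeGlobalResourceTypes": true}}]}')

if __name__ == "__main__":
    problems, params = preflight("33333333333", SAMPLE_ACCESS, SAMPLE_ADMINS,
                                 SAMPLE_RECORDERS, role_exists=True)
    for p in problems:
        print("FAIL:", p)
    print(json.dumps(params, indent=2))
```

An empty problem list means the organization-level prerequisites are in place; any entry should be resolved before creating the stack, since a member account that is not a delegated administrator cannot aggregate AWS Config data across the organization.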

Sources

Choosing the deployment account – Workload Discovery on AWS 

AWS Organizations account discovery mode – Workload Discovery on AWS 

Prerequisites – Workload Discovery on AWS 

I’ll help you check if trusted access for AWS Config is enabled and if your account is registered as a delegated administrator, all from your target account (33333333333). Let me provide you with the steps.
