Given:<\/p>\n\n\n\n
33333333333<\/code>)<\/li>\n\n\n\n- This account is part of AWS Organization\u00a0
o-eeeeeeeee<\/code>\u00a0(Management account:\u00a066666666666666666<\/code>)<\/li>\n\n\n\n- Your account\u00a0is not the management account<\/strong>\u00a0(but a member account)<\/li>\n\n\n\n
- You want to deploy Workload Discovery on AWS for visualizing\/cloud mapping<\/li>\n<\/ul>\n\n\n\n
This guide covers best practices for organizational (Org-level) deployments<\/strong>, ensuring correct visibility and permissions.<\/p>\n\n\n\nGiven your specific AWS Organizations setup (Organization ID: o-5jsrv4oeem, Management account: 66666666666666666, Target account: 33333333333), here’s a detailed guide to install Workload Discovery:<\/p>\n\n\n\n
1. Verify Prerequisites<\/h2>\n\n\n\n\n- Confirm you have Administrator access to account 33333333333<\/li>\n\n\n\n
- Check if AWS Config is properly set up in your target region (ap-northeast-1)<\/li>\n\n\n\n
- Verify if the AWSServiceRoleForAmazonOpenSearchService role exists:\n
\n- Go to IAM console<\/li>\n\n\n\n
- Search for “AWSServiceRoleForAmazonOpenSearchService”<\/li>\n\n\n\n
- Note whether it exists for the CreateOpensearchServiceRole parameter later<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
2. Prepare AWS Organizations Setup<\/h2>\n\n\n\n\n- Log into the AWS Organizations management account (66666666666666666)<\/li>\n\n\n\n
- Enable trusted access for AWS Config in your organization:\n
\n- Go to AWS Organizations console<\/li>\n\n\n\n
- Select “Services” from the left navigation<\/li>\n\n\n\n
- Find “AWS Config” and enable trusted access<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Designate your target account (33333333333) as a delegated administrator:\n
\n- In the AWS Organizations console, go to “AWS accounts”<\/li>\n\n\n\n
- Select your target account<\/li>\n\n\n\n
- Choose “Delegated administrator” and register it for AWS Config<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
3. Configure AWS Config<\/h2>\n\n\n\n\n- In the target account (33333333333), navigate to the AWS Config console<\/li>\n\n\n\n
- Ensure “Record all resources supported in this Region” is selected<\/li>\n\n\n\n
- Make sure “Include global resources” is checked<\/li>\n\n\n\n
- Complete the AWS Config setup if not already done<\/li>\n<\/ul>\n\n\n\n
4. Launch the CloudFormation Stack<\/h2>\n\n\n\n\n- Sign in to the AWS CloudFormation console in the ap-northeast-1 region<\/li>\n\n\n\n
- Click “Create stack” > “With new resources”<\/li>\n\n\n\n
- For template source, use the AWS Solutions S3 URL for Workload Discovery<\/li>\n\n\n\n
- Set the following key parameters:\n
\n- CrossAccountDiscovery: AWS_ORGANIZATIONS<\/li>\n\n\n\n
- AccountType: DELEGATED_ADMIN<\/li>\n\n\n\n
- OrganizationUnitId: (Leave blank to discover all accounts or specify an OU ID to limit discovery)<\/li>\n\n\n\n
- ConfigAggregatorName: (Optional, specify if you have an existing aggregator)<\/li>\n\n\n\n
- CreateOpensearchServiceRole: “No” if the role exists, “Yes” if it doesn’t<\/li>\n\n\n\n
- AdminEmail: Your email address for admin notifications<\/li>\n\n\n\n
- VpcCIDR: Default or specify your preferred CIDR block<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
5. Review and Create the Stack<\/h2>\n\n\n\n\n- Review all parameters and adjust as needed for your environment<\/li>\n\n\n\n
- Acknowledge that the template will create IAM resources<\/li>\n\n\n\n
- Click “Create stack” and wait for deployment (approximately 30 minutes)<\/li>\n\n\n\n
- If you encounter the ElasticIP0 error again, request an Elastic IP quota increase as discussed earlier<\/li>\n<\/ul>\n\n\n\n
6. Post-Deployment Configuration<\/h2>\n\n\n\n\n- Once the stack is created, navigate to the “Outputs” tab of the CloudFormation stack<\/li>\n\n\n\n
- Note the “WebUiUrl” for accessing the Workload Discovery console<\/li>\n\n\n\n
- Access the URL and complete the initial setup:\n
\n- Set up your admin password<\/li>\n\n\n\n
- Configure discovery settings<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
7. Verify Resource Discovery<\/h2>\n\n\n\n\n- In the Workload Discovery console, check that resources from your organization are being discovered<\/li>\n\n\n\n
- Resources should appear within 15-30 minutes of deployment<\/li>\n\n\n\n
- Verify that cross-account discovery is working properly<\/li>\n<\/ul>\n\n\n\n
8. Enable Additional Features (Optional)<\/h2>\n\n\n\n\n- Configure cost data collection if desired<\/li>\n\n\n\n
- Set up any additional integrations you may need<\/li>\n<\/ul>\n\n\n\n
This setup will allow Workload Discovery to automatically discover resources across your entire AWS Organization, providing you with comprehensive visibility into your multi-account, multi-region AWS environment.<\/p>\n\n\n\n
Sources<\/p>\n\n\n\n
Choosing the deployment account – Workload Discovery on AWS <\/a><\/p>\n\n\n\nAWS Organizations account discovery mode – Workload Discovery on AWS <\/a><\/p>\n\n\n\n