Working with Amazon Organizations to create organization-level dashboards - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with Amazon Organizations to create organization-level dashboards

S3 Storage Lens aggregates your metrics and displays the information in the Account snapshot section on the Amazon S3 console Buckets page. S3 Storage Lens also provides an interactive dashboard that you can use to visualize insights and trends, flag outliers, and receive recommendations for optimizing storage costs and applying data-protection best practices. Your dashboard has drill-down options to generate and visualize insights at the organization, account, Amazon Web Services Region, storage class, bucket, prefix, or Storage Lens group level. You can also send a daily metrics export in CSV or Parquet format to an S3 bucket.

The Amazon S3 Storage Lens default dashboard is default-account-dashboard. This dashboard is preconfigured by Amazon S3 to help you visualize summarized insights and trends for your entire account's aggregated free and advanced metrics on the console. You can't modify the default dashboard's configuration scope, but you can upgrade the metrics selection from the free metrics to the paid advanced metrics and recommendations, configure the optional metrics export, or even disable the default dashboard. The default dashboard cannot be deleted.

You can also create additional S3 Storage Lens dashboards that are focused on specific Amazon Web Services Regions, S3 buckets, or other Amazon Web Services accounts in your organization.

An S3 Storage Lens dashboard provides a rich resource of information about its storage scope. A dashboard visualizes more than 30 metrics that represent trends and information, including storage summary, cost efficiency, data protection, and activity.

Amazon S3 Storage Lens can be used to collect storage metrics and usage data for all accounts that are part of your Amazon Organizations hierarchy. To do this, you must be using Amazon Organizations, and you must enable S3 Storage Lens trusted access by using your Amazon Organizations management account. 

When trusted access is enabled, you can grant delegated administrator access to accounts in your organization. These accounts can then create organization-wide dashboards and configurations for S3 Storage Lens. For more information about enabling trusted access, see Amazon S3 Lens and Amazon Organizations in the Amazon Organizations User Guide.

The following console controls are available only to the Amazon Organizations management account.

Enabling trusted access for S3 Storage Lens in your organization

Enabling trusted access allows Amazon S3 Storage Lens to access your Amazon Organizations hierarchy, membership, and structure through Amazon Organizations API operations. S3 Storage Lens becomes a trusted service for your entire organization's structure. It can create service-linked roles in your organization's management or delegated administrator accounts whenever a dashboard configuration is created.

The service-linked role grants S3 Storage Lens permissions to describe organizations, list accounts, verify a list of service access for the organizations, and get delegated administrators for the organization. This allows S3 Storage Lens to collect cross-account storage usage and activity metrics for dashboards within accounts in your organization.

For more information, see Using service-linked roles for Amazon S3 Storage Lens.

Note
  • Trusted access can be enabled only by the management account.

  • Only the management account and delegated administrators can create S3 Storage Lens dashboards or configurations for your organization.

To enable S3 Storage Lens to have trusted access
  1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.

  2. In the left navigation pane, choose Storage Lens, Organization settings.

  3. In Organizations access, choose Edit.

    The Organization access page opens. Here you can Enable trusted access for S3 Storage Lens. This allows you and any other account holders that you add as delegated administrators to create dashboards for all accounts and storage in your organization.

Disabling S3 Storage Lens trusted access in your organization

Disabling trusted access limits S3 Storage Lens to working at the account level only. Each account holder can then see S3 Storage Lens metrics only for their own account, not for the organization. Dashboards that require trusted access are no longer updated, but their historic data can still be queried for as long as that data is available for queries.

Removing an account as a delegated administrator limits the account owner's access to S3 Storage Lens dashboard metrics to the account level. Any organizational dashboards that they created are no longer updated, but they can still query the historic data for as long as it is available for queries.

Note
  • Disabling trusted access also automatically disables all organization-level dashboards because S3 Storage Lens will no longer have trusted access to the organization accounts to collect and aggregate storage metrics.

  • The management and delegated administrator accounts can still see the historic data for these disabled dashboards and can query this data while it is available.

To disable trusted access for S3 Storage Lens
  1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.

  2. In the left navigation pane, choose Storage Lens, Organization settings.

  3. In Organizations access, choose Edit.

    The Organization access page opens. Here you can Disable trusted access for S3 Storage Lens.

Registering delegated administrators for S3 Storage Lens

After enabling trusted access, you can register accounts in your organization as delegated administrators. When an account is registered as a delegated administrator, it is authorized to access all read-only Amazon Organizations API operations. This gives the account visibility into the members and structure of your organization so that it can create S3 Storage Lens dashboards on your behalf.

To register delegated administrators for S3 Storage Lens
  1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.

  2. In the left navigation pane, choose Storage Lens, Organization settings.

  3. In the delegated access section, for Accounts, choose Add account.

    The Delegated admin access page opens. Here you can add an Amazon Web Services account ID as a delegated administrator to create organization-level dashboards for all accounts and storage in your organization.
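Because each delegated administrator gains read-only visibility into the whole organization, it is worth checking the registered accounts against an approved list. The following is an added example, not part of the original documentation: it assumes the service principal `storage-lens.s3.amazonaws.com` and the JSON output of the Amazon CLI commands `aws organizations list-aws-service-access-for-organization` and `aws organizations list-delegated-administrators`; the function name, sample accounts, and approved list are hypothetical.

```python
# Added example: audit S3 Storage Lens trusted access and delegated administrators.
# Assumption (not stated on this page): the Storage Lens service principal.
STORAGE_LENS_PRINCIPAL = "storage-lens.s3.amazonaws.com"


def audit_storage_lens_delegation(service_access, delegated_admins, approved_ids):
    """Compare the organization's Storage Lens delegation state to an allowlist.

    service_access   -- parsed JSON from list-aws-service-access-for-organization
    delegated_admins -- parsed JSON from list-delegated-administrators
                        --service-principal <STORAGE_LENS_PRINCIPAL>
    approved_ids     -- account IDs allowed to be delegated administrators
    """
    trusted = any(
        p.get("ServicePrincipal") == STORAGE_LENS_PRINCIPAL
        for p in service_access.get("EnabledServicePrincipals", [])
    )
    registered = {
        a["Id"]: a.get("Name", "")
        for a in delegated_admins.get("DelegatedAdministrators", [])
    }
    findings = []
    for acct in sorted(set(registered) - set(approved_ids)):
        findings.append(f"unapproved delegated administrator: {acct} ({registered[acct]})")
    for acct in sorted(set(approved_ids) - set(registered)):
        findings.append(f"approved account not registered: {acct}")
    if registered and not trusted:
        # Per this page, organization-level dashboards stop updating in this state.
        findings.append("delegated administrators are registered but trusted access is disabled")
    return {"trusted_access": trusted, "registered": sorted(registered), "findings": findings}


# Constructed sample responses (placeholder account IDs, not real accounts).
SAMPLE_SERVICE_ACCESS = {"EnabledServicePrincipals": [
    {"ServicePrincipal": "storage-lens.s3.amazonaws.com"},
    {"ServicePrincipal": "config.amazonaws.com"},
]}
SAMPLE_DELEGATED_ADMINS = {"DelegatedAdministrators": [
    {"Id": "111122223333", "Name": "storage-analytics", "Status": "ACTIVE"},
    {"Id": "444455556666", "Name": "sandbox-dev", "Status": "ACTIVE"},
]}
APPROVED = {"111122223333"}

if __name__ == "__main__":
    report = audit_storage_lens_delegation(
        SAMPLE_SERVICE_ACCESS, SAMPLE_DELEGATED_ADMINS, APPROVED)
    print("trusted access enabled:", report["trusted_access"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run both CLI commands from the management account, load their output with `json.load`, and pass the results in place of the constructed samples.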

Deregistering delegated administrators for S3 Storage Lens

You can deregister accounts in your organization as delegated administrators. When an account is deregistered as a delegated administrator, the account loses authorization to access all read-only Amazon Organizations API operations that provide visibility to the members and structures of your organization.

Note
  • Deregistering a delegated administrator also automatically disables all organization-level dashboards created by the delegated administrator.

  • The delegated administrator accounts can still see the historic data for these disabled dashboards according to the respective period that data is available for queries.

To deregister accounts for delegated administrator access
  1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.

  2. In the left navigation pane, choose Storage Lens, Organization settings.

  3. In the Accounts with delegated access section, choose the account ID you want to deregister, and then choose Remove.