Using Amazon S3 Storage Lens with Amazon Organizations - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Using Amazon S3 Storage Lens with Amazon Organizations

Amazon S3 Storage Lens is a cloud-storage analytics feature that you can use to gain organization-wide visibility into object-storage usage and activity. You can use S3 Storage Lens metrics to generate summary insights, such as finding out how much storage you have across your entire organization or which are the fastest-growing buckets and prefixes. You can also use S3 Storage Lens metrics to identify cost-optimization opportunities, implement data-protection and security best practices, and improve the performance of application workloads. For example, you can identify buckets that don't have S3 Lifecycle rules to expire incomplete multipart uploads that are more than 7 days old. You can also identify buckets that aren't following data-protection best practices, such as using S3 Replication or S3 Versioning. S3 Storage Lens also analyzes metrics to deliver contextual recommendations that you can use to optimize storage costs and apply best practices for protecting your data.

You can use Amazon S3 Storage Lens to collect storage metrics and usage data for all Amazon Web Services accounts that are part of your Amazon Organizations hierarchy. To do this, you must be using Amazon Organizations, and you must enable S3 Storage Lens trusted access by using your Amazon Organizations management account.

After enabling trusted access, you can add delegated administrator access to accounts in your organization. These accounts can then create S3 Storage Lens configurations and dashboards that collect organization-wide storage metrics and user data.

For more information about enabling trusted access, see Amazon S3 Storage Lens and Amazon Organizations in the Amazon Organizations User Guide.

Enabling trusted access for S3 Storage Lens

By enabling trusted access, you allow Amazon S3 Storage Lens to have access to your Amazon Organizations hierarchy, membership, and structure through Amazon Organizations API operations. S3 Storage Lens then becomes a trusted service for your entire organization's structure.

Whenever a dashboard configuration is created, S3 Storage Lens creates service-linked roles in your organization's management or delegated administrator accounts. The service-linked role grants S3 Storage Lens permissions to describe organizations, list accounts, verify a list of Amazon Web Service access for the organizations, and get delegated administrators for the organization. S3 Storage Lens can then ensure that it has access to collect the cross-account metrics for the accounts in your organizations. For more information, see Using service-linked roles for Amazon S3 Storage Lens.

After enabling trusted access, you can assign delegated administrator access to accounts in your organization. When an account is marked as a delegated administrator for a service, the account receives authorization to access all read-only organization API operations. This access provides the delegated administrator visibility to the members and structures of your organization so that they too can create S3 Storage Lens dashboards.

Note

Only the management account can enable trusted access for Amazon S3 Storage Lens.

Disabling trusted access for S3 Storage Lens

By disabling trusted access, you limit S3 Storage Lens to working only on an account level. In addition, each account holder can see only the S3 Storage Lens information for the scope of their account, and not their entire organization. Any dashboards that require trusted access are no longer updated, but will retain their historic data for the period that data is available for queries.

Note
  • Disabling trusted access for S3 Storage Lens also automatically stops all organization-level dashboards from collecting and aggregating storage metrics.

  • Your management and delegated administrator accounts will still be able to see the historic data for your existing organization-level dashboards during the period that data is available for queries.

Registering a delegated administrator for S3 Storage Lens

You can create organization-level dashboards by using your organization’s management account or delegated administrator accounts. Delegated administrator accounts allow other accounts besides your management account to create organization-level dashboards. Only the management account of an organization can register and deregister other accounts as delegated administrators for the organization.

To register a delegated administrator by using the Amazon S3 console, see Registering delegated administrators for S3 Storage Lens.

You can also register a delegated administrator by using the Amazon Organizations REST API, Amazon CLI, or SDKs from the management account. For more information, see RegisterDelegatedAdministrator in the Amazon Organizations API Reference.

Note

Before you can designate a delegated administrator by using the Amazon Organizations REST API, Amazon CLI, or SDKs, you must call the EnableAWSOrganizationsAccess operation.

Deregistering a delegated administrator for S3 Storage Lens

You can also deregister a delegated administrator account. Delegated administrator accounts allow other accounts besides your management account to create organization-level dashboards. Only the management account of an organization can deregister accounts as delegated administrators for the organization.

To deregister a delegated administrator by using the S3 console, see Deregistering delegated administrators for S3 Storage Lens.

You can also deregister a delegated administrator by using the Amazon Organizations REST API, Amazon CLI, or SDKs from the management account. For more information, see DeregisterDelegatedAdministrator in the Amazon Organizations API Reference.

Note
  • Deregistering a delegated administrator also automatically stops all organization-level dashboards created by that delegated administrator from aggregating new storage metrics.

  • The deregistered delegated administrator will still be able to see the historic data for the dashboards that they created while data is available for queries.