Enabling trusted access for S3 Storage Lens
By enabling trusted access, you allow Amazon S3 Storage Lens to access your Amazon Organizations hierarchy, membership, and structure through Amazon Organizations API operations. S3 Storage Lens then becomes a trusted service for your entire organization's structure.
Whenever a dashboard configuration is created, S3 Storage Lens creates service-linked roles in your organization's management or delegated administrator accounts. The service-linked role grants S3 Storage Lens permission to perform the following actions:
- Describe organizations
- List accounts
- Verify a list of Amazon Web Services service access for the organizations
- Get delegated administrators for the organizations
S3 Storage Lens can then ensure that it has access to collect the cross-account metrics for the accounts in your organization. For more information, see Using service-linked roles for Amazon S3 Storage Lens.
After enabling trusted access, you can assign delegated administrator access to accounts in your organization. When an account is marked as a delegated administrator for a service, the account receives authorization to access all read-only organization API operations. This access provides the delegated administrator visibility to the members and structures of your organization so that they too can create S3 Storage Lens dashboards.
Note
- Trusted access can only be enabled by the management account.
- Only the management account and delegated administrators can create S3 Storage Lens dashboards or configurations for your organization.
To enable S3 Storage Lens to have Amazon Organizations trusted access
- Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.
- In the left navigation pane, choose Storage Lens.
- Choose Amazon Organizations settings. The Amazon Organizations access for Storage Lens page displays.
- Under Amazon Organizations trusted access, choose Edit. The Amazon Organizations access page displays.
- Choose Enable to enable trusted access for your S3 Storage Lens dashboard.
- Choose Save changes.
The following example shows you how to enable Amazon Organizations trusted access for S3 Storage Lens using the Amazon CLI.
aws organizations enable-aws-service-access --service-principal storage-lens.s3.amazonaws.com.cn
Example – Enable Amazon Organizations trusted access for S3 Storage Lens using SDK for Java
The following example shows you how to enable trusted access for S3 Storage Lens in SDK for Java. To use this example, replace the user input placeholders with your own information.

    import com.amazonaws.AmazonServiceException;
    import com.amazonaws.SdkClientException;
    import com.amazonaws.auth.profile.ProfileCredentialsProvider;
    import com.amazonaws.regions.Regions;
    import com.amazonaws.services.organizations.AWSOrganizations;
    import com.amazonaws.services.organizations.AWSOrganizationsClient;
    import com.amazonaws.services.organizations.model.EnableAWSServiceAccessRequest;

    public class EnableOrganizationsTrustedAccess {
        // Service principal for S3 Storage Lens in the China regions.
        private static final String S3_STORAGE_LENS_SERVICE_PRINCIPAL = "storage-lens.s3.amazonaws.com.cn";

        public static void main(String[] args) {
            try {
                // Build an Organizations client using the default profile credentials.
                // Replace the region placeholder with your own Region.
                AWSOrganizations organizationsClient = AWSOrganizationsClient.builder()
                        .withCredentials(new ProfileCredentialsProvider())
                        .withRegion(Regions.US_EAST_1)
                        .build();

                // Enable trusted access for the S3 Storage Lens service principal.
                organizationsClient.enableAWSServiceAccess(new EnableAWSServiceAccessRequest()
                        .withServicePrincipal(S3_STORAGE_LENS_SERVICE_PRINCIPAL));
            } catch (AmazonServiceException e) {
                // The call was transmitted successfully, but Amazon Organizations couldn't process
                // it and returned an error response.
                e.printStackTrace();
            } catch (SdkClientException e) {
                // Amazon Organizations couldn't be contacted for a response, or the client
                // couldn't parse the response from Amazon Organizations.
                e.printStackTrace();
            }
        }
    }
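Enabling trusted access widens which accounts can read your organization's structure, so a defender usually wants to confirm afterwards which service principals are trusted and which accounts hold delegated-administrator rights for S3 Storage Lens. The following Python script is an added example, not code from the Amazon documentation or the SDK samples. It evaluates responses shaped like those returned by the Organizations API operations ListAWSServiceAccessForOrganization and ListDelegatedAdministrators; the two sample responses embedded below are constructed, and the optional `audit_live` path assumes boto3 is installed and management-account credentials are configured. Only the service principal `storage-lens.s3.amazonaws.com.cn` comes from the page.

```python
"""Audit check: is Amazon Organizations trusted access enabled for S3 Storage Lens,
and which accounts are its delegated administrators?

Added example (not from the Amazon documentation). It works on response pages
shaped like ListAWSServiceAccessForOrganization and ListDelegatedAdministrators.
"""
from datetime import datetime, timezone

# Service principal for S3 Storage Lens in the China regions (taken from the page).
STORAGE_LENS_PRINCIPAL = "storage-lens.s3.amazonaws.com.cn"

# Constructed sample response page for ListAWSServiceAccessForOrganization.
SAMPLE_SERVICE_ACCESS = {
    "EnabledServicePrincipals": [
        {"ServicePrincipal": "cloudtrail.amazonaws.com.cn",
         "DateEnabled": datetime(2023, 1, 5, tzinfo=timezone.utc)},
        {"ServicePrincipal": STORAGE_LENS_PRINCIPAL,
         "DateEnabled": datetime(2023, 6, 1, tzinfo=timezone.utc)},
    ]
}

# Constructed sample response page for ListDelegatedAdministrators, filtered
# by ServicePrincipal. Account IDs are placeholders.
SAMPLE_DELEGATED_ADMINS = {
    "DelegatedAdministrators": [
        {"Id": "111111111111", "Name": "security-tooling", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "sandbox", "Status": "SUSPENDED"},
    ]
}


def enabled_principals(pages):
    """Collect every trusted service principal across paginated response pages."""
    return {p["ServicePrincipal"]
            for page in pages
            for p in page.get("EnabledServicePrincipals", [])}


def is_trusted_access_enabled(pages, principal=STORAGE_LENS_PRINCIPAL):
    """True when the given service principal appears in the trusted list."""
    return principal in enabled_principals(pages)


def active_delegated_admins(pages):
    """Sorted account IDs of delegated administrators whose account status is ACTIVE.
    Suspended or closing accounts are excluded so the report reflects live access."""
    return sorted(a["Id"]
                  for page in pages
                  for a in page.get("DelegatedAdministrators", [])
                  if a.get("Status") == "ACTIVE")


def audit(service_access_pages, delegated_admin_pages, principal=STORAGE_LENS_PRINCIPAL):
    """Summarise the organization's trust posture for one service principal."""
    return {
        "principal": principal,
        "trusted_access_enabled": is_trusted_access_enabled(service_access_pages, principal),
        "active_delegated_admins": active_delegated_admins(delegated_admin_pages),
    }


def audit_live(principal=STORAGE_LENS_PRINCIPAL):
    """Run the same audit against a real organization.

    Assumption: boto3 is installed and the caller holds credentials in the
    management account (or a delegated administrator with read-only Organizations access).
    """
    import boto3  # imported lazily so the offline sample path needs no SDK

    org = boto3.client("organizations")
    access_pages = list(
        org.get_paginator("list_aws_service_access_for_organization").paginate())
    admin_pages = list(
        org.get_paginator("list_delegated_administrators").paginate(ServicePrincipal=principal))
    return audit(access_pages, admin_pages, principal)


if __name__ == "__main__":
    # Offline run over the constructed sample pages.
    print(audit([SAMPLE_SERVICE_ACCESS], [SAMPLE_DELEGATED_ADMINS]))
```

Run it as-is to see the report for the constructed sample, or call `audit_live()` from a session that has management-account credentials. Checking the delegated administrators alongside the trusted-access flag matters because, as the page notes, each delegated administrator gains read-only access to the whole organization's API operations, so that list should contain only accounts you intend to have organization-wide visibility.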