Organizational view (CLI)
You can also enable the organizational view feature from the Amazon Command Line Interface (Amazon CLI) instead of the Amazon Health console. To use the console, see Enabling organizational view (console).
Note
If you want to allow users access to the management account for the organizational view feature, they must have permissions such as the AWSHealthFullAccess
Enabling organizational view (CLI)
You can enable organizational view by using the EnableHealthServiceAccessForOrganization API operation.
You can use the Amazon Command Line Interface (Amazon CLI) or your own code to call this operation.
Note
- You must have a Business, Enterprise On-Ramp, or Enterprise Support plan to call the Amazon Health API.
- You must use the US East (N. Virginia) Region endpoint.
The following Amazon CLI command enables this feature from your Amazon account. You can use this command from the management account or from an account that can assume the role with the required permissions.
aws health enable-health-service-access-for-organization --region us-east-1
When you enable this feature, the AWSServiceRoleForHealth_Organizations service-linked role with the Health_OrganizationsServiceRolePolicy Amazon managed policy is applied to the management account in the organization.
Note
Enabling this feature is an asynchronous process and takes time to complete. You can call the DescribeHealthServiceStatusForOrganization operation to check the status of the process.
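Because enabling is asynchronous, a script should confirm the status before it relies on organizational events. The following is an added example, not part of the original documentation; the `POLL_SECONDS` and `MAX_ATTEMPTS` values and the function names are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: enable organizational view, then poll until it is ENABLED.
# Uses only the two CLI operations named on this page.

REGION="us-east-1"                   # US East (N. Virginia) endpoint is required
POLL_SECONDS="${POLL_SECONDS:-15}"   # assumption: wait between status checks
MAX_ATTEMPTS="${MAX_ATTEMPTS:-20}"   # assumption: give up after this many checks

# Print the current status: ENABLED, DISABLED or PENDING.
org_view_status() {
  aws health describe-health-service-status-for-organization \
    --region "$REGION" \
    --query 'healthServiceAccessStatusForOrganization' \
    --output text
}

# Enable the feature if needed, then wait for the asynchronous process.
# Returns 0 once ENABLED, 1 on timeout or on an API error.
enable_org_view_and_wait() {
  local status
  local attempt=0
  status="$(org_view_status)" || return 1
  if [ "$status" = "ENABLED" ]; then
    echo "already enabled"
    return 0
  fi
  aws health enable-health-service-access-for-organization --region "$REGION" || return 1
  while [ "$attempt" -lt "$MAX_ATTEMPTS" ]; do
    status="$(org_view_status)" || return 1
    if [ "$status" = "ENABLED" ]; then
      echo "enabled after $attempt wait(s)"
      return 0
    fi
    attempt=$((attempt + 1))
    sleep "$POLL_SECONDS"
  done
  echo "timed out with status $status" >&2
  return 1
}

# Run only when the script is executed with the argument "run".
if [ "${1:-}" = "run" ]; then enable_org_view_and_wait; fi
```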
Viewing organizational view events (CLI)
After you enable this feature, Amazon Health starts to record events that affect accounts in the organization. When an account joins your organization, Amazon Health automatically adds the account to organizational view.
Note
Amazon Health doesn't record events that occurred in your organization before you enabled organizational view.
When an account leaves your organization, new events from that account are no longer logged to organizational view. However, existing events remain and you can still query them up to the 90-day limit.
Amazon Web Services revokes the account's administrative access from the service and deactivates any policies that were managed by the administrator account. The protections that were provided by these policies are stopped across the organization.
- Before closing your account, back up and then delete your policy data and other account resources. You will no longer have access to them after you close the account.
- The account resources are subject to the policies of Amazon Web Services operating partners: Sinnet in the China (Beijing) Region and NWCD in the China (Ningxia) Region. Account closure procedures in China might take longer than in other Amazon Web Services Regions.
For more information, see Closing an account.
You can use the Amazon Health API operations to return events from organizational view.
Example: Describe organizational view events
The following Amazon CLI command returns health events for Amazon accounts in your organization.
aws health describe-events-for-organization --region us-east-1
See the following section for other Amazon Health API operations.
Disabling organizational view (CLI)
You can disable organizational view by using the DisableHealthServiceAccessForOrganization API operation.
The following Amazon CLI command disables this feature from your account.
aws health disable-health-service-access-for-organization --region us-east-1
Note
You can also disable the organizational feature by using the Organizations DisableAWSServiceAccess API operation. After you call this operation, Amazon Health stops aggregating events for all other accounts in your organization. If you call the Amazon Health API operations for organizational view, Amazon Health returns an error. Amazon Health continues to aggregate health events for your Amazon account.
After you disable this feature, Amazon Health no longer aggregates events from your organization. However, the service-linked role remains in the management account until you delete it through the Amazon Identity and Access Management (IAM) console, IAM API, or Amazon CLI. For more information, see Deleting a service-linked Role in the IAM User Guide.
Amazon Health organizational view API operations
You can use the following Amazon Health API operations for organizational view:
- DescribeEventsForOrganization – Returns summary information about events across the organization.
- DescribeAffectedAccountsForOrganization – Returns a list of Amazon accounts in the organization that are affected by the specified event.
- DescribeEventDetailsForOrganization – Returns detailed information about the specified events for one or more accounts in the organization.
- DescribeAffectedEntitiesForOrganization – Returns a list of entities that have been affected by one or more events for one or more accounts in an organization.
You can use the following operations to enable or disable Amazon Health from working with Organizations:
- EnableHealthServiceAccessForOrganization – Grants Amazon Health permission to interact with Organizations and applies the service-linked role (SLR) to the management account in the organization.
- DisableHealthServiceAccessForOrganization – Revokes permission for Amazon Health to interact with Organizations.
- DescribeHealthServiceStatusForOrganization – Returns status information on whether Amazon Health is enabled for your organization.
You must have a Business, Enterprise On-Ramp, or Enterprise Support plan to call these API operations. If you call the DescribeEventsForOrganization and DescribeAffectedAccountsForOrganization operations from an account that has at least a Business support plan, you can return information about any account in the organization, regardless of the support level of the individual accounts. See the following examples.
Example: An organization with accounts that have Business and Developer support plans
- You have three accounts in your organization. The management account has a Business support plan and the other two accounts have a Developer support plan.
- You call the DescribeEventsForOrganization API operation from the management account or from an account that can assume the role with the required permissions.
- Amazon Health returns information for all three accounts.
If you call the DescribeEventDetailsForOrganization and DescribeAffectedEntitiesForOrganization API operations from an account that has at least a Business support plan, you can only return information about accounts in the organization that have a Business, Enterprise On-Ramp, or Enterprise Support plan.
Example: An organization with accounts that have Enterprise, Business, and Developer support plans
- You have five accounts in your organization. The management account has an Enterprise support plan, two accounts have a Business support plan, and two accounts have a Developer support plan.
- You call the DescribeEventDetailsForOrganization API operation from the management account.
- Amazon Health returns information for only the accounts that have an Enterprise or Business support plan. The accounts that have a Developer support plan appear in the failedSet of the response.
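The difference between the two groups of operations means an event can list an affected account while its details are withheld. The following added example (not part of the original documentation) reports those accounts for one event by joining DescribeAffectedAccountsForOrganization with the failedSet of DescribeEventDetailsForOrganization; the function names are assumptions, and the event ARN is supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: list accounts whose event details are withheld,
# that is, the entries Amazon Health returns in failedSet.

REGION="us-east-1"   # US East (N. Virginia) endpoint is required

# Accounts affected by an event, one per line. This operation returns every
# account in the organization regardless of its individual support plan.
affected_accounts() {
  aws health describe-affected-accounts-for-organization \
    --region "$REGION" --event-arn "$1" \
    --query 'affectedAccounts[]' --output text | tr '\t' '\n'
}

# For one event, print "<account> <errorName>" for each affected account
# that DescribeEventDetailsForOrganization places in failedSet.
event_detail_gaps() {
  local event_arn="$1"
  local account
  for account in $(affected_accounts "$event_arn"); do
    aws health describe-event-details-for-organization \
      --region "$REGION" \
      --organization-event-detail-filters "eventArn=$event_arn,awsAccountId=$account" \
      --query 'failedSet[].[awsAccountId,errorName]' --output text
  done | awk 'NF == 2 { print $1, $2 }'   # skip empty or placeholder lines
}

# Return 0 when every affected account returned details, 1 when any did not.
check_event_coverage() {
  local gaps
  gaps="$(event_detail_gaps "$1")"
  [ -z "$gaps" ] && return 0
  echo "$gaps"
  return 1
}

# Run only when the script is executed with an event ARN as its argument.
if [ -n "${1:-}" ]; then check_event_coverage "$1"; fi
```

A non-zero exit from `check_event_coverage` marks an event for which some affected accounts need their details reviewed from within the account itself.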