Organizational view (CLI)

You can also enable the organizational view feature from the Amazon Command Line Interface (Amazon CLI) instead of the Amazon Health console. To use the console, see Enabling organizational view (console).

Note

If you want to allow users access to the management account for the organizational view feature, they must have permissions such as the AWSHealthFullAccess policy. For more information, see Amazon Health identity-based policy examples.

Enabling organizational view (CLI)

You can enable organizational view by using the EnableHealthServiceAccessForOrganization API operation.

You can use the Amazon Command Line Interface (Amazon CLI) or your own code to call this operation.

Note

The following Amazon CLI command enables this feature from your Amazon account. You can use this command from the management account or from an account that can assume the role with the required permissions.

aws health enable-health-service-access-for-organization --region us-east-1

The following code examples call the EnableHealthServiceAccessForOrganization API operation.

Python
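import boto3

# The CLI example on this page targets us-east-1; use the same Region here.
client = boto3.client('health', region_name='us-east-1')

# Enable organizational view for the organization.
response = client.enable_health_service_access_for_organization()
print(response)

Java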

You can use the Amazon SDK for Java version 2.0 for the following example.

import software.amazon.awssdk.services.health.HealthClient;
import software.amazon.awssdk.services.health.HealthClientBuilder;
import software.amazon.awssdk.services.health.model.ConcurrentModificationException;
import software.amazon.awssdk.services.health.model.EnableHealthServiceAccessForOrganizationRequest;
import software.amazon.awssdk.services.health.model.EnableHealthServiceAccessForOrganizationResponse;
import software.amazon.awssdk.services.health.model.DescribeHealthServiceStatusForOrganizationRequest;
import software.amazon.awssdk.services.health.model.DescribeHealthServiceStatusForOrganizationResponse;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;

public class EnableHealthServiceAccessDemo {
    public static void main(String[] args) {
        HealthClient client = HealthClient.builder()
            .region(Region.US_EAST_1)
            .credentialsProvider(
                DefaultCredentialsProvider.builder().build()
            )
            .build();

        try {
            // Check the current status first so an enabled organization is left alone.
            DescribeHealthServiceStatusForOrganizationResponse statusResponse =
                client.describeHealthServiceStatusForOrganization(
                    DescribeHealthServiceStatusForOrganizationRequest.builder().build()
                );

            String status = statusResponse.healthServiceAccessStatusForOrganization();
            if ("ENABLED".equals(status)) {
                System.out.println("EnableHealthServiceAccessForOrganization already enabled!");
                return;
            }

            // Start the asynchronous enablement.
            client.enableHealthServiceAccessForOrganization(
                EnableHealthServiceAccessForOrganizationRequest.builder().build()
            );

            System.out.println("EnableHealthServiceAccessForOrganization is in progress");
        } catch (ConcurrentModificationException cme) {
            System.out.println("EnableHealthServiceAccessForOrganization is already in progress. Wait for the action to complete before trying again.");
        } catch (Exception e) {
            System.out.println("EnableHealthServiceAccessForOrganization FAILED: " + e);
        }
    }
}

For more information, see the Amazon SDK for Java 2.0 Developer Guide.

When you enable this feature, the AWSServiceRoleForHealth_Organizations service-linked role with the Health_OrganizationsServiceRolePolicy Amazon managed policy is applied to the management account in the organization.

Note

Enabling this feature is an asynchronous process and takes time to complete. You can call the DescribeHealthServiceStatusForOrganization operation to check the status of the process.
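
The following sketch enables the feature and then polls DescribeHealthServiceStatusForOrganization until the asynchronous process finishes. It is an added example, not code from the Amazon documentation. The function names, the timeout and interval defaults, and the FakeHealth stand-in are assumptions made for illustration; pass a real boto3 Health client in place of FakeHealth.

```python
import time

def error_code(exc):
    # botocore's ClientError exposes the service error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code")

def enable_org_view(health, timeout=600, interval=15, sleep=time.sleep):
    """Enable organizational view and wait until the status is ENABLED."""
    def status():
        resp = health.describe_health_service_status_for_organization()
        return resp["healthServiceAccessStatusForOrganization"]

    if status() == "ENABLED":
        return "ENABLED"          # nothing to do
    try:
        health.enable_health_service_access_for_organization()
    except Exception as exc:
        # Another caller already started the change: just wait for it.
        if error_code(exc) != "ConcurrentModificationException":
            raise
    waited = 0
    while waited <= timeout:
        current = status()
        if current == "ENABLED":
            return current
        sleep(interval)
        waited += interval
    raise TimeoutError(f"organizational view still {current!r} after {timeout}s")

class FakeHealth:
    """Constructed stand-in for boto3.client('health'): PENDING twice, then ENABLED."""
    def __init__(self, states=("DISABLED", "PENDING", "PENDING", "ENABLED")):
        self.states = list(states)
        self.enable_calls = 0

    def describe_health_service_status_for_organization(self):
        state = self.states.pop(0) if len(self.states) > 1 else self.states[0]
        return {"healthServiceAccessStatusForOrganization": state}

    def enable_health_service_access_for_organization(self):
        self.enable_calls += 1
        return {}
```
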

Viewing organizational view events (CLI)

After you enable this feature, Amazon Health starts to record events that affect accounts in the organization. When an account joins your organization, Amazon Health automatically adds the account to organizational view.

Note

Amazon Health doesn't record events that occurred in your organization before you enabled organizational view.

When an account leaves your organization, new events from that account are no longer logged to organizational view. However, existing events remain and you can still query them up to the 90-day limit.

Amazon Web Services revokes the account's administrative access from the service and deactivates any policies that were managed by the administrator account. The protections that were provided by these policies are stopped across the organization.

  • Before closing your account, back up and then delete your policy data and other account resources. You will no longer have access to them after you close the account.

    • The account resources are subject to the policies of Amazon Web Services operating partners: Sinnet in the China (Beijing) Region and NWCD in the China (Ningxia) Region. Account closure procedures in China might take longer than in other Amazon Web Services Regions.

  • For more information, see Closing an account.

You can use the Amazon Health API operations to return events from organizational view.

Example: Describe organizational view events

The following Amazon CLI command returns health events for Amazon accounts in your organization.

aws health describe-events-for-organization --region us-east-1

See the following section for other Amazon Health API operations.

Disabling organizational view (CLI)

You can disable organizational view by using the DisableHealthServiceAccessForOrganization API operation.

The following Amazon CLI command disables this feature from your account.

aws health disable-health-service-access-for-organization --region us-east-1

Note

You can also disable the organizational feature by using the Organizations DisableAWSServiceAccess API operation. After you call this operation, Amazon Health stops aggregating events for all other accounts in your organization. If you call the Amazon Health API operations for organizational view, Amazon Health returns an error. Amazon Health continues to aggregate health events for your Amazon account.

After you disable this feature, Amazon Health no longer aggregates events from your organization. However, the service-linked role remains in the management account until you delete it through the Amazon Identity and Access Management (IAM) console, IAM API, or Amazon CLI. For more information, see Deleting a service-linked Role in the IAM User Guide.
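
Because the service-linked role outlives the feature, a periodic check can flag a role that was left in the management account after organizational view was disabled. The following is an added example, not code from the Amazon documentation. The function name, the finding labels, and the two Fake classes are assumptions made for illustration; the role and policy names are the ones given on this page.

```python
ROLE = "AWSServiceRoleForHealth_Organizations"
POLICY = "Health_OrganizationsServiceRolePolicy"

def error_code(exc):
    # botocore's ClientError exposes the service error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code")

def audit_org_view_role(health, iam):
    """Compare organizational view status with the service-linked role."""
    status = health.describe_health_service_status_for_organization()[
        "healthServiceAccessStatusForOrganization"]
    try:
        iam.get_role(RoleName=ROLE)
        resp = iam.list_attached_role_policies(RoleName=ROLE)
        attached = [p["PolicyName"] for p in resp["AttachedPolicies"]]
    except Exception as exc:
        if error_code(exc) != "NoSuchEntity":
            raise
        attached = None           # the role does not exist
    if status == "DISABLED" and attached is not None:
        finding = "STALE_ROLE"    # feature is off, role was left behind
    elif status == "ENABLED" and (attached is None or POLICY not in attached):
        finding = "ROLE_MISMATCH" # feature is on without the expected role/policy
    else:
        finding = "OK"
    return {"status": status, "role_present": attached is not None,
            "attached_policies": attached or [], "finding": finding}

class FakeHealth:
    """Constructed stand-in: organizational view has been disabled."""
    def describe_health_service_status_for_organization(self):
        return {"healthServiceAccessStatusForOrganization": "DISABLED"}

class FakeIam:
    """Constructed stand-in: the service-linked role still exists."""
    def get_role(self, RoleName):
        return {"Role": {"RoleName": RoleName}}

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyName": POLICY}]}
```

A STALE_ROLE finding points at the cleanup step described above: delete the role through the IAM console, IAM API, or Amazon CLI.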

Amazon Health organizational view API operations

You can use the following Amazon Health API operations for organizational view:

You can use the following operations to enable or disable Amazon Health from working with Organizations:

You must have a Business, Enterprise On-Ramp, or Enterprise Support plan to call these API operations. If you call the DescribeEventsForOrganization and DescribeAffectedAccountsForOrganization operations from an account that has at least a Business support plan, you can return information about any account in the organization, regardless of the support level of the individual accounts. See the following examples.

Example: An organization with accounts that have Business and Developer support plans
  • You have three accounts in your organization. The management account has a Business support plan and the other two accounts have a Developer support plan.

  • You call the DescribeEventsForOrganization API operation from the management account or from an account that can assume the role with the required permissions.

  • Amazon Health returns information for all three accounts.

If you call the DescribeEventDetailsForOrganization and DescribeAffectedEntitiesForOrganization API operations from an account that has at least a Business support plan, you can only return information about accounts in the organization that have a Business, Enterprise On-Ramp, or Enterprise Support plan.

Example: An organization with accounts that have Enterprise, Business, and Developer Support plans
  • You have five accounts in your organization. The management account has an Enterprise support plan, two accounts have a Business support plan, and two accounts have a Developer support plan.

  • You call the DescribeEventDetailsForOrganization API operation from the management account.

  • Amazon Health returns information for only the accounts that have an Enterprise or Business support plan. The accounts that have a Developer support plan appear in the failedSet of the response.
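
The following sketch shows how a caller can handle that split: it lists every affected account, requests event details in batches, and keeps the failedSet entries separate so accounts without detail access are reported instead of silently dropped. It is an added example, not code from the Amazon documentation. The function name, the account IDs, the errorName value, and the FakeHealth stand-in for the five-account organization are constructed for illustration.

```python
def split_by_detail_access(health, event_arn):
    """Return (details, failed) keyed by account ID for one event."""
    accounts, token = [], None
    while True:  # DescribeAffectedAccountsForOrganization is paginated
        kwargs = {"eventArn": event_arn}
        if token:
            kwargs["nextToken"] = token
        page = health.describe_affected_accounts_for_organization(**kwargs)
        accounts += page["affectedAccounts"]
        token = page.get("nextToken")
        if not token:
            break
    details, failed = {}, {}
    for i in range(0, len(accounts), 10):  # at most 10 filters per request
        filters = [{"eventArn": event_arn, "awsAccountId": a}
                   for a in accounts[i:i + 10]]
        resp = health.describe_event_details_for_organization(
            organizationEventDetailFilters=filters)
        for ok in resp.get("successfulSet", []):
            details[ok["awsAccountId"]] = ok["eventDescription"]["latestDescription"]
        for bad in resp.get("failedSet", []):
            failed[bad["awsAccountId"]] = bad.get("errorName", "unknown")
    return details, failed

class FakeHealth:
    """Constructed stand-in for the five-account organization above."""
    PLANS = {"111111111111": "Enterprise", "222222222222": "Business",
             "333333333333": "Business", "444444444444": "Developer",
             "555555555555": "Developer"}

    def describe_affected_accounts_for_organization(self, **kwargs):
        return {"affectedAccounts": list(self.PLANS)}

    def describe_event_details_for_organization(self, organizationEventDetailFilters):
        ok, bad = [], []
        for f in organizationEventDetailFilters:
            acct = f["awsAccountId"]
            if self.PLANS[acct] == "Developer":
                bad.append({"awsAccountId": acct, "eventArn": f["eventArn"],
                            "errorName": "ConstructedError"})  # placeholder value
            else:
                ok.append({"awsAccountId": acct, "eventDescription":
                           {"latestDescription": "constructed description"}})
        return {"successfulSet": ok, "failedSet": bad}
```
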