Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon VPC Reachability Analyzer and Amazon Organizations

Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs).

Using Amazon Organizations with Reachability Analyzer allows you to trace paths across accounts in your organizations.

For more information, see Cross-account analyses for Reachability Analyzer in the Reachability Analyzer user guide.

Use the following information to help you integrate Reachability Analyzer with Amazon Organizations.

Service-linked roles created when you enable integration

The following service-linked role is automatically created in your organization's management account when you enable trusted access. This role allows Reachability Analyzer to perform supported operations within your organization's accounts in your organization.

You can delete or modify this role only if you disable trusted access between Reachability Analyzer and Organizations, or if you remove the member account from the organization.

For more information, see Cross-account analyses for Reachability Analyzer in the Reachability Analyzer user guide.

Service principals used by the service-linked roles

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Reachability Analyzer grant access to the following service principals:

To enable trusted access with Reachability Analyzer

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

When you designate a delegated administrator for Reachability Analyzer it automatically enables trusted access for Reachability Analyzer for your organization.

Reachability Analyzer requires trusted access to Amazon Organizations before you can designate a member account to be the delegated administrator for this service for your organization.

You can enable trusted access by using either the Amazon Organizations console, by running a Amazon CLI command, or by calling an API operation in one of the Amazon SDKs.

Amazon Web Services Management Console

To enable trusted service access using the Organizations console

1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

2. On the Services page, find the row for VPC Reachability Analyzer, choose the service’s name, and then choose Enable trusted access.

3. In the confirmation dialog box, enable Show the option to enable trusted access, enter enable in the box, and then choose Enable trusted access.

4. If you are the administrator of only Amazon Organizations, tell the administrator of Reachability Analyzer that they can now enable that service using its console to work with Amazon Organizations.

Amazon CLI, Amazon API

To enable trusted service access using the OrganizationsCLI/SDK

You can use the following Amazon CLI commands or API operations to enable trusted service access:

• Amazon CLI: enable-aws-service-access

  You can run the following command to enable Reachability Analyzer as a trusted service with Organizations.

  $ aws organizations enable-aws-service-access \ 
      --service-principal reachabilityanalyzer.networkinsights.amazonaws.com

  This command produces no output when successful.

• Amazon API: EnableAWSServiceAccess

To disable trusted access with Reachability Analyzer

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.

You can disable trusted access using either the Reachability Analyzer console (recommended), or the Organizations console. To disable trusted access using the Reachability Analyzer console, see Cross-account analyses for Reachability Analyzer in the Reachability Analyzer user guide.

Enabling a delegated administrator account for Reachability Analyzer

The delegated administrator account is able to run connectivity analyses across any of the resources in the organization. For more information, see Integrate Reachability Analyzer with Amazon Organizations in the Reachability Analyzer user guide.

Only an administrator in the organization management account can configure a delegated administrator for Reachability Analyzer.

You can specify a delegated administrator account from the Reachability Analyzer console, or by using the RegisterDelegatedAdministrator API. For more information, see RegisterDelegatedAdministrator in the Organizations Command Reference.

To configure a delegated administrator using the Reachability Analyzer console, see Integrate Reachability Analyzer with Amazon Organizations in the Reachability Analyzer user guide.

Disabling a delegated administrator for Reachability Analyzer

Only an administrator in the organization management account can configure a delegated administrator for Reachability Analyzer.

You can remove the delegated administrator using either the Reachability Analyzer console or API, or by using the Organizations DeregisterDelegatedAdministrator CLI or SDK operation.

To disable the delegated admin Reachability Analyzer account using the Reachability Analyzer console, see Cross-account analyses for Reachability Analyzer in the Reachability Analyzer user guide.