Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon S3 Storage Lens and Amazon Organizations

By giving Amazon S3 Storage Lens trusted access to your organization, you allow it to collect and aggregate metrics across all of the Amazon Web Services accounts in your organization. S3 Storage Lens does this by accessing the list of accounts that belong to your organization and collects and analyzes the storage and usage and activity metrics for all of them.

For more information, see the Using service-linked roles for Amazon S3 Storage Lens in the Amazon S3 Storage Lens User Guide.

Use the following information to help you integrate Amazon S3 Storage Lens with Amazon Organizations.

Service-linked role created when you enable integration

The following service-linked role is automatically created in your organization's delegated administrator account when you enable trusted access and the Storage Lens configuration has been applied to your organization. This role allows Amazon S3 Storage Lens to perform supported operations within your organization's accounts in your organization.

You can delete or modify this role only if you disable trusted access between Amazon S3 Storage Lens and Organizations, or if you remove the member account from the organization.

Service principals used by the service-linked roles

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Amazon S3 Storage Lens grant access to the following service principals:

Enabling trusted access with Amazon S3 Storage Lens

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

You can enable trusted access using either the Amazon S3 Storage Lens console or the Amazon Organizations console.

To enable trusted access using the Amazon S3 console

See Enabling trusted access for S3 Storage Lens in the Amazon Simple Storage Service User Guide.

You can enable trusted access by using either the Amazon Organizations console, by running a Amazon CLI command, or by calling an API operation in one of the Amazon SDKs.

Amazon Web Services Management Console

To enable trusted service access using the Organizations console

1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

2. On the Services page, find the row for Amazon S3 Storage Lens, choose the service’s name, and then choose Enable trusted access.

3. In the confirmation dialog box, enable Show the option to enable trusted access, enter enable in the box, and then choose Enable trusted access.

4. If you are the administrator of only Amazon Organizations, tell the administrator of Amazon S3 Storage Lens that they can now enable that service using its console to work with Amazon Organizations.

Amazon CLI, Amazon API

To enable trusted service access using the OrganizationsCLI/SDK

You can use the following Amazon CLI commands or API operations to enable trusted service access:

• Amazon CLI: enable-aws-service-access

  You can run the following command to enable Amazon S3 Storage Lens as a trusted service with Organizations.

  $ aws organizations enable-aws-service-access \ 
      --service-principal storage-lens.s3.amazonaws.com

  This command produces no output when successful.

• Amazon API: EnableAWSServiceAccess

Disabling trusted access with Amazon S3 Storage Lens

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.

You can disable trusted access using only the Amazon S3 Storage Lens tools.

You can disable trusted access using the Amazon S3 console, the Amazon CLI or any of the Amazon SDKs.

To disable trusted access using the Amazon S3 console

See Disabling trusted access for S3 Storage Lens in the Amazon Simple Storage Service User Guide.

Enabling a delegated administrator account for Amazon S3 Storage Lens

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for Amazon S3 Storage Lens that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of Amazon S3 Storage Lens.

Amazon S3 Storage Lens supports a maximum of 5 delegated administrator accounts in your organization.

To designate a member account as a delegated administrator for Amazon S3 Storage Lens

You can register a delegated administrator using the Amazon S3 console, the Amazon CLI or any of the Amazon SDKs. To register a member account as a delegated administrator account for your organization using the Amazon S3 console, see Registering a delegated administrator for S3 Storage Lens in the Amazon Simple Storage Service User Guide.

To deregister a delegated administrator for Amazon S3 Storage Lens

You can deregister a delegated administrator using the Amazon S3 console, the Amazon CLI or any of the Amazon SDKs. To deregister a delegated administrator using the Amazon S3 console, see Deregistering a delegated administrator for S3 Storage Lens in the Amazon Simple Storage Service User Guide.