
(Optional) Configure OpsCenter to manage OpsItems across accounts by using Quick Setup

Quick Setup, a capability of Amazon Systems Manager, simplifies setup and configuration tasks for Systems Manager capabilities. Quick Setup for OpsCenter helps you complete the following tasks for managing OpsItems across accounts:

  • Specifying the delegated administrator account

  • Creating required Amazon Identity and Access Management (IAM) policies and roles

  • Specifying an Amazon Organizations organization, or a subset of member accounts, where a delegated administrator can manage OpsItems across accounts

When you configure OpsCenter to manage OpsItems across accounts by using Quick Setup, Quick Setup creates the following resources in the specified accounts. These resources give the specified accounts permission to work with OpsItems and use Automation runbooks to fix issues with Amazon resources generating OpsItems.

| Resources | Accounts |
| --- | --- |
| AWSServiceRoleForAmazonSSM_AccountDiscovery Amazon Identity and Access Management (IAM) service-linked role. For more information about this role, see Using roles to collect Amazon Web Services account information for OpsCenter and Explorer. | Amazon Organizations management account and delegated administrator account |
| OpsItem-CrossAccountManagementRole IAM role; AWS-SystemsManager-AutomationAdministrationRole IAM role | Delegated administrator account |
| OpsItem-CrossAccountExecutionRole IAM role; AWS-SystemsManager-AutomationExecutionRole IAM role; AWS::SSM::ResourcePolicy Systems Manager resource policy for the default OpsItem group (OpsItemGroup) | All Amazon Organizations member accounts |

Note

If you previously configured OpsCenter to manage OpsItems across accounts using the manual method, you must delete the Amazon CloudFormation stacks or stack sets created during Steps 4 and 5 of that process. If those resources exist in your account when you complete the following procedure, Quick Setup fails to configure cross-account OpsItem management properly.

To configure OpsCenter to manage OpsItems across accounts by using Quick Setup
  1. Sign in to the Amazon Web Services Management Console using the Amazon Organizations management account.

  2. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  3. In the navigation pane, choose Quick Setup.

  4. Choose the Library tab.

  5. Scroll to the bottom and locate the OpsCenter configuration tile. Choose Create.

  6. On the Quick Setup OpsCenter page, in the Delegated administrator section, enter an account ID. If you are unable to edit this field, then a delegated administrator account has already been specified for Systems Manager.

  7. In the Targets section, choose an option. If you choose Custom, then select the organizational units (OU) where you want to manage OpsItems across accounts.

  8. Choose Create.

Quick Setup creates the OpsCenter configuration and deploys the required Amazon resources to the designated OUs.

Note

If you don't want to manage OpsItems across multiple accounts, you can delete the configuration from Quick Setup. When you delete the configuration, Quick Setup deletes the following IAM policies and roles created when the configuration was originally deployed:

  • OpsItem-CrossAccountManagementRole from the delegated administrator account

  • OpsItem-CrossAccountExecutionRole and SSM::ResourcePolicy from all Organizations member accounts

Quick Setup removes the configuration from all organizational units and Amazon Web Services Regions where the configuration was originally deployed.

Troubleshooting issues with a Quick Setup configuration for OpsCenter

This section includes information to help you troubleshoot issues when configuring cross-account OpsItem management using Quick Setup.

Deployment to these StackSets failed: delegatedAdmin

When creating an OpsCenter configuration, Quick Setup deploys two Amazon CloudFormation stack sets in the Organizations management account. The stack sets use the following prefix: AWS-QuickSetup-SSMOpsCenter. If Quick Setup displays the error "Deployment to these StackSets failed: delegatedAdmin", use the following procedure to fix this issue.

To troubleshoot a StackSets failed: delegatedAdmin error
  1. If you received the Deployment to these StackSets failed: delegatedAdmin error in a red banner in the Quick Setup console, sign in to the delegated administrator account and the Amazon Web Services Region designated as the Quick Setup home Region.

  2. Open the Amazon CloudFormation console at https://console.amazonaws.cn/cloudformation.

  3. Choose the stack created by your Quick Setup configuration. The stack name includes the following: AWS-QuickSetup-SSMOpsCenter.

    Note

    Sometimes CloudFormation deletes failed stack deployments. If the stack isn't available in the Stacks table, choose Deleted from the filter list.

  4. View the Status and Status reason. For more information about stack statuses, see Stack status codes in the Amazon CloudFormation User Guide.

  5. To understand the exact step that failed, view the Events tab and review each event's Status. For more information, see Troubleshooting in the Amazon CloudFormation User Guide.

Note

If you are unable to resolve the deployment failure using the CloudFormation troubleshooting steps, delete the configuration and try again.

Quick Setup configuration status shows Failed

If the Configuration details table on the Configuration details page shows a configuration status of Failed, sign in to the Amazon Web Services account and Region where it failed.

To troubleshoot a Quick Setup failure to create an OpsCenter configuration
  1. Sign in to the Amazon Web Services account and the Amazon Web Services Region where the failure occurred.

  2. Open the Amazon CloudFormation console at https://console.amazonaws.cn/cloudformation.

  3. Choose the stack created by your Quick Setup configuration. The stack name includes the following: AWS-QuickSetup-SSMOpsCenter.

    Note

    Sometimes CloudFormation deletes failed stack deployments. If the stack isn't available in the Stacks table, choose Deleted from the filter list.

  4. View the Status and Status reason. For more information about stack statuses, see Stack status codes in the Amazon CloudFormation User Guide.

  5. To understand the exact step that failed, view the Events tab and review each event's Status. For more information, see Troubleshooting in the Amazon CloudFormation User Guide.

Member account configuration shows ResourcePolicyLimitExceededException

If a stack status shows ResourcePolicyLimitExceededException, the account has previously onboarded to OpsCenter cross-account management by using the manual method. To resolve this issue, you must delete the Amazon CloudFormation stacks or stack sets created during Steps 4 and 5 of the manual onboarding process. For more information, see Delete a stack set and Deleting a stack on the Amazon CloudFormation console in the Amazon CloudFormation User Guide.
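
The two troubleshooting procedures above end with reviewing each event's Status, and this section names ResourcePolicyLimitExceededException as one status reason. The following is an added example, not code from the Amazon documentation, that applies that review to events shaped like the StackEvents list of a CloudFormation DescribeStackEvents response. The stack name suffix, logical IDs and reason strings are constructed, and treating "cancelled" reasons as cascade noise is an assumption of this example.

```python
from datetime import datetime, timezone

STACK_MARKER = "AWS-QuickSetup-SSMOpsCenter"  # stack-name fragment given on this page
MANUAL_ONBOARDING_ERROR = "ResourcePolicyLimitExceededException"

def first_failure(stack_events):
    """Return the earliest *_FAILED event that is a cause rather than a cascade.

    stack_events: a list shaped like the "StackEvents" field of a CloudFormation
    DescribeStackEvents response (the API returns it newest first).
    """
    failed = [
        e for e in stack_events
        if STACK_MARKER in e["StackName"]
        and e["ResourceStatus"].endswith("_FAILED")
        # Resources cancelled after the real failure only add noise.
        and "cancelled" not in (e.get("ResourceStatusReason") or "").lower()
    ]
    return min(failed, key=lambda e: e["Timestamp"]) if failed else None

def diagnose(stack_events):
    """Pair the root-cause event with the remediation this page describes."""
    event = first_failure(stack_events)
    if event is None:
        return "no failed event found for an OpsCenter Quick Setup stack"
    reason = event.get("ResourceStatusReason") or ""
    if MANUAL_ONBOARDING_ERROR in reason:
        action = "delete the stacks or stack sets left by manual onboarding"
    else:
        action = "follow the status reason, or delete the configuration and retry"
    return f'{event["LogicalResourceId"]} [{event["ResourceType"]}]: {reason} -> {action}'

def sample_event(second, logical_id, resource_type, status, reason):
    # Builds one constructed event; IDs and reasons are illustrative, not real output.
    return {"StackName": f"StackSet-{STACK_MARKER}-EXAMPLE",
            "Timestamp": datetime(2024, 1, 1, 12, 0, second, tzinfo=timezone.utc),
            "LogicalResourceId": logical_id, "ResourceType": resource_type,
            "ResourceStatus": status, "ResourceStatusReason": reason}

SAMPLE_EVENTS = [  # constructed sample, newest first
    sample_event(9, "ExampleStack", "AWS::CloudFormation::Stack", "ROLLBACK_IN_PROGRESS",
                 "The following resource(s) failed to create: [ExampleResourcePolicy]."),
    sample_event(6, "ExampleExecutionRole", "AWS::IAM::Role", "CREATE_FAILED",
                 "Resource creation cancelled"),
    sample_event(5, "ExampleResourcePolicy", "AWS::SSM::ResourcePolicy", "CREATE_FAILED",
                 f"{MANUAL_ONBOARDING_ERROR} (constructed reason text)"),
    sample_event(1, "ExampleStack", "AWS::CloudFormation::Stack", "CREATE_IN_PROGRESS",
                 "User Initiated"),
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_EVENTS))
```

To use it against a real deployment, pass the StackEvents list retrieved for the failed stack in the account and Region where the failure occurred.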