AWS Organizational Unit Monitoring Setup

Last updated on 31 July, 2023

An AWS Organizational Unit (OU) is a group of individual accounts that are managed as a single entity. If you use AWS Organizations, the AWS Organizational Unit wizard can help you to efficiently setup and group your new or existing accounts.

Monitoring AWS Organizational Units

  1. Navigate to Resources > Add > Cloud and SaaS.
  2. Select AWS Organizational Unit > Add.
    The Add AWS Organizational Unit wizard is displayed.



  3. On the Name page of the wizard, enter a Description to add basic information about your resource.
  4. Enter or select Properties (key-value pairs) that you want to associate with this resource.
  5. Select Next: Permissions.
  6. On the Permissions page, copy the Account ID and use it to create an IAM role in AWS. For more information, see Creating a role for an IAM user.


Note: If you already have a role configured in AWS, enable the Re-use External ID toggle and choose your account from the resulting Select an existing AWS account field. If your account is present, enter the Role Name and Organizational Root ARN. Then, you can skip to the next step in the wizard by selecting Next: Accounts.

  1. Copy the External ID. In AWS, select the option to Require external ID when you create the new role, and then paste this value in the field provided.
  2. Copy the JSON policy from the Create a new policy field. In AWS, paste this code into the Select trusted entities field as you create the new role.
  3. Once the role is created in AWS, enter the Role Name and Organizational Root ARN on the Permissions page.
  4. Select Next: Accounts.
  5. On the Accounts page, select the Root folder to add all of the OUs to monitoring.



Note: The Show currently monitored accounts toggle is inactive. It becomes active once the initial setup and monitoring is complete.

  1. Select Next: Services.
  2. On the Services page, select or deselect any of the services that you want to monitor.



  3. Select Next: Test Permissions.
  4. On the Test page, select (blue highlighting) or deselect (no highlighting) the services for permissions testing.


Note: When you deselect a service, it is deselected for all accounts. Your selections are automatically updated on the Services page. This is a scrollable pane, so you may need to scroll down to view all services.

  1. In the accounts table, select or deselect the accounts (OUs) that you want to add to monitoring.
  2. Select Test Permissions to run the test. There are three potential outcomes or statuses:
    • Pass- All services passed the permissions test.
    • Warning- Some services passed the permissions test.
    • Fail- All services failed the permissions test.
  3. Select Next: Finish.
  4. On the Finish page, select View AWS Resource.
    The Organizational Units are displayed on the Resources page.

Additional Information

In This Article