# Multi-account in AWS Global Networks for Transit Gateways
<a name="nm-multi-account"></a>

With AWS Global Networks for Transit Gateways, you can manage, monitor, and view dashboards of global network resources from multiple AWS accounts associated with a single organization using AWS Network Manager. For more information about setting up multi-account, see [Manage multiple accounts in global networks using AWS Organizations](#tgw-nm-multi) below.

**Important**  
We strongly recommend that you use the global networks console to enable multi-account settings for global networks, because the console automatically creates all required roles and permissions for multi-account access. Choosing an alternative approach requires an advanced level of expertise and makes the multi-account setup for your global network more prone to error.
Multi-account is not available in the AWS GovCloud (US-West) and AWS GovCloud (US-East) Regions.

## Prerequisites
<a name="nm-multi-prereqs"></a>

To enable multi-account, you first set up an account in AWS Organizations. This first account becomes the management account. Using this account, you can then add other accounts as member accounts to your organization. For more information about how multi-account support works, see [Creating and managing an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the *AWS Organizations User Guide*.

## Manage multiple accounts in global networks using AWS Organizations
<a name="tgw-nm-multi"></a>

AWS Global Networks for Transit Gateways allows you to centrally manage, monitor, and visualize network resources from multiple accounts within an organization in a single global network. To manage resources from multiple accounts in global networks, you first set up an organization using AWS Organizations. The first account that you use to create an organization becomes the management account. Using this account, you can add other accounts as member accounts to your organization. From the management account, you can designate one or more accounts within the organization as delegated administrator accounts by registering them using the global networks console. For more information about setting up an organization, see [Creating and managing an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the *AWS Organizations User Guide*.

To enable multi-account access in the global networks console, you first enable trusted access for the Network Manager service, and then register a delegated administrator account for your organization. 

**Important**  
We strongly recommend that you use the global networks console to enable multi-account settings for global networks, because the console automatically creates all required roles and permissions for multi-account access. Choosing an alternative approach requires an advanced level of expertise and makes the multi-account setup for your global network more prone to error.
Multi-account is not available in the AWS GovCloud (US-West) and AWS GovCloud (US-East) Regions.

With multi-account support, you can create a single global network for any of your AWS accounts, and then register transit gateways from those accounts using the global networks console. Multi-account is supported in all AWS Regions where global networks is supported. For more information about multi-account, see [Multi-account in AWS Global Networks for Transit Gateways](#nm-multi-account).

### Trusted access
<a name="nm-multi-trust"></a>

Trusted access creates `AWSServiceAccess` for global networks and CloudFormation StackSets with AWS Organizations. Enabling trusted access provides required permissions for AWS Organizations to deploy service-linked roles (SLRs) to all member accounts within your organization. 

#### Enable trusted access
<a name="nm-enable-trust"></a>

When you enable trusted access from the global networks console, you select a one-time permission level (`IAMRoleForAWSNetworkManagerCrossAccountResourceAccess`) as either administrator or read-only for each of the management and delegated administrator accounts.
+ **Admin** — Assign this permission if the delegated administrator and management accounts need to be able to modify resources from other accounts in the global network while using the global networks console switch role.
+ **Read-only** — Assign this permission if the delegated administrator and management accounts only need to review information about resources from other accounts in the global network while using the global networks console switch role, but don't need to make any changes.

The global networks console manages all of this when calling the Network Manager API. 

When you enable trusted access, the following roles are deployed in your organization using CloudFormation StackSets and AWS Identity and Access Management (IAM) services:
+ The Network Manager SLR (`AWSServiceRoleForNetworkManager`) to all member accounts
+ The CloudFormation StackSets member SLR (`AWSServiceRoleForCloudFormationStackSetsOrgMember`) to all member accounts
+ The Network Manager SLR (`AWSServiceRoleForNetworkManager`) to the management account
+ The CloudFormation StackSets admin (`AWSServiceRoleForCloudFormationStackSetsOrgAdmin`) SLR to the management account
+ The Amazon CloudWatch sharing role (`CloudWatch-CrossAccountSharingRole`) to all member accounts
+ The global networks console switch role (`IAMRoleForAWSNetworkManagerCrossAccountResourceAccess`) to all member accounts
+ The Amazon CloudWatch monitoring role (`AWSServiceRoleForCloudWatchCrossAccount`) to the management account

For more information about enabling trusted access, see [Enable trusted access in an AWS global network](nm-enable-trusted.md).

##### Disable trusted access
<a name="nm-how-it-works-disable"></a>

**Note**  
Disabling trusted access through the global networks console removes `AWSServiceAccess` for global networks with AWS Organizations. Disabling trusted access removes the ability of global networks to perform tasks within your organization. AWS Organizations won't allow you to disable an organization's trusted access for the Network Manager service if there are any delegated administrators that haven't been deregistered from that organization.
+ Disabling trusted access through the global networks console won't remove `AWSServiceAccess` for CloudFormation StackSets with AWS Organizations. You can manually remove the service access for CloudFormation StackSets by using the CloudFormation StackSet console or by using the Organizations API/CLI. For more information on disabling trusted access for CloudFormation StackSets, see [Disable trusted access with AWS CloudFormation StackSets](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html#integrate-disable-ta-cloudformation) in the *AWS Organizations User Guide*.
+ Disabling trusted access won't remove any SLRs that were deployed when enabling trusted access.

When you disable trusted access, the following are affected in global networks:
+ All transit gateways owned by other accounts in your organization. You won't be able to see transit gateways or their attached resources from other accounts in your organization that were registered to your global network.
+ IAM roles deployed in all member accounts managed by the Network Manager service. Disabling trusted access doesn't remove accounts, transit gateways, or resources, but it does deregister them from other delegated administrators' global networks. These can be added back as needed by re-enabling trusted access. For more information about the `DeleteStackSet` API, see [DeleteStackSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DeleteStackSet.html) in the *AWS CloudFormation API Reference*.

For more information about disabling trusted access, see [Disable trusted access in an AWS global network](nm-multi-disable.md).

### Delegated administrators
<a name="nm-how-it-works-delegate"></a>

Member accounts in your organization with delegated administrator access are able to leverage service-linked roles and assume IAM roles for access across multiple accounts. Only member accounts that are part of your AWS Organizations can be registered as delegated administrators. Your organization can have up to ten registered delegated administrators. Before you register a delegated administrator, you must enable global networks trusted access for your organization. For more information, see [Enable trusted access in an AWS global network](nm-enable-trusted.md).

**Important**  
Using your AWS Organizations management account to manage your global network in global networks is not recommended because the required service-linked roles are not propagated to this account. For more information on service-linked roles, see [AWS Global Networks for Transit Gateways service-linked roles](nm-service-linked-roles.md).

#### Register delegated administrators
<a name="nm-register-admin"></a>

After it's registered, a delegated administrator has the same permissions as the management account. A delegated administrator for the Network Manager service can leverage the SLRs in the member accounts that were deployed when trusted access was enabled, can view transit gateways from other member accounts, and can register them to your global network. This allows transit gateways and associated resources to appear in your global network topology. In addition, CloudFormation StackSets is updated to include the delegated administrator accounts in the trust relationship of the IAM roles deployed in the member accounts.

For information about registering a delegated administrator, see [Register an administrator for multi-account in an AWS global network](nm-delegate-admin.md).

#### Deregister delegated administrators
<a name="nm-how-it-works-deregister"></a>

Deregistering a delegated administrator removes that account's permission to leverage SLRs and assume IAM roles in other member accounts that were set up using AWS Organizations.

After it's deregistered, the delegated administrator no longer has the same permissions as the management account. The following occurs:
+ A delegated administrator is no longer able to leverage the deployed SLRs in the member accounts that were deployed when trusted access was enabled.
+ All registered transit gateways from other member accounts are deregistered from any global network for the specific delegated administrator. The network topology is updated to no longer show resources from other member accounts.
+ CloudFormation StackSets are updated with the removal of the delegated administrator account. That account is no longer able to assume any IAM roles deployed in other member accounts.

For information about deregistering a delegated administrator, see [Deregister an administrator from multi-account in an AWS global network](nm-deregister-admin.md).

**Topics**
+ [Prerequisites](#nm-multi-prereqs)
+ [Manage multiple accounts](#tgw-nm-multi)
+ [Enable trusted access](nm-enable-trusted.md)
+ [Disable trusted access](nm-multi-disable.md)
+ [Register a delegated administrator](nm-delegate-admin.md)
+ [Deregister a delegated administrator](nm-deregister-admin.md)
+ [Manage IAM role deployments](nm-multi-manage-iam.md)
+ [Troubleshoot self-managed roles](nm-multi-account-troubleshooting.md)

# Enable trusted access in an AWS global network
<a name="nm-enable-trusted"></a>

Enabling trust is a one-time task that deploys the required service-linked roles (SLRs) and custom Identity and Access Management (IAM) roles to all accounts in your organization that can be assumed by the management account or [delegated administrators](nm-delegate-admin.md) for access across multiple accounts. For more information about trusted access, see [Trusted access](nm-multi-account.md#nm-multi-trust).

**To enable multi-account trusted access**

1. Log into the global networks console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home), using the AWS Organizations management account.

1. Choose **Get started**.

1. In the navigation pane, choose **Enable trusted access**.

1. From the **Permission level** dropdown list in **Enable trusted access**, choose the permission level for the Network Manager console switch role `IAMRoleForAWSNetworkManagerCrossAccountResourceAccess`. This role is deployed to all member accounts and is assumed by the delegated administrator or management account when accessing resources from other accounts using the global networks console. You can choose only one permission level for all accounts. Permission can be one of the following:
   + **Read-only** — Assign this permission if the delegated administrator and management accounts only need to review information about resources from other accounts in the global network while using the console switch role, but don't need to make any changes.
   + **Admin** — Assign this permission if the delegated administrator and management accounts need to be able to modify resources from other accounts in the global network while using the global networks console switch role.

1. Choose **Enable trusted access**.

   Depending on your organization size, it might take a few minutes or more to enable trusted access. During this time the **State** shown in the **Trusted access** section displays **Enabling in progress**. When access is enabled, the **State** changes to **Enabled**. Additionally, the **IAM role deployments status** section at the bottom of the page displays the status of the IAM roles being deployed to member accounts of the organization.

1. After trusted access is enabled, you can register delegated administrators.

# Disable trusted access in an AWS global network
<a name="nm-multi-disable"></a>

Disabling trusted access removes the trust relationship between the Network Manager service and your organization. Network Manager is no longer able to perform actions within your organization or access information about your organization. Trusted access remains for CloudFormation StackSets in the event that your organization is using that service outside of Network Manager. For more information about disabling trusted access for CloudFormation StackSets, see [Disable trusted access with AWS CloudFormation StackSets](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html#integrate-disable-ta-cloudformation) in the *AWS Organizations User Guide*.

Transit gateways from other accounts are deregistered from global networks owned by the management account and can no longer provide access to their attached resources. For more information about disabling trusted access, see [Disable trusted access](nm-multi-account.md#nm-how-it-works-disable).

You must first deregister all delegated administrators before you can disable trusted access. If you have registered delegated administrators, you will be prompted to deregister them during the disable trusted access process.

You can enable trusted access again after disabling it. However, you will need to set up the list of delegated administrators again.

**To disable trusted access**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home) with the management account.

1. Under **Connectivity**, choose **Global Networks**.

1. In the navigation pane, choose **Settings**.

1. In the **Trusted Access** section, choose **Disable trusted access**.

1. If you have any registered delegated administrators, you can deregister them by choosing **Deregister delegated administrators**.

1. Choose **Disable trusted access** on the confirmation dialog box to confirm that you want to disable trusted access. 

   Depending on the size of your organization, it might take several minutes or longer to disable trusted access. The **State** displays **Disabling in progress**. During this time you won't be able to re-enable trusted access. When finished, the **State** changes to **Disabled**.

# Register an administrator for multi-account in an AWS global network
<a name="nm-delegate-admin"></a>

Use the AWS Global Networks for Transit Gateways console to register delegated administrators. You can register up to ten delegated administrators. Delegated administrators can assume the SLR and IAM roles deployed while enabling trusted access for access across multiple accounts. For more information about delegated administrators, see [Delegated administrators](nm-multi-account.md#nm-how-it-works-delegate). 

**To register a delegated administrator**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home) with the management account.

1. Under **Connectivity**, choose **Global Networks**.

1. In the navigation pane, choose **Settings**.

1. In the **Delegated Administrators** section, choose **Register delegated administrator**.

1. From the **AWS account ID** dropdown list, choose one or more AWS Organizations accounts that you want to delegate administrator permissions to.

1. Choose **Register delegated administrator**.

1. When the delegated administrator is registered, you can then register transit gateways from any account within your organization to the global network in the delegated administrator account. For more information about registering transit gateways in the global network of a delegated administrator account, see [Transit gateway registrations in AWS Global Networks for Transit Gateways](tgw-registrations.md).

# Deregister an administrator from multi-account in an AWS global network
<a name="nm-deregister-admin"></a>

Deregistering delegated administrators removes that account's permission to manage global networks for your organization. All registered transit gateways from other member accounts are deregistered from the specific delegated administrator's global networks. For more information about how deregistering delegated administrators works, see [Deregister delegated administrators](nm-multi-account.md#nm-how-it-works-deregister). 

**To deregister a delegated administrator**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home) with the management account.

1. Under **Connectivity**, choose **Global Networks**.

1. In the navigation pane, choose **Settings**.

1. In the **Delegated Administrators** section, choose one or more accounts that you want to deregister. 

   Depending on your organization size and the number of delegated administrators you're deregistering, this could take several minutes. During this time you won't be able to register any new delegated administrators. 

# Manage IAM multi-account role deployments in an AWS global network
<a name="nm-multi-manage-iam"></a>

The **IAM role deployments status** section displays the current role deployment status for all member accounts set up in your account.
+ **Member account ID** — The account ID for the account set up in AWS Organizations. This includes member accounts and members that have been registered as delegated administrators.
+ **CloudWatch role status** — The status of the account's Amazon CloudWatch role. If you enable multi-account using the Network Manager console, this is **StackSets-managed** if deployed successfully. Otherwise, this is **Self-managed**.
+ **Console role status** — The status of the account's Network Manager console role. If you enable multi-account using the Network Manager console, this is **StackSets-managed** if deployed successfully. Otherwise, this is **Self-managed**.
+ **Review required** — This applies only to **Self-managed** roles. A review is required to ensure that the permissions set up for the account are correct. For more information, see [Multi-account access roles for AWS Global Networks for Transit Gateways](nm-custom-multi-role.md).

If you make changes to your role policies, or if you've updated a self-managed role, you can deploy the updated policy to your AWS Organizations accounts.

**To retry the IAM role deployment status**

1. Access the Network Manager console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home) with the management account.

1. Under **Connectivity**, choose **Global Networks**.

1. In the navigation pane, choose **Settings**.

1. In the **IAM role deployments status** section, choose **Retry role deployment**. 

   Depending on your organization size and the number of member accounts in your organization, this could take several minutes. During this time you won't be able to register or deregister any new delegated administrators. 

# Troubleshoot multi-account self-managed roles in an AWS global network
<a name="nm-multi-account-troubleshooting"></a>

AWS Global Networks for Transit Gateways uses AWS CloudFormation StackSets to deploy the required `IAMRoleForAWSNetworkManagerCrossAccountResourceAccess` role and the CloudWatch monitoring `CloudWatch-CrossAccountSharingRole` role in your AWS Organizations member accounts for cross-account access. For a CloudFormation StackSets-managed deployment, IAM roles must have the required policies attached, as well as the trusted relationship to allow registered delegated administrators and the management account the ability to assume these roles. In a self-managed deployment, you own the responsibility to attach the appropriate policies and to manage the trusted relationship required for the delegated administrator and management accounts to access multiple accounts.

**Important**  
We strongly recommend that you use the global networks console to enable multi-account settings, because the console automatically sets up all required roles and permissions for multi-account access. Choosing an alternative approach requires an advanced level of expertise and makes the multi-account setup for your global network more prone to error.

If the CloudFormation StackSets deployment fails, and the **Review required** message is **IAM role exists**, follow the steps below in [IAM role exists](#nm-multi-iam-role-exists) to change the role from **Self-managed** to **StackSets-managed**. For any message other than **IAM role exists**, file an AWS Support case. For more information on creating a support case, see [Creating a support case](https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case) in the *AWS Support User Guide*.
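As an added example (not code from the AWS documentation or the Network Manager service), the following Python audits the trust policy of a self-managed `IAMRoleForAWSNetworkManagerCrossAccountResourceAccess` or `CloudWatch-CrossAccountSharingRole` in a member account against the accounts that should be able to assume it: the management account plus the registered delegated administrators, which is exactly what a StackSets-managed deployment would trust. The account IDs and policy documents are constructed samples; in practice the document is the `AssumeRolePolicyDocument` returned by IAM `GetRole` in the member account, and the allowed set comes from Organizations `ListDelegatedAdministrators`.

```python
import re

_ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def _principal_accounts(principal):
    """Return (account_ids, findings) for one statement's Principal element."""
    accounts, findings = set(), []
    if principal == "*":
        return accounts, ["wildcard principal '*'"]
    if not isinstance(principal, dict):
        return accounts, [f"unrecognised principal {principal!r}"]
    for ptype, value in principal.items():
        if ptype != "AWS":  # Service/Federated do not belong on this role
            findings.append(f"unexpected principal type {ptype}")
            continue
        for p in ([value] if isinstance(value, str) else value):
            m = _ROOT_ARN.match(p)
            if p == "*":
                findings.append("wildcard principal '*'")
            elif re.fullmatch(r"\d{12}", p):
                accounts.add(p)
            elif m:
                accounts.add(m.group(1))
            else:  # role/user ARNs: not what StackSets deploys, flag for review
                findings.append(f"non-account principal {p}")
    return accounts, findings


def audit_trust_policy(policy, allowed_accounts):
    """Compare an AssumeRolePolicyDocument with the accounts it should trust:
    the management account plus every registered delegated administrator."""
    allowed = set(allowed_accounts)
    trusted, findings = set(), []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRole", "sts:*", "*") for a in actions
        ):
            continue
        accts, found = _principal_accounts(stmt.get("Principal", {}))
        trusted |= accts
        findings += found
    # unexpected: trusted but not allowed (e.g. a deregistered administrator);
    # missing: allowed but not trusted (the console switch role would fail)
    unexpected, missing = sorted(trusted - allowed), sorted(allowed - trusted)
    return {"ok": not (unexpected or missing or findings),
            "unexpected": unexpected, "missing": missing, "findings": findings}


# Constructed sample: management account 111111111111 and one registered
# delegated administrator 222222222222; 333333333333 has been deregistered.
ALLOWED = {"111111111111", "222222222222"}

# What a StackSets-managed deployment of the console switch role trusts.
MANAGED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                           "arn:aws:iam::222222222222:root"]}}]}

# A self-managed role that still trusts the stale administrator, plus anyone.
SELF_MANAGED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["111111111111", "333333333333"]}},
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],
     "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    for name, pol in (("managed", MANAGED_POLICY), ("self-managed", SELF_MANAGED_POLICY)):
        print(name, audit_trust_policy(pol, ALLOWED))
```

Run it against every member account shown as **Self-managed** before choosing **Retry role deployment**, and treat any `unexpected` account or wildcard finding as the reason the **Review required** flag was raised.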

## IAM role exists
<a name="nm-multi-iam-role-exists"></a>

If an IAM role with the exact same name already exists in a member account, that role appears in the **IAM role deployments status** with a status of **Self-managed**. To change this to **StackSets-managed**, delete the IAM role with the duplicate name from the member account. After deleting the IAM role, use the global networks console to retry the role deployment. For the steps to retry a role deployment, see [Manage IAM multi-account role deployments in an AWS global network](nm-multi-manage-iam.md).

**To change a role from self-managed to StackSets-managed**

1. Access the AWS Identity and Access Management (IAM) console at [https://console.aws.amazon.com//iamv2/home?#/](https://console.aws.amazon.com//iamv2/home?#/) with the member account that has a self-managed role status.

1. In the navigation pane, choose **Roles**.

1. In the **Roles** field, search for the role name you want to delete.

1. Choose the role, and then choose **Delete**.

1. Confirm that you want to delete the role.

   **Warning**  
   This might break other functionality if a custom role has other attached policies or trust relationships.

1. Access the global networks console at [https://console.aws.amazon.com/networkmanager/home/](https://console.aws.amazon.com/networkmanager/home) with the AWS Organizations management account.

1. Choose **Get started**.

1. In the navigation pane, choose **Settings**.

1. In the **IAM role deployment status section**, choose **Retry role deployment**. 

   Depending on the size of your organization and the number of member accounts, it might take several minutes or longer to retry the role deployment. During this time you won't be able to register or deregister any delegated administrators.