# Cross-account analyses for Reachability Analyzer
Cross-account analyses

Reachability Analyzer analyzes the path between a source and destination. To analyze paths across multiple AWS accounts, enable trusted access for Reachability Analyzer with your organization from AWS Organizations. You can also register member accounts as delegated administrator accounts. A user in the management account can define paths and run analyses using sources and destinations from any account in the organization. A user in a delegated administrator account can define paths and run analyses using sources and destinations from any account in the organization other than the management account, plus any resources in the management account that were explicitly shared with the delegated administrator account.

For more information, see [Visualize and diagnose network reachability across AWS accounts](https://aws.amazon.com/blogs/networking-and-content-delivery/visualize-and-diagnose-network-reachability-across-aws-accounts-using-reachability-analyzer/).

**Pricing**  
There is no additional charge to run cross-account analyses.

**Considerations**
+ Before accounts in the organization can use this feature in an opt-in Region, the management account must enable the opt-in Region. For more information, see [Enable a Region in your organization](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-organization) in the *AWS Account Management Guide*.
+ The accounts in the organization must be able to make calls to the AWS CloudFormation API in US East (N. Virginia) (`us-east-1`).
+ AWS CloudTrail logs are always written to US East (N. Virginia) (`us-east-1`).

**Topics**
+ [Enable trusted access in Reachability Analyzer](enable-trusted-access.md)
+ [IAM role deployments in Reachability Analyzer](manage-role-deployments.md)
+ [Manage delegated administrator accounts in Reachability Analyzer](manage-delegated-administrators.md)
+ [Disable trusted access in Reachability Analyzer](disable-trusted-access.md)
+ [Troubleshoot cross-account analyses in Reachability Analyzer](multi-account-troubleshooting.md)

# Enable trusted access in Reachability Analyzer
Enable trusted access

When you enable trusted access, Reachability Analyzer deploys the [AWSServiceRoleForReachabilityAnalyzer](using-service-linked-roles.md) service-linked role and the required [cross-account access roles](cross-account-access-roles.md) to all accounts in your organization.

**To enable trusted access using the console**

1. Sign in to the management account.

1. Open the Network Manager console at [https://console.aws.amazon.com/networkmanager/home](https://console.aws.amazon.com/networkmanager/home).

1. From the navigation pane, choose **Reachability Analyzer**, **Settings**.

1. For **Trusted Access**, choose **Turn on trusted access**.

1. Do not close or navigate away from this page until you see a success notification indicating that trusted access is turned on. This can take several minutes.

**To enable trusted access using the AWS CLI**  
From the management account, use the [enable-reachability-analyzer-organization-sharing](https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-reachability-analyzer-organization-sharing.html) command.

# IAM role deployments in Reachability Analyzer
IAM role deployments

When you enable trusted access, the following roles are deployed in your organization:
+ [AWSServiceRoleForReachabilityAnalyzer](using-service-linked-roles.md#slr-permissions) – The service-linked role for Reachability Analyzer.
+ [IAMRoleForReachabilityAnalyzerCrossAccountResourceAccess](cross-account-access-roles.md) – The role for cross-account resource access for Reachability Analyzer.
+ [AWSServiceRoleForCloudFormationStackSetsOrgAdmin](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html) – The service-linked role for AWS CloudFormation StackSets for the management account.
+ [AWSServiceRoleForCloudFormationStackSetsOrgMember](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html) – The service-linked role for AWS CloudFormation StackSets for the member accounts.

The deployments can take several minutes to complete, depending on the number of member accounts in your organization. You can view the status of the role deployments as follows.

**To view IAM role deployments**

1. Sign in to the management account.

1. Open the Network Manager console at [https://console.aws.amazon.com/networkmanager/home](https://console.aws.amazon.com/networkmanager/home).

1. From the navigation pane, choose **Reachability Analyzer**, **Settings**.

1. Check **IAM role deployments status**.

# Manage delegated administrator accounts in Reachability Analyzer
Manage delegated administrator accounts

You can register up to 5 delegated administrator accounts in Reachability Analyzer. If you deregister a delegated administrator account, the users in the account can't run a new cross-account analysis, but they can still see the previously run analyses.

**To manage delegated administrators**

1. Sign in to the management account.

1. Open the Network Manager console at [https://console.aws.amazon.com/networkmanager/home](https://console.aws.amazon.com/networkmanager/home).

1. From the navigation pane, choose **Reachability Analyzer**, **Settings**.

1. To register a member account as a delegated administrator account, choose **Register delegated administrator**. Select the check box for the account, and then choose **Register delegated administrator**.

1. To deregister a delegated administrator account, select the check box for the account, and then choose **Deregister**.

# Disable trusted access in Reachability Analyzer
Disable trusted access

After you disable trusted access, the users in the management account and delegated administrator accounts can't run a new cross-account analysis in Reachability Analyzer. However, they can still see the previously run analyses. Before you can disable trusted access, you must deregister the delegated administrator accounts.

You can enable trusted access again after disabling it. However, you must first re-register the delegated administrator accounts.

**To disable trusted access using the console**

1. Sign in to the management account.

1. Open the Network Manager console at [https://console.aws.amazon.com/networkmanager/home](https://console.aws.amazon.com/networkmanager/home).

1. From the navigation pane, choose **Reachability Analyzer**, **Settings**.

1. For **Trusted Access**, choose **Turn off trusted access**.

1. Do not close or navigate away from this page until you see a success notification indicating that trusted access is turned off. This can take several minutes.

**To disable trusted access using the AWS CLI**  
From the management account, use the [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html) command.

# Troubleshoot cross-account analyses in Reachability Analyzer
Troubleshoot

The following information can help you troubleshoot common issues with running cross-account analyses in Reachability Analyzer.

**Topics**
+ ["StackSet is not empty" or "StackSet already exists"](#stackset-not-empty)
+ ["Error fetching resources"](#error-fetching-resources)
+ ["Organizational unit not found in StackSet"](#organizational-unit-not-found)

## "StackSet is not empty" or "StackSet already exists"

If you receive one of these errors while enabling trusted access, do the following to resolve the issue.

**To resolve the issue**

1. Choose **Turn off trusted access**.

1. Wait until you see a banner at the top of the screen indicating that the operation was successful.

1. Choose **Turn on trusted access**.

## "Error fetching resources"

If you receive this error while attempting to access resources from another account in the organization, it usually indicates that your account doesn't have all of the required permissions.
+ Verify that you have permission to call the `AssumeRole` and `SetSourceIdentity` API actions. For example, the following policy grants permission to call these actions.

  ```json
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "sts:AssumeRole",
                  "sts:SetSourceIdentity"
              ],
              "Resource": "*"
          }
      ]
  }
  ```
+ Verify that you have permission to call CloudFormation API actions. For example, the [AWSCloudFormationFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudFormationFullAccess.html) and [AWSCloudFormationReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudFormationReadOnlyAccess.html) policies grant permissions to call these actions.
+ Verify that you have permission to call AWS Organizations API actions. For example, the [AWSOrganizationsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsFullAccess.html) and [AWSOrganizationsReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSOrganizationsReadOnlyAccess.html) policies grant permissions to call these actions.
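As an added example (not part of the AWS documentation), the following Python check reads an IAM policy document and reports which of the two required STS actions it fails to grant, handling single-value and list forms, action wildcards and explicit Deny statements. The sample policies are constructed; Resource, Condition, SCPs and permission boundaries are deliberately not evaluated, so a clean result here does not rule out a block from those layers.

```python
"""Lint an IAM policy for the STS actions Reachability Analyzer cross-account
access needs. Added example, not AWS code: it evaluates only Allow/Deny
statements, ignoring Resource, Condition, SCPs and permission boundaries."""
import fnmatch
import json

REQUIRED_ACTIONS = ("sts:AssumeRole", "sts:SetSourceIdentity")


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement and Action."""
    return [] if value is None else [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    """IAM action matching is case-insensitive with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers(stmt, action):
    """True if a statement's Action (or NotAction) applies to the action."""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def missing_sts_actions(policy_json):
    """Return the required STS actions the policy does not grant: an action is
    granted only if an Allow statement matches it and no Deny statement does
    (explicit deny wins, as in IAM)."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    missing = []
    for action in REQUIRED_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing


# Constructed sample policies: the one from the docs, a too-narrow one, and
# one where an explicit Deny takes SetSourceIdentity away again.
DOCS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
     "Resource": "*"}]})
NARROW_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}})
DENY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sts:setsourceidentity", "Resource": "*"}]})
```

Run `missing_sts_actions` against the policy attached to the identity that is producing the error; an empty list means the STS side is covered and the CloudFormation and Organizations permissions in the next bullets are the likelier cause.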

## "Organizational unit not found in StackSet"

If you receive this error while disabling trusted access, do the following to resolve the issue.

**To resolve the issue**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. In the navigation pane, choose **StackSets**.

1. Select `ReachabilityAnalyzerCrossAccountResourceAccessStackSet` and then choose **Actions**, **Delete StackSet**.

1. Return to the Reachability Analyzer settings page and refresh the page.

1. Choose **Turn off trusted access**.