Setting up the AWS Environment for Multi-Account Synchronization

To import the Route 53 DNS or, starting from NIOS 9.0.4, the vDiscovery data from multiple accounts of an AWS organization to a single member in NIOS, you must set up the AWS environment as discussed in this topic. For more details, refer to the AWS documentation.

Typically, an AWS organization is a hierarchical structure with a parent container called Root at the top, which contains all the accounts of the organization. The organization consists of one management account (also referred to as the parent account) and multiple member accounts (child accounts). Member accounts can be grouped into organizational units (OUs), and OUs can themselves be nested, so that the organization forms a tree of parent and child containers.

IAM users or roles from one AWS account can be set up to assume a role configured in another AWS account to pull the Route 53 or vDiscovery data from those accounts. The account that can assume a role is a trusted account and the accounts that allow their roles to be assumed are trusting accounts. You must set up the management (or a parent account) as the trusted account and its members (or child accounts) as trusting accounts.


  • The AssumeRole role names must be the same across management and member accounts of an AWS organization.

  • Multi-account synchronization works only for the organizational units to which the management or the parent account belongs.

As a prerequisite, ensure that the AWS organization has been set up with the needed org structure.

To set up the AWS environment for multi-account synchronization, start by providing the organization-admin access to the management account, setting up the management and member accounts, and then verifying the setup as described in the following sections:

Providing the Delegated Organization Admin Access to the Management Account

You can create a delegation policy for the specified member accounts of an AWS organization for them to perform policy actions that are, by default, available only to the management account.
To create or update the resource-based delegation policies, you need permissions to run the following actions:

  • organizations:PutResourcePolicy

  • organizations:DescribeResourcePolicy

Additionally, you must grant roles and users in the delegated administrator account with the corresponding IAM permissions for the required actions.

To create a delegation policy in the management account, complete the following steps:

  1. Log in to the AWS Management Console.
    You must be logged in to the organization's management account as an IAM user, through an assumed IAM role, or as the root user (not recommended), with the permissions stated above.

  2. Go to the AWS Organizations console.

  3. Go to Settings.

  4. In the Delegated Administrator for AWS Organizations section, do one of the following:

    • To create the organization's delegation policy, choose Delegate.

    • To update an existing delegation policy, choose Edit.

  5. Type a JSON policy in the JSON editor or copy the below example policy and customize it for your account.
    Example of a “Delegated administrator for AWS Organizations” policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DelegatingNecessaryListActionsMultiAcc",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::<delegated member account ID>:root"
            ]
          },
          "Action": [
            "organizations:<action to delegate>"
          ],
          "Resource": "*"
        }
      ]
    }

    Replace the placeholders with the account IDs of the member accounts that receive the delegation and with the organizations actions they need. Only organizations: actions can be delegated in this policy, and each account listed as a principal gains those actions for the whole organization, so list only the accounts that actually run the synchronization.

  6. Resolve any security warnings, errors, or general warnings generated during policy validation.

  7. Choose Create policy to save your work.
    This delegates the listed organization actions to the member accounts named in the policy.

Setting up the Management Account

Set up the management account for the assume role action. Depending on the method that you want to use to authenticate the connection between NIOS and AWS, follow the steps in the appropriate section.

If Using IAM Credentials for Authentication

When you use IAM credentials to authenticate the connection between NIOS and AWS, complete the following steps to set up the management account:

  1. In the AWS Management Console home page, search for and click IAM.

  2. Create a policy:

    1. In the left navigation panel, expand Access management and click Policies.

    2. Click the Create policy button.

    3. Under Select a service, choose STS as the service.

    4. Under Actions allowed, on the Manual actions tab, expand Write and select AssumeRole (IAM lists sts:AssumeRole under the Write access level; this is the only action the NIOS identity needs in this policy).

    5. Under Resources, for role, click Add ARN and complete the following in the Specify ARNs dialog box:

      1. Select Any account so that the role can be assumed in every child account under this management account. This produces the wildcard resource arn:aws:iam::*:role/<role name>, which also allows AssumeRole attempts against any other AWS account that trusts this one; if you want to limit the policy to your organization, add one ARN per member account ID instead of the wildcard.

      2. In the role name field, enter the name of the role that NIOS will assume.
        You must use the same role name in every member account for the delegation to work.

      3. Click Add ARNs.

    6. On the Review and create page, specify a Policy name. Add and review the policy.

    7. Click Create policy.

  3. Create an IAM user:
    On the Identity and Access Management page, create a user and attach the policy that you created in the previous step. This is the IAM user whose access key NIOS uses for the Route 53 or vDiscovery data synchronization.

    1. In the left navigation panel, expand Access management and click Users.

    2. Click the Add users button.

    3. On the Specify User details page, specify a name in the User name field and click Next.

    4. On the Set permissions page:

      1. Select Attach policies directly.

      2. Search for the policy that you created in the previous step and select it.

      3. Click Next.

    5. Click Create user.

  4. Create a role:

    1. In the left navigation panel, expand Access management and click Roles.

    2. Click the Create role button.

    3. On the Select trusted entity page:

      1. Select the entity type as AWS account.

      2. Select This account for the account to trust itself.

      3. Click Next.

    4. On the Add Permissions page:

      1. Select the policy that you created in a prior step.

      2. Additionally, add the following permissions:

        • AWSOrganizationsReadOnlyAccess: Provides read-only access to the information about AWS organizations.

        • For the synchronization of only the Route 53 data, add:

          • AmazonRoute53ReadOnlyAccess that provides read-only access to the Route 53 data.

          • The following custom policy to gain more control over specific actions:

              {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [
                      "<action>"
                    ],
                    "Resource": "*"
                  }
                ]
              }

            Replace the <action> placeholder with the specific actions you want to allow.




        • For the synchronization of only the vDiscovery data:

          • iam:GetUser

          • ec2:DescribeVpcs

          • ec2:DescribeSubnets

          • ec2:DescribeRouteTables

          • ec2:DescribeAddresses

          • ec2:DescribeNetworkInterfaces

          • ec2:DescribeInstances

      3. Click Next.

    5. (Optional) Specify a meaningful tag.

    6. In the Role name field, enter the role name that you used in the ARN when creating the policy in Step 2. The name must match exactly, because the policy's resource ARN is matched by name.

    7. Click Create Role.

If Using Instance Profiles for Authentication

When you use an instance profile to authenticate the connection between NIOS and AWS, complete the following steps to set up the management account:

For the multi-account synchronization to work, the instance should be running in the management account.

  1. In the AWS Management Console home page, search for and click IAM.

  2. Create a policy:
    Follow steps described in the If Using IAM Credentials for Authentication section to create a policy.

  3. Create the role for the instance profile:

    1. In the left navigation panel, expand Access management and click Roles.

    2. Click the Create role button.

    3. On the Select trusted entity page:

      1. Select the entity type as AWS service.

      2. Select EC2 for the vNIOS instance to call the AWS service.

      3. Click Next.

    4. On the Add Permissions page:

      1. Select the policy that you created in a prior step to attach it to the role.

      2. Additionally, add the following permissions:

        • AWSOrganizationsReadOnlyAccess: Provides read-only access to the information about AWS organizations.

        • For the synchronization of only the Route 53 data, add:

          • AmazonRoute53ReadOnlyAccess that provides read-only access to the Route 53 data.

          • The following custom policy to gain more control over specific actions:

              {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [
                      "<action>"
                    ],
                    "Resource": "*"
                  }
                ]
              }

            Replace the <action> placeholder with the specific actions you want to allow.




        • For the synchronization of vDiscovery data only:

          • iam:GetUser

          • ec2:DescribeVpcs

          • ec2:DescribeSubnets

          • ec2:DescribeRouteTables

          • ec2:DescribeAddresses

          • ec2:DescribeNetworkInterfaces

          • ec2:DescribeInstances

      3. Click Next.

    5. Specify a role name for the EC2 service.

    6. (Optional) Specify a meaningful tag.

    7. Click Create Role.

  4. Attach the instance profile role created in the previous step to the EC2 instance:

    1. In the AWS Management Console home page, search for and click EC2.

    2. Select your instance.

    3. In the Actions drop-down list, select Security > Modify IAM role.

    4. In the IAM role drop-down list, select the role that you created.

    5. Click the Update IAM role button.

Setting up Member Accounts

When setting up a member account, you only have to create a role with the same name as the role that the management account policy references, and attach the required permissions to it.

Complete the following steps for each member account:

  1. In the left navigation panel of the Identity and Access Management Dashboard, expand Access management and click Roles.

  2. Click the Create role button.

  3. On the Select trusted entity page:

    1. Select the entity type as AWS account.

    2. Select Another AWS account and enter the account ID of the management (trusted) account.
      This applies to both authentication methods. With IAM credentials, the principal that calls AssumeRole is the IAM user in the management account; with an instance profile, it is the instance profile role in the management account. In both cases the member role must trust that account (or, more narrowly, that principal's ARN). Do not select AWS service > EC2 here: an EC2 service trust only lets EC2 hand the role's credentials to instances in the member account itself and does not permit a cross-account AssumeRole call from the management account.

    3. Click Next.

  4. On the Add Permissions page, attach the discovery policy that has the required permissions:

    • For the synchronization of only the Route 53 data, add:

      • AmazonRoute53ReadOnlyAccess that provides read-only access to the Route 53 data.

      • The following custom policy to gain more control over specific actions:

          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                  "<action>"
                ],
                "Resource": "*"
              }
            ]
          }

        Replace the <action> placeholder with the specific actions you want to allow.




    • For the vDiscovery synchronization:

      • iam:GetUser

      • ec2:DescribeVpcs

      • ec2:DescribeSubnets

      • ec2:DescribeRouteTables

      • ec2:DescribeAddresses

      • ec2:DescribeNetworkInterfaces

      • ec2:DescribeInstances

  5. On the Name, review, and create page, enter the same role name that you used for the management account.

  6. (Optional) Specify a meaningful tag.

  7. Click Create Role.
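The following shell script is an added example and not Infoblox's own code or configuration. It builds the three policy documents that the management-account and member-account procedures above create in the console, scoped more tightly than the console defaults: the management-side AssumeRole policy lists explicit member account IDs instead of the "Any account" wildcard, the member-side trust policy names the single principal that NIOS authenticates as instead of the whole management account, and the vDiscovery permission policy contains exactly the actions listed above. The role name, principal ARN and account IDs are placeholders; the documents can be pasted into the console or passed to `aws iam create-policy` and `aws iam create-role` with `file://`.

```shell
#!/bin/sh
# Added example, not Infoblox's code. Generates IAM policy documents for the
# NIOS multi-account synchronization. All names, ARNs and account IDs below
# are placeholders.
set -eu

# Management-side permission policy for the IAM user or instance profile role.
# Selecting "Any account" in the console yields arn:aws:iam::*:role/<name>,
# which permits AssumeRole attempts against that role name in every AWS
# account that happens to trust this one. Listing the organization's account
# IDs keeps the policy at the accounts you actually synchronize.
assume_role_policy() {   # usage: assume_role_policy ROLE_NAME ACCOUNT_ID...
    _role="$1"; shift
    _arns=""
    for _id in "$@"; do
        case "$_id" in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) echo "not a 12-digit AWS account ID: $_id" >&2; return 1 ;;
        esac
        _arns="$_arns${_arns:+, }\"arn:aws:iam::$_id:role/$_role\""
    done
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeSyncRoleInListedAccounts",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [ $_arns ]
    }
  ]
}
EOF
}

# Member-side trust policy. The console's "Another AWS account" choice trusts
# the whole management account (arn:aws:iam::<id>:root); naming the one
# principal NIOS authenticates as (the IAM user, or the instance profile role)
# is tighter. If that principal is deleted and recreated under the same name
# the trust must be re-applied, because IAM binds the ARN to the principal's
# unique ID. The same document, with the management account's own principal,
# serves the self-trusting role in the management account.
trust_policy() {   # usage: trust_policy PRINCIPAL_ARN
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustOnlyTheNiosSyncPrincipal",
      "Effect": "Allow",
      "Principal": { "AWS": "$1" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permission policy for vDiscovery: exactly the actions listed in the
# procedure. The ec2:Describe* actions do not support resource-level
# permissions, so "*" is the narrowest resource they accept.
vdiscovery_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NiosVdiscoveryReadOnly",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Print all three documents when invoked as: sh sync_policies.sh print
if [ "${1:-}" = "print" ]; then
    assume_role_policy Orga-assume-role 123456789012 112233445566
    trust_policy arn:aws:iam::123456789012:user/nios-sync
    vdiscovery_policy
fi
```

Attach the output of assume_role_policy to the management-side identity, use trust_policy as the trust relationship of the role in every member account (and of the self-trusting role in the management account), and attach vdiscovery_policy, or the Route 53 managed policy, to each of those roles.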

Verifying the Access Permissions for Running a Multi-Account Sync

To verify the access permissions for running the multi-account synchronization, complete the following steps and run the CLI commands:

  1. Set up the AWS CLI:

    1. If you are using IAM credentials: configure the CLI with the access key of the IAM user that you created in the management (or parent) account.

    2. If you are using an instance profile: connect over SSH to the EC2 instance that has the instance profile attached. The CLI obtains the role credentials from the instance metadata service automatically.

  2. Set up the AssumeRole to the management account:
    aws sts assume-role --role-arn arn:aws:iam::<parent account ID>:role/<Role to be assumed> --role-session-name <some name to the session>
    For example:
    aws sts assume-role --role-arn arn:aws:iam::123456789012:role/Orga-assume-role --role-session-name Parent-Session
    Note: With an instance profile, this step only confirms that the instance can assume the role in the management account, which is the context in which the multi-account synchronization runs. The temporary credentials it returns are not used for any other activity.

  3. Export the temporary credentials returned by AssumeRole (not required if you are using an instance profile). All three values from the Credentials object in the assume-role output must be exported; exporting only the secret key leaves the CLI on the credentials it was configured with, so the following checks would run as the wrong identity.
    For example:
    export AWS_ACCESS_KEY_ID="<AccessKeyId from the assume-role output>"
    export AWS_SECRET_ACCESS_KEY="<SecretAccessKey from the assume-role output>"
    export AWS_SESSION_TOKEN="<SessionToken from the assume-role output>"

  4. Check the organization permissions by executing organization APIs:
    aws organizations list-children --child-type <child type> --parent-id <parent id>
    For example:
    aws organizations list-children --child-type ORGANIZATIONAL_UNIT --parent-id ou-ur91-

    To retrieve the --parent-id value:

    1. Log in to the management account with organizational admin permission.

    2. Go to AWS Organizations services and click Policy Management.

    3. Look for the organizational unit of your account.

  5. To ensure that the permissions required for the synchronization of data exist on the management account, run the following APIs:

    • For Route 53:
      aws route53 list-hosted-zones

    • For vDiscovery:
      aws ec2 describe-instances --region us-west-1

  6. Set up the AssumeRole for each child account.
    aws sts assume-role --role-arn arn:aws:iam::<child account ID>:role/<Role to be assumed> --role-session-name <some name to the session>
    For example:
    aws sts assume-role --role-arn arn:aws:iam::112233445566:role/Orga-assume-role --role-session-name Child-Session

  7. Set up the temp credentials for child accounts as done in step 3.

  8. Run the Route 53 or vDiscovery check from step 5 again with the child account's temporary credentials.
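The following script is an added example, not Infoblox's code, that automates the verification steps above for every account in the organization. It assumes the AWS CLI is on the PATH, that the shell already holds management-account credentials (the IAM user's access key, or the instance profile), that the shared role has the same name in every account, and that the management-side identity may call organizations:ListAccounts. The role name, region and account IDs are placeholders. It also exercises the failure mode behind step 3: the temporary credentials are exported only inside a subshell, and an assume-role result missing any of the three values is treated as a failure instead of silently running the check as the original identity.

```shell
#!/bin/sh
# Added example, not Infoblox's code: verify the multi-account sync permissions
# for every active account of the organization. Placeholders throughout.
set -eu

SYNC_ROLE="${SYNC_ROLE:-Orga-assume-role}"
AWS_REGION="${AWS_REGION:-us-west-1}"

# Print the three temporary credentials for the shared role in one account as a
# single tab-separated line. --query/--output text avoids needing jq.
assume_role_creds() {
    aws sts assume-role \
        --role-arn "arn:aws:iam::$1:role/$SYNC_ROLE" \
        --role-session-name "nios-sync-check-$1" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text
}

# Run a command as the shared role of ACCOUNT. The credentials are exported in
# a subshell only, so they never leak into the caller's environment. All three
# variables must be present: exporting just the secret key leaves the CLI on
# the caller's long-lived credentials, and the check would pass for the wrong
# account.
with_account() {   # usage: with_account ACCOUNT_ID COMMAND [ARGS...]
    _acct="$1"; shift
    _creds="$(assume_role_creds "$_acct")" || return 1
    (
        read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$_creds
EOF
        if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ] \
           || [ -z "$AWS_SESSION_TOKEN" ]; then
            echo "assume-role for $_acct returned incomplete credentials" >&2
            exit 1
        fi
        export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
        "$@"
    )
}

# The same read-only calls the procedure runs by hand; only the exit status
# matters here, so stdout is discarded.
check_route53() {
    aws route53 list-hosted-zones --query 'length(HostedZones)' --output text >/dev/null
}
check_vdiscovery() {
    aws ec2 describe-instances --region "$AWS_REGION" \
        --query 'length(Reservations)' --output text >/dev/null
}

# Every active account in the organization. This includes the management
# account itself, whose self-trusting role is exercised like the member roles.
list_accounts() {
    aws organizations list-accounts \
        --query "Accounts[?Status=='ACTIVE'].Id" --output text | tr '\t' '\n'
}

# Report on one account; returns 1 if either permission set is missing.
check_account() {   # usage: check_account ACCOUNT_ID
    _rc=0
    if with_account "$1" check_route53;    then _r53=OK; else _r53=FAILED; _rc=1; fi
    if with_account "$1" check_vdiscovery; then _vd=OK;  else _vd=FAILED;  _rc=1; fi
    echo "$1 route53=$_r53 vdiscovery=$_vd"
    return "$_rc"
}

# Walk the organization; the number of failing accounts is left in
# FAILED_ACCOUNTS and the exit status is non-zero if any account failed.
run_sync_check() {
    FAILED_ACCOUNTS=0
    for _a in $(list_accounts); do
        check_account "$_a" || FAILED_ACCOUNTS=$((FAILED_ACCOUNTS + 1))
    done
    echo "accounts with missing permissions: $FAILED_ACCOUNTS"
    [ "$FAILED_ACCOUNTS" -eq 0 ]
}

# Only talk to a real organization when invoked as: sh sync_check.sh run
if [ "${1:-}" = "run" ]; then
    run_sync_check
fi
```

A FAILED entry for an account means either that the role in that account does not trust the management-side identity (assume-role fails), or that the role exists but lacks the Route 53 or vDiscovery read permissions (the describe call fails); the CLI's error message on stderr tells the two apart.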
