Setting up and running AWS Organization-level discovery and visibility - Adaptive Applications - BlueCat Gateway - 25.3

Cloud Discovery & Visibility Administration Guide


If all the nodes in your AWS infrastructure are under the same Organization, you can run Cloud Discovery & Visibility (CDV) on every account in that Organization.

Tip: Organization-level discovery also supports Visibility (the Monitoring option Real time updates). Visibility continually updates Address Manager with new and changed resources in the network infrastructure. For more details about actions covered during Organization-level Visibility, see Actions taken during AWS Organization-level visibility.
Note: Organization-level Discovery cannot be used together with AWS role assumption during discovery and visibility (the AWS Credentials section of the AWS Setup page).

To set up Organization-level discovery and visibility on an AWS infrastructure, you must do the following:

  1. Set up CDV with a user or a role that has the permissions necessary to perform AWS Organization-level discoveries on your infrastructure. You can do so in one of the following ways:

    1. If you are using a delegated admin account to run Organization-level discovery and visibility, first register the delegated administrator for the account where CDV is deployed. Then:

      1. If you will be using user credentials, add the organization-level permissions to the user.

      2. If you will be using EC2 instance credentials, instead add the organization-level permissions to the role that is attached to the EC2 instance.

    2. If you are using a member account to assume a role from the management or delegated admin account to run Organization-level discovery and visibility, add the organization-level permissions to the role that is created under the management or delegated admin account. This must be the role assumed by the member account.

      Note: If you use this approach, you must also set the Role ARN used for Operations of Organizations setting in the Credentials section of the AWS Setup page. For more details, see AWS job settings: Credentials.

    The organization-level permissions referenced in both approaches are as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "organizations:ListAccountsForParent",
                    "organizations:ListRoots",
                    "organizations:ListAccounts",
                    "organizations:ListTagsForResource",
                    "account:ListRegions",
                    "organizations:ListOrganizationalUnitsForParent",
                    "organizations:ListChildren"
                ],
                "Resource": "*"
            }
        ]
    }

  2. Set up a YAML file for a cross-account role with the privileges and permissions needed to access each of the accounts.

  3. Deploy this template to the AWS infrastructure as a new StackSet.

  4. In CDV, make sure your AWS credentials specify either the CDV account with this new role or the Management Account.

  5. In CDV, configure and run the Organization-level Discovery job.
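As an added example (not BlueCat's code or the product's own implementation), the following Python walks an Organization tree with the same list APIs that the organization-level policy in step 1 grants, records every action the walk actually needed, and then checks a policy document against that list. It lets you confirm, before the first Organization-level run, that the user or role you set up in step 1 is sufficiently permissioned, and it also shows why each action in the policy exists. The Organizations and Account clients are replaced by a constructed fake holding made-up root, OU, account, tag and region values; with boto3 the same calls are `list_roots`, `list_organizational_units_for_parent`, `list_accounts_for_parent` and `list_tags_for_resource` on the `organizations` client and `list_regions` on the `account` client.

```python
"""Offline least-privilege check for Organization-level discovery (added
example, not BlueCat's code).  Walks an Organization the way a discovery job
would (roots -> OUs -> accounts), logs every API action the walk needed, then
confirms an IAM policy grants all of them.  A constructed fake stands in for
the boto3 Organizations and Account clients so it runs without AWS access."""
import fnmatch

# The organization-level permissions policy quoted in the guide above.
ORG_DISCOVERY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "organizations:ListAccountsForParent", "organizations:ListRoots",
            "organizations:ListAccounts", "organizations:ListTagsForResource",
            "account:ListRegions", "organizations:ListOrganizationalUnitsForParent",
            "organizations:ListChildren",
        ],
        "Resource": "*",
    }],
}


class FakeOrgClient:
    """Constructed stand-in for the Organizations and Account APIs: each method
    records the IAM action the real call is authorized against, so permission
    needs are measured, not guessed.  IDs, tags and regions are sample data."""

    def __init__(self):
        self.actions_used = []
        self._roots = ["r-0001"]
        # parent id -> (child OUs, member accounts)
        self._tree = {"r-0001": (["ou-0001"], ["111111111111"]),
                      "ou-0001": ([], ["222222222222"])}
        self._tags = {"111111111111": {"env": "prod"}, "222222222222": {"env": "dev"}}
        self._regions = {"111111111111": ["us-east-1", "eu-west-1"],
                         "222222222222": ["us-east-1"]}

    def list_roots(self):
        self.actions_used.append("organizations:ListRoots")
        return list(self._roots)

    def list_organizational_units_for_parent(self, parent_id):
        self.actions_used.append("organizations:ListOrganizationalUnitsForParent")
        return list(self._tree[parent_id][0])

    def list_accounts_for_parent(self, parent_id):
        self.actions_used.append("organizations:ListAccountsForParent")
        return list(self._tree[parent_id][1])

    def list_tags_for_resource(self, resource_id):
        self.actions_used.append("organizations:ListTagsForResource")
        return dict(self._tags.get(resource_id, {}))

    def list_regions(self, account_id):
        self.actions_used.append("account:ListRegions")
        return list(self._regions.get(account_id, []))


def discover_accounts(client):
    """Depth-first walk from every root.  Returns {account_id: {"path": [root,
    ou, ...], "tags": {...}, "regions": [...]}}, the inventory from which a
    per-account, per-region resource scan is scoped."""
    found = {}
    stack = [(root, [root]) for root in client.list_roots()]
    while stack:
        parent, path = stack.pop()
        for account in client.list_accounts_for_parent(parent):
            found[account] = {"path": path,
                              "tags": client.list_tags_for_resource(account),
                              "regions": client.list_regions(account)}
        for ou in client.list_organizational_units_for_parent(parent):
            stack.append((ou, path + [ou]))
    return found


def _matches(action, patterns):
    # IAM action matching is case-insensitive and honours * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_permissions(policy, actions_used):
    """Actions the walk used that the policy does not grant (empty means the
    policy is sufficient).  Only Effect and Action are evaluated, an explicit
    Deny winning; Resource and Condition are ignored, exact for "Resource": "*"."""
    allow, deny = set(), set()
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        (allow if stmt.get("Effect") == "Allow" else deny).update(actions)
    return sorted(a for a in set(actions_used)
                  if _matches(a, deny) or not _matches(a, allow))
```

Run `discover_accounts(FakeOrgClient())` and pass the client's `actions_used` to `missing_permissions` together with the policy you intend to attach; an empty result means every action the walk needed is granted. The check only reports actions a run actually used, so it catches a policy that is too narrow (for example one written as `organizations:List*`, which leaves `account:ListRegions` missing) but not one that is broader than necessary. `organizations:ListAccounts` and `organizations:ListChildren` from the guide's policy are alternative enumeration calls that this particular walk does not exercise.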