Grant permissions to your accounts in your AWS Organization


To ensure Data Collection account can collect information across all accounts in the AWS Organization you must deploy 2 IAM roles for each Management account you wish to collect data from. (if you want to collect data from multiple payers, follow steps for each one)

The rest of this page is broken into two sets of instructions:

  1. Role for Management Account - A Read Only Role WA-Lambda-Assume-Role-Management-Account must be deployed into any Management account you wish to collect data from. This allows access from your Data Collection Account to the Management account.
  2. Read Only roles for Data Collector modules - A second read only role WA-Optimization-Data-Multi-Account-Role must be deployed in each Linked account of the Organization via a StackSets.

1/2 Role for Management Account

Some of the data needed for the modules is in the Management account we will now create a read only role for the Data Collector Account to assume.

  1. Log into your Management account then click Launch CloudFormation Template

  2. Call the Stack OptimizationManagementDataRoleStack

  3. In the Parameters section set CostAccountID as the ID of Data Collection Account ( where you plan to deploy the OptimizationDataCollectionStack)

  4. NOTE If you choose to modify the Role Prefix field, keep this consistent across all the Stacks and StackSets you create as part of this lab.

  5. Scroll to the bottom and click Next

  6. Tick the acknowledge boxes and click Create stack.

  7. You can see the role that was collected by clicking on Resources and clicking on the hyperlink under Physical ID. Images/Managment_CF_deployed.png

2/2 Read Only roles for Data Collector modules

We will use a CloudFormation StackSet to deploy a single read only role to all accounts. It will allow the modules that we will deploy later with the OptimizationDataCollectionStack to collect data from all of the accounts in an AWS Organization.

  1. Login to your Management account and search for Cloud Formation Images/cloudformation.png

  2. Click on the hamburger icon on the side panel on the left hand side of the screen and select StackSets. If you have not enabled this Click the button Enable trusted access. Images/Enable_trusted_accessed.png

  3. Once Successful or if you have it enabled already click Create StackSet.

  4. Keep all ticked boxes as default and past he following URL in Amazon S3 URL. Click Next.


  1. Call the Stack OptimizationDataRoleStack. Images/ods_stackset_name.png

  2. In the Parameters section for CostAccountID use the Account ID that where you will deploy the OptimizationDataCollectionStack. Under available modules section select modules that you need. This CloudFormation StackSet will provision required roles for modules in linked accounts. Detailed description of each module can be found here


  1. NOTE If you choose to modify the Role Prefix field, keep this consistent across all the Stacks and StackSets you create as part of this lab.

  2. Leave all as default and Click Next.


  1. Select the region you are currently deploying to.


  1. Tick the boxes and click Create stack. Images/Tick_Box.png

  2. This role will now be deployed to all linked accounts.

If you face an issue with AWSCloudFormationStackSetAdministrationRole please make sure you activated ‘Tusted Access’ (2nd step) or follow AWS Documentation for activating this via additional CloudFormation.

(Optional) Read Only roles in Management Account

If you wish to also access data in your management account, deploy the same CloudFormation stack as a normal stack in your management account as you did in the Role for Management Account step above.

To do this follow these instructions