Connect to AWS for vulnerability detection and risk assessment

You can connect Security Command Center Enterprise tier to your Amazon Web Services (AWS) environment so that you can do the following:

  • Detect and remediate software vulnerabilities and misconfigurations in your AWS environment
  • Create and manage a security posture for AWS
  • Identify potential attack paths from the public internet to your high-value AWS assets
  • Map compliance of AWS resources with various standards and benchmarks

Connecting Security Command Center to AWS creates a single place for your security operations team to manage and remediate threats and vulnerabilities across Google Cloud and AWS.

To let Security Command Center monitor your AWS organization, you must configure a connection using a Google Cloud service agent and an AWS account that has access to the resources that you want to monitor. Security Command Center uses this connection to periodically collect data across all the AWS accounts and regions that you define.

You can create one AWS connection for each Google Cloud organization. The connector uses API calls to collect AWS asset data. These API calls may incur AWS charges.

This document describes how to set up the connection with AWS. When you set up a connection, you configure the following:

  • A series of accounts in AWS that have direct access to the AWS resources that you want to monitor. In the Google Cloud console, these accounts are called collector accounts.
  • An account in AWS that has the appropriate policies and roles to allow authentication to collector accounts. In the Google Cloud console, this account is called the delegated account. Both the delegated account and the collector accounts must be in the same AWS organization.
  • A service agent in Google Cloud that connects to the delegated account for authentication.
  • A pipeline to collect asset data from AWS resources.
  • (Optional) Permissions for Sensitive Data Protection to profile your AWS content.

This connection doesn't apply to the SIEM capabilities of Security Command Center that let you ingest AWS logs for threat detection.

The following diagram shows this configuration. The tenant project is a project that is created automatically and contains your asset data collection pipeline instance.

AWS and Security Command Center configuration.

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Activate Security Command Center Enterprise tier

Complete step 1 and step 2 of the setup guide to activate Security Command Center Enterprise tier.

Set up permissions

To get the permissions that you need to use the AWS connector, ask your administrator to grant you the Cloud Asset Owner (roles/cloudasset.owner) IAM role. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create AWS accounts

Ensure that you have created the following AWS resources:

Configure the AWS connector

  1. In the Google Cloud console, go to the Setup guide page of Security Command Center.

  2. Select the organization that you activated Security Command Center Enterprise tier on. The Setup guide page opens.

  3. Click Step 3: Set up Amazon Web Services (AWS) integration. The Connectors page opens.

  4. Select Add connector > Amazon Web Services. The Configure connector page opens.

  5. In Delegated account ID, enter the AWS account ID for the AWS account that you can use as the delegated account.

  6. To let Sensitive Data Protection profile your AWS data, keep Grant permissions for Sensitive Data Protection discovery selected. This option adds AWS IAM permissions in the CloudFormation template for the collector role.

    AWS IAM permissions granted by this option:

    • s3:GetBucketLocation
    • s3:ListAllMyBuckets
    • s3:GetBucketPolicyStatus
    • s3:ListBucket
    • s3:GetObject
    • s3:GetObjectVersion
    • s3:GetBucketPublicAccessBlock
    • s3:GetBucketOwnershipControls
    • s3:GetBucketTagging
    • iam:ListAttachedRolePolicies
    • iam:GetPolicy
    • iam:GetPolicyVersion
    • iam:ListRolePolicies
    • iam:GetRolePolicy
    • ce:GetCostAndUsage
    • dynamodb:DescribeTableReplicaAutoScaling
    • identitystore:ListGroupMemberships
    • identitystore:ListGroups
    • identitystore:ListUsers
    • lambda:GetFunction
    • lambda:GetFunctionConcurrency
    • logs:ListTagsForResource
    • s3express:CreateSession
    • s3express:GetBucketPolicy
    • s3express:ListAllMyDirectoryBuckets
    • wafv2:GetIPSet
  7. Optionally, review and edit the Advanced options. See Customize the AWS connector configuration for information about additional options.

  8. Click Continue. The Connect to AWS page opens.

  9. Complete one of the following:

    • Download and review the CloudFormation templates for the delegated role and the collector role.
    • If you configured the advanced options or need to change the default AWS role names (aws-delegated-role, aws-collector-role, and aws-sensitive-data-protection-role), select Configure AWS accounts manually. Copy the service agent ID, delegated role name, collector role name, and the Sensitive Data Protection collector role name.

    You can't change the role names after you create the connection.

Don't click Create. Instead, configure your AWS environment.

Configure your AWS environment

You can set up your AWS environment using one of the following methods:

Use CloudFormation templates to set up your AWS environment

If you downloaded CloudFormation templates, use these steps to set up your AWS environment.

  1. Sign in to the AWS delegate account console. Make sure that you're signed in to the delegate account that is used to assume other collector AWS accounts (that is, either an AWS management account or any member account that's registered as a delegated administrator).
  2. Go to the AWS CloudFormation Template console.
  3. Create a stack that provisions the delegate role:

    1. On the Stacks page, click Create stack > With new resources (standard).
    2. When specifying a template, upload the delegated role template file.
    3. When specifying the stack details, enter a stack name.
    4. If you changed the role name for the delegated role, collector role, or Sensitive Data Protection role, update the parameters accordingly. The parameters that you enter must match the ones that are listed in the Connect to AWS page in the Google Cloud console.

    5. As required by your organization, update the stack options.

    6. On the Review and create page, select I acknowledge that AWS CloudFormation might create IAM resources with custom names.

    7. Click Submit to create the stack.

    Wait for the stack to be created. If an issue occurs, see Troubleshooting. For more information, see Creating a stack on the AWS CloudFormation console in the AWS documentation.

  4. Create a stack set that provisions collector roles.

    1. On the StackSets page, click Create StackSet.
    2. Click Service-managed permissions.

    3. When specifying a template, upload the collector role template file.

    4. When specifying the StackSet details, enter a stack set name and description.

    5. Enter the delegate account ID.

    6. If you changed the role name for the delegated role, collector role, or Sensitive Data Protection role, update the parameters accordingly. The parameters that you enter must match the ones that are listed in the Connect to AWS page in the Google Cloud console.

    7. As required by your organization, configure your stack set options.

    8. When specifying the deployment options, choose your deployment targets. You can deploy to the entire AWS organization or deploy to an organization unit (OU) that includes all the AWS accounts that you want to collect data from.

    9. Specify the AWS regions to create the roles and policies in. Because roles are global resources, you don't need to specify multiple regions.

    10. Change other settings if needed.

    11. Review the changes and click Submit to create the stack set. If you receive an error, see Troubleshooting. For more information, see Create a stack set with service-managed permissions in the AWS documentation.

  5. If you need to collect data from the management account, then sign in to the management account and deploy a separate stack to provision the collector roles. When specifying the template, upload the collector role template file.

    This step is needed because AWS CloudFormation stack sets don't create stack instances in management accounts. For more information, see DeploymentTargets in the AWS documentation.

To complete the integration process, see Complete the integration process.

Configure AWS accounts manually

If you can't use the CloudFormation templates (for example, you are using different role names or are customizing the integration), you can create the required AWS IAM policies and AWS IAM roles manually.

You must create AWS IAM policies and AWS IAM roles for the delegated account and the collector accounts.

Create the AWS IAM policy for the delegated role

To create an AWS IAM policy for the delegated role (a delegated policy), complete the following:

  1. Sign in to the AWS delegate account console.

  2. Click Policies > Create policy.

  3. Click JSON and paste one of the following, depending on whether you selected the Grant permissions for Sensitive Data Protection discovery checkbox in Configure Security Command Center.

    Grant permissions for Sensitive Data Protection discovery: cleared

    {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": "sts:AssumeRole",
              "Resource": "arn:aws:iam::*:role/COLLECTOR_ROLE_NAME",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "organizations:List*",
                  "organizations:Describe*"
              ],
              "Resource": "*",
              "Effect": "Allow"
          }
      ]
    }
    

    Replace COLLECTOR_ROLE_NAME with the name of the collector role that you copied when configuring Security Command Center (the default is aws-collector-role).

    Grant permissions for Sensitive Data Protection discovery: selected

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Resource": [
                "arn:aws:iam::*:role/COLLECTOR_ROLE_NAME",
                "arn:aws:iam::*:role/SCAN_SENSITIVE_DATA_COLLECTOR_ROLE_NAME"
              ],
              "Effect": "Allow"
            },
            {
              "Action": [
                "organizations:List*",
                "organizations:Describe*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
        

    Replace the following:

    • COLLECTOR_ROLE_NAME: the name of the configuration data collector role that you copied when configuring Security Command Center (the default is aws-collector-role)
    • SCAN_SENSITIVE_DATA_COLLECTOR_ROLE_NAME: the name of the Sensitive Data Protection collector role that you copied when configuring Security Command Center (the default is aws-sensitive-data-protection-role)
  4. Click Next.

  5. In the Policy details section, enter a name and description for the policy.

  6. Click Create policy.

Create an AWS IAM role for the trust relationship between AWS and Google Cloud

Create a delegated role that sets up a trusted relationship between AWS and Google Cloud. This role uses the delegated policy that was created in Create the AWS IAM policy for the delegated role.

  1. Sign in to the AWS delegate account console as an AWS user that can create IAM roles and policies.

  2. Click Roles > Create role.

  3. For Trusted entity type, click Web Identity.

  4. For Identity Provider, click Google.

  5. For Audience, enter the service agent ID that you copied when you configured Security Command Center. Click Next.

  6. To grant the delegated role access to the collector roles, attach the permission policies to the role. Search for the delegated policy that was created in Create the AWS IAM policy for the delegated role and select it.

  7. In the Role details section, enter the Delegated role name that you copied when you configured Security Command Center (the default name is aws-delegated-role).

  8. Click Create role.

Create the AWS IAM policy for asset configuration data collection

To create an AWS IAM policy for asset configuration data collection (a collector policy), complete the following:

  1. Sign in to the AWS collector account console.

  2. Click Policies > Create policy.

  3. Click JSON and paste the following:

    {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "ce:GetCostAndUsage",
                  "dynamodb:DescribeTableReplicaAutoScaling",
                  "identitystore:ListGroupMemberships",
                  "identitystore:ListGroups",
                  "identitystore:ListUsers",
                  "lambda:GetFunction",
                  "lambda:GetFunctionConcurrency",
                  "logs:ListTagsForResource",
                  "s3express:GetBucketPolicy",
                  "s3express:ListAllMyDirectoryBuckets",
                  "wafv2:GetIPSet"
              ],
              "Resource": [
                  "*"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "apigateway:GET"
              ],
              "Resource": [
                  "arn:aws:apigateway:*::/usageplans",
                  "arn:aws:apigateway:*::/usageplans/*/keys",
                  "arn:aws:apigateway:*::/vpclinks/*"
              ]
          }
      ]
    }

  4. Click Next.

  5. In the Policy details section, enter a name and description for the policy.

  6. Click Create policy.

  7. Repeat these steps for each collector account.

Create the AWS IAM role for asset configuration data collection in each account

Create the collector role that lets Security Command Center get asset configuration data from AWS. This role uses the collector policy that was created in Create the AWS IAM policy for asset configuration data collection.

  1. Sign in to the AWS collector account console as a user who can create IAM roles for the collector accounts.

  2. Click Roles > Create role.

  3. For Trusted entity type, click Custom trust policy.

  4. In the Custom trust policy section, paste the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::DELEGATE_ACCOUNT_ID:role/DELEGATE_ACCOUNT_ROLE"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    

    Replace the following:

    • DELEGATE_ACCOUNT_ID: the AWS account ID for the delegate account
    • DELEGATE_ACCOUNT_ROLE: the Delegated role name that you copied when you configured Security Command Center
  5. To grant this collector role access to your AWS asset configuration data, attach the permission policies to the role. Search for the custom collector policy that was created in Create the AWS IAM policy for asset configuration data collection, and select it.

  6. Search and select the following managed policies:

    • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
    • arn:aws:iam::aws:policy/SecurityAudit
  7. In the Role details section, enter the name of the configuration data collector role that you copied when you configured Security Command Center.

  8. Click Create role.

  9. Repeat these steps for each collector account.
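Before you run Test connector, you can check the manually created documents against each other offline. The following script is an added example (not Google's documentation or the connector's own code): it verifies that the delegated policy can assume every collector role ARN, that each collector role's trust policy names the delegated role, that organizations:ListAccounts is covered by the organizations:List* wildcard, and that the collector policy allows every action listed in this guide, which are the conditions behind the AWS_FAILED_TO_ASSUME_COLLECTOR_ROLE, AWS_FAILED_TO_LIST_ACCOUNTS and AWS_COLLECTOR_ROLE_POLICY_MISSING_REQUIRED_PERMISSION errors in Troubleshooting. The account IDs, the second account's stale trust policy and the omitted wafv2:GetIPSet action are constructed sample values; the role names are this guide's defaults.

```python
"""Offline pre-flight check for the manually created Security Command Center AWS
IAM policies (added example, not Google's code). From policy documents alone it
checks what Test connector later verifies against live AWS: the delegated policy
can assume every collector role and each trust policy names the delegated role
(AWS_FAILED_TO_ASSUME_COLLECTOR_ROLE), organizations:ListAccounts is allowed
(AWS_FAILED_TO_LIST_ACCOUNTS), and the collector policy allows every required
action (AWS_COLLECTOR_ROLE_POLICY_MISSING_REQUIRED_PERMISSION). Account IDs are
constructed sample values; role names are this guide's defaults.
"""
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def iam_match(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    Action names compare case-insensitively, ARNs case-sensitively."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def allowed(policy: dict, action: str, resource: str = "*") -> bool:
    """True if an Allow statement covers (action, resource) and no Deny does.
    Only plain Action/Resource statements are evaluated (no NotAction, no Condition)."""
    verdict = False
    for stmt in policy["Statement"]:
        hit_action = any(iam_match(a, action, False) for a in _as_list(stmt.get("Action", [])))
        hit_resource = any(iam_match(r, resource, True) for r in _as_list(stmt.get("Resource", [])))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return False  # an explicit deny always wins in IAM
            verdict = True
    return verdict

def trusts_delegated_role(trust_policy: dict, delegated_role_arn: str) -> bool:
    """True if the collector role's trust policy lets exactly delegated_role_arn
    call sts:AssumeRole. A '*' principal is deliberately not accepted."""
    for stmt in trust_policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if (stmt.get("Effect") == "Allow" and delegated_role_arn in principals
                and any(iam_match(a, "sts:AssumeRole", False) for a in actions)):
            return True
    return False

# (action, resource) pairs taken from the collector policy in this guide.
REQUIRED_COLLECTOR_ACTIONS = [(a, "*") for a in (
    "ce:GetCostAndUsage", "dynamodb:DescribeTableReplicaAutoScaling",
    "identitystore:ListGroupMemberships", "identitystore:ListGroups",
    "identitystore:ListUsers", "lambda:GetFunction", "lambda:GetFunctionConcurrency",
    "logs:ListTagsForResource", "s3express:GetBucketPolicy",
    "s3express:ListAllMyDirectoryBuckets", "wafv2:GetIPSet")] + [
    ("apigateway:GET", "arn:aws:apigateway:us-east-1::/usageplans"),
    ("apigateway:GET", "arn:aws:apigateway:us-east-1::/usageplans/plan1/keys"),
    ("apigateway:GET", "arn:aws:apigateway:us-east-1::/vpclinks/link1")]

def preflight(delegated_policy: dict, delegated_role_arn: str, collector_role_name: str,
              trust_policies: dict, collector_policy: dict) -> list:
    """Return findings; an empty list means every check passed.
    trust_policies maps collector account ID -> that account's role trust policy."""
    findings = []
    if not allowed(delegated_policy, "organizations:ListAccounts"):
        findings.append("delegated policy: organizations:ListAccounts not allowed")
    for account_id, trust in trust_policies.items():
        role_arn = f"arn:aws:iam::{account_id}:role/{collector_role_name}"
        if not allowed(delegated_policy, "sts:AssumeRole", role_arn):
            findings.append(f"delegated policy: cannot assume {role_arn}")
        if not trusts_delegated_role(trust, delegated_role_arn):
            findings.append(f"{account_id}: trust policy does not trust {delegated_role_arn}")
    for action, resource in REQUIRED_COLLECTOR_ACTIONS:
        if not allowed(collector_policy, action, resource):
            findings.append(f"collector policy: {action} on {resource} not allowed")
    return findings

# Constructed sample: the guide's delegated policy, one correctly trusting collector
# account, one still naming an old delegated role, and a policy missing wafv2:GetIPSet.
DELEGATED_ROLE_ARN = "arn:aws:iam::999999999999:role/aws-delegated-role"
DELEGATED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/aws-collector-role",
     "Effect": "Allow"},
    {"Action": ["organizations:List*", "organizations:Describe*"], "Resource": "*",
     "Effect": "Allow"}]}

def _trust(principal_arn: str) -> dict:
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal_arn}, "Action": "sts:AssumeRole"}]}

TRUST_POLICIES = {"111111111111": _trust(DELEGATED_ROLE_ARN),
                  "222222222222": _trust("arn:aws:iam::999999999999:role/aws-delegated-role-old")}
COLLECTOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [a for a, _ in REQUIRED_COLLECTOR_ACTIONS[:10]], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["apigateway:GET"], "Resource": [
        "arn:aws:apigateway:*::/usageplans", "arn:aws:apigateway:*::/usageplans/*/keys",
        "arn:aws:apigateway:*::/vpclinks/*"]}]}

def sample_findings() -> list:
    """Run the pre-flight check on the constructed sample; returns two findings."""
    return preflight(DELEGATED_POLICY, DELEGATED_ROLE_ARN, "aws-collector-role",
                     TRUST_POLICIES, COLLECTOR_POLICY)
```

The managed policies ViewOnlyAccess and SecurityAudit are attached separately and are not evaluated here; the check only covers the custom policies you typed in.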

If you selected the Grant permissions for Sensitive Data Protection discovery checkbox in Configure Security Command Center, then proceed to the next section.

If you didn't enable the Grant permissions for Sensitive Data Protection discovery checkbox, then complete the integration process.

Create the AWS IAM policy for Sensitive Data Protection

Complete these steps if you selected the Grant permissions for Sensitive Data Protection discovery checkbox in Configure Security Command Center.

To create an AWS IAM policy for Sensitive Data Protection (a collector policy), complete the following:

  1. Sign in to the AWS collector account console.

  2. Click Policies > Create policy.

  3. Click JSON and paste the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets",
            "s3:GetBucketPolicyStatus",
            "s3:ListBucket",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:GetBucketPublicAccessBlock",
            "s3:GetBucketOwnershipControls",
            "s3:GetBucketTagging"
          ],
          "Resource": ["arn:aws:s3:::*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:ListAttachedRolePolicies",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:ListRolePolicies",
            "iam:GetRolePolicy",
            "ce:GetCostAndUsage",
            "dynamodb:DescribeTableReplicaAutoScaling",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroups",
            "identitystore:ListUsers",
            "lambda:GetFunction",
            "lambda:GetFunctionConcurrency",
            "logs:ListTagsForResource",
            "s3express:GetBucketPolicy",
            "s3express:ListAllMyDirectoryBuckets",
            "wafv2:GetIPSet"
          ],
          "Resource": ["*"]
        },
        {
          "Effect": "Allow",
          "Action": [
              "s3express:CreateSession"
          ],
          "Resource": ["arn:aws:s3express:*:*:bucket/*"]
        }
      ]
    }
    
  4. Click Next.

  5. In the Policy details section, enter a name and description for the policy.

  6. Click Create policy.

  7. Repeat these steps for each collector account.

Create the AWS IAM role for Sensitive Data Protection in each account

Complete these steps if you selected the Grant permissions for Sensitive Data Protection discovery checkbox in Configure Security Command Center.

Create the collector role that lets Sensitive Data Protection profile the contents of your AWS resources. This role uses the collector policy that was created in Create the AWS IAM policy for Sensitive Data Protection.

  1. Sign in to the AWS collector account console as a user who can create IAM roles for collector accounts.

  2. Click Roles > Create role.

  3. For Trusted entity type, click Custom trust policy.

  4. In the Custom trust policy section, paste the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::DELEGATE_ACCOUNT_ID:role/DELEGATE_ACCOUNT_ROLE"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    

    Replace the following:

    • DELEGATE_ACCOUNT_ID: the AWS account ID for the delegate account
    • DELEGATE_ACCOUNT_ROLE: the Delegated role name that you copied when you configured Security Command Center
  5. To grant this collector role access to the contents of your AWS resources, attach the permission policies to the role. Search for the custom collector policy that was created in Create the AWS IAM policy for Sensitive Data Protection, and select it.

  6. In the Role details section, enter the name of the role for Sensitive Data Protection that you copied when you configured Security Command Center.

  7. Click Create role.

  8. Repeat these steps for each collector account.

To complete the integration process, see Complete the integration process.

Complete the integration process

  1. In the Google Cloud console, on the Test connector page, click Test connector to verify that Security Command Center can connect to your AWS environment. If the connection is successful, the test determined that the delegated role has all the required permissions to assume the collector roles. If the connection isn't successful, see Troubleshooting errors when testing the connection.

  2. Click Create.

Customize the AWS connector configuration

This section describes some of the ways that you can customize the connection between Security Command Center and AWS. These options are available in the Advanced options (optional) section of the Add Amazon Web Services connector page in the Google Cloud console.

By default, Security Command Center automatically discovers your AWS accounts across all AWS regions. The connection uses the default global endpoint for the AWS Security Token Service and the default queries per second (QPS) for the AWS service that you're monitoring. These advanced options let you customize the defaults.

  • Add AWS connector accounts: Select Add accounts automatically (recommended) to let Security Command Center discover the AWS accounts automatically, or select Add accounts individually and provide a list of AWS accounts that Security Command Center can use to find resources.
  • Exclude AWS connector accounts: If you selected Add accounts individually under Add AWS connector accounts, provide a list of AWS accounts that Security Command Center should not use to find resources.
  • Select regions to collect data: Select one or more AWS regions for Security Command Center to collect data from. Leave the AWS regions field empty to collect data from all regions.
  • Maximum queries per second (QPS) for AWS services: You can change the QPS to control the quota limit for Security Command Center. Set the override to a value that is less than the default value for that service and greater than or equal to 1. The default value is the maximum value. If you change the QPS, Security Command Center might encounter issues fetching data, so we don't recommend changing this value.
  • Endpoint for AWS Security Token Service: You can specify a specific endpoint for the AWS Security Token Service (for example, https://sts.us-east-2.amazonaws.com). Leave the AWS Security Token Service field empty to use the default global endpoint (https://sts.amazonaws.com).

Grant sensitive data discovery permissions to an existing AWS connector

To perform sensitive data discovery on your AWS content, you need an AWS connector that has the required AWS IAM permissions.

This section describes how to grant those permissions to an existing AWS connector. The steps that you need to take depend on whether you configured your AWS environment using CloudFormation templates or manually.

Update an existing connector using CloudFormation templates

If you set up your AWS environment using CloudFormation templates, then follow these steps to grant sensitive data discovery permissions for your existing AWS connector.

  1. In the Google Cloud console, go to the Setup guide page of Security Command Center.

  2. Select the organization that you activated Security Command Center Enterprise tier on. The Setup guide page opens.

  3. Click Step 3: Set up Amazon Web Services (AWS) integration. The Connectors page opens.

  4. For the AWS connector, click More > Edit.

  5. In the Review data types section, select Grant permissions for Sensitive Data Protection discovery.

  6. Click Continue. The Connect to AWS page opens.

  7. Click Download delegated role template. The template is downloaded to your computer.

  8. Click Download collector role template. The template is downloaded to your computer.

  9. Click Continue. The Test connector page opens. Don't test the connector yet.

  10. In the CloudFormation console, update the stack template for the delegated role:

    1. Sign in to the AWS delegate account console. Make sure that you're signed in to the delegate account that is used to assume other collector AWS accounts.
    2. Go to the AWS CloudFormation console.
    3. Replace the stack template for the delegated role with the updated delegated role template that you downloaded.

      For more information, see Update a stack's template (console) in the AWS documentation.

  11. Update the stack set for the collector role:

    1. Using an AWS management account or any member account that's registered as a delegated administrator, go to the AWS CloudFormation console.
    2. Replace the stack set template for the collector role with the updated collector role template that you downloaded.

      For more information, see Update your stack set using the AWS CloudFormation console in the AWS documentation.

  12. If you need to collect data from the management account, then sign in to the management account and replace the template in the collector stack with the updated collector role template that you downloaded.

    This step is needed because AWS CloudFormation stack sets don't create stack instances in management accounts. For more information, see DeploymentTargets in the AWS documentation.

  13. In the Google Cloud console, on the Test connector page, click Test connector. If the connection is successful, the test determined that the delegated role has all the required permissions to assume the collector roles. If the connection isn't successful, see Troubleshooting errors when testing the connection.

  14. Click Save.

Update an existing connector manually

If you configured your AWS accounts manually when you created the AWS connector, then follow these steps to grant sensitive data discovery permissions for your existing AWS connector.

  1. In the Google Cloud console, go to the Setup guide page of Security Command Center.

  2. Select the organization that you activated Security Command Center Enterprise tier on. The Setup guide page opens.

  3. Click Step 3: Set up Amazon Web Services (AWS) integration. The Connectors page opens.

  4. For the AWS connector, click More > Edit.

  5. In the Review data types section, select Grant permissions for Sensitive Data Protection discovery.

  6. Click Continue. The Connect to AWS page opens.

  7. Click Configure AWS accounts manually (recommended if you use advanced settings or customized role names).

  8. Copy the values of the following fields:

    • Delegated role name
    • Collector role name
    • Sensitive Data Protection collector role name
  9. Click Continue. The Test connector page opens. Don't test the connector yet.

  10. In the AWS delegate account console, update the AWS IAM policy for the delegated role to use the following JSON:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Resource": [
                "arn:aws:iam::*:role/COLLECTOR_ROLE_NAME",
                "arn:aws:iam::*:role/SCAN_SENSITIVE_DATA_COLLECTOR_ROLE_NAME"
              ],
              "Effect": "Allow"
            },
            {
              "Action": [
                "organizations:List*",
                "organizations:Describe*"
              ],
              "Resource": "*",
              "Effect": "Allow"
            }
          ]
        }
        

    Replace the following:

    • COLLECTOR_ROLE_NAME: the name of the configuration data collector role that you copied (the default is aws-collector-role)
    • SCAN_SENSITIVE_DATA_COLLECTOR_ROLE_NAME: the name of the Sensitive Data Protection collector role that you copied (the default is aws-sensitive-data-protection-role)

    For more information, see Editing customer managed policies (console) in the AWS documentation.

  11. For each collector account, perform these procedures:

    1. Create the AWS IAM policy for Sensitive Data Protection.

    2. Create the AWS IAM role for Sensitive Data Protection in each account.

  12. In the Google Cloud console, on the Test connector page, click Test connector. If the connection is successful, the test determined that the delegated role has all the required permissions to assume the collector roles. If the connection isn't successful, see Troubleshooting errors when testing the connection.

  13. Click Save.

Troubleshooting

This section includes some common issues that you might encounter when you are integrating Security Command Center with AWS.

Resources already exist

This error occurs in the AWS environment when you try to create the AWS IAM policies and AWS IAM roles and a role or policy with the same name already exists in your AWS account.

To resolve this issue, complete the following:

  • Check whether the role or policy that you are creating already exists and satisfies the requirements listed in this guide.
  • If necessary, change the role name to avoid conflicts.

Invalid principal in policy

This error can occur in the AWS environment when you are creating the collector roles, but the delegate role doesn't exist yet.

To resolve this issue, complete the steps in Create the AWS IAM policy for the delegated role and wait until the delegate role is created before continuing.

Throttling limitations in AWS

AWS throttles API requests on a per-account or per-region basis. To ensure that these limits are not exceeded when Security Command Center collects asset configuration data from AWS, Security Command Center collects the data at a fixed maximum QPS for each AWS service, as described in the API documentation for that AWS service.

If you experience request throttling in your AWS environment because of the QPS consumed, you can mitigate the issue by completing the following:

  • In the AWS connector settings page, set a custom QPS for the AWS service that is experiencing request throttling issues.

  • Restrict the permissions of the AWS collector role so that the data from that specific service isn't collected anymore. This mitigation technique prevents attack path simulations from working correctly for AWS.

Revoking all permissions in AWS stops the data collector process immediately. Deleting the AWS connector doesn't immediately stop the data collector process, but the process won't start again after it finishes.

Troubleshooting errors when testing the connection

These errors can occur when you test the connection between Security Command Center and AWS.

AWS_FAILED_TO_ASSUME_DELEGATED_ROLE

The connection is invalid because the Google Cloud service agent can't assume the delegated role.

To resolve this issue, consider the following:

AWS_FAILED_TO_LIST_ACCOUNTS

The connection is invalid because auto-discovery is enabled and the delegated role can't get all AWS accounts in the organization.

This issue indicates that the policy to allow the organizations:ListAccounts action on the delegated role is missing on certain resources. To resolve this issue, verify which resources are missing. To verify the settings for the delegated policy, see Create the AWS IAM policy for the delegated role.

Check that you created and configured the AWS accounts as described in the Create AWS accounts section.

AWS_ACTIVE_COLLECTOR_ACCOUNTS_NOT_FOUND

The connection is invalid because no AWS collector accounts were found with the ACTIVE status.

If you selected Add accounts automatically in the Add AWS connector accounts field, then no AWS accounts (other than those listed in the Exclude AWS connector accounts field) were found with the ACTIVE status.

If you selected Add accounts individually in the Add AWS connector accounts field, check that the accounts that you provided have the ACTIVE status.

AWS_INVALID_COLLECTOR_ACCOUNTS

The connection is invalid because there are invalid collector accounts. The error message includes more information about the possible causes, which include the following:

AWS_FAILED_TO_ASSUME_COLLECTOR_ROLE

The collector account is invalid because the delegated role cannot assume the collector role in the collector account.

To resolve this issue, consider the following:

AWS_COLLECTOR_ROLE_POLICY_MISSING_REQUIRED_PERMISSION

The connection is invalid because the collector policy is missing some of the required permission settings.

To resolve this issue, consider the following causes:

What's next