Collecting data by using management accounts


The KM can monitor and collect data from all member (or organization) accounts that are part of an organization account. For more information about the prerequisites for monitoring these accounts, see Prerequisites-for-configuring-AWS-instance.

The following image provides an overview of how data is collected when organization and member accounts are configured:

AWS_Management_Account.png

Here are the steps that summarize how the KM collects data by using the management account:

  1. In the monitor policy, you specify whether you have the access key and secret key of a management account (Organization Management Account). For more information, see Configuring-the-Amazon-Web-Services-monitor-type.
  2. The KM invokes the AWS Organization API and gets the list of member accounts.
  3. By using the IAM Cross Account Role that you configured, the KM connects to the individual accounts.
  4. The KM uses role-based delegations to collect the data by assuming the role.
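The following sketch walks through steps 2 to 4 with boto3, which helps when scoping the management-account key to only the calls the flow needs (organizations:ListAccounts and sts:AssumeRole). It is an added example, not the KM's own code; the role name PatrolMonitoringRole and the function names are hypothetical.

```python
"""Added illustration: list member accounts, then assume a cross-account role in each."""

ROLE_NAME = "PatrolMonitoringRole"  # hypothetical role name, not taken from the BMC docs


def member_accounts(org_client):
    """Step 2: page through organizations:ListAccounts and keep ACTIVE accounts."""
    paginator = org_client.get_paginator("list_accounts")
    for page in paginator.paginate():
        for acct in page["Accounts"]:
            if acct["Status"] == "ACTIVE":
                yield acct["Id"]


def assume_member_role(sts_client, account_id, role_name=ROLE_NAME):
    """Steps 3-4: sts:AssumeRole into one account and return temporary credentials."""
    resp = sts_client.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName=f"monitor-{account_id}",
        DurationSeconds=900,  # shortest lifetime STS allows
    )
    return resp["Credentials"]


def collect(org_client, sts_client, role_name=ROLE_NAME):
    """Return {account_id: credentials or None}; a failed account does not stop the run."""
    results = {}
    for account_id in member_accounts(org_client):
        try:
            results[account_id] = assume_member_role(sts_client, account_id, role_name)
        except Exception as exc:  # e.g. AccessDenied when the role or its trust is missing
            results[account_id] = None
            print(f"{account_id}: cannot assume {role_name}: {exc}")
    return results


if __name__ == "__main__":
    import boto3  # expects management-account credentials in the environment

    session = boto3.Session()
    creds = collect(session.client("organizations"), session.client("sts"))
    print({acct: bool(c) for acct, c in creds.items()})
```

Accounts that map to None are the ones where the cross-account role or its trust relationship still needs to be configured.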

 


BMC PATROL for Amazon Web Services 22.4