Resolving the 'Connection Blocked' Error on an AWS Member Account
ROLE-BASED ACCESS NOTE: Some of the features and functionality described in this article require the assignment of the Admin or the DevOps user role to your user account. Without one of these roles assigned, some or all of the functionality may not be available to you.
You may discover that Aimably does not have connection access to a specific member account within your AWS Organization. You will know this is the case whenever a member account is tinted red in the organizational diagram found on the Connect to AWS page in the Configure navigation group.
Why is Aimably's Connection Blocked?
Aimably accesses your AWS organization's member accounts by establishing a trusted relationship between your managing account and Aimably's AWS account, then using the default trusted relationship between your managing account and member accounts. This default trusted relationship typically exists in all AWS organizations, provided that the member account was created after the AWS organization was established or the default role was not edited or removed. In the event that this default trusted relationship does not exist on a member account or has been limited in functionality, Aimably's connection will be blocked.
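The check described above can be run against a role's trust policy document before deciding whether a member account needs the fix. The following is an added example, not code from Aimably or AWS: it classifies the managing-to-member leg of the trust chain only, and the account IDs, sample policies and function names are constructed for illustration.

```python
# Added example: constructed data, not taken from Aimably or from any real account.
MANAGEMENT_ACCOUNT = "111111111111"  # hypothetical managing-account ID

def _stmt(principal):
    return {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}

# Trust policies of the cross-account role in three constructed member accounts.
SAMPLE_TRUST_POLICIES = {
    "222222222222": {"Statement": [_stmt({"AWS": "arn:aws:iam::111111111111:root"})]},
    "333333333333": {"Statement": [_stmt({"AWS": "arn:aws:iam::999999999999:root"})]},
    "444444444444": {"Statement": _stmt({"AWS": "*"})},  # single statement, not a list
}

def _as_list(value):
    """IAM allows a single item where a list is expected; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _principal_account(principal):
    """Account behind an AWS principal: '*', a bare 12-digit ID, or an IAM/STS ARN."""
    if principal == "*" or (principal.isdigit() and len(principal) == 12):
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts") else None

def classify_trust(policy, management_account):
    """Return 'trusted', 'wildcard' (needs review) or 'blocked' for one trust policy."""
    # Only Allow statements are read; Condition keys and Deny statements are not evaluated.
    trusted = False
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        for entry in ["*"] if principal == "*" else _as_list(aws):
            account = _principal_account(entry)
            if account == "*":
                return "wildcard"  # any AWS principal may assume the role
            trusted = trusted or account == management_account
    return "trusted" if trusted else "blocked"

def audit(policies, management_account=MANAGEMENT_ACCOUNT):
    """Map each member account ID to the classification of its role's trust policy."""
    return {acct: classify_trust(doc, management_account) for acct, doc in policies.items()}

if __name__ == "__main__":
    for account_id, verdict in audit(SAMPLE_TRUST_POLICIES).items():
        print(account_id, verdict)
```

A 'blocked' result corresponds to the missing trusted relationship described above, while 'wildcard' marks a role that works but trusts far more than the managing account and should be reviewed.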
Resolving the Aimably Connection to All Member Accounts by Creating an AWS StackSet
In order to ensure Aimably can gain access to all member accounts in an AWS organization, a custom trusted relationship must be installed in each member account granting limited access to Aimably via the managing account. While the default trusted relationship could be established, we always err on the side of granting the fewest permissions possible between Aimably and your AWS organization.
To install the custom managing-member account trusted relationship on all current and future member accounts, we recommend using a StackSet, which is a CloudFormation tool built by AWS. Using a StackSet ensures you will not need to add roles or policies when new member accounts are created. The installation of an Aimably StackSet removes any blocked connections on all member accounts at once.
This guide will walk you through installing the StackSet in your managing account for propagation through to all member accounts.
Prerequisites
You must be signed in to the managing account's AWS Management Console with a user possessing sufficient permissions to create CloudFormation StackSets and IAM roles and policies in that account.
Launch StackSets
In the AWS Management Console, enter the phrase 'StackSets' in the top search bar, then click on the top result titled 'StackSets' under the 'Features' header in the search results.
When the StackSets page loads, you may encounter a blue alert requesting that you enable trusted access for your AWS Organization. This is required. Click 'Enable trusted access.'
Once trusted access is enabled, a green confirmation alert will appear. You can dismiss this alert by clicking on the X in the top right of your screen.
Now, return to Aimably and re-run the integration wizard.