AWS Management & Member account Roles/Permissions with Discovery

Issue

ServiceNow AWS Discovery uses a management account to fetch all the AWS member accounts, and then creates Service Accounts for each of those member accounts. For these member Service Accounts, Discovery uses the management account credential. The management account must be able to fetch all the member accounts through read permission on the member accounts. Secondly, AWS Discovery uses a token generated with the management account credential to authenticate to the member accounts. Discovery can then discover AWS resources, provided the member account has read access to those resources.

Member account creation is driven by the pattern "Amazon AWS organizations". The pattern executes a REST call to get the AWS accounts (https://organizations.us-east-1.amazonaws.com/) and expects the response to contain the management account as well. If the response does not contain the management account, the error "Could not find the management account. Unable to create account CI's" is shown. Discovery has a business rule, 'ValidateServiceAccountID', that blocks a service account with a duplicate Account Id from being created.

Requirement:

- In the AWS member account, there must be a role named exactly "OrganizationAccountAccessRole".
- In the AWS member account, there must be a trust relationship between that role and the AWS management account.
- In the AWS member account, the role must have the "AdministratorAccess" policy attached, which grants "*" Access to "*" Resource.
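The three requirements above, plus the management-account check behind the "Could not find the management account" error, can be verified before a Discovery run. This is an added example, not ServiceNow's code: it takes plain dicts shaped like an IAM role trust policy and an organizations:ListAccounts response (a constructed sample trust policy is included), and builds the role ARN from the article's "arn:aws:iam::%s:role/%s" template.

```python
# Added example (not ServiceNow's code): pre-flight check of the member-account
# prerequisites the article lists, run against plain dict inputs.

REQUIRED_ROLE_NAME = "OrganizationAccountAccessRole"   # name Discovery hard-codes
ROLE_ARN_TEMPLATE = "arn:aws:iam::%s:role/%s"          # template from the article
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def member_role_arn(account_id):
    """ARN Discovery will try to assume in the given member account."""
    return ROLE_ARN_TEMPLATE % (account_id, REQUIRED_ROLE_NAME)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trusts_management_account(trust_policy, mgmt_account_id):
    """True if an Allow statement grants sts:AssumeRole to the management account."""
    accepted = {mgmt_account_id, "arn:aws:iam::%s:root" % mgmt_account_id}
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if not set(_as_list(stmt.get("Action", []))) & {"sts:AssumeRole", "sts:*"}:
            continue
        if accepted & set(_as_list(principal.get("AWS", []))):
            return True
    return False

def check_member_account(role_name, trust_policy, attached_policy_arns, mgmt_account_id):
    """Return every prerequisite from the article that this member account fails."""
    problems = []
    if role_name != REQUIRED_ROLE_NAME:
        problems.append("role is named %r, Discovery expects %r" % (role_name, REQUIRED_ROLE_NAME))
    if not trusts_management_account(trust_policy, mgmt_account_id):
        problems.append("trust policy does not allow sts:AssumeRole from %s" % mgmt_account_id)
    if ADMIN_POLICY_ARN not in attached_policy_arns:
        problems.append("AdministratorAccess managed policy is not attached")
    return problems

def management_account_listed(list_accounts_response, mgmt_account_id):
    """Same check the pattern makes: ListAccounts must return the management account."""
    accounts = list_accounts_response.get("Accounts", [])
    return any(acct.get("Id") == mgmt_account_id for acct in accounts)

# Constructed sample trust policy for a correctly configured member account.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}],
}
```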
Permissions:

ServiceNow sets the fixed string "OrganizationAccountAccessRole" when creating a new AssumeRoleRequest object, filling in the role ARN as follows: "arn:aws:iam::%s:role/%s" becomes "arn:aws:iam::<AccountId>:role/OrganizationAccountAccessRole". If "OrganizationAccountAccessRole" has been renamed, member account discovery will not work.

Refer to the AWS documentation for details on the roles, permissions, and policies required: "Accessing and Administering the Member Accounts in Your Organization".

AWS EC2 Permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:DeleteSubnet",
            "ec2:DescribeInstances",
            "ec2:ModifyVolumeAttribute",
            "ec2:CreateKeyPair",
            "ec2:AttachInternetGateway",
            "ec2:DescribeSnapshots",
            "ec2:ReportInstanceStatus",
            "ec2:GetConsoleScreenshot",
            "ec2:AssociateRouteTable",
            "ec2:DeleteRouteTable",
            "ec2:DescribeInternetGateways",
            "ec2:DeleteVolume",
            "ec2:StartInstances",
            "ec2:DeleteVpnGateway",
            "ec2:CreateRoute",
            "ec2:CreateInternetGateway",
            "autoscaling:DescribeAutoScalingGroups",
            "ec2:DescribeVolumes",
            "ec2:CreateVpnGateway",
            "ec2:DeleteInternetGateway",
            "ec2:DescribeReservedInstances",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeRouteTables",
            "ec2:DescribeReservedInstancesListings",
            "ec2:ModifyVolume",
            "ec2:ImportKeyPair",
            "ec2:CreateTags",
            "ec2:DescribeTags",
            "ec2:DescribeReservedInstancesOfferings",
            "ec2:CreateRouteTable",
            "ec2:RunInstances",
            "ec2:DetachInternetGateway",
            "ec2:StopInstances",
            "ec2:DisassociateRouteTable",
            "ec2:DescribeVolumeAttribute",
            "ec2:ReplaceNetworkAclAssociation",
            "ec2:CreateVolume",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:DetachVpnGateway",
            "ec2:GetPasswordData",
            "ec2:DeleteDhcpOptions",
            "ec2:DeleteVpc",
            "ec2:AssociateAddress",
            "ec2:DisassociateAddress",
            "ec2:CreateSubnet",
            "ec2:DescribeSubnets",
            "ec2:DeleteKeyPair",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DescribeVpnGateways",
            "ec2:AttachVolume",
            "ec2:DescribeAddresses",
            "ec2:DeleteSnapshot",
            "ec2:DescribeRegions",
            "autoscaling:DescribeLaunchConfigurations",
            "ec2:CreateVpc",
            "ec2:DescribeDhcpOptions",
            "ec2:GetConsoleOutput",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeNetworkInterfaceAttribute",
            "ec2:CreateSecurityGroup",
            "ec2:CreateNetworkAcl",
            "ec2:CreateSnapshot",
            "ec2:ModifyInstanceAttribute",
            "ec2:ModifyVpcAttribute",
            "ec2:DeleteNetworkAcl",
            "ec2:DescribeInstanceStatus",
            "ec2:ReleaseAddress",
            "ec2:RebootInstances",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:TerminateInstances",
            "ec2:DetachNetworkInterface",
            "ec2:AttachVpnGateway",
            "ec2:DeleteRoute",
            "ec2:DescribeCustomerGateways",
            "ec2:AllocateAddress",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeHosts",
            "ec2:DescribeImages",
            "ec2:DescribeVpcs",
            "ec2:DeleteSecurityGroup",
            "ec2:AttachNetworkInterface",
            "ec2:CreateNetworkAclEntry",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeInstanceAttribute",
            "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterface",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:DescribeInstanceCreditSpecifications"
          ],
          "Resource": "*"
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "ec2:DetachVolume",
            "ec2:AttachVolume",
            "ec2:DeleteVolume",
            "ec2:DeleteSnapshot",
            "ec2:CreateTags",
            "ec2:CreateSnapshot",
            "ec2:CreateVolume"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*::snapshot/*",
            "arn:aws:ec2:*:*:volume/*"
          ]
        }
      ]
    }

Related Links

- Test Account throws an error for AWS Management Service Accounts and patterns won't display more than 20 service accounts
- How to make sure the sub account Discovery created from the management AWS Account works as expected
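The EC2 policy above grants a number of mutating actions (ec2:TerminateInstances, ec2:DeleteVpc, ec2:RunInstances and others) alongside the Describe calls a read-only scan uses, and ec2:GetPasswordData, which returns an instance's encrypted Windows administrator password. This added script (not ServiceNow's code) separates the read-only actions in an IAM policy document from the mutating ones and from reads that expose instance secrets, so a grant like this can be reviewed; the embedded policy is a constructed excerpt of the one above.

```python
# Added example (not ServiceNow's code): list the actions in an IAM policy document
# that are not read-only, so a grant can be reviewed against what a scan needs.

READ_ONLY_PREFIXES = ("Describe", "Get", "List")
# Read calls that still return instance secrets or console contents.
SENSITIVE_READS = {"ec2:GetPasswordData", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """'ec2:DescribeInstances' -> True; 'ec2:TerminateInstances' and 'ec2:*' -> False."""
    verb = action.partition(":")[2]
    return verb.startswith(READ_ONLY_PREFIXES) and "*" not in verb

def audit_policy(policy):
    """Collect mutating actions and sensitive reads from every Allow statement."""
    mutating, sensitive = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:   # grants everything except the listed actions
            mutating.add("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in SENSITIVE_READS:
                sensitive.add(action)
            elif not is_read_only(action):
                mutating.add(action)
    return {"mutating": sorted(mutating), "sensitive_reads": sorted(sensitive)}

# Constructed excerpt of the article's EC2 policy, so the block runs stand-alone.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances",
                    "ec2:GetPasswordData", "autoscaling:DescribeAutoScalingGroups"]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Resource": ["arn:aws:ec2:*:*:volume/*"],
         "Action": ["ec2:DeleteVolume", "ec2:CreateSnapshot"]},
    ],
}
```

Running audit_policy over the full policy above (loaded with json.loads) gives the complete list of mutating actions it grants.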