

• The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). 

# Set up OpsCenter
<a name="OpsCenter-setup"></a>

AWS Systems Manager uses an integrated setup experience to help you get started with OpsCenter and Explorer, which are tools in Systems Manager. Explorer is a customizable operations dashboard that reports information about your AWS resources. In this documentation, Explorer and OpsCenter setup is called *Integrated Setup*.

You must use Integrated Setup to set up OpsCenter with Explorer. Integrated Setup is only available in the AWS Systems Manager console. You can't set up Explorer and OpsCenter programmatically. For more information, see [Getting started with Systems Manager Explorer and OpsCenter](Explorer-setup.md). 

**Before you begin**  
When you set up OpsCenter, you enable default rules in Amazon EventBridge that automatically create OpsItems. The following table describes the default EventBridge rules that automatically create OpsItems. You can disable EventBridge rules in the OpsCenter **Settings** page under **OpsItem rules**. 

**Important**  
Your account is charged for OpsItems created by default rules. For more information, see [AWS Systems Manager Pricing](https://aws.amazon.com/systems-manager/pricing/).


| Rule name | Description | 
| --- | --- | 
|  SSMOpsItems-Autoscaling-instance-launch-failure  |  This rule creates OpsItems when the launch of an EC2 auto scaling instance failed.   | 
|  SSMOpsItems-Autoscaling-instance-termination-failure  |  This rule creates OpsItems when the termination of an EC2 auto scaling instance failed.  | 
|  SSMOpsItems-EBS-snapshot-copy-failed  |  This rule creates OpsItems when the system failed to copy an Amazon Elastic Block Store (Amazon EBS) snapshot.  | 
|  SSMOpsItems-EBS-snapshot-creation-failed  |  This rule creates OpsItems when the system failed to create an Amazon EBS snapshot.  | 
|  SSMOpsItems-EBS-volume-performance-issue  |  This rule corresponds to an AWS Health tracking rule. The rule creates OpsItems whenever there is a performance issue with an Amazon EBS volume (health event = `AWS_EBS_DEGRADED_EBS_VOLUME_PERFORMANCE`).  | 
|  SSMOpsItems-EC2-issue  |  This rule corresponds to an AWS Health tracking rule for unexpected events that affect AWS services or resources. The rule creates OpsItems when, for example, a service sends communications about operational issues that are causing service degradation or to raise awareness about localized resource-level issues. For example, this rule creates an OpsItem for the following event: `AWS_EC2_OPERATIONAL_ISSUE`.  | 
|  SSMOpsItems-EC2-scheduled-change  |  This rule corresponds to an AWS Health tracking rule. AWS can schedule events for your instances, such as rebooting, stopping, or starting instances. The rule creates OpsItems for EC2 scheduled events. For more information about scheduled events, see [Scheduled events for your instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instances-status-check_sched.html) in the *Amazon EC2 User Guide*.  | 
|  SSMOpsItems-RDS-issue  |  This rule corresponds to an AWS Health tracking rule for unexpected events that affect AWS services or resources. The rule creates OpsItems when, for example, a service sends communications about operational issues that are causing service degradation or to raise awareness about localized resource-level issues. For example, this rule creates an OpsItem for the following events: `AWS_RDS_MYSQL_DATABASE_CRASHING_REPEATEDLY`, `AWS_RDS_EXPORT_TASK_FAILED`, and `AWS_RDS_CONNECTIVITY_ISSUE`.   | 
|  SSMOpsItems-RDS-scheduled-change  |  This rule corresponds to an AWS Health tracking rule. The rule creates OpsItems for Amazon RDS scheduled events. Scheduled events provide information about upcoming changes to your Amazon RDS resources. Some events might recommend that you take action to avoid service disruptions. Other events occur automatically without any action on your part. Your resource might be temporarily unavailable during the scheduled change activity. For example, this rule creates an OpsItem for the following events: `AWS_RDS_SYSTEM_UPGRADE_SCHEDULED` and `AWS_RDS_MAINTENANCE_SCHEDULED`. For more information about scheduled events, see [Event type categories](https://docs.aws.amazon.com/health/latest/ug/aws-health-concepts-and-terms.html#event-type-categories) in the *AWS Health User Guide*.   | 
|  SSMOpsItems-SSM-maintenance-window-execution-failed  |  This rule creates OpsItems when the processing of the Systems Manager maintenance window failed.   | 
|  SSMOpsItems-SSM-maintenance-window-execution-timedout  |  This rule creates OpsItems when the launch of the Systems Manager maintenance window timed out.   | 

Use the following procedure to set up OpsCenter.

**To set up OpsCenter**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **OpsCenter**.

1. On the OpsCenter home page, choose **Get started**.

1. On the OpsCenter setup page, choose **Enable this option to have Explorer configure AWS Config and Amazon CloudWatch events to automatically create OpsItems based on commonly-used rules and events**. If you don't choose this option, OpsCenter remains disabled.
**Note**  
Amazon EventBridge (formerly Amazon CloudWatch Events) provides all functionality of CloudWatch Events and some new features, such as custom event buses, third-party event sources and schema registry.

1. Choose **Enable OpsCenter**.

After you enable OpsCenter, you can do the following from **Settings**:
+ Create CloudWatch alarms using the **Open CloudWatch console** button. For more information, see [Configure CloudWatch alarms to create OpsItems](OpsCenter-create-OpsItems-from-CloudWatch-Alarms.md).
+ Enable operational insights. For more information, see [Analyzing operational insights to reduce OpsItems](OpsCenter-working-operational-insights.md).
+ Enable AWS Security Hub CSPM findings alarms. For more information, see [Understanding OpsCenter integration with AWS Security Hub CSPM](OpsCenter-applications-that-integrate.md#OpsCenter-integrate-with-security-hub).

**Topics**
+ [(Optional) Setting up OpsCenter to centrally manage OpsItems across accounts](OpsCenter-setting-up-cross-account.md)
+ [(Optional) Set up Amazon SNS to receive notifications about OpsItems](OpsCenter-getting-started-sns.md)

# (Optional) Setting up OpsCenter to centrally manage OpsItems across accounts
<a name="OpsCenter-setting-up-cross-account"></a>

You can use Systems Manager OpsCenter to centrally manage OpsItems across multiple AWS accounts in a selected AWS Region. This feature is available after you set up your organization in AWS Organizations. AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. For more information, see [What is AWS Organizations?](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) in the *AWS Organizations User Guide*.

Users who belong to the AWS Organizations management account can set up a delegated administrator account for Systems Manager. In the context of OpsCenter, delegated administrators can create, edit, and view OpsItems in member accounts. The delegated administrator can also use Systems Manager Automation runbooks to bulk resolve OpsItems or remediate issues with AWS resources that are generating OpsItems. 

**Note**  
You can assign only one account as the delegated administrator for Systems Manager. For more information, see [Creating an AWS Organizations delegated administrator for Systems Manager](setting_up_delegated_admin.md).

Systems Manager offers the following methods for setting up OpsCenter to centrally manage OpsItems across multiple AWS accounts.
+ **Quick Setup**: Quick Setup, a tool in Systems Manager, simplifies setup and configuration tasks for Systems Manager tools. For more information, see [AWS Systems Manager Quick Setup](systems-manager-quick-setup.md).

  Quick Setup for OpsCenter helps you complete the following tasks for managing OpsItems across accounts:
  + Registering an account as the delegated administrator (if the delegated administrator hasn't already been designated)
  + Creating required AWS Identity and Access Management (IAM) policies and roles
  + Specifying an AWS Organizations organization or organizational units (OUs) where a delegated administrator can manage OpsItems across accounts

  For more information, see [(Optional) Configure OpsCenter to manage OpsItems across accounts by using Quick Setup](OpsCenter-quick-setup-cross-account.md).
**Note**  
Quick Setup isn't available in all AWS Regions where Systems Manager is currently available. If Quick Setup isn't available in a Region where you want to use it to configure OpsCenter to centrally manage OpsItems across multiple accounts, then you must use the manual method. To view a list of AWS Regions where Quick Setup is available, see [Availability of Quick Setup in AWS Regions](systems-manager-quick-setup.md#quick-setup-getting-started-regions).
+ **Manual set up**: If Quick Setup isn't available in the Region where you want to configure OpsCenter to centrally manage OpsItems across accounts, then you can use the manual procedure to do so. For more information, see [(Optional) Manually set up OpsCenter to centrally manage OpsItems across accounts](OpsCenter-getting-started-multiple-accounts.md).

# (Optional) Configure OpsCenter to manage OpsItems across accounts by using Quick Setup
<a name="OpsCenter-quick-setup-cross-account"></a>

Quick Setup, a tool in AWS Systems Manager, simplifies setup and configuration tasks for Systems Manager tools. Quick Setup for OpsCenter helps you complete the following tasks for managing OpsItems across accounts:
+ Specifying the delegated administrator account
+ Creating required AWS Identity and Access Management (IAM) policies and roles
+ Specifying an AWS Organizations organization, or a subset of member accounts, where a delegated administrator can manage OpsItems across accounts

When you configure OpsCenter to manage OpsItems across accounts by using Quick Setup, Quick Setup creates the following resources in the specified accounts. These resources give the specified accounts permission to work with OpsItems and use Automation runbooks to fix issues with AWS resources generating OpsItems.


| Resources | Accounts | 
| --- | --- | 
|  `AWSServiceRoleForAmazonSSM_AccountDiscovery` AWS Identity and Access Management (IAM) service-linked role. For more information about this role, see [Using roles to collect AWS account information for OpsCenter and Explorer](using-service-linked-roles-service-action-2.md).  |  AWS Organizations management account and delegated administrator account  | 
|  `OpsItem-CrossAccountManagementRole` IAM role; `AWS-SystemsManager-AutomationAdministrationRole` IAM role  |  Delegated administrator account  | 
|  `OpsItem-CrossAccountExecutionRole` IAM role; `AWS-SystemsManager-AutomationExecutionRole` IAM role; `AWS::SSM::ResourcePolicy` Systems Manager resource policy for the default OpsItem group (`OpsItemGroup`)  |  All AWS Organizations member accounts  | 

**Note**  
If you previously configured OpsCenter to manage OpsItems across accounts using the [manual method](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-getting-started-multiple-accounts.html), you must delete the AWS CloudFormation stacks or stack sets created during Steps 4 and 5 of that process. If those resources exist in your account when you complete the following procedure, Quick Setup fails to configure cross-account OpsItem management properly.

**To configure OpsCenter to manage OpsItems across accounts by using Quick Setup**

1. Sign in to the AWS Management Console using the AWS Organizations management account.

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Quick Setup**.

1. Choose the **Library** tab.

1. Scroll to the bottom and locate the **OpsCenter** configuration tile. Choose **Create**.

1. On the Quick Setup OpsCenter page, in the **Delegated administrator** section, enter an account ID. If you are unable to edit this field, then a delegated administrator account has already been specified for Systems Manager.

1. In the **Targets** section, choose an option. If you choose **Custom**, then select the organizational units (OU) where you want to manage OpsItems across accounts.

1. Choose **Create**.

Quick Setup creates the OpsCenter configuration and deploys the required AWS resources to the designated OUs. 

**Note**  
If you don't want to manage OpsItems across multiple accounts, you can delete the configuration from Quick Setup. When you delete the configuration, Quick Setup deletes the following IAM policies and roles created when the configuration was originally deployed:  
+ `OpsItem-CrossAccountManagementRole` from the delegated administrator account
+ `OpsItem-CrossAccountExecutionRole` and `SSM::ResourcePolicy` from all Organizations member accounts

Quick Setup removes the configuration from all organizational units and AWS Regions where the configuration was originally deployed.

## Troubleshooting issues with a Quick Setup configuration for OpsCenter
<a name="OpsCenter-quick-setup-cross-account-troubleshooting"></a>

This section includes information to help you troubleshoot issues when configuring cross-account OpsItem management using Quick Setup.

**Topics**
+ [Deployment to these StackSets failed: delegatedAdmin](#OpsCenter-quick-setup-cross-account-troubleshooting-stack-set-failed)
+ [Quick Setup configuration status shows Failed](#OpsCenter-quick-setup-cross-account-troubleshooting-configuration-failed)

### Deployment to these StackSets failed: delegatedAdmin
<a name="OpsCenter-quick-setup-cross-account-troubleshooting-stack-set-failed"></a>

When creating an OpsCenter configuration, Quick Setup deploys two AWS CloudFormation stack sets in the Organizations management account. The stack sets use the following prefix: `AWS-QuickSetup-SSMOpsCenter`. If Quick Setup displays the error `Deployment to these StackSets failed: delegatedAdmin`, use the following procedure to fix this issue.

**To troubleshoot a StackSets failed: delegatedAdmin error**

1. If you received the `Deployment to these StackSets failed: delegatedAdmin` error in a red banner in the Quick Setup console, sign in to the delegated administrator account and the AWS Region designated as the Quick Setup home Region.

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. Choose the stack created by your Quick Setup configuration. The stack name includes the following: **AWS-QuickSetup-SSMOpsCenter**.
**Note**  
Sometimes CloudFormation deletes failed stack deployments. If the stack isn't available in the **Stacks** table, choose **Deleted** from the filter list.

1. View the **Status** and **Status reason**. For more information about stack statuses, see [Stack status codes](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html#cfn-console-view-stack-data-resources-status-codes) in the *AWS CloudFormation User Guide*. 

1. To understand the exact step that failed, view the **Events** tab and review each event's **Status**. For more information, see [Troubleshooting](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html) in the *AWS CloudFormation User Guide*.

**Note**  
If you are unable to resolve the deployment failure using the CloudFormation troubleshooting steps, delete the configuration and try again.

### Quick Setup configuration status shows Failed
<a name="OpsCenter-quick-setup-cross-account-troubleshooting-configuration-failed"></a>

If the **Configuration details** table on the **Configuration details** page shows a configuration status of `Failed`, sign in to the AWS account and Region where it failed.

**To troubleshoot a Quick Setup failure to create an OpsCenter configuration**

1. Sign in to the AWS account and the AWS Region where the failure occurred.

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. Choose the stack created by your Quick Setup configuration. The stack name includes the following: **AWS-QuickSetup-SSMOpsCenter**.
**Note**  
Sometimes CloudFormation deletes failed stack deployments. If the stack isn't available in the **Stacks** table, choose **Deleted** from the filter list.

1. View the **Status** and **Status reason**. For more information about stack statuses, see [Stack status codes](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html#cfn-console-view-stack-data-resources-status-codes) in the *AWS CloudFormation User Guide*. 

1. To understand the exact step that failed, view the **Events** tab and review each event's **Status**. For more information, see [Troubleshooting](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html) in the *AWS CloudFormation User Guide*.

#### Member account configuration shows ResourcePolicyLimitExceededException
<a name="OpsCenter-quick-setup-cross-account-troubleshooting-policy-limit-exception"></a>

If a stack status shows `ResourcePolicyLimitExceededException`, the account has previously onboarded to OpsCenter cross-account management by using the [manual method](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-getting-started-multiple-accounts.html). To resolve this issue, you must delete the AWS CloudFormation stacks or stack sets created during Steps 4 and 5 of the manual onboarding process. For more information, see [Delete a stack set](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-delete.html) and [Deleting a stack on the CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html) in the *AWS CloudFormation User Guide*.

# (Optional) Manually set up OpsCenter to centrally manage OpsItems across accounts
<a name="OpsCenter-getting-started-multiple-accounts"></a>

This section describes how to manually configure OpsCenter for cross-account OpsItem management. While this process is still supported, it has been replaced by a newer process that uses Systems Manager Quick Setup. For more information, see [(Optional) Configure OpsCenter to manage OpsItems across accounts by using Quick Setup](OpsCenter-quick-setup-cross-account.md). 

You can set up a central account to create manual OpsItems for member accounts, and manage and remediate those OpsItems. The central account can be the AWS Organizations management account, or both the AWS Organizations management account and Systems Manager delegated administrator account. We recommend that you use the Systems Manager delegated administrator account as a central account. You can only use this feature after you configure AWS Organizations. 

With AWS Organizations, you can consolidate multiple AWS accounts into an organization that you create and manage centrally. The central account user can create OpsItems for all selected member accounts simultaneously, and manage those OpsItems.

Use the process in this section to enable the Systems Manager service principal in Organizations and configure AWS Identity and Access Management (IAM) permissions for working with OpsItems across accounts. 

**Topics**
+ [Before you begin](#OpsCenter-before-you-begin)
+ [Step 1: Creating a resource data sync](#OpsCenter-getting-started-multiple-accounts-onboarding-rds)
+ [Step 2: Enabling the Systems Manager service principal in AWS Organizations](#OpsCenter-getting-started-multiple-accounts-onboarding-service-principal)
+ [Step 3: Creating the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role](#OpsCenter-getting-started-multiple-accounts-onboarding-SLR)
+ [Step 4: Configuring permissions to work with OpsItems across accounts](#OpsCenter-getting-started-multiple-accounts-onboarding-resource-policy)
+ [Step 5: Configuring permissions to work with related resources across accounts](#OpsCenter-getting-started-multiple-accounts-onboarding-related-resources-permissions)

**Note**  
Only OpsItems of type `/aws/issue` are supported when working in OpsCenter across accounts.

## Before you begin
<a name="OpsCenter-before-you-begin"></a>

Before you set up OpsCenter to work with OpsItems across accounts, ensure that you have set up the following:
+ A Systems Manager delegated administrator account. For more information, see [Configuring a delegated administrator for Explorer](Explorer-setup-delegated-administrator.md).
+ One organization set up and configured in Organizations. For more information, see [Creating and managing an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the *AWS Organizations User Guide*.
+ You configured Systems Manager Automation to run automation runbooks across multiple AWS Regions and AWS accounts. For more information, see [Running automations in multiple AWS Regions and accounts](running-automations-multiple-accounts-regions.md).

## Step 1: Creating a resource data sync
<a name="OpsCenter-getting-started-multiple-accounts-onboarding-rds"></a>

After you set up and configure AWS Organizations, you can aggregate OpsItems in OpsCenter for an entire organization by creating a resource data sync. For more information, see [Creating a resource data sync](Explorer-resource-data-sync-configuring-multi.md). When you create the sync, in the **Add accounts** section, be sure to choose the **Include all accounts from my AWS Organizations configuration** option.

## Step 2: Enabling the Systems Manager service principal in AWS Organizations
<a name="OpsCenter-getting-started-multiple-accounts-onboarding-service-principal"></a>

To enable a user to work with OpsItems across accounts, the Systems Manager service principal must be enabled in AWS Organizations. If you previously configured Systems Manager for multi-account scenarios using other tools, the Systems Manager service principal might already be configured in Organizations. Run the following commands from the AWS Command Line Interface (AWS CLI) to verify. If you *haven't* configured Systems Manager for other multi-account scenarios, skip to the next procedure, *To enable the Systems Manager service principal in AWS Organizations*.

**To verify the Systems Manager service principal is enabled in AWS Organizations**

1. [Download](https://aws.amazon.com/cli/) the latest version of the AWS CLI to your local machine.

1. Open the AWS CLI, and run the following command to specify your credentials and an AWS Region.

   ```
   aws configure
   ```

   The system prompts you to specify the following. In the following example, replace each *user input placeholder* with your own information.

   ```
   AWS Access Key ID [None]: key_name
   AWS Secret Access Key [None]: key_name
   Default region name [None]: region
   Default output format [None]: ENTER
   ```

1. Run the following command to verify that the Systems Manager service principal is enabled for AWS Organizations.

   ```
   aws organizations list-aws-service-access-for-organization
   ```

   The command returns information similar to that shown in the following example.

   ```
   {
       "EnabledServicePrincipals": [
           {
               "ServicePrincipal": "member.org.stacksets.cloudformation.amazonaws.com",
               "DateEnabled": "2020-12-11T16:32:27.732000-08:00"
           },
           {
               "ServicePrincipal": "opsdatasync.ssm.amazonaws.com",
               "DateEnabled": "2022-01-19T12:30:48.352000-08:00"
           },
           {
               "ServicePrincipal": "ssm.amazonaws.com",
               "DateEnabled": "2020-12-11T16:32:26.599000-08:00"
           }
       ]
   }
   ```

**To enable the Systems Manager service principal in AWS Organizations**

If you haven't previously configured the Systems Manager service principal for Organizations, use the following procedure to do so. For more information about this command, see [enable-aws-service-access](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/enable-aws-service-access.html) in the *AWS CLI Command Reference*.

1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already. For information, see [Installing CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [Configuring CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html). 

1. [Download](https://aws.amazon.com/cli/) the latest version of the AWS CLI to your local machine.

1. Open the AWS CLI, and run the following command to specify your credentials and an AWS Region.

   ```
   aws configure
   ```

   The system prompts you to specify the following. In the following example, replace each *user input placeholder* with your own information.

   ```
   AWS Access Key ID [None]: key_name
   AWS Secret Access Key [None]: key_name
   Default region name [None]: region
   Default output format [None]: ENTER
   ```

1. Run the following command to enable the Systems Manager service principal for AWS Organizations.

   ```
   aws organizations enable-aws-service-access --service-principal "ssm.amazonaws.com"
   ```
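The verification and enablement in Step 2, scripted as an added example that is not part of the AWS documentation: it runs the two CLI commands above through `subprocess`, parses the JSON output shown, and calls `enable-aws-service-access` only when `ssm.amazonaws.com` is missing. The sample responses are constructed, and `run_cli`, `ensure_ssm_service_access` and the `dry_run` flag are this example's own names.

```python
"""Pre-flight check for Step 2 (added example, not AWS documentation code)."""
import json
import subprocess

# The service principal that must be enabled for OpsCenter cross-account work.
SSM_SERVICE_PRINCIPAL = "ssm.amazonaws.com"

# Constructed sample in the shape of the documented output, with the Systems
# Manager principal present (as in the output shown on the page).
SAMPLE_OUTPUT_WITH_SSM = json.dumps({
    "EnabledServicePrincipals": [
        {"ServicePrincipal": "member.org.stacksets.cloudformation.amazonaws.com",
         "DateEnabled": "2020-12-11T16:32:27.732000-08:00"},
        {"ServicePrincipal": "opsdatasync.ssm.amazonaws.com",
         "DateEnabled": "2022-01-19T12:30:48.352000-08:00"},
        {"ServicePrincipal": "ssm.amazonaws.com",
         "DateEnabled": "2020-12-11T16:32:26.599000-08:00"},
    ]
})

# Constructed sample where only the resource data sync principal is enabled.
# A naive substring search for "ssm.amazonaws.com" would wrongly pass here,
# because "opsdatasync.ssm.amazonaws.com" contains it; exact matching does not.
SAMPLE_OUTPUT_MISSING_SSM = json.dumps({
    "EnabledServicePrincipals": [
        {"ServicePrincipal": "opsdatasync.ssm.amazonaws.com",
         "DateEnabled": "2022-01-19T12:30:48.352000-08:00"},
    ]
})


def enabled_principals(list_output: str) -> set:
    """Parse the JSON output of list-aws-service-access-for-organization and
    return the set of enabled service principal names (exact strings)."""
    doc = json.loads(list_output)
    return {
        entry["ServicePrincipal"]
        for entry in doc.get("EnabledServicePrincipals", [])
        if "ServicePrincipal" in entry
    }


def ssm_principal_enabled(list_output: str) -> bool:
    """True when ssm.amazonaws.com itself is enabled for the organization."""
    return SSM_SERVICE_PRINCIPAL in enabled_principals(list_output)


def run_cli(args: list) -> str:
    """Run one AWS CLI command with JSON output and return its stdout.
    Needs the AWS CLI configured with Organizations management account
    credentials (see the `aws configure` step above)."""
    result = subprocess.run(
        ["aws", *args, "--output", "json"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def ensure_ssm_service_access(dry_run: bool = True) -> bool:
    """Return True when the principal was already enabled. When it is missing,
    report it and (unless dry_run) enable it with the command from the page."""
    output = run_cli(["organizations", "list-aws-service-access-for-organization"])
    if ssm_principal_enabled(output):
        print(f"{SSM_SERVICE_PRINCIPAL} is already enabled; nothing to do.")
        return True
    print(f"{SSM_SERVICE_PRINCIPAL} is not enabled for this organization.")
    if not dry_run:
        run_cli(["organizations", "enable-aws-service-access",
                 "--service-principal", SSM_SERVICE_PRINCIPAL])
        print(f"Enabled {SSM_SERVICE_PRINCIPAL}.")
    return False


if __name__ == "__main__":
    # Dry run by default: reports the state without changing the organization.
    ensure_ssm_service_access(dry_run=True)
```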

## Step 3: Creating the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role
<a name="OpsCenter-getting-started-multiple-accounts-onboarding-SLR"></a>

A service-linked role such as the `AWSServiceRoleForAmazonSSM_AccountDiscovery` role is a unique type of IAM role that is linked directly to an AWS service, such as Systems Manager. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf. For more information about the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role, see [Service-linked role permissions for Systems Manager account discovery](using-service-linked-roles-service-action-2.md#service-linked-role-permissions-service-action-2).

Use the following procedure to create the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role by using the AWS CLI. For more information about the command used in this procedure, see [create-service-linked-role](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-service-linked-role.html) in the *AWS CLI Command Reference.*

**To create the `AWSServiceRoleForAmazonSSM_AccountDiscovery` service-linked role**

1. Sign in to the AWS Organizations management account.

1. While signed in to the Organizations management account, run the following command.

   ```
   aws iam create-service-linked-role \
       --aws-service-name accountdiscovery.ssm.amazonaws.com \
       --description "Systems Manager account discovery for AWS Organizations service-linked role"
   ```

## Step 4: Configuring permissions to work with OpsItems across accounts
<a name="OpsCenter-getting-started-multiple-accounts-onboarding-resource-policy"></a>

Use AWS CloudFormation stack sets to create an `OpsItemGroup` resource policy and an IAM execution role that give users permission to work with OpsItems across accounts. To get started, download and unzip the [https://docs.aws.amazon.com/systems-manager/latest/userguide/samples/OpsCenterCrossAccountMembers.zip](https://docs.aws.amazon.com/systems-manager/latest/userguide/samples/OpsCenterCrossAccountMembers.zip) file. This file contains the `OpsCenterCrossAccountMembers.yaml` CloudFormation template file. When you create a stack set by using this template, CloudFormation automatically creates the `OpsItemCrossAccountResourcePolicy` resource policy and the `OpsItemCrossAccountExecutionRole` execution role in the account. For more information about creating a stack set, see [Create a stack set](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html) in the *AWS CloudFormation User Guide*.

**Important**  
Note the following important information about this task:  
+ You must deploy the stack set while signed in to the AWS Organizations management account.
+ You must repeat this procedure while signed in to *every* account that you want to *target* for working with OpsItems across accounts, including the delegated administrator account.
+ If you want to enable cross-account OpsItems administration in different AWS Regions, choose **Add all regions** in the **Specify regions** section of the template. Cross-account OpsItem administration isn't supported for opt-in Regions.

## Step 5: Configuring permissions to work with related resources across accounts
<a name="OpsCenter-getting-started-multiple-accounts-onboarding-related-resources-permissions"></a>

An OpsItem can include detailed information about impacted resources such as Amazon Elastic Compute Cloud (Amazon EC2) instances or Amazon Simple Storage Service (Amazon S3) buckets. The `OpsItemCrossAccountExecutionRole` execution role, which you created in Step 4, gives OpsCenter read-only permission in member accounts to view related resources. In this task, you also create an IAM role that gives management accounts permission to view and interact with related resources. 

To get started, download and unzip the [https://docs.aws.amazon.com/systems-manager/latest/userguide/samples/OpsCenterCrossAccountManagementRole.zip](https://docs.aws.amazon.com/systems-manager/latest/userguide/samples/OpsCenterCrossAccountManagementRole.zip) file. This file contains the `OpsCenterCrossAccountManagementRole.yaml` CloudFormation template file. When you create a stack by using this template, CloudFormation automatically creates the `OpsCenterCrossAccountManagementRole` IAM role in the account. For more information about creating a stack, see [Creating a stack on the AWS CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) in the *AWS CloudFormation User Guide*.

**Important**  
Note the following important information about this task:  
+ If you plan to specify an account as a delegated administrator for OpsCenter, be sure to specify that AWS account when you create the stack. 
+ You must perform this procedure while signed in to the AWS Organizations management account and again while signed in to the delegated administrator account.

# (Optional) Set up Amazon SNS to receive notifications about OpsItems
<a name="OpsCenter-getting-started-sns"></a>

You can configure OpsCenter to send notifications to an Amazon Simple Notification Service (Amazon SNS) topic when the system creates an OpsItem or updates an existing OpsItem. 

Complete the following steps to receive notifications for OpsItems.
+ [Step 1: Creating and subscribing to an Amazon SNS topic](#OpsCenter-getting-started-sns-create-topic)
+ [Step 2: Updating the Amazon SNS access policy](#OpsCenter-getting-started-sns-encryption-policy)
+ [Step 3: Updating the AWS KMS access policy](#OpsCenter-getting-started-sns-KMS-policy)
+ [Step 4: Turning on default OpsItems rules to send notifications for new OpsItems](#OpsCenter-getting-started-sns-default-rules)

**Note**  
If you turn on AWS Key Management Service (AWS KMS) server-side encryption in Step 2, then you must complete Step 3. Otherwise, you can skip Step 3. 

## Step 1: Creating and subscribing to an Amazon SNS topic
<a name="OpsCenter-getting-started-sns-create-topic"></a>

To receive notifications, you must create and subscribe to an Amazon SNS topic. For more information, see [Creating an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/CreateTopic.html) and [Subscribing to an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-tutorial-create-subscribe-endpoint-to-topic.html) in the *Amazon Simple Notification Service Developer Guide*.

**Note**  
If you're using OpsCenter in multiple AWS Regions or accounts, you must create and subscribe to an Amazon SNS topic in *each* Region or account where you want to receive OpsItem notifications. 

## Step 2: Updating the Amazon SNS access policy
<a name="OpsCenter-getting-started-sns-encryption-policy"></a>

You have to associate an Amazon SNS topic with OpsItems. Use the following procedure to set up an Amazon SNS access policy so that Systems Manager can publish OpsItems notifications to the Amazon SNS topic that you created in Step 1.

1. Sign in to the AWS Management Console and open the Amazon SNS console at [https://console.aws.amazon.com/sns/v3/home](https://console.aws.amazon.com/sns/v3/home).

1. In the navigation pane, choose **Topics**.

1. Choose the topic that you created in Step 1, and then choose **Edit**.

1. Expand **Access policy**.

1. Add the following `Sid` block to the existing policy. Replace each *example resource placeholder* with your own information: the account ID in the `Resource` ARN is the account that owns the Amazon SNS topic, and the account ID in the `aws:SourceAccount` condition is the account that owns the OpsItems. The policy editor accepts only valid JSON, so don't add comments to the block.

   ```
   {
     "Sid": "Allow OpsCenter to publish to this topic",
     "Effect": "Allow",
     "Principal": {
       "Service": "ssm.amazonaws.com"
     },
     "Action": "SNS:Publish",
     "Resource": "arn:aws:sns:region:account ID:topic name",
     "Condition": {
       "StringEquals": {
         "aws:SourceAccount": "account ID"
       }
     }
   }
   ```
**Note**  
The `aws:SourceAccount` global condition key protects against the confused deputy scenario. To use this condition key, set the value to the account ID of the OpsItem owner. For more information, see [Confused Deputy](https://docs.aws.amazon.com//IAM/latest/UserGuide/confused-deputy.html) in the *IAM User Guide*. 

1. Choose **Save changes**.

The system now sends notifications to the Amazon SNS topic when OpsItems are created or updated.

**Important**  
If you configured the Amazon SNS topic with an AWS Key Management Service (AWS KMS) server-side encryption key in Step 2, then complete Step 3. Otherwise, you can skip Step 3. 

## Step 3: Updating the AWS KMS access policy
<a name="OpsCenter-getting-started-sns-KMS-policy"></a>

If you turned on AWS KMS server-side encryption for your Amazon SNS topic, you must also update the access policy of the AWS KMS key that you chose when you configured the topic. Use the following procedure to update the access policy so that Systems Manager can publish OpsItem notifications to the Amazon SNS topic you created in Step 1.

**Note**  
OpsCenter doesn't support publishing OpsItems to an Amazon SNS topic that is configured with an AWS managed key.

1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**.

1. Choose the ID of the KMS key that you chose when you created the topic.

1. In the **Key policy** section, choose **Switch to policy view**.

1. Choose **Edit**.

1. Add the following `Sid` block to the existing policy. Replace each *example resource placeholder* with your own information.

   ```
   {
     "Sid": "Allow OpsItems to decrypt the key",
     "Effect": "Allow",
     "Principal": {
       "Service": "ssm.amazonaws.com"
     },
     "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
     "Resource": "arn:aws:kms:region:account ID:key/key ID"
   }
   ```

    In the following example, the new block is entered at line 14.  
![\[Editing the AWS KMS access policy of an Amazon SNS topic.\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/OpsItems_SNS_KMS_access_policy.png)

1. Choose **Save changes**.
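The two policy edits in Step 2 and Step 3 are usually made by pasting into the console, but the same change can be checked offline. The following added example (not part of the AWS documentation or of any AWS tool) builds the two statements as Python dictionaries, merges each into an existing policy document of the kind returned by `aws sns get-topic-attributes` or `aws kms get-key-policy`, and audits the result for service-principal grants that lack the `aws:SourceAccount` (or `aws:SourceArn`) condition that the confused deputy note above calls for. The topic ARN, key ARN, account IDs and the "existing" policy are constructed samples; no AWS calls are made.

```python
"""Added example: merge the OpsCenter statements from Step 2 and Step 3 into
existing SNS topic and KMS key policies, then audit for the confused deputy
guard. Pure stdlib; all ARNs, account IDs and policies are constructed samples."""
import json
import re

SSM_PRINCIPAL = "ssm.amazonaws.com"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # a well-formed AWS account ID

# Constructed sample identifiers (assumptions, not values from the page).
TOPIC_ARN = "arn:aws:sns:us-west-2:111111111111:MySNSTopic"
KEY_ARN = "arn:aws:kms:us-west-2:111111111111:key/00000000-0000-0000-0000-000000000000"


def opscenter_sns_statement(topic_arn: str, opsitem_account: str) -> dict:
    """Step 2 statement: OpsCenter may publish to the topic, only on behalf of one account."""
    if not ACCOUNT_ID_RE.match(opsitem_account):
        raise ValueError(f"not a 12-digit account ID: {opsitem_account!r}")
    return {
        "Sid": "Allow OpsCenter to publish to this topic",
        "Effect": "Allow",
        "Principal": {"Service": SSM_PRINCIPAL},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
        "Condition": {"StringEquals": {"aws:SourceAccount": opsitem_account}},
    }


def opscenter_kms_statement(key_arn: str) -> dict:
    """Step 3 statement: OpsCenter may use the customer managed key for the topic."""
    return {
        "Sid": "Allow OpsItems to decrypt the key",
        "Effect": "Allow",
        "Principal": {"Service": SSM_PRINCIPAL},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
        "Resource": key_arn,
    }


def _statements(policy: dict) -> list:
    """Normalise the Statement element, which may be one object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def add_statement(policy: dict, statement: dict) -> dict:
    """Return a deep copy of `policy` with `statement` appended.
    A statement with the same Sid is replaced, so re-running is idempotent."""
    merged = json.loads(json.dumps(policy))
    stmts = [s for s in _statements(merged) if s.get("Sid") != statement["Sid"]]
    stmts.append(statement)
    merged["Statement"] = stmts
    return merged


def unguarded_service_grants(policy: dict, service: str = SSM_PRINCIPAL) -> list:
    """Sids of Allow statements for `service` that carry neither aws:SourceAccount
    nor aws:SourceArn. Such a grant lets the service act for any caller's account,
    which is the confused deputy case the SNS note warns about."""
    found = []
    for s in _statements(policy):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if service not in services:
            continue
        cond = json.dumps(s.get("Condition", {})).lower()  # condition keys are case-insensitive
        if '"aws:sourceaccount"' not in cond and '"aws:sourcearn"' not in cond:
            found.append(s.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    # Constructed sample: the topic owner's default SNS policy before Step 2.
    existing = {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["SNS:Publish", "SNS:Subscribe"],
            "Resource": TOPIC_ARN,
            "Condition": {"StringEquals": {"AWS:SourceOwner": "111111111111"}},
        }],
    }
    merged = add_statement(existing, opscenter_sns_statement(TOPIC_ARN, "222222222222"))
    print(json.dumps(merged, indent=2))
    print("unguarded grants:", unguarded_service_grants(merged))
```

Run against the Step 3 key policy, `unguarded_service_grants` also reports the `Allow OpsItems to decrypt the key` statement, because the block on this page carries no condition; the check is only a reminder to review the scope of that grant, not a change to the procedure.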

## Step 4: Turning on default OpsItems rules to send notifications for new OpsItems
<a name="OpsCenter-getting-started-sns-default-rules"></a>

Default OpsItems rules in Amazon EventBridge aren't configured with an Amazon Resource Name (ARN) for Amazon SNS notifications. Use the following procedure to edit a rule in EventBridge and enter a `notifications` block. 

**To add a notifications block to a default OpsItem rule**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **OpsCenter**.

1. Choose the **OpsItems** tab, and then choose **Configure sources**.

1. Choose the name of the source rule that you want to configure with a `notifications` block, as shown in the following example.  
![\[Choosing an Amazon EventBridge rule to add an Amazon SNS notifications block.\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/OpsItems_SNS_Setup_2.png)

   The rule opens in Amazon EventBridge.

1. On the rule details page, on the **Targets** tab, choose **Edit**.

1. In the **Additional settings** section, choose **Configure input transformer**.

1. In the **Template** box, add a `notifications` block in the following format.

   ```
   "notifications":[{"arn":"arn:aws:sns:region:account ID:topic name"}],
   ```

   Here's an example.

   ```
   "notifications":[{"arn":"arn:aws:sns:us-west-2:1234567890:MySNSTopic"}],
   ```

   Enter the notifications block before the `resources` block, as shown in the following example for the US West (Oregon) (us-west-2) Region.

   ```
   {
       "title": "EBS snapshot copy failed",
       "description": "CloudWatch Event Rule SSMOpsItems-EBS-snapshot-copy-failed was triggered. Your EBS snapshot copy has failed. See below for more details.",
       "category": "Availability",
       "severity": "2",
       "source": "EC2",
       "notifications": [{
           "arn": "arn:aws:sns:us-west-2:1234567890:MySNSTopic"
       }],
       "resources": <resources>,
       "operationalData": {
           "/aws/dedup": {
               "type": "SearchableString",
               "value": "{\"dedupString\":\"SSMOpsItems-EBS-snapshot-copy-failed\"}"
           },
           "/aws/automations": {
               "value": "[ { \"automationType\": \"AWS:SSM:Automation\", \"automationId\": \"AWS-CopySnapshot\" } ]"
           },
           "failure-cause": {
               "value": <failure-cause>
           },
           "source": {
               "value": <source>
           },
           "start-time": {
               "value": <start-time>
           },
           "end-time": {
               "value": <end-time>
           }
       }
   }
   ```

1. Choose **Confirm**.

1. Choose **Next**.

1. Choose **Next**.

1. Choose **Update rule**.

The next time that the system creates an OpsItem for the default rule, it publishes a notification to the Amazon SNS topic.
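The template edit in Step 4 is easy to get wrong by hand because an input transformer template is JSON with `<placeholder>` tokens that EventBridge fills from the rule's input paths, so it can't be validated with an ordinary JSON parser as written. The following added example (not from the AWS documentation or from EventBridge itself) inserts the `notifications` entry immediately before the top-level `resources` key by editing the template text, so the placeholders survive, and validates the result by temporarily substituting every placeholder and parsing. The sample template is a shortened, constructed version of the one above; the topic ARN is a constructed value and the 12-digit account ID check is this example's own assumption.

```python
"""Added example: insert the Step 4 notifications block into an EventBridge
input transformer template and check the edited template is well-formed.
Template and ARN are constructed samples."""
import json
import re

# <name> tokens that EventBridge substitutes from the rule's input paths.
PLACEHOLDER_RE = re.compile(r"<([A-Za-z0-9_-]+)>")
# Assumed shape of an SNS topic ARN: partition, region, 12-digit account, topic name.
SNS_ARN_RE = re.compile(r"^arn:aws[a-z-]*:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]+$")

# Constructed, shortened template in the format the procedure above shows.
SAMPLE_TEMPLATE = """{
    "title": "EBS snapshot copy failed",
    "category": "Availability",
    "severity": "2",
    "source": "EC2",
    "resources": <resources>,
    "operationalData": {
        "failure-cause": {
            "value": <failure-cause>
        }
    }
}"""


def parse_template(template: str) -> dict:
    """Parse a template after replacing every <placeholder> with the literal 0.
    A bare 0 is valid both as a JSON value and inside a quoted string, so the
    substitution never breaks otherwise-valid JSON; only structure is checked."""
    return json.loads(PLACEHOLDER_RE.sub("0", template))


def add_notifications(template: str, topic_arn: str) -> str:
    """Return the template with "notifications": [{"arn": ...}], inserted on its
    own line directly before the top-level "resources" key, keeping its indent."""
    if not SNS_ARN_RE.match(topic_arn):
        raise ValueError(f"not an SNS topic ARN: {topic_arn!r}")
    parse_template(template)  # fail early if the input template is malformed
    if '"notifications"' in template:
        raise ValueError("template already contains a notifications block")
    m = re.search(r'^([ \t]*)"resources"\s*:', template, re.MULTILINE)
    if not m:
        raise ValueError('no "resources" key found in template')
    indent = m.group(1)
    block = f'{indent}"notifications": [{{"arn": "{topic_arn}"}}],\n'
    edited = template[:m.start()] + block + template[m.start():]
    # Re-validate: the edit must keep the template parseable and the entry intact.
    parsed = parse_template(edited)
    if parsed.get("notifications") != [{"arn": topic_arn}]:
        raise RuntimeError("notifications block was not inserted as expected")
    return edited


if __name__ == "__main__":
    print(add_notifications(SAMPLE_TEMPLATE, "arn:aws:sns:us-west-2:123456789012:MySNSTopic"))
```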