
How to Connect entire AWS Organization

How it works

From the Connect multiple accounts at once screen you provide your management account ID, choose the region, and click Generate setup commands. Uniskai then shows a set of commands to run in AWS (via AWS CloudShell). The commands create a service-managed StackSet with auto-deployment enabled and deploy it to the organization's root, which creates the Uniskai access role in every account. Uniskai detects each connection and marks the account as connected.

Because the StackSet is service-managed with auto-deployment, accounts that join the organization later are onboarded automatically.

The objects involved in this setup:

| Resource | Name / Type | Purpose |
| --- | --- | --- |
| StackSet IAM roles | StackSet administration role (management account) and execution roles (each account) | Allow CloudFormation to deploy across the organization's accounts. |
| CloudFormation StackSet | Uniskai-StackSet-… (service-managed) | Deploys the access role across all organization accounts and auto-deploys to new ones. |
| Access role | IAM role, one per connected account | The role Uniskai assumes in each account to read cost and inventory data and to take optimization actions. |

This method connects accounts with read/write access and does not offer an access-level choice.

Prerequisites

Before you start:

  • You know your AWS management account ID.

  • You can sign in to the management account to run the commands.

  • You can run the generated commands in AWS CloudShell.

Setup steps

Step 1 — Open the multiple-accounts screen

In Uniskai, open Account Manager → Add New Account → Amazon Web Services → Connect Multiple Accounts.

Step 2 — Select the connection method

Under Connection method, select Connect entire AWS Organization ("Enter your management account ID to onboard all organization accounts automatically.").

Step 3 — Enter the management account ID

In the Management account ID field, enter your AWS management account ID (for example, 123456789012).

Step 4 — Select the region

Open the Region dropdown and select the AWS Region (default us-east-1).

Step 5 — Generate the setup commands

Under Start connection, click Generate setup commands. The button becomes active once a management account ID is entered.

Step 6 — Open AWS CloudShell in the management account

  1. The screen switches to Run in AWS and shows: "Run these commands in account <management account ID>. Make sure you are logged into this account."

  2. Sign in to that account and open AWS CloudShell.

The commands include a one-time token that expires in 1 hour. The screen shows a session timer (for example, "Session open — closes in 59m 30s"). Run the commands within that window.

Step 7 — Run each command block in order

Copy each block with its copy button and run it in CloudShell, in order:

  1. Bootstrap IAM roles — enables CloudFormation StackSet access for the organization and creates the StackSet administration role, plus an execution role in every active organization account.

  2. Create StackSet — creates the service-managed StackSet (with auto-deployment enabled) from the Uniskai template.

  3. Deploy to accounts — deploys the StackSet to the organization's root, which creates the Uniskai access role in all accounts.

Run all three blocks in the same AWS account and shell ("Run this in the same AWS account and shell where you ran the first command").

Step 8 — Watch the connection status

  1. Return to the Uniskai screen. It shows "Waiting for CloudFormation to start your stack instances — this usually takes 2–5 minutes."

  2. The progress label updates (for example, "2 accounts connected so far"), and the status table moves each account from Pending to Connected, with a View environment → link. Clicking the link opens Account Manager with the added account.

Results

After completing the steps:

  • The Uniskai access role exists in every account in the organization.

  • All organization accounts appear as Connected and are available from Account Manager.

  • Accounts that join the organization later are onboarded automatically.

  • Resources and cost data from the connected accounts become available across the Dashboard, Cloudview, and optimization features.

Key notes / limitations

  • Connects with read/write access. This method does not offer an access-level choice.

  • Auto-onboards future accounts. The service-managed StackSet with auto-deployment connects accounts added to the organization later, automatically.

  • Run the commands in the management account. Use the same account and shell for all three command blocks.

  • The setup token is one-time and expires in 1 hour. Generate and run the commands within the session window shown.

Verifying it worked

The connection is confirmed when the status table shows each account as Connected (green) with a View environment → link, and the connected accounts appear under the master in Account Manager. To verify on the AWS side, run aws cloudformation list-stack-instances --stack-set-name <your-stackset-name> in CloudShell and confirm each instance reports SUCCEEDED.
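The AWS-side check above, extended to compare the stack instances against the organization's account list so that accounts with no stack instance at all are also caught. This is an added example, not Uniskai's own code. It assumes you have the JSON output of aws cloudformation list-stack-instances and aws organizations list-accounts; the function name, sample documents and account IDs are constructed for illustration.

```python
import json

# Constructed sample of `aws organizations list-accounts` output (not real accounts).
ACCOUNTS = json.loads("""{"Accounts": [
  {"Id": "111111111111", "Name": "management", "Status": "ACTIVE"},
  {"Id": "222222222222", "Name": "prod", "Status": "ACTIVE"},
  {"Id": "333333333333", "Name": "dev", "Status": "ACTIVE"},
  {"Id": "444444444444", "Name": "sandbox", "Status": "ACTIVE"},
  {"Id": "555555555555", "Name": "retired", "Status": "SUSPENDED"}]}""")

# Constructed sample of `aws cloudformation list-stack-instances` output.
INSTANCES = json.loads("""{"Summaries": [
  {"Account": "222222222222", "Region": "us-east-1", "Status": "CURRENT",
   "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
  {"Account": "333333333333", "Region": "us-east-1", "Status": "OUTDATED",
   "StackInstanceStatus": {"DetailedStatus": "FAILED"}}]}""")


def audit_rollout(accounts_doc, instances_doc, management_id):
    """Return {account_id: finding} for each account that needs attention."""
    by_account = {}
    for inst in instances_doc.get("Summaries", []):
        detailed = inst.get("StackInstanceStatus", {}).get("DetailedStatus", "UNKNOWN")
        by_account.setdefault(inst["Account"], []).append((inst.get("Region"), detailed))

    findings = {}
    for acct in accounts_doc.get("Accounts", []):
        acct_id = acct["Id"]
        # Suspended accounts cannot receive a stack instance, and AWS does not
        # create service-managed stack instances in the management account.
        if acct.get("Status") != "ACTIVE" or acct_id == management_id:
            continue
        if acct_id not in by_account:
            findings[acct_id] = "no stack instance"
            continue
        bad = [f"{region}:{status}" for region, status in by_account[acct_id]
               if status != "SUCCEEDED"]
        if bad:
            findings[acct_id] = "not SUCCEEDED: " + ", ".join(bad)

    # A stack instance in an account the organization does not list is also worth a look.
    listed = {a["Id"] for a in accounts_doc.get("Accounts", [])}
    for acct_id in sorted(by_account.keys() - listed):
        findings[acct_id] = "stack instance outside the listed organization accounts"
    return findings


if __name__ == "__main__":
    for acct_id, finding in sorted(audit_rollout(ACCOUNTS, INSTANCES, "111111111111").items()):
        print(acct_id, finding)
```

An empty result means every active member account has a stack instance whose detailed status is SUCCEEDED.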
