Overview
A master AWS account is the management account of an AWS Organization. You connect it through the single-account flow, reached from Connect Multiple Accounts → Connect single account first. Uniskai automatically recognizes it as a management account. Once it is connected, the Account Manager lists every account in the organization beneath the master, and you can onboard those member accounts using Connect via AWS Organization.
Add the master account first if you plan to onboard the rest of an AWS Organization through it.
How it works
Uniskai connects to the account through a dedicated access role, created automatically by a CloudFormation stack. During setup, a Cost & Usage Report (CUR) bucket is created in the selected region if one is not already present. Because the management account holds consolidated billing for the organization, connecting it gives Uniskai the organization's cost foundation and lets it discover the member accounts for later onboarding.
The objects involved in this setup:
Resource | Name / Type | Purpose |
Access role | IAM role (created by the stack) | The role Uniskai assumes to read cost and inventory data, and to act if read-write. |
CloudFormation stack |
| Creates the access role automatically. |
CUR bucket | S3 bucket in the selected region (default us-east-1) | Holds the Cost & Usage Report Uniskai reads. Created only if one is not already present. |
Access determines what Uniskai can do once connected:
Read/write — "You will be able to actively save money and fix all issues." Full functionality, including optimization actions.
Read-only — "You will get full visibility of your cloud environment and optimization insights." Visibility and recommendations only.
You can switch between access modes, or cancel the connection, at any time after connecting.
Prerequisites
Before you start:
You can sign in to the AWS management (master) account.
You have permission to create CloudFormation stacks and IAM roles in that account.
Way 1: Connect via AWS Organization
Use this method to connect one or more member accounts from the Connect multiple accounts page after selecting Connect via AWS Organization.
Step 1 — Choose your cloud service
In Uniskai, open the Account Manager and click Add New Account.
On the Step 1. Choose your cloud service screen, select Amazon Web Services (Cross account role).
Step 2 — Choose the connection method
Step 3 — Start the master (single-account) connection
Option A. Connect via AWS Organization is blocked
On the Connect multiple accounts screen you can see either blocked Connect via AWS Organization with option shows "Requires a management account."
Press on the Connect single account first and add the account as usual for read/write or read-only.
After that, confirm the master account and discovered accounts
In the Account Manager, the connected account appears with a MASTER badge, Read/write (or your chosen access), Cross-account role as the connection, and Status: OK.
Beneath it, the section "Accounts with master account" lists every account discovered in the organization (for example, Audit, Log Archive, and other member accounts), each with a Connect button.
Option B. Connect via AWS Organization is not blocked
You will see the possible Accounts to connect.
Step 4 — Connect subaccounts
2. Select the access level. Under Access level, select Read/write (full functionality) or Read-only (visibility only).
3. Open the Region dropdown and select the AWS Region (default us-east-1).
4. Under Start connection, click Generate setup commands. The button becomes active once the required fields are valid.
5. You will see the next window
Step 5 — Run commands
After generating, the screen switches to Run in AWS and shows the numbered command blocks plus a live connection status table.
The commands include a one-time token that expires in 1 hour — run them within that window. If the token expires, generate the commands again.
2. Click Open AWS CloudShell to open a command session in your AWS environment. Sign in if prompted.
3. Run each command block in order
Copy each block using its copy button and paste it into CloudShell. Run them in order:
Copy each block with its copy button rather than retyping — the commands contain generated, one-time values.
Bootstrap IAM roles — creates the StackSet administration role (in the account you are running from) and an execution role in each target account. (This step appears only when these roles do not already exist; on later connections from the same account it may be omitted.)
Create StackSet — creates the Uniskai StackSet from the Uniskai-provided template, passing your chosen access level and the one-time connection tokens as parameters.
Deploy to accounts — creates the stack instances in each target account in the selected region, which creates the Uniskai access role there.
4. Watch the connection status
Return to the Uniskai screen. A message indicates "Waiting for CloudFormation to start your stack instances — this usually takes 2–5 minutes."
The status table updates per account. Each row moves from Pending to Connected, and the header shows progress such as "1 of 2 connected".
When an account is connected, a View environment → link appears in its Details column.
Way 2: Connect from Account Manager
After the management account has been connected, you can also start the connection process for member accounts directly from Account Manager.
Step 1 — Open Account Manager.
Step 2 — Expand the management account marked with the MASTER badge to display the discovered member accounts.
Step 3 — Click Connect next to the member account you want to add
Step 4 — Connect multiple accounts at once
You are redirected to the Connect multiple accounts at once page.
On this page:
Connect via AWS Organization is selected automatically.
The member account you selected in Account Manager is already selected in the account tree.
If you want to connect additional member accounts, simply select them using the checkboxes before continuing.
Step 5 — Run commands
After generating, the screen switches to Run in AWS and shows the numbered command blocks plus a live connection status table.
The commands include a one-time token that expires in 1 hour — run them within that window. If the token expires, generate the commands again.
2. Click Open AWS CloudShell to open a command session in your AWS environment. Sign in if prompted.
3. Run each command block in order
Copy each block using its copy button and paste it into CloudShell. Run them in order:
Copy each block with its copy button rather than retyping — the commands contain generated, one-time values.
Bootstrap IAM roles — creates the StackSet administration role (in the account you are running from) and an execution role in each target account. (This step appears only when these roles do not already exist; on later connections from the same account it may be omitted.)
Create StackSet — creates the Uniskai StackSet from the Uniskai-provided template, passing your chosen access level and the one-time connection tokens as parameters.
Deploy to accounts — creates the stack instances in each target account in the selected region, which creates the Uniskai access role there.
4. Watch the connection status
Return to the Uniskai screen. A message indicates "Waiting for CloudFormation to start your stack instances — this usually takes 2–5 minutes."
The status table updates per account. Each row moves from Pending to Connected, and the header shows progress such as "1 of 2 connected".
When an account is connected, a View environment → link appears in its Details column.
Results
After completing the steps:
The Uniskai access role exists in every targeted AWS account.
The status table shows each account as Connected, and the connected accounts are available from Account Manager.
Resources and cost data from those accounts become available across the Dashboard, Cloudview, and optimization features (subject to the chosen Access level).
Key notes / limitations
The master/management account cannot be changed once the AWS Organization is created. Choose it carefully on the AWS side.
Read-only access has no optimization actions. Read/write is required for spot conversion, scheduling, resource removal, and right-sizing.
The CUR bucket defaults to us-east-1. Use Change region on the connection form to select a different region.
Do not refresh the page during stack creation.
Connecting the master account discovers member accounts but does not connect them. Use Connect via AWS Organization to onboard them.
Verifying it worked
The connection is confirmed when Uniskai shows "Account successfully added" and, in the Account Manager, the account appears with the MASTER badge and Status: OK. As a further check, the organization's member accounts are then listed under "Accounts with master account", ready to be connected.


















