12-13-2022 01:24 PM - edited 12-13-2022 01:35 PM
Symptoms
The diagnostic test shows 'List Account Access API Failed'.
Diagnosis
The diagnostic tool helps you and your AWS administrator fix problems by checking IAM authorization for every AWS API call the connector makes.
There are several possible reasons for this check to fail:
- The organizations:ListAccounts permission is not assigned to the ServiceNow user.
- An AWS Service Control Policy (SCP) restricts the organizations:ListAccounts API call globally.
- The ServiceNow user was created in a member/child account and does not have ListAccounts permissions there.
Solution
organizations:ListAccounts permission not assigned to the ServiceNow user:
- Make sure the role created for the ServiceNow user has the 'organizations:ListAccounts' permission assigned.
- Attach this role to the ServiceNow user in whichever account you create it.
{
  "Statement": [
    {
      "Action": [
        "ec2:DescribeRegions",
        "organizations:DescribeOrganization",
        "organizations:ListAccounts"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ServiceNowUserReadOnlyAccess"
    }
  ]
}
AWS Service Control Policies restricting the organizations:ListAccounts API call globally:
Even if you granted all of the permissions listed in the previous section, some companies restrict API-level access globally under AWS Organizations --> Policies --> Service control policies. Such a policy may look similar to the template below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictOrgApiAccess",
      "Effect": "Deny",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts"
      ],
      "Resource": "*"
    }
  ]
}
You may have to reach out to the corporate sec-ops team that manages these policies and ask them to allow access.
ServiceNow user created in a member/child account and lacking ListAccounts permissions:
- If you created the ServiceNow user in a member/child account, you need to grant this role in the Master Account during the guided setup and trust the member account from the master account. The ServiceNow user then assumes the role (STS AssumeRole) into the master account and executes the ListAccounts API call.
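The three causes above can be reproduced offline with a small simulation of how AWS evaluates the request. The following is an added example, not code from this article or from the Service Graph Connector: it embeds the two policies shown above as constructed inputs, applies a simplified IAM evaluation (an explicit Deny in any SCP ends evaluation, then the identity policy must Allow, then the caller must be in the management account), and reports which of the three fixes applies. The account IDs are made up, and the delegated-administrator case is not modelled.

```python
"""Offline simulation of why organizations:ListAccounts fails (added example)."""
import fnmatch
import json

# Constructed from the article: the identity policy expected on the ServiceNow role.
SERVICENOW_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ServiceNowUserReadOnlyAccess",
      "Effect": "Allow",
      "Action": ["ec2:DescribeRegions",
                 "organizations:DescribeOrganization",
                 "organizations:ListAccounts"],
      "Resource": "*"
    }
  ]
}
""")

# Constructed from the article: an SCP that denies the Organizations read calls.
RESTRICTIVE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictOrgApiAccess",
      "Effect": "Deny",
      "Action": ["organizations:DescribeOrganization",
                 "organizations:ListAccounts"],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action):
    """True if the statement names the action (IAM wildcards * and ? honoured)."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def _decide(policy, action):
    """Simplified IAM logic: explicit Deny beats Allow; no match is an implicit deny."""
    verdict = "implicit_deny"
    for stmt in policy.get("Statement", []):
        if not _matches(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        verdict = "allow"
    return verdict


def diagnose(identity_policy, scps, caller_account, management_account,
             action="organizations:ListAccounts"):
    """Return (ok, reason) for a principal in caller_account calling action.

    SCPs are evaluated first (assumes the default FullAWSAccess SCP is still
    attached, so only explicit denies matter), then the identity policy,
    and finally the account: ListAccounts only works from the management
    account, so a member-account principal must assume a role there first.
    """
    for scp in scps:
        if _decide(scp, action) == "explicit_deny":
            return False, "scp_explicit_deny: an SCP denies %s; ask the sec-ops team" % action
    if _decide(identity_policy, action) != "allow":
        return False, "identity_policy_missing: add %s to the ServiceNow role" % action
    if caller_account != management_account:
        return False, ("wrong_account: principal is in member account %s; "
                       "assume the role in management account %s first"
                       % (caller_account, management_account))
    return True, "allowed"
```

Calling `diagnose(SERVICENOW_POLICY, [RESTRICTIVE_SCP], "111111111111", "111111111111")` returns the SCP verdict even though the identity policy is complete, which is exactly the situation the second cause describes; dropping the SCP and changing the caller to a different account ID reproduces the third cause.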
How do I verify that the fix is working?
Execute the following AWS CLI commands using the ServiceNow user's access key and secret key and check the results.
aws organizations describe-organization
aws organizations list-accounts
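The two commands above either succeed or print an AccessDenied message whose wording points at one of the causes in the Solution section. The following is an added example, not part of the article or the connector: it runs both commands through the AWS CLI with a named profile and maps the error text back to the three causes. The substrings it searches for are an assumption about how AWS words its AccessDenied responses (the phrase "explicit deny in a service control policy" for SCP denials, "is not authorized to perform" for a missing identity permission); adjust them if your CLI output differs.

```python
"""Run the article's two verification commands and map failures to causes.
Added example; the AWS error-text patterns below are assumptions."""
import subprocess
import sys

# The two AWS CLI calls the article tells you to run.
CHECKS = [
    ["aws", "organizations", "describe-organization"],
    ["aws", "organizations", "list-accounts"],
]

# Substrings of AWS error output mapped to the article's causes (assumed
# wording). Order matters: an SCP denial also contains "is not authorized",
# so the more specific SCP marker is tested first.
PATTERNS = [
    ("explicit deny in a service control policy", "scp_deny"),
    ("is not authorized to perform: organizations:", "missing_permission"),
    ("AWSOrganizationsNotInUseException", "not_in_organization"),
    ("You don't have permissions to access this resource", "member_account"),
]

ADVICE = {
    "ok": "Call succeeded.",
    "scp_deny": "Ask the sec-ops team that owns the SCPs to allow organizations:ListAccounts.",
    "missing_permission": "Attach organizations:ListAccounts and organizations:DescribeOrganization to the ServiceNow role.",
    "member_account": "These credentials belong to a member account; set up the master-account role and have ServiceNow assume it.",
    "not_in_organization": "This account is not part of an AWS Organization.",
    "unknown": "Unrecognised error; read the raw message below.",
}


def classify(stderr_text):
    """Map CLI error output to one of the cause labels in ADVICE."""
    for needle, cause in PATTERNS:
        if needle in stderr_text:
            return cause
    return "unknown"


def run_check(cmd, profile=None):
    """Run one CLI command; return (cause_label, raw_stderr)."""
    full_cmd = cmd + (["--profile", profile] if profile else [])
    proc = subprocess.run(full_cmd, capture_output=True, text=True)
    if proc.returncode == 0:
        return "ok", ""
    return classify(proc.stderr), proc.stderr.strip()


if __name__ == "__main__":
    # Usage: python verify_org_access.py [aws-cli-profile-for-the-servicenow-user]
    profile = sys.argv[1] if len(sys.argv) > 1 else None
    for cmd in CHECKS:
        cause, detail = run_check(cmd, profile)
        print("%-35s %s" % (" ".join(cmd[1:]), ADVICE[cause]))
        if detail:
            print("    " + detail)
```

Run it with a profile configured from the ServiceNow user's access key and secret key; a clean run prints "Call succeeded." for both commands, which is the same outcome the diagnostic test expects.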
Further Reading
Service Graph Connector for AWS - Introduction
Service Graph Connector for AWS - FAQ