
Discover Organisation

After deploying the management role, Guardian Pro automatically discovers your AWS Organisation structure. This step maps out all of your accounts, organisational units (OUs), and hierarchy so you can choose exactly which accounts to monitor.

What Gets Discovered

Guardian Pro reads your AWS Organisation using the management role and identifies:

  • Accounts: All member accounts in the organisation, including account ID, name, email, and status
  • Organisational Units (OUs): The OU hierarchy, including nested OUs and their parent-child relationships
  • Account-to-OU mapping: Which accounts belong to which OUs
  • Organisation metadata: Organisation ID, feature set (ALL or CONSOLIDATED_BILLING), and root ID
  • Management account: Identified and labelled separately from member accounts

Info: Discovery is entirely read-only. Guardian Pro does not modify your organisation, accounts, or any resources during this step.

How Discovery Works

  1. Guardian Pro assumes the management role you deployed in the previous step
  2. The organisation structure is queried through the AWS Organisations API
  3. Results are displayed in the onboarding wizard within seconds
  4. You review and select which accounts to include

Discovery typically completes in under 30 seconds, regardless of organisation size.

Reviewing Discovered Accounts

Once discovery completes, the onboarding wizard displays your organisation structure in a table view. For each account, you will see:

  • Account name and account ID
  • Email address associated with the account
  • OU path showing where the account sits in your hierarchy (e.g., Root > Production > EU)
  • Account status (Active, Suspended)

Organisation Tree View

For organisations with multiple OUs, the wizard also provides a tree view that mirrors your OU hierarchy. This makes it easy to understand the structure and select accounts by OU.

Selecting Accounts to Monitor

By default, all active accounts are selected for monitoring. You can customise this selection:

Select All

Monitor every account in the organisation. This is the recommended approach for comprehensive governance coverage.

Select by OU

Click on an OU to select or deselect all accounts within it. This is useful when you want to monitor specific environments (e.g., all Production accounts but not Sandbox).

Select Individual Accounts

Check or uncheck individual accounts to create a custom monitoring scope.

Tip: You can change which accounts are monitored at any time after onboarding. Go to Settings > Accounts to add or remove accounts from monitoring. See Account Management for details.

Accounts You Might Exclude

Common reasons to exclude accounts from initial monitoring:

  • Sandbox or playground accounts that do not require governance
  • Suspended accounts that are no longer active
  • Accounts managed by a different team with their own governance process
  • Newly created accounts that are not yet provisioned

Note: Excluded accounts are not forgotten. If you add them later, Guardian Pro will perform a full discovery and scan of those accounts at that time.

Expected Results

After discovery, you should see:

  • All active accounts listed with correct names and IDs
  • OU hierarchy matching your AWS Organisations structure
  • Management account identified and labelled
  • Account count matching what you see in the AWS Organisations console

Verifying Accuracy

If the discovered structure does not match your expectations:

  1. Missing accounts: Ensure the management role has organizations:ListAccounts permission
  2. Incorrect hierarchy: Verify organizations:ListOrganizationalUnitsForParent is granted
  3. Stale data: If you recently added accounts, they may take a few minutes to appear in the Organisations API

Handling Large Organisations

Guardian Pro handles organisations of any size. Whether you have 5 accounts or 500, the discovery process works the same way.

For very large organisations:

  • Pagination is handled automatically -- all accounts are discovered regardless of count
  • OU nesting is supported to any depth
  • Performance is consistent -- discovery time does not scale linearly with account count

Info: There is no account limit on Guardian Pro. Your subscription tier determines feature availability, not the number of monitored accounts.
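The discovery walk described under How Discovery Works, the accuracy cross-check from Verifying Accuracy, and the pagination and OU-nesting behaviour above, as an added example that is not Guardian Pro's own code. It assumes the boto3 Organizations client method names (list_roots, list_organizational_units_for_parent, list_accounts_for_parent, list_accounts) and uses a constructed in-memory stand-in with placeholder IDs so it runs offline.

```python
# Added example of the discovery walk: roots -> nested OUs (any depth) -> accounts, following
# NextToken pagination and cross-checked against ListAccounts. FakeOrg is a constructed stand-in;
# with boto3, pass boto3.client("organizations") built from the assumed management role instead.
def _paged(call, key, **kw):
    """Collect every page of an Organizations list call (NextToken pagination)."""
    items, resp = [], call(**kw)
    items += resp[key]
    while resp.get("NextToken"):
        resp = call(**kw, NextToken=resp["NextToken"])
        items += resp[key]
    return items

def discover(org):
    """Map account ID -> {Name, Status, Path}; Path looks like 'Root > Production > EU'."""
    found = {}
    def walk(parent_id, path):  # recursion handles any OU nesting depth
        for acct in _paged(org.list_accounts_for_parent, "Accounts", ParentId=parent_id):
            found[acct["Id"]] = {"Name": acct["Name"], "Status": acct["Status"], "Path": path}
        for ou in _paged(org.list_organizational_units_for_parent,
                         "OrganizationalUnits", ParentId=parent_id):
            walk(ou["Id"], f"{path} > {ou['Name']}")
    for root in _paged(org.list_roots, "Roots"):
        walk(root["Id"], root["Name"])
    # Accuracy check: the flat ListAccounts view must agree with the hierarchy walk.
    flat = {a["Id"] for a in _paged(org.list_accounts, "Accounts")}
    if flat != set(found):
        raise ValueError(f"hierarchy walk and ListAccounts disagree on {flat ^ set(found)}")
    return found

class FakeOrg:
    """Constructed stand-in for the boto3 Organizations client; serves 1-item pages."""
    def __init__(self, ous, accounts):
        self.ous, self.accounts = ous, accounts  # parent ID -> child OUs / accounts
    def _page(self, key, items, NextToken=None):
        i = int(NextToken or 0)
        return {key: items[i:i + 1], **({"NextToken": str(i + 1)} if i + 1 < len(items) else {})}
    def list_roots(self, **kw): return self._page("Roots", [{"Id": "r-abcd", "Name": "Root"}], **kw)
    def list_organizational_units_for_parent(self, ParentId, **kw):
        return self._page("OrganizationalUnits", self.ous.get(ParentId, []), **kw)
    def list_accounts_for_parent(self, ParentId, **kw):
        return self._page("Accounts", self.accounts.get(ParentId, []), **kw)
    def list_accounts(self, **kw):
        return self._page("Accounts", [a for v in self.accounts.values() for a in v], **kw)

SAMPLE = FakeOrg(  # constructed sample organisation; IDs are placeholders, not real AWS IDs
    {"r-abcd": [{"Id": "ou-prod", "Name": "Production"}, {"Id": "ou-sbx", "Name": "Sandbox"}],
     "ou-prod": [{"Id": "ou-eu", "Name": "EU"}]},
    {"r-abcd": [{"Id": "111111111111", "Name": "management", "Status": "ACTIVE"}],
     "ou-eu": [{"Id": "222222222222", "Name": "prod-eu", "Status": "ACTIVE"}],
     "ou-sbx": [{"Id": "333333333333", "Name": "sandbox", "Status": "SUSPENDED"}]})
```

Every list call is paged one item at a time by the stand-in, so the walk exercises the NextToken loop on every level; a mismatch between the hierarchy walk and ListAccounts raises instead of silently dropping accounts.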

What Happens with New Accounts

After initial onboarding, Guardian Pro detects new accounts added to your organisation:

  • StackSet auto-deployment: If you deploy StackSets in the next step using the service-managed model, new accounts automatically receive the monitoring role
  • Periodic sync: Guardian Pro periodically syncs your organisation structure to detect changes
  • Manual sync: You can trigger a manual sync from Settings > Accounts at any time

Troubleshooting

No accounts discovered

If discovery returns zero accounts:

  1. Confirm you deployed the management role in the management account (not a member account)
  2. Verify the CloudFormation stack status is CREATE_COMPLETE
  3. Check that the account is the management account of an AWS Organisation with the All Features feature set enabled

Some accounts missing

If only a subset of accounts appears:

  1. Check whether missing accounts are in a Suspended state -- suspended accounts may be filtered
  2. Verify the management role has the full set of Organisations read permissions
  3. If accounts were added very recently, wait a few minutes and click Refresh

Permission errors during discovery

If you see permission-related errors:

  1. Ensure no Service Control Policies (SCPs) are blocking Organisations API calls from the management account
  2. Verify the management role trust policy allows Guardian Pro to assume it
  3. Check that the External ID matches -- see Deploy Management Role for details

Next Steps

After reviewing and selecting your accounts, proceed to Deploy StackSets to deploy monitoring roles across your selected accounts.