Troubleshooting methods for when OpsItems from member accounts are not displayed for delegated administrators in OpsCenter cross-account management
This page has been translated by machine translation. View original
Hello, I'm Nakano from Classmethod Technologies.
I'm spending my days trembling with excitement ahead of the Beppu-Oita Mainichi Marathon coming up this weekend.
In the fall of 2025, the end of new acceptance for AWS Systems Manager Incident Manager (hereafter Incident Manager) was announced.
In response, many of you may be considering migrating to or consolidating on AWS Systems Manager OpsCenter (hereafter OpsCenter) as a management foundation for organizational incident management and operational issues.
After careful consideration, AWS has decided to stop accepting new customers to AWS Systems Manager Incident Manager after November 7, 2025, and will not add new features or functionality to Incident Manager going forward. AWS will continue to invest in the security and availability of Incident Manager, and existing Incident Manager customers will be able to use the service as usual in accounts where Incident Manager is already enabled.
We recommend using AWS Systems Manager OpsCenter for managing operational issues with AWS infrastructure.
OpsCenter itself is a service released in 2019 and seems to have mature functionality.
Like Incident Manager, it also enables centralized incident management in multi-account environments.
However, when we actually built the environment, there were cases where items weren't displaying properly in the management screen even though the settings seemed correct.
In this article, I'll share the display specifications that are easy to get stuck on in OpsCenter cross-account management, and their solutions.
3-line summary
- When managing OpsCenter across accounts, there's a specification where OpsItems from accounts other than the delegated administrator account are not displayed in the list by default, even after configuration is complete.
- The cause is not insufficient permissions, but rather a console and API specification that "explicit filtering is required to display other accounts."
- The solution is simply to specify an account ID filter on the OpsCenter screen, which enables operations from the delegated administrator.
Delegated administrator can't see member account OpsItems
Desired operations
In an AWS Organizations environment, we wanted to centrally monitor and operate OpsItems from all member accounts from the delegated administrator account.
Similar to the operational feel of Incident Manager, we expected the following flow:
- The monitoring team logs into the delegated administrator account console (without switching roles to member accounts).
- On the OpsCenter list screen, view OpsItems from all accounts.
- Update statuses as needed and execute incident management.
This was intended to achieve centralized incident management across a multi-account environment from a single AWS account without missing any incidents.
Issue encountered
We completed the cross-account settings using Quick Setup by following the AWS official documentation.
After that, although there were no errors, we encountered the following situation:
- Explorer screen (dashboard): Aggregate values from all accounts are displayed.
- OpsCenter screen (OpsItem list): List shows "0 items".
Even though data could be seen in "Explorer", nothing was displayed on the "OpsCenter" screen where actual operations are performed, making it impossible to check details or change statuses.
Cause
Console filter specifications
The cause was a specification that explicit filtering is required to list cross-account OpsItems from the delegated administrator.
In the default "no filter" state, OpsItems from other accounts are not loaded in the list, even if permissions exist.
Technical verification
Checking the behavior with AWS CLI makes this specification clear:
# [FAIL] This only returns items from your own account (or empty)
aws ssm describe-ops-items
# [SUCCESS] Explicitly specifying an account ID works
aws ssm describe-ops-items \
--ops-item-filters Key=AccountId,Operator=Equal,Values=[Member account ID where OpsItem was created]
The management console follows this API behavior, with the operation being "data from other accounts will not be retrieved unless you specify an account ID."
Why it was difficult to notice
The tricky part of this problem is that there's circumstantial evidence that makes it look like a configuration error:
- Visible in Explorer: You can be confident that data integration itself is successful, making it hard to think it's a console display issue.
- Other accounts can be selected in the creation screen: In the manual OpsItem creation screen of the delegated administrator account, the "Other accounts" option appears, making cross-account permissions themselves appear normal.
- Documentation description: The mention of "centralized management" leads to the expectation of a view where all items are displayed without any action required, similar to Incident Manager.
These factors can lead to spending time investigating in the wrong direction, such as "Are permissions insufficient?" or "Does synchronization take time?" (I spent time on this).
Solution
The solution is very simple. Perform "filtering by account ID" on the console.
Steps
- Open the OpsCenter console in the delegated administrator account.
- Select the OpsItems tab.
- In the search filter field, specify:
- Filter key:
Account ID - Condition:
=(equals) - Value:
[Target member account ID](123456789012 as an example)
This will display the member account OpsItems that weren't visible before.
Once displayed, subsequent detail checking and status changes can be executed without issues.
Notes and summary
When migrating from Incident Manager to OpsCenter, it's important to understand the following peculiarities specific to the OpsCenter console screen:
1. Differences in UI for centralized management
While Incident Manager aggregates by "incident" units, OpsCenter's cross-account display is designed to "actively specify which accounts you want to see."
If you expect "a timeline where items from all accounts are lined up in chronological or status order," you may need to adjust your operational flow.
2. Browser reload clears filters
Due to management console specifications, reloading the screen or navigating in a different tab may reset the Account ID filter you've set.
During operations, it's necessary to either inform users to "check filters when items aren't displayed" or bookmark URLs with filters already applied.
Conclusion
OpsCenter is a flexible and useful feature, but there's a quirk in the cross-account UI.
I hope this article helps you use OpsCenter more smoothly.
References
