Troubleshooting methods when OpsItems from member accounts are not displayed in the delegated administrator account in OpsCenter cross-account management
This page has been translated by machine translation. View original
Hello, I'm Nakano from Classmethod Technologies.
I'm spending my days trembling with excitement ahead of the Beppu Oita Mainichi Marathon coming up this weekend.
It has been announced that new sign-ups for AWS Systems Manager Incident Manager (hereafter Incident Manager) will end in fall 2025.
In response, many of you may be considering or working on migrating to or consolidating with AWS Systems Manager OpsCenter (hereafter OpsCenter) as a management foundation for organizational incident management and operational issues.
After careful consideration, AWS has decided to stop accepting new customers for AWS Systems Manager Incident Manager after November 7, 2025, and will not add new features or functionalities to Incident Manager going forward. AWS will continue to invest in the security and availability of Incident Manager, and existing Incident Manager customers will be able to use the service as usual in accounts where Incident Manager is already enabled.
To manage operational issues with AWS infrastructure, we recommend using AWS Systems Manager OpsCenter.
OpsCenter itself is a service released in 2019 and appears to have mature functionality.
Like Incident Manager, it also enables centralized incident management in multi-account environments.
However, when actually building the environment, there were cases where items were not displaying properly in the management console despite having the correct settings.
In this article, I'll share the display specifications that are easy to get stuck on when managing OpsCenter across accounts, and their solutions.
3-line summary
- When managing across accounts with OpsCenter, there's a specification where OpsItems from accounts other than the delegated administrator account itself are not displayed in the list by default, even after setup is complete.
- The cause is not insufficient permissions but a console and API specification requiring "explicit filtering to display other accounts."
- The solution is simply specifying an account ID filter in the OpsCenter screen, which enables operations from the delegated administrator.
OpsItems from member accounts not visible from delegated administrator
Intended operations
In an AWS Organizations environment, we wanted to centrally monitor and operate OpsItems from all member accounts from the delegated administrator account.
Similar to previous operations with Incident Manager, we expected the following flow:
- The monitoring team logs into the delegated administrator account console (without switching roles to member accounts).
- View OpsItems from all accounts in the OpsCenter list screen.
- Update statuses according to responses and execute incident management.
This was intended to achieve centralized management of incidents in a multi-account environment from a single AWS account without missing anything.
Issue encountered
I completed the cross-account setup using Quick Setup according to AWS official documentation.
Afterwards, although there were no errors, I encountered the following situation:
- Explorer screen (dashboard): Aggregate values from all accounts are displayed.
- OpsCenter screen (OpsItem list): The list shows "0 items".
While data was visible in "Explorer," nothing was displayed on the crucial "OpsCenter" screen where operations are performed, making it impossible to check details or change statuses.
Cause
Console filter specification
The cause was that the specification requires explicit filtering to display cross-account OpsItems from the delegated administrator.
In the default "no filter" state, OpsItems from other accounts are not loaded into the list, even if you have the permissions.
Technical evidence
Looking at AWS CLI behavior makes this specification clearer:
# [NOT WORKING] This only returns items from your own account (or empty)
aws ssm describe-ops-items
# [WORKING] Specifying an account ID explicitly allows retrieval
aws ssm describe-ops-items \
--ops-item-filters Key=AccountId,Operator=Equal,Values=[Member account ID where OpsItem was created]
The management console follows this API behavior, with the operation of "not retrieving data from other accounts unless an account ID is specified."
Why it was hard to figure out
The tricky part of this problem is that there's circumstantial evidence making it look like a configuration error:
- Visible in Explorer: Since you can confirm that data synchronization itself is successful, it's hard to think it's a console display specification issue.
- Other accounts can be selected in the creation screen: Since the "Other accounts" option appears in the OpsItem manual creation screen on the delegated administrator account, the cross-account permissions themselves appear normal.
- Documentation statements: From statements that it "can be centrally managed," you might expect a view where all items are displayed without doing anything, similar to Incident Manager.
These factors can lead you to spend time investigating in the wrong direction, such as "Are there insufficient permissions?" or "Is synchronization taking time?" (I did spend time on this.)
Solution
The solution is very simple. Use filtering by account ID in the console.
Steps
- Open the OpsCenter console in the delegated administrator account.
- Select the OpsItems tab.
- In the search filter field, specify:
- Filter key:
Account ID - Condition:
=(equals) - Value:
[Target member account ID](123456789012 as an example)
This will display the member account's OpsItems that weren't showing before.
Once displayed, you can check details and change statuses without issues.
Notes and summary
When migrating from Incident Manager to OpsCenter, it's important to understand the following quirks specific to the OpsCenter console screen:
1. Difference in UI regarding centralized management
While Incident Manager aggregates at the "incident" level, OpsCenter's cross-account display is designed to "actively specify which accounts you want to see."
If you expect "a timeline where all accounts' items are lined up in chronological or status order," operational flow adjustments may be necessary.
2. Filters disappear on browser reload
Due to the management console specification, the set Account ID filter may reset when you reload the screen or navigate through different tabs.
During operations, you'll need workarounds like instructing users to "check filters when items aren't displayed" or bookmarking URLs with filters already applied.
Conclusion
While OpsCenter offers flexible and convenient features, its cross-account UI has some quirks.
I hope this article helps you utilize OpsCenter more smoothly.
References
