Step 3: Setup a Discovery Role in sub accounts (if using organizations)

If your company uses AWS Organizations, you will need to deploy a stack set in each sub-account to build the Red Canary Resource Discovery Role.

1. Navigate to CloudFormation.
   
2. Click StackSets in the left navigation menu.
   
3. Click Create StackSet.
   
4. Select Service Managed Permissions.
5. Select Template is Ready.
6. Select Upload a template file.
7. Select Choose file.
8. Select the red-canary-resource-discovery-user.yaml you downloaded.
   
   
9. Select Next.
   
10. Enter a StackSet name.
11. Enter the RedCanaryResourceDiscoveryRoleName ﹣ we suggest leaving it the default red-canary-resource-discovery-role.
    Note: If you changed it in the Setup Discovery Role in Master Account step you must use the same name.
12. Enter the RedCanaryResourceDiscoveryUserARN which is the ARN of the user created in the Setup Discovery User section.
13. Click Next.
    
14. In the Configure StackSet Options leave the defaults.
    
15. Click Next.
16. In the set deployment options select Deploy new stacks.
17. Select Deploy to organization.
    
18. Under Specify regions, select US East (N. Virginia). Since roles are global, only one region is required.
    
19. Click Next.
20. Scroll to the bottom of the Review page.
21. Click the agreement.
22. Click Submit.
    

Note: Once this process is completed, continue on with creating credentials for a user.