When configuring the AWS V3 integration to ingest from a specific OU, only accounts within that OU are ultimately ingested. However, during each sync the integration still attempts to assume roles in all accounts across the organization, including those outside the OU where permissions are guaranteed to be missing. This results in a large number of expected failures.
Attempting to assume roles in accounts outside the intended OU creates unnecessary noise in logs and security monitoring systems, so we’d like the integration to attempt role assumption only for accounts within the configured OU.
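One way to scope the sync, as an added example that is not the integration's own code: resolve the account IDs under the configured OU through the AWS Organizations API, and attempt `sts:AssumeRole` only for those. The names `accounts_in_ou` and `FakeOrg`, the constructed IDs, the inclusion of nested OUs and the skipping of non-ACTIVE accounts are all assumptions made for illustration.

```python
# Added example: resolve the accounts under one OU before any sts:AssumeRole call.
from collections import deque

def _pages(call, key, parent_id):
    """Yield items from a NextToken-paginated Organizations list call."""
    token = None
    while True:
        kwargs = {"ParentId": parent_id}
        if token:
            kwargs["NextToken"] = token
        resp = call(**kwargs)
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return

def accounts_in_ou(org, ou_id):
    """Return sorted IDs of ACTIVE accounts in ou_id and all nested OUs."""
    found, queue = set(), deque([ou_id])
    while queue:
        parent = queue.popleft()
        for acct in _pages(org.list_accounts_for_parent, "Accounts", parent):
            if acct.get("Status") == "ACTIVE":  # assumption: skip suspended accounts
                found.add(acct["Id"])
        for child in _pages(org.list_organizational_units_for_parent,
                            "OrganizationalUnits", parent):
            queue.append(child["Id"])
    return sorted(found)

class FakeOrg:
    """Constructed stand-in for boto3.client("organizations"); IDs are made up."""
    ACCOUNTS = {"ou-a": [("111111111111", "ACTIVE"), ("222222222222", "SUSPENDED")],
                "ou-a-child": [("333333333333", "ACTIVE")],
                "ou-b": [("444444444444", "ACTIVE")]}
    OUS = {"ou-a": ["ou-a-child"]}

    def list_accounts_for_parent(self, ParentId, NextToken=None):
        items = self.ACCOUNTS.get(ParentId, [])
        i = int(NextToken or 0)  # one account per page to exercise pagination
        resp = {"Accounts": [{"Id": a, "Status": s} for a, s in items[i:i + 1]]}
        if i + 1 < len(items):
            resp["NextToken"] = str(i + 1)
        return resp

    def list_organizational_units_for_parent(self, ParentId, NextToken=None):
        return {"OrganizationalUnits": [{"Id": o} for o in self.OUS.get(ParentId, [])]}

if __name__ == "__main__":
    print(accounts_in_ou(FakeOrg(), "ou-a"))
```

Passing a real `boto3.client("organizations")` in place of `FakeOrg` uses the same two list calls. Once the sync is scoped this way, an AssumeRole failure in CloudTrail is a signal worth alerting on, not an expected one.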