• organizations:ListAccounts

• organizations:ListTagsForResource

• organizations:DescribeOrganization

Account Tags work differently than other assets. Account tags can only be collected via the master account.  

Note: It is not required, but it is a good practice to add the DescribeOrganization permission to the linked accounts to avoid AccessDenied errors on Cloudtrail. The platform runs DescribeOrganization on the linked accounts to find out what the master account is. 

You can use the "Setup=>Account=>AWS Account API Status" page to view any configuration errors.

• Refer to AWS Account setup section: "Option 2: Create IAM Permissions via IAM Role"