Credentials per Account

AWS cloud onboarding using single credentials for single Account

AWS Cloud Onboarding

Creating IAM user - Customer Prerequisites

The customer must meet the requirements below and prepare for onboarding as follows:

  1. Login to Cloud portal

  2. Create a new IAM user (for example named 'insight') under each Account, following the AWS documentation: Creating an IAM user in your AWS account

  3. While creating the user, attach the required permissions policy: ReadOnlyAccess (the built-in, AWS managed job-function policy) plus the custom permission "trustedadvisor:List*", or

Create and use a custom Permissions Policy with only the specific permissions listed below:

Important! New functionality may require additional permissions in the future.

a. Create a Permissions Policy named 'Insight-Resources-Viewer' in IAM on each Account. Alternatively, a combination of roles/policies can be used, as long as the result grants all of the permissions listed below.

b. Add the permissions either by selecting services in the visual editor or by editing the JSON directly:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "organizations:ListAccounts",
                "account:ListRegions",
                "backup:ListBackupJobs",
                "backup:ListProtectedResources",
                "cloudformation:GetResource",
                "cloudformation:ListResources",
                "config:DescribeDeliveryChannels",
                "config:DescribeConfigurationRecorderStatus",
                "config:ListDiscoveredResources",
                "config:SelectResourceConfig",
                "guardduty:GetFindings",
                "guardduty:ListFindings",
                "inspector:ListFindings",
                "inspector:DescribeFindings",
                "inspector2:ListFindings",
                "ssm:DescribeMaintenanceWindows",
                "ssm:ListCommandInvocations",
                "tag:GetResources",
                "trustedadvisor:List*"
            ],
            "Resource": "*"
        }
    ]
}

  4. For programmatic access, create an access key for the user (use case: third-party service). Record the Access key ID and Secret access key; both are required to onboard the account.

  5. To collect Cloud resources, enable the AWS Config service in every region (or at least in every region where resources are deployed): change the Region, open the AWS Config service, select '1-click setup', then select 'Confirm'. Repeat for each region.

Onboarding SA - INSIGHT configuration

  1. Login to INSIGHT platform

  2. Open Cloud Management under Administration

  3. Add AWS credentials

    • Access Key ID

    • Secret Access Key

  4. Save [done]

AWS Cloud billing Onboarding

Creating Cost Export

The customer must meet the requirements below and prepare a cost export before onboarding to the INSIGHT platform. To start collecting Cloud Billing data, create a cost export by following these steps:

  1. Login to Cloud portal

  2. Open Billing and Cost Management, Select menu: Data Exports

  3. Press Create and select options:

    - Standard data export

    - Enter Export name: 'DailyExports'

    - Select 'Include resource IDs'

    - Select 'Split cost allocation data'

    - Select 'Daily'

    - Leave Selection 'Column selection (125/125)' as is

    - Select 'gzip - text/csv'

    - Select 'Overwrite existing data export file'

    - Configure S3: create a general purpose bucket, name it for example <prefix#-costexports-s3bucket-no#>, and select the region you usually use.

    - Enter S3 path prefix: 'Insight'

    - Create!

  4. Wait for data to arrive before proceeding; AWS usually delivers export data twice within 24 hours.

  5. Open S3 Service

  6. Select S3 Bucket you just created

  7. Open the objects (folders) two levels down, first the prefix and then the export name, until you see the data and metadata objects.

  8. Copy browser URL for later use.

  9. If you are using custom permission sets for access, add an additional policy named 'Insight_Costs_Viewer' that grants access to this bucket (replace <bucketname>):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucketname>",
                    "arn:aws:s3:::<bucketname>/*"
                ]
            }
        ]
    }
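Before attaching either policy, it is worth checking that the 'Insight-Resources-Viewer' policy really grants only read-style actions and that the 'Insight_Costs_Viewer' policy is scoped to one named bucket rather than "*". The following is an added example (not part of this guide or of the INSIGHT platform) that performs both checks offline; the RESOURCES_VIEWER document is a constructed, abridged copy of the policy above, and the bucket name used in the usage line is made up.

```python
import json
import re

# Constructed, abridged copy of the page's 'Insight-Resources-Viewer' policy.
RESOURCES_VIEWER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "sts:GetCallerIdentity", "organizations:ListAccounts",
            "config:SelectResourceConfig", "guardduty:GetFindings",
            "inspector2:ListFindings", "tag:GetResources", "trustedadvisor:List*",
        ],
        "Resource": "*",
    }],
}

# Only Get/List/Describe/Select verbs read state; anything else in a viewer policy is a red flag.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9]+:(Get|List|Describe|Select)[A-Za-z0-9*]*$")

def non_read_only_actions(policy: dict) -> list:
    """Return every action in an Allow statement that is not a plain read-style call."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):  # IAM allows a single action as a bare string
            actions = [actions]
        bad.extend(a for a in actions if not READ_ONLY_ACTION.match(a))
    return bad

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens, no ".." runs.
BUCKET_NAME = re.compile(r"^(?!.*\.\.)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

def costs_viewer_policy(bucket: str) -> dict:
    """Render the page's 'Insight_Costs_Viewer' policy for one bucket; rejects unfilled placeholders."""
    if not BUCKET_NAME.match(bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }

if __name__ == "__main__":
    print("non read-only actions:", non_read_only_actions(RESOURCES_VIEWER))
    print(json.dumps(costs_viewer_policy("acme-costexports-s3bucket-01"), indent=2))
```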

Onboarding Cost Export

  1. Login to INSIGHT platform

  2. Open Cloud Management menu under Administration

  3. Add Billing Export Configuration

  4. Save [done]
