Credentials per Organisation

AWS cloud onboarding using single credentials for Organisation with many Accounts

AWS Cloud Onboarding

Creating IAM user and Roles - Customer Prerequisites

Customer must follow bellow requirements and prepare for onboarding as follows:

Login to Cloud portal
Create new IAM user (for example named: 'insight') can be created under any Account, follow documentation: Creating an IAM user in your AWS account
While creating user, add required permission policy: ReadOnlyAccess (built in permission policy, AWS managed - job function)
For programmatic access, a third-party Access key needs to be created, the Access key ID and Secret access key will be required to onboard organisation with accounts.
IAM user need permission to assume roles, add customer inline configuration named as 'Assume_Insight_Viewer_Role' with statement bellow:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "Statement1",
           "Effect": "Allow",
           "Action": [
               "sts:AssumeRole"
           ],
           "Resource": "arn:aws:iam::*:role/Insight_Viewer"
       }
   ]
}

Roles must be created and used for all accounts including management account. Name: Insight_Viewer (or your naming standard, remember replace user permissions accordingly) Role: ReadOnlyAccess (built in role, AWS managed - job function) Trust Relationships add example bellow, by changing <UserAccountID to Account ID where you created IAM user and IAM user name:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "Statement1",
           "Effect": "Allow",
           "Principal": {
                "AWS": [
                    "arn:aws:iam::<UserAccountID>:user/insight"
                ]
           },
           "Action": "sts:AssumeRole",
           "Condition": {}
       }
   ]
}

Onboarding SA - INSIGHT configuration

Login to INSIGHT platform
Open Cloud Management under Administration
Add AWS credentials
- Access Key ID
- Secret Access Key
- Role Name (optional, but preferred way)
Save [done]

AWS Cloud billing Onboarding

Creating Cost Export

Customer must follow bellow requirements and prepare cost export to proceed on onboarding to INSIGHT platform. To start collecting your Cloud Billing data, you must create cost export following this guide steps you need to do:

Login to Cloud portal
Open Billing and Cost Management, Select menu: Data Exports
Press Create and select options:
- Standard data export
- Enter Export name: 'DailyExports'
- Select 'Include resource IDs'
- Select 'Split cost allocation data'
- Select 'Daily'
- Leave Selection 'Column selection (125/125)' as is
- Select 'gzip - text/csv'
- Select 'Overwrite existing data export file'
- Configure S3, general purpose bucket, name it for example costexportss3bucket, select your usually used region.
- Enter S3 path prefix: 'Insight'
- Create!
You need to wait for data to come in before proceeding, usually AWS sends information twice over 24 hours.
Open S3 Service
Select S3 Bucket you just created
Open twice objects (folders) prefix and export names, until you see data and metadata objects
Copy browser URL for later use.

Onboarding Cost Export

Login to INSIGHT platform
Open Cloud Management menu under Administration
Add Billing Export Configuration
- Project Name [Account name where cost export data set is located]
- Cost Export URL [Example: https://us-east-1.console.aws.amazon.com/s3/buckets/costexportss3bucket?region=us-east-1&bucketType=general&prefix=Insight/DailyExports/]
Save [done]

PreviousCredentials per Account

Last updated 6 days ago