Credentials per Organisation

AWS cloud onboarding using a single set of credentials for an Organisation with many Accounts

AWS Cloud Onboarding

Creating IAM user and Roles - Customer Prerequisites

The customer must meet the requirements below and prepare for onboarding as follows:

  1. Log in to the Cloud portal

  2. Create a new IAM user (for example, named 'insight'). The user can be created under any Account; follow the documentation: Creating an IAM user in your AWS account

  3. While creating the user, add the required permission policy ReadOnlyAccess (built-in permission policy, AWS managed - job function) and the custom permission "trustedadvisor:List*".

  4. For programmatic access, a third-party Access key needs to be created; the Access key ID and Secret access key will be required to onboard the organisation with its accounts.

  5. The IAM user needs permission to assume roles: add a customer inline policy named 'Assume_Insight_Viewer_Role' with the statement below:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "Statement1",
           "Effect": "Allow",
           "Action": [
               "sts:AssumeRole"
           ],
           "Resource": "arn:aws:iam::*:role/Insight_Viewer"
       }
   ]
}
  6. Roles must be created and used for all accounts, including the management account.

    • Name: Insight_Viewer (or your own naming standard; remember to update the user's permissions accordingly)

    • Role: ReadOnlyAccess (built-in role, AWS managed - job function)

    • Custom permission: "trustedadvisor:List*"

    • Trust relationship: add the example below, replacing <UserAccountID> with the ID of the Account where you created the IAM user, and the IAM user name with your own:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "Statement1",
           "Effect": "Allow",
           "Principal": {
                "AWS": [
                    "arn:aws:iam::<UserAccountID>:user/insight"
                ]
           },
           "Action": "sts:AssumeRole",
           "Condition": {}
       }
   ]
}
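
A local check for the two policy documents above, written as an added example that is not part of the original page or of the INSIGHT platform. It reports when the user's inline policy grants more than sts:AssumeRole on role/Insight_Viewer, and when a role's trust relationship names anyone other than the onboarding user. The function names, the account ID 111122223333 and the sample trust policy are constructed for illustration.

```python
import json

def _as_list(value):
    # IAM accepts either a single string or a list in these fields.
    return value if isinstance(value, list) else [value]

def check_user_policy(policy, role_name="Insight_Viewer"):
    """Findings for the user's inline policy; an empty list means it matches the page."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"action beyond sts:AssumeRole: {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if not res.endswith(f":role/{role_name}"):
                findings.append(f"resource not limited to role/{role_name}: {res}")
    return findings

def check_trust_policy(policy, user_account_id, user_name="insight"):
    """Findings for a role's trust relationship; an empty list means it matches the page."""
    expected = f"arn:aws:iam::{user_account_id}:user/{user_name}"
    findings, seen = [], False
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else [a for v in principal.values() for a in _as_list(v)]
        for arn in arns:
            if arn == expected:
                seen = True
            elif "<" in arn:
                findings.append(f"placeholder not replaced: {arn}")
            else:
                findings.append(f"principal other than the onboarding user: {arn}")
    if not seen:
        findings.append(f"expected principal missing: {expected}")
    return findings

# Constructed sample: the placeholder was left in place and a wildcard principal was added.
SAMPLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::<UserAccountID>:user/insight", "*"]},
  "Action": "sts:AssumeRole", "Condition": {}}]}""")

if __name__ == "__main__":
    for finding in check_trust_policy(SAMPLE_TRUST, "111122223333"):  # constructed account ID
        print("FINDING:", finding)
```

Run it against the JSON saved from each account's role before entering the access key in INSIGHT; any finding means the trust relationship differs from the one shown on this page.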

Onboarding SA - INSIGHT configuration

  1. Log in to the INSIGHT platform

  2. Open Cloud Management under Administration

  3. Add AWS credentials

    • Access Key ID

    • Secret Access Key

    • Role Name (optional, but the preferred way)

  4. Save [done]

AWS Cloud billing Onboarding

Creating Cost Export

The customer must meet the requirements below and prepare a cost export before proceeding with onboarding to the INSIGHT platform. To start collecting your Cloud Billing data, you must create a cost export by following these steps:

  1. Log in to the Cloud portal

  2. Open Billing and Cost Management and select the Data Exports menu

  3. Press Create and select options:

    - Standard data export

    - Enter Export name: 'DailyExports'

    - Select 'Include resource IDs'

    - Select 'Split cost allocation data'

    - Select 'Daily'

    - Leave Selection 'Column selection (125/125)' as is

    - Select 'gzip - text/csv'

    - Select 'Overwrite existing data export file'

    - Configure S3: choose a general purpose bucket, name it (for example, costexportss3bucket) and select the region you usually use.

    - Enter S3 path prefix: 'Insight'

    - Create!

  4. Wait for data to arrive before proceeding; AWS usually sends information twice over 24 hours.

  5. Open the S3 service

  6. Select the S3 bucket you just created

  7. Open the two objects (folders) named after the prefix and the export name, until you see the data and metadata objects

  8. Copy browser URL for later use.

Onboarding Cost Export

  1. Log in to the INSIGHT platform

  2. Open the Cloud Management menu under Administration

  3. Add Billing Export Configuration

  4. Save [done]
