AWS Onboarding per Organisation

AWS cloud onboarding using single credentials for Organisation with many Accounts

Customer Prerequisites - Creating IAM User and Roles

Customer must follow bellow requirements and prepare for onboarding as follows:

1. Login to AWS Cloud portal

Note! IAM user can be created in Customers Management or any other Account, even in another organisation.

2. Create new IAM user (for example named: 'pulse') under any Account, follow documentation: Creating an IAM user in your AWS account

3. For programmatic access, a third-party Access key needs to be created, the Access key ID and Secret access key will be required to onboard organisation with accounts.

4. IAM user need permission to assume roles, add customer inline configuration named as 'Assume_Pulse_Viewer_Role' with statement bellow:

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Sid": "Statement1",

           "Effect": "Allow",

           "Action": [

               "sts:AssumeRole"

           ],

           "Resource": "arn:aws:iam::*:role/Pulse_Viewer"

       }

   ]

}

5. Roles must be created and used for all accounts including management account.

• Name: Pulse_Viewer (or your naming standard, remember replace user permissions accordingly)

• Role: ReadOnlyAccess (built in role, AWS managed - job function) and custom permission "trustedadvisor:List*"

or:

Important! Take note that with new functionality we may require new permissions

a. Create a Permissions Policy named 'Pulse_View_Resources_policy' in IAM on each Account. Alternatively, a combination of roles/policies can be used, so long as result has all of the permissions listed below.

b. Add permissions either via services or edit JSON directly:

{

"Version": "2012-10-17",

"Statement": [

{

    "Sid": "VisualEditor0",

    "Effect": "Allow",

    "Action": [

                        "sts:GetCallerIdentity",

                        "organizations:DescribeOrganization",

                        "organizations:DescribeAccount",

                        "organizations:ListAccounts",

                        "account:ListRegions",

                        "backup:ListBackupJobs",

                        "backup:ListProtectedResources",

                        "cloudformation:GetResource",

                        "cloudformation:ListResources",

                        "config:DescribeDeliveryChannels",

                        "config:DescribeConfigurationRecorderStatus",

                        "config:ListDiscoveredResources",

                        "config:SelectResourceConfig",

                        "guardduty:GetFindings",

                        "guardduty:ListFindings",

                        "inspector:ListFindings",

                        "inspector:DescribeFindings",

                        "inspector2:ListFindings",

                        "ssm:DescribeMaintenanceWindows",

                        "ssm:ListCommandInvocations",

                        "tag:GetResources",

                        "trustedadvisor:List*"

  ],

  "Resource": "*"

}

]

}

• Trust Relationships add example bellow, by changing <UserAccountID to Account ID where you created IAM user and IAM user name:

{

   "Version": "2012-10-17",

   "Statement": [

       {

           "Sid": "Statement1",

           "Effect": "Allow",

           "Principal": {

                "AWS": [

                    "arn:aws:iam::<UserAccountID>:user/pulse"

                ]

           },

           "Action": "sts:AssumeRole",

           "Condition": {}

       }

   ]

}

6. For getting Cloud resources enable Config service and do this for all(or relevant where resources deployed) regions: Change Region, Open AWS Config Service, select '1-click setup', select 'Confirm'. Change Account. Enable Config for all regions. Repeat for all Accounts and all Regions.

Customer Prerequisites - Creating Cost Export

Customer must follow bellow requirements and prepare cost export to proceed on onboarding to PULSE platform. To start collecting your Cloud Billing data, you must create cost export following this guide steps you need to do:

• Login to Cloud portal

• Open Billing and Cost Management, Select menu: Data Exports

• Press Create and select options:

• - Standard data export

• - Enter Export name: 'DailyExports'

• - Select 'Include resource IDs'

• - Select 'Split cost allocation data'

• - Select 'Daily'

• - Leave Selection 'Column selection (125/125)' as is

• - Select 'gzip - text/csv'

• - Select 'Overwrite existing data export file'

• - Configure S3, general purpose bucket, name it for example <prefix#-costexports-s3bucket-no#>, select your usually used region.

• - Enter S3 path prefix: 'Pulse'

• - Create!

• You need to wait for data to come in before proceeding, usually AWS sends information twice over 24 hours.

• Open S3 Service

• Select S3 Bucket you just created

• Open twice objects (folders) prefix and export names, until you see data and metadata objects

• Copy browser URL for later use.

• If you are using custom permission sets for access then update to include additional permissions to access this bucket, add additional set named 'Pulse_Costs_Viewer' (change <bucketname>):

PULSE Configuration - Onboarding SA

• Login to PULSE platform

• Open Cloud Management under Administration

• Add AWS credentials

  • Access Key ID

  • Secret Access Key

  • Role Name (optional, but preferred way)

  • Customer Management Account ID

• Save [done]

PULSE Configuration - Onboarding Cost Export

• Login to PULSE platform

• Open Cloud Management menu under Administration

• Add Billing Export Configuration

  • Project Name [Account name where cost export data set is located]

  • Cost Export URL [Example: https://us-east-2.console.aws.amazon.com/s3/buckets/examplecostexportsname17?region=us-east-2&bucketType=general&prefix=Pulse/DailyExports/]

• Save [done]