
Onboarding AWS Accounts to Yotascale™ Software


Prerequisites: 

  • User must have AWS admin rights in each account to be added to Yotascale

Steps to complete: 

Prerequisites

Note: You may skip this step if you already have your AWS Cost & Usage Report (CUR) configured to go to an S3 bucket and have enabled billing tags.

Enable Cost Allocation Tags

  1. Sign in to the AWS Management Console and navigate to the Billing & Cost Management Dashboard.

  2. Navigate to Cost allocation tags.

  3. Select Activate on AWS-Generated Cost Allocation Tags.

  4. Select any tags you want to activate for your report in User-Defined Cost Allocation Tags. For more information about creating an organization tag policy, refer to the AWS Tagging Strategies documentation.

  5. Select Activate.

Enable Cost & Usage Reports

You can view the guide from AWS here. Specific recommendations follow.

  1. Sign in to the AWS Management Console and navigate to the Billing & Cost Management Dashboard.

  2. In the navigation pane, select Cost & Usage Reports.

  3. Select Create Report.

  4. Enter a name for your report.

  5. Select the checkbox to Include resource IDs.

  6. Select Next.

  7. Select an S3 Bucket.

  8. Report path prefix is not required but is supported. Review the AWS guide for more information here.

  9. Select Hourly time granularity.

  10. Leave the remaining settings at their defaults and select Next.

  11. Review your settings, then select Review and Complete. It can take up to 24 hours for AWS to start delivering your billing data to S3. Files are updated at least once a day.

Configure Access Rights

The Yotascale software supports role-based authentication into AWS. Role-based authentication is the method AWS suggests and is described below. The preferred way to create these access rights is to run a CloudFormation stack that creates the role and its associated policies and provisions these rights. Alternatively, you can use the AWS IAM console and create the policies manually, based on the policies at the end of this manual.

Option 1: AWS CloudFormation Setup - Consolidated Billing Account (recommended)

  1. Log in to the Yotascale console. You should have received an email to set your Yotascale password; reach out to support@yotascale.com if you haven't received it.

  2. Once logged in, click on your initials in the upper right-hand corner of the screen and then select “Manage Connections” to start adding your AWS Consolidated Billing account to Yotascale. You'll need the External ID presented here as an input parameter for the CloudFormation template.

  3. Launch the CloudFormation stack in the Consolidated Billing account by clicking this link.

  4. Additional parameters are required for the CloudFormation stack when configuring the Consolidated Billing account:

    • Enter the External ID from the Yotascale console

    • Enter the name of the billing bucket where the CUR files are stored

    • Set the flags for the Tag write policy and the RI purchase policy

  5. Deploy the stack and then review the CloudFormation output

  6. Copy the ARN from the CloudFormation output to the Yotascale console and then complete the prompts in Yotascale

  7. Add as many of your Linked Accounts as possible to Yotascale to receive utilization based optimization recommendations and to enable tagging resources at the Linked Account level. You can add Linked accounts by launching the CloudFormation template at each Linked Account in AWS.

    1. Click to add a Linked Account using the Linked Account version of the CloudFormation template.

Option 2: AWS IAM Policy Configuration Setup

  1. Navigate to the AWS IAM console.

  2. Create an IAM Policy in each account you will be onboarding to the Yotascale software for monitoring. The Yotascale software uses READ-ONLY access for all but two use cases: Tagging and RI purchasing. These can be deactivated and core Yotascale software functionality will remain.

    1. Consolidated Billing Policy
      Allows access to Billing files, Organization metadata, RI purchasing, Resource tagging & metadata, and CloudWatch metrics

    2. Linked Account Policy
      Allows access to RI purchasing, Resource tagging & metadata, and CloudWatch metrics

Manually Onboarding AWS Accounts in the Yotascale Software

Providing Yotascale Software Access with an IAM Role

This is done for every account you want to provide access to the Yotascale software.

  1. Log in to the Yotascale software and click on your initials in the upper right-hand corner.

  2. Select Manage Cloud Services.

  3. Select IAM Role Auth.

    1. Note the Yotascale Account ID: 819983868943

    2. Note the External ID. This is a random alphanumeric ID that we will associate to the AWS Role when we create it.



  4. Navigate to the AWS IAM Console

  5. Create an IAM Role in AWS

    1. Select Another AWS account

    2. Enter the Yotascale Account ID: 819983868943

    3. Enable the "Require external ID..." option.

    4. Enter the External ID generated by the Yotascale console.

    5. Select Next: Permissions.

    6. Select the previously created policy.

    7. Select Next: Tags.

    8. Assign a Role name and description.

    9. Confirm the configuration and select Create role.

      Note: See "Creating a Role to Delegate Permissions to an IAM User" in the AWS documentation.



  6. Return to the Yotascale software console.

  7. If you are adding the Consolidated Billing account, select Cost and Usage Report, and then choose the Report Name from the drop-down. For Linked Accounts, select Detailed Billing Report.

  8. Select Next.


  9. The Yotascale software validates that the policy permissions have been granted. You should get Allowed for all permissions, but it is okay to get ‘Undetermined’ against Add/Delete tags if you don't have those resources in use in AWS. Select Finish when you are done reviewing the permissions status.



  10. Once the account is added, it will appear in the account list as shown in the figure below. This means the account was added successfully.
    Note: The Yotascale software initially pulls in as much as 6 months of historic data. This ingest can take up to 48 hours to transfer, analyze, and display your data.
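The trust relationship that steps 5.1 to 5.4 set up on the role, built and checked offline. This is an added example, not Yotascale's or AWS's own code: the function names are hypothetical and the external ID is a constructed placeholder; only the account ID comes from this page.

```python
YOTASCALE_ACCOUNT_ID = "819983868943"  # account ID given in steps 3.1 and 5.2


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_trust_policy(external_id):
    """Trust policy equivalent to 'Another AWS account' plus 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{YOTASCALE_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy, external_id):
    """Return a list of problems; an empty list means the role matches step 5."""
    allowed = {YOTASCALE_ACCOUNT_ID, f"arn:aws:iam::{YOTASCALE_ACCOUNT_ID}:root"}
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: principal is not limited to an AWS account")
        else:
            extra = set(_as_list(principal["AWS"])) - allowed
            if extra:
                findings.append(f"statement {i}: unexpected principals {sorted(extra)}")
        # IAM condition keys are case-insensitive, so compare them lower-cased.
        cond = {k.lower(): v for k, v in
                st.get("Condition", {}).get("StringEquals", {}).items()}
        if _as_list(cond.get("sts:externalid")) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId is missing or does not match")
    return findings


if __name__ == "__main__":
    example_id = "EXAMPLE-EXTERNAL-ID"  # constructed placeholder, not a real ID
    print(trust_policy_findings(build_trust_policy(example_id), example_id))
```

Running the check against the `AssumeRolePolicyDocument` of an existing role shows whether the external ID requirement from step 5.3 was actually enabled.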


Appendix A: AWS Policies for Yotascale Software Access

There are two policies listed below: one for the Consolidated Billing Account (mandatory) and another to be used for any Linked Accounts you are adding. Adding Linked Accounts is highly recommended, as it provides inventory and utilization data that allows the Yotascale software to find the optimal recommendations and configurations for your cloud deployment. Ensure that the following policy is attached to the IAM Role that you would like to use with the Yotascale software. In the Consolidated Billing Account Policy, don’t forget to replace "YOUR-CUR-BILLING-BUCKET" with the actual name of the CUR billing bucket discussed in the Prerequisites.

Consolidated Billing Account Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1454926263000",
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "cloudtrail:Describe*",
                "cloudtrail:List*",
                "cloudwatch:Describe*",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "dynamodb:Describe*",
                "dynamodb:List*",
                "ec2:Describe*",
                "ecr:Describe*",
                "ecr:List*",
                "ecs:Describe*",
                "ecs:List*",
                "elasticache:Describe*",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:List*",
                "glacier:Describe*",
                "glacier:List*",
                "kinesis:Describe*",
                "kinesis:List*",
                "lambda:List*",
                "logs:Describe*",
                "logs:Get*",
                "logs:StartQuery",
                "logs:StopQuery",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "redshift:Describe*",
                "route53:Get*",
                "route53:List*",
                "s3:GetBucketLocation",
                "s3:GetBucketTagging",
                "s3:ListAllMyBuckets",
                "sns:Get*",
                "sns:List*",
                "sqs:Get*",
                "sqs:List*",
                "trustedadvisor:Describe*",
                "workspaces:Describe*"
            ],
            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1454926263005",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetAccelerateConfiguration"
            ],

            "Resource": [
                "arn:aws:s3:::YOUR-CUR-BILLING-BUCKET/*",
                "arn:aws:s3:::YOUR-CUR-BILLING-BUCKET"
            ]
        },

        {
            "Sid": "Stmt1454926263003",
            "Effect": "Allow",
            "Action": [
                "organizations:List*",
                "organizations:Describe*",
                "ce:Get*",
                "cur:Describe*"
            ],
            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1454926263002",
            "Effect": "Allow",
            "Action": [
                "ec2:*Tags*",
                "autoscaling:*Tags*",
                "rds:*Tags*",
                "redshift:*Tags*",
                "s3:*Tagging*",
                "elasticache:*Tags*",
                "elasticloadbalancing:*Tags*",
                "cloudtrail:*Tags*",
                "elasticmapreduce:*Tags*",
                "glacier:*Tags*",
                "kinesis:*Tags*",
                "route53:*Tags*",
                "workspaces:*Tags*",
                "dynamodb:TagResource",
                "dynamodb:UntagResource",
                "lambda:TagResource",
                "lambda:UntagResource"
            ],

            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1454926263004",
            "Effect": "Allow",
            "Action": [
                "ec2:PurchaseReservedInstancesOffering",
                "rds:PurchaseReservedDBInstancesOffering"
            ],

            "Resource": [
                "*"
            ]
        }
    ]
}

Linked Account Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1454926263000",
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "cloudtrail:Describe*",
                "cloudtrail:List*",
                "cloudwatch:Describe*",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "dynamodb:Describe*",
                "dynamodb:List*",
                "ec2:Describe*",
                "ecr:Describe*",
                "ecr:List*",
                "ecs:Describe*",
                "ecs:List*",
                "elasticache:Describe*",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:List*",
                "glacier:Describe*",
                "glacier:List*",
                "kinesis:Describe*",
                "kinesis:List*",
                "lambda:List*",
                "logs:Describe*",
                "logs:Get*",
                "logs:StartQuery",
                "logs:StopQuery",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "redshift:Describe*",
                "route53:Get*",
                "route53:List*",
                "s3:GetBucketLocation",
                "s3:GetBucketTagging",
                "s3:ListAllMyBuckets",
                "sns:Get*",
                "sns:List*",
                "sqs:Get*",
                "sqs:List*",
                "trustedadvisor:Describe*",
                "workspaces:Describe*"
            ],

            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1454926263002",
            "Effect": "Allow",
            "Action": [
                "ec2:*Tags*",
                "autoscaling:*Tags*",
                "rds:*Tags*",
                "redshift:*Tags*",
                "s3:*Tagging*",
                "elasticache:*Tags*",
                "elasticloadbalancing:*Tags*",
                "cloudtrail:*Tags*",
                "elasticmapreduce:*Tags*",
                "glacier:*Tags*",
                "kinesis:*Tags*",
                "route53:*Tags*",
                "workspaces:*Tags*",
                "dynamodb:TagResource",
                "dynamodb:UntagResource",
                "lambda:TagResource",
                "lambda:UntagResource"
            ],

            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1454926263004",
            "Effect": "Allow",
            "Action": [
                "ec2:PurchaseReservedInstancesOffering",
                "rds:PurchaseReservedDBInstancesOffering"
            ],

            "Resource": [
                "*"
            ]
        }
    ]
}
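Option 2 states that only tagging and RI purchasing go beyond read-only access and that both can be deactivated. The sketch below is an added example, not Yotascale's code: it strips those write actions from a policy and reports any resource that still carries the bucket placeholder. The sample policy is a constructed, shortened excerpt of Appendix A, the function names are hypothetical, and classifying actions by name prefix is a heuristic assumed for this example.

```python
READ_PREFIXES = ("Describe", "List", "Get")
READ_EXACT = {"logs:StartQuery", "logs:StopQuery"}  # query actions in the page's read statement
PLACEHOLDER = "YOUR-CUR-BILLING-BUCKET"

# Constructed excerpt: Sids and actions are from Appendix A, lists shortened.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1454926263000", "Effect": "Allow",
         "Action": ["ec2:Describe*", "cloudwatch:GetMetricData", "logs:StartQuery"],
         "Resource": ["*"]},
        {"Sid": "Stmt1454926263005", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::YOUR-CUR-BILLING-BUCKET/*",
                      "arn:aws:s3:::YOUR-CUR-BILLING-BUCKET"]},
        {"Sid": "Stmt1454926263002", "Effect": "Allow",
         "Action": ["ec2:*Tags*", "s3:*Tagging*", "lambda:TagResource"],
         "Resource": ["*"]},
        {"Sid": "Stmt1454926263004", "Effect": "Allow",
         "Action": ["ec2:PurchaseReservedInstancesOffering"],
         "Resource": ["*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Heuristic (assumption of this example): classify by action-name prefix."""
    name = action.partition(":")[2]
    return name.startswith(READ_PREFIXES) or action in READ_EXACT


def read_only_variant(policy):
    """Return (policy with write actions stripped, {Sid: [removed actions]})."""
    kept, removed = [], {}
    for st in policy["Statement"]:
        actions = _as_list(st["Action"])
        writes = [a for a in actions if not is_read_only(a)]
        reads = [a for a in actions if is_read_only(a)]
        if writes:
            removed[st.get("Sid", "(no Sid)")] = writes
        if reads:
            kept.append({**st, "Action": reads})
    return {**policy, "Statement": kept}, removed


def unreplaced_placeholders(policy):
    """Resources that still carry the page's bucket placeholder."""
    return [r for st in policy["Statement"]
            for r in _as_list(st["Resource"]) if PLACEHOLDER in r]
```

Loading either full policy from Appendix A with `json.load` and passing it to `read_only_variant` shows exactly which statements grant write access before the policy is attached to the role.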


