- Created by Garrett Reynolds, last modified by John Brand on Dec 03, 2020
Onboarding AWS Accounts to Yotascale™ Software
Prerequisites:
User must have AWS admin rights in each account to be added to Yotascale
Steps to complete:
Prerequisites (5 minutes - AWS Console)
Configure Access Rights - IAM Policy Configuration (10 minutes - AWS Console)
Onboarding the Consolidated Billing Account to Yotascale Software (10 minutes - Yotascale software & AWS Console)
Onboarding Linked Accounts to Yotascale Software (10 minutes each - Yotascale software & AWS Console)
Prerequisites
Note: You may skip this step if you already have your AWS Cost & Usage Report (CUR) configured to go to an S3 bucket and have enabled billing tags.
Enable Cost Allocation Tags
Sign in to the AWS Management Console and navigate to the Billing & Cost Management Dashboard.
Navigate to Cost allocation tags.
Select Activate on AWS-Generated Cost Allocation Tags.
Select any tags you want to activate for your report in User-Defined Cost Allocation Tags. For more information about creating an organization tag policy, refer to the AWS Tagging Strategies documentation.
Select Activate.
Enable Cost & Usage Reports
You can view the guide from AWS here. Specific recommendations follow.
Sign in to the AWS Management Console and navigate to the Billing & Cost Management Dashboard.
In the navigation pane, select Cost & Usage Reports.
Select Create Report.
Enter a name for your report.
Select the checkbox to Include resource IDs.
Select Next.
Select an S3 Bucket.
Report path prefix is not required but is supported. Review the AWS guide for more information here.
Select Hourly time granularity.
Leave the remaining settings at their defaults and select Next.
Review your settings, then select Review and Complete. It can take up to 24 hours for AWS to start delivering your billing data to S3. Files are updated at least once a day.
Configure Access Rights
The Yotascale software supports role-based authentication into AWS. Role-based authentication is the method of authentication suggested by AWS and is described below. The preferred way to create these access rights is to run a CloudFormation stack that creates the role and its associated policies and provisions these rights. Alternatively, you can use the AWS IAM console and create the policies manually based on the policies at the end of this manual.
Option 1: AWS CloudFormation Setup - Consolidated Billing Account (recommended)
Log in to the Yotascale console. You should have received an email to set your Yotascale password; reach out to support@yotascale.com if you haven't received it.
Once logged in, click on your initials in the upper right-hand corner of the screen and then select “Manage Connections” to start adding your AWS Consolidated Billing account to Yotascale. You will need the External ID presented here as an input parameter for the CloudFormation template.
Launch the CloudFormation stack in the Consolidated Billing account by clicking this link.
Template URL: https://yotascale-onboarding.s3.amazonaws.com/YotascaleManagement.yaml
It's also available for download and review here.
Additional parameters are required for the CloudFormation stack when configuring the Consolidated Billing account:
Enter the External ID from the Yotascale console
Enter the name of the billing bucket where the CUR files are stored
Set the flags for the Tag write policy and the RI purchase policy
Deploy the stack and then review the CloudFormation output
Copy the ARN from the CloudFormation output to the Yotascale console and then complete the prompts in Yotascale
Add as many of your Linked Accounts as possible to Yotascale to receive utilization-based optimization recommendations and to enable tagging resources at the Linked Account level. You can add Linked Accounts by launching the CloudFormation template in each Linked Account in AWS.
Click to launch the Linked Account version of the CloudFormation template.
Option 2: AWS IAM Policy Configuration Setup
Navigate to the AWS IAM console.
Create an IAM Policy in each account you will be onboarding to the Yotascale software for monitoring. The Yotascale software uses READ-ONLY access for all but two use cases: Tagging and RI purchasing. These can be deactivated and core Yotascale software functionality will remain.
Consolidated Billing Policy
Allows access to Billing files, Organization metadata, RI purchasing, Resource tagging & metadata, and CloudWatch metrics
Linked Account Policy
Allows access to RI purchasing, Resource tagging & metadata, and CloudWatch metrics
Manually Onboarding AWS Accounts in the Yotascale Software
Providing Yotascale Software Access with an IAM Role
This is done for every account you want to provide access to the Yotascale software.
Log in to the Yotascale software and click on your initials in the upper right-hand corner.
Select Manage Cloud Services
Select IAM Role Auth.
Note the Yotascale Account ID: 819983868943
Note the External ID. This is a random alphanumeric ID that we will associate to the AWS Role when we create it.
Navigate to the AWS IAM Console
Create an IAM Role in AWS
Select Another AWS account
Enter the Yotascale Account ID: 819983868943
Enable the "Require external ID..." option.
Enter the External ID generated by the Yotascale console.
Select Next: Permissions.
Select the previously created policy.
Select Next: Tags.
Assign a Role name and description.
Confirm the configuration and select Create role.
Note: See the AWS documentation, Creating a Role to Delegate Permissions to an IAM User.
Return to the Yotascale software console.
If you are adding the Consolidated Billing account, select Cost and Usage Report, and then choose the Report Name from the drop-down. For Linked Accounts, select Detailed Billing Report.
Select Next.
The Yotascale software validates that the policy permissions have been granted. You should get ‘Allowed’ for all permissions, but it is okay to get ‘Undetermined’ against Add/Delete tags if you don't have those resources in use in AWS. Select Finish when you are done reviewing the permissions status.
Once the account is added, it will appear in the account list as shown in the figure below. This means the account was added successfully.
Note: The Yotascale software initially pulls in as much as 6 months of historic data. This ingest can take up to 48 hours to transfer, analyze, and display your data.
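The role created in the steps above carries a trust policy that names the Yotascale account and requires the External ID, which is what stops another party from having the role assumed on its behalf. The Python check below is an added example, not part of the Yotascale documentation; the sample policies, the EXAMPLE-EXTERNAL-ID value and the account 111122223333 are constructed.

```python
# Added example: audit a role trust policy against the onboarding steps above.
YOTASCALE_ACCOUNT_ID = "819983868943"          # Yotascale Account ID from this page
EXAMPLE_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"    # constructed placeholder, not a real ID

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_external_id):
    """Return findings; an empty list means the policy matches the steps."""
    allowed = {YOTASCALE_ACCOUNT_ID, f"arn:aws:iam::{YOTASCALE_ACCOUNT_ID}:root"}
    findings = []
    statements = [s for s in _as_list(policy.get("Statement", []))
                  if s.get("Effect") == "Allow"
                  and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not statements:
        findings.append("no Allow statement for sts:AssumeRole")
    for stmt in statements:
        principal = stmt.get("Principal", {})
        # "Principal": "*" trusts every AWS account; treat it as one bad entry.
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not names:
            findings.append("no AWS account principal")
        findings += [f"unexpected principal: {n}" for n in names if n not in allowed]
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = cond.get("sts:ExternalId")
        if external_id is None:
            findings.append("sts:ExternalId condition missing")
        elif _as_list(external_id) != [expected_external_id]:
            findings.append("sts:ExternalId differs from the expected value")
    return findings

def make_trust_policy(account, external_id=None):
    """Build a constructed sample trust policy for the checks below."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"}}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

if __name__ == "__main__":
    good = make_trust_policy(YOTASCALE_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID)
    no_id = make_trust_policy(YOTASCALE_ACCOUNT_ID)
    wrong = make_trust_policy("111122223333", EXAMPLE_EXTERNAL_ID)  # constructed account
    for name, pol in [("good", good), ("no external id", no_id), ("wrong account", wrong)]:
        print(name, "->", audit_trust_policy(pol, EXAMPLE_EXTERNAL_ID) or "OK")
```

To check a real role, pass the role's trust policy document (as parsed JSON) and the External ID shown in the Yotascale console.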
Appendix A: AWS Policies for Yotascale Software Access
There are two policies listed below: one for the Consolidated Billing Account (mandatory) and another to be used for any Linked Accounts you are adding. Adding Linked Accounts is highly recommended as it provides inventory and utilization data that allows the Yotascale software to find the optimal recommendations and configurations for your cloud deployment. Ensure that the following policy is attached to the IAM Role that you would like to use with the Yotascale software. Don’t forget to replace "YOUR-CUR-BILLING-BUCKET" with your actual CUR billing bucket’s name for the Consolidated Billing Account Policy discussed in the Prerequisites.
Consolidated Billing Account Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1454926263000",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudtrail:Describe*",
        "cloudtrail:List*",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ecr:Describe*",
        "ecr:List*",
        "ecs:Describe*",
        "ecs:List*",
        "elasticache:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "glacier:Describe*",
        "glacier:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:List*",
        "logs:Describe*",
        "logs:Get*",
        "logs:StartQuery",
        "logs:StopQuery",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:Get*",
        "route53:List*",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:ListAllMyBuckets",
        "sns:Get*",
        "sns:List*",
        "sqs:Get*",
        "sqs:List*",
        "trustedadvisor:Describe*",
        "workspaces:Describe*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1454926263005",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-CUR-BILLING-BUCKET/*",
        "arn:aws:s3:::YOUR-CUR-BILLING-BUCKET"
      ]
    },
    {
      "Sid": "Stmt1454926263003",
      "Effect": "Allow",
      "Action": [
        "organizations:List*",
        "organizations:Describe*",
        "ce:Get*",
        "cur:Describe*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1454926263002",
      "Effect": "Allow",
      "Action": [
        "ec2:*Tags*",
        "autoscaling:*Tags*",
        "rds:*Tags*",
        "redshift:*Tags*",
        "s3:*Tagging*",
        "elasticache:*Tags*",
        "elasticloadbalancing:*Tags*",
        "cloudtrail:*Tags*",
        "elasticmapreduce:*Tags*",
        "glacier:*Tags*",
        "kinesis:*Tags*",
        "route53:*Tags*",
        "workspaces:*Tags*",
        "dynamodb:TagResource",
        "dynamodb:UntagResource",
        "lambda:TagResource",
        "lambda:UntagResource"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1454926263004",
      "Effect": "Allow",
      "Action": [
        "ec2:PurchaseReservedInstancesOffering",
        "rds:PurchaseReservedDBInstancesOffering"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Linked Account Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1454926263000",
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "cloudtrail:Describe*",
        "cloudtrail:List*",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ecr:Describe*",
        "ecr:List*",
        "ecs:Describe*",
        "ecs:List*",
        "elasticache:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "glacier:Describe*",
        "glacier:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:List*",
        "logs:Describe*",
        "logs:Get*",
        "logs:StartQuery",
        "logs:StopQuery",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:Get*",
        "route53:List*",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:ListAllMyBuckets",
        "sns:Get*",
        "sns:List*",
        "sqs:Get*",
        "sqs:List*",
        "trustedadvisor:Describe*",
        "workspaces:Describe*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1454926263002",
      "Effect": "Allow",
      "Action": [
        "ec2:*Tags*",
        "autoscaling:*Tags*",
        "rds:*Tags*",
        "redshift:*Tags*",
        "s3:*Tagging*",
        "elasticache:*Tags*",
        "elasticloadbalancing:*Tags*",
        "cloudtrail:*Tags*",
        "elasticmapreduce:*Tags*",
        "glacier:*Tags*",
        "kinesis:*Tags*",
        "route53:*Tags*",
        "workspaces:*Tags*",
        "dynamodb:TagResource",
        "dynamodb:UntagResource",
        "lambda:TagResource",
        "lambda:UntagResource"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1454926263004",
      "Effect": "Allow",
      "Action": [
        "ec2:PurchaseReservedInstancesOffering",
        "rds:PurchaseReservedDBInstancesOffering"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
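The page states that the tagging and RI purchasing permissions can be deactivated while core functionality remains. The Python sketch below is an added example, not Yotascale's own tooling: it derives a read-only variant of an Appendix A style policy, and its classification rules and the abbreviated SAMPLE_POLICY are assumptions constructed for illustration.

```python
# Added example: derive a read-only variant of an Appendix A style policy.
READ_PREFIXES = ("describe", "list", "get")

def classify(action):
    """Label an IAM action 'read', 'tag-write', 'ri-purchase' or 'other'."""
    name = action.split(":", 1)[-1].lower()
    if name.startswith(READ_PREFIXES):
        return "read"          # includes s3:GetBucketTagging, rds:ListTagsForResource
    if "tag" in name:
        return "tag-write"     # ec2:*Tags*, dynamodb:TagResource, lambda:UntagResource
    if name.startswith("purchase"):
        return "ri-purchase"
    return "other"             # e.g. logs:StartQuery; left in place, review by hand

def strip_optional_writes(policy, keep=()):
    """Copy the policy without tag-write / ri-purchase actions not named in keep."""
    drop = {"tag-write", "ri-purchase"} - set(keep)
    statements = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        kept = [a for a in actions if classify(a) not in drop]
        if kept:  # a statement left with no actions is dropped entirely
            statements.append({**stmt, "Action": kept})
    return {"Version": policy["Version"], "Statement": statements}

# Constructed sample: the Appendix A statements, abbreviated to a few actions each.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1454926263000", "Effect": "Allow", "Resource": ["*"],
         "Action": ["ec2:Describe*", "rds:ListTagsForResource",
                    "s3:GetBucketTagging", "logs:StartQuery"]},
        {"Sid": "Stmt1454926263002", "Effect": "Allow", "Resource": ["*"],
         "Action": ["ec2:*Tags*", "s3:*Tagging*",
                    "dynamodb:TagResource", "lambda:UntagResource"]},
        {"Sid": "Stmt1454926263004", "Effect": "Allow", "Resource": ["*"],
         "Action": ["ec2:PurchaseReservedInstancesOffering",
                    "rds:PurchaseReservedDBInstancesOffering"]},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(strip_optional_writes(SAMPLE_POLICY), indent=2))
```

Removing `ec2:*Tags*` does not remove tag visibility, because `ec2:Describe*` in the first statement still covers the describe call.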