Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1

Onboarding AWS Accounts to Yotascale™ Software

Prerequisites

  • User must have AWS admin rights in each account to be added to Yotascale

Description:



Steps to complete:

Prerequisites

Note: You may skip this step if you already have your AWS billing data configured to go to an S3 bucket and have enabled billing tags.

Enable Billing Reports and Tags

  1. Sign in to the AWS Management Console and navigate to the Billing & Cost Management Dashboard.
  2. In the navigation pane, select Preferences.
  3. Enable Receive Billing Reports.
  4. Select Configure next to Save to S3 Bucket  and type a valid Amazon S3 bucket name. This is typically a bucket dedicated to your AWS billing files, feel free to create a new one if you prefer.
  5. In the Report list, select the check box for Detailed billing report with resources and tags*.
  6. Select Save Preferences.
  7. Select Manage report tags.


    The page displays a list of tags actively in use. Tag keys that currently appear in the report are selected, while the check boxes for excluded tag keys are cleared.


  8. Select Activate to enable AWS-Generated Cost Allocation Tags.
  9. Select the tags that you want to activate for your report.
  10. Select Activate to enable them.



    Note: For more information about creating an organization tag policy refer to the AWS Tagging Strategies documentation.

Access Rights - AWS IAM Policy Configuration

The Yotascale software supports both IAM user and role-based authentication into AWS. Role based authentication is the more secure method and is described below.

  1. Navigate to the AWS IAM console.
  2. Create an IAM Policy in each account you will be onboarding to the Yotascale software for monitoring. The Yotascale software uses READ-ONLY access for all but two use cases: Tagging and RI purchasing. These can be deactivated and core Yotascale software functionality will remain.
    1. Consolidated Billing Policy
      Allows access to Billing files (CUR/DBR), Organization metadata, RI purchasing, Resource tagging & metadata, and CloudWatch metrics
    2. Linked Account Policy
      Allows access to RI purchasing, Resource tagging & metadata, and CloudWatch metrics

Onboarding AWS Accounts in the Yotascale Software

Providing Yotascale Software Access with an IAM Role

This is done for every account you want to provide access to the Yotascale software.

  1. Log in to the Yotascale software and select Cloud Accounts from the top right menu.

    Screen Shot 2017-08-16 at 7.43.34 PM.png
  2. Select IAM Role Auth.
    1. Note the Yotascale Account ID: 819983868943
    2. Note the External ID. This is a random alphanumeric ID that we will associate to the AWS Role when we create it.



  3. Navigate to the AWS IAM Console
  4. Create an IAM Role in AWS
    1. Select Another AWS account
    2. Enter the Yotascale Account ID: 819983868943
    3. Enable the "Require external ID..." option.
    4. Enter the External ID generated by the Yotascale console.
    5. Select Next: Permissions.
    6. Select the previously created policy.
    7. Select Next: Tags.
    8. Assign a Role name and description.
    9. Confirm the configuration and select Create role.

      Note: Creating a Role to Delegate Permissions to an IAM User AWS documentation.



  5. For additional security you can even limit the access to a specific IAM role for the Yotascale software. To achieve this select Edit trust relationship under Trust relationships tab of the IAM role details. Update the Trust Relationship policy document and replace arn:aws:iam::819983868943:rootwith arn:aws:iam::819983868943:role/Master-Role


  6. Return to the Yotascale software console.
  7. If you are adding the Consolidated Billing account, select the billing bucket where your DBR is stored. For Linked Accounts select nothing.
  8. Select Next.

    Screen Shot 2017-05-11 at 2.30.30 PM.png
  9. The Yotascale software validates the policy permissions have been granted. You should get Allowed for all permissions but it is okay to get ‘Undetermined’ against Add/Delete tags if you don't have those resources in use in AWS. Select Finish when you are done reviewing the permissions status.

    3_KEY_Accout_Setup_Permissions_Validation.png

  10. Once the account is added, it will appear in the account list as shown in the figure below. This means the account was added successfully.
    Note: The Yotascale software initially pulls in as much as 6 months of historic data. This ingest can take up to 48 hours to transfer, analyze, and display your data.


    Screen Shot 2017-05-11 at 9.15.01 PM.png

Appendix A: AWS Policies for Yotascale Software Access

There are two policies listed below. One for the Consolidated BIlling Account (mandatory) and another that is to be used for any Linked Accounts you are adding. Adding Linked Accounts is highly recommended as it provides inventory and utilization data that allows the Yotascale software to find the optimal recommendations and configurations for your cloud deployment. Ensure that the following policy is attached to the IAM Role that you would like to use with the Yotascale software. Don’t forget to replace "YOUR-DBR-BILLING-BUCKET" and "YOUR-CUR-BILLING-BUCKET" with your actual DBR or CUR billing bucket’s name for the Consolidated Billing Account Policy discussed in the Prerequisites.

Consolidated Billing Account Policy:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1454926263000",
            "Effect": "Allow",
            "Action": [
               "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "autoscaling:Describe*",
                "ec2:Describe*",
                "elasticloadbalancing:Describe*",
                "cloudwatch:ListMetrics",
                "rds:Describe*",
                "rds:ListTagsForResource",
"cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*",
                "redshift:Describe*",
                "dynamodb:Describe*",
                "dynamodb:List*",
                "lambda:List*",
                "cloudtrail:List*",
                "cloudtrail:Describe*",
                "elasticache:Describe*",
                "sqs:Get*",
                "sqs:List*",
                "sns:Get*",
                "sns:List*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:List*",
                "kinesis:Describe*",
                "kinesis:List*",
                "glacier:Describe*",
                "glacier:List*",
                "route53:Get*",
                "route53:List*",
                "workspaces:Describe*"
            ],

            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1454926263001",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
"s3:GetAccelerateConfiguration"
            ],

            "Resource": [
                "arn:aws:s3:::YOUR-DBR-BILLING-BUCKET/*",
                "arn:aws:s3:::YOUR-DBR-BILLING-BUCKET"
            ]
        },

        {
            "Sid": "Stmt1454926263005",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
"s3:ListBucket",
"s3:GetAccelerateConfiguration"
            ],

            "Resource": [
                "arn:aws:s3:::YOUR-CUR-BILLING-BUCKET/*",
                "arn:aws:s3:::YOUR-CUR-BILLING-BUCKET"
            ]
        },

        {
            "Sid": "Stmt1454926263003",
            "Effect": "Allow",
            "Action": [
                "organizations:List*",
                "organizations:Describe*",
                "ce:Get*",
                "cur:Describe*"
            ],
            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1454926263002",
            "Effect": "Allow",
            "Action": [
                "ec2:*Tags*",
                "autoscaling:*Tags*",
                "rds:*Tags*",
                "redshift:*Tags*",
                "s3:*Tagging*",
                "elasticache:*Tags*",
                "elasticloadbalancing:*Tags*",
                "cloudtrail:*Tags*",
                "elasticmapreduce:*Tags*",
                "glacier:*Tags*",
                "kinesis:*Tags*",
                "route53:*Tags*",
                "workspaces:*Tags*",
                "dynamodb:TagResource",
                "dynamodb:UntagResource",
                "lambda:TagResource",
                "lambda:UntagResource"
            ],

            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1454926263004",
            "Effect": "Allow",
            "Action": [
                "ec2:PurchaseReservedInstancesOffering",
                "rds:PurchaseReservedDBInstancesOffering"
            ],

            "Resource": [
                "*"
            ]
        }
    ]
}

Linked Account Policy

{
"Version": "2012-10-17",
"Statement": [
        {
            "Sid": "Stmt1454926263000",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
              "s3:GetBucketLocation",
              "autoscaling:Describe*",
              "ec2:Describe*",
              "elasticloadbalancing:Describe*",
              "cloudwatch:ListMetrics",
              "cloudwatch:GetMetricStatistics",
              "cloudwatch:Describe*",
              "rds:Describe*",
              "rds:ListTagsForResource",
              "redshift:Describe*",
              "dynamodb:Describe*",
              "dynamodb:List*",
              "lambda:List*",
              "cloudtrail:List*",
              "cloudtrail:Describe*",
              "elasticache:Describe*",
              "sqs:Get*",
              "sqs:List*",
              "sns:Get*",
              "sns:List*",
              "elasticmapreduce:Describe*",
              "elasticmapreduce:List*",
              "kinesis:Describe*",
              "kinesis:List*",
              "glacier:Describe*",
              "glacier:List*",
              "route53:Get*",
              "route53:List*",
              "workspaces:Describe*"
          ],

            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1454926263002",
            "Effect": "Allow",
            "Action": [
                "ec2:*Tags*",
                "autoscaling:*Tags*",
                "rds:*Tags*",
                "redshift:*Tags*",
                "s3:*Tagging*",
                "elasticache:*Tags*",
                "elasticloadbalancing:*Tags*",
                "cloudtrail:*Tags*",
                "elasticmapreduce:*Tags*",
                "glacier:*Tags*",
                "kinesis:*Tags*",
                "route53:*Tags*",
                "workspaces:*Tags*",
                "dynamodb:TagResource",
                "dynamodb:UntagResource",
                "lambda:TagResource",
                "lambda:UntagResource"
            ],

            "Resource": [
                "*"
            ]
        },

        {
            "Sid": "Stmt1454926263004",
            "Effect": "Allow",
            "Action": [
                "ec2:PurchaseReservedInstancesOffering",
                "rds:PurchaseReservedDBInstancesOffering"
            ],

            "Resource": [
                "*"
            ]
        }
    ]
}
  • No labels