How to Onboard an AWS Member Account Without Management Account

Introduction

This user guide will explain how to onboard an AWS member account in the platform without onboarding any management accounts.

Pre-onboarding

There are certain prerequisites that need to be setup in your AWS account before it can be onboarded into the platform. It primarily involves creating an IAM role for the platform and providing it with the necessary access.

Authorizing the Platform to Access your AWS Account

You can use IAM roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships between your trusting account and other AWS trusted (platform) accounts. The trusting account owns the resources to be accessed and the trusted account contains the users who need access to the resources.

ā—ļø

Note:

IAM user based authentication (i.e. access key and secret key) is no longer supported. This is in compliance with the security standards and recommendations prescribed by AWS.

The platform uses the AWS Security Token Service (AWS STS) AssumeRole API operation. This operation provides temporary security credentials that enable access to AWS resources in your account.

Refer to this link for more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

Required Credentials

Credential NameDescription
Role ARNThe Amazon Resource Name (ARN) of IAM role.
External IDThe external ID can be any word or number that is agreed upon between you and the third-party account.
Required MFAFlag to identify if the role is restricted with multi-factor authentication (MFA).

The IAM role must be created with the following access permissions:

  • For Assessment: Read-Only Access
  • For Assessment + Governance: Read-Write Access

Automate IAM Role Creation with CloudFormation Templates

The platform simplifies this process by providing a CloudFormation Template that takes care of creating an IAM role and assigns the necessary permissions automatically.

You can use the S3 URLs provided below to download the appropriate template based on the type of access you wish to provide for CoreStack.

  • S3 URL with template for Assessment Only (Read-Only Access): click here to download
  • S3 URL with template for Assessment + Automation (Read-Write Access): click here to download

Setting Up an IAM Role

Perform the following steps for setting up the IAM role:

  1. Log in to your AWS account.

  2. Navigate to CloudFormation.

  3. Click Create Stack with new resources. The Step 1 screen of Create Stack section appears.

  1. In the Prepare template field, select the Template is ready option.

  2. In the Template source field, select the Amazon S3 URL option.

  3. Copy the required S3 URL with template from the above step and paste it in the Amazon S3 URL field.

  4. Click Next. The Step 2 screen appears.

  5. In Stack name and Role name fields, type appropriate values.

    • If you have used the Amazon S3 URL with template for Read-Write Access, you can view the additional fields that can be left with default values. However, if you do not want to configure CFN or GuardDuty or Inspector for your AWS account, you can set them as false.
  6. Click Next. The Step 3 screen appears.

  7. You can leave the values for the fields in this screen as default or make changes as necessary including assigning tags, providing notification options, etc.

  8. Click Next. The Step 4 screen appears.
    The information filled in all the above steps will be displayed now.

  9. Review the details and ensure they are correct.

  10. Scroll to the end of the screen and click the acknowledge checkbox.

  11. Click Create Stack.

    The stack creation process will be initiated and you can view the status.

  12. To see the overview and the final status of the stack, navigate to the Stack Info tab.

  13. To retrieve the updated status, click Refresh. When the stack creation is completed successfully, you will see the status as CREATE COMPLETE.

  14. To view the access credentials (ARN), navigate to the Outputs tab.

šŸš§

Note:

You need to copy this information and keep it ready in a notepad to be able to copy-paste into the platform fields while onboarding. This is the information required to onboard the accounts in the platform.

Setting Up Cost Reports

Cost and Usage Report (CUR) must be enabled in your AWS account -- this enables the platform to fetch the billing data from your account. This is required for providing cost visibility and cost analytics for your accounts. If you already have this enabled in your member account, you can skip the below step and just be ready with the S3 Bucket name where the CUR files are being placed by AWS.

šŸ“˜

Note:

The Billing Admin permission is required in your member accounts to perform this action.

To set up the Cost Usage Report, login with the required permissions to your AWS account and complete the following steps:

  1. Log in to the AWS account.

  2. Navigate to Billing and Cost Management.

  3. On the left navigation menu, select ā€ÆCost Analysis > Data Exports.

  4. Click Create.

  5. In the Export type field, select the Legacy CUR export option.

  6. Provide the necessary details about the report content in the first step.

  7. Ensure that the following check-boxes are enabled:

    • Include Resource IDs
    • Automatically refresh
  8. Click Next. The screen with Delivery Options appears.

  9. In the following fields, select the specified values:

    • Report Path Prefix: This is an optional field and can be left blank. There will be no impact even if some prefix is provided.
    • Time Granularity: Select Daily
    • Report Versioning: Select Create new report version.
    • Compression Type: Select GZIP.
  10. Next, the S3 Bucket configuration must be performed:

    1. Click Configure.
    2. If you already have a bucket with the appropriate permissions, you can select the same, or you can select Create a bucket (it is recommended to select this option).
      AWS will take care of creating this new bucket and attaching the necessary policies.
    3. Click Next to view the policy to be applied.
    4. Select the checkbox I have confirmed.
    5. Click Save to complete the process. The S3 Bucket will be successfully configured.
    6. Click Next to proceed to the next step.
  11. Review the values and complete the CUR configuration. Ensure that the details explained in step 9 are filled correctly.

  12. Click Review and Complete.

The report will be created successfully. You can now continue with onboarding the account to the platform. It will take up to 24 hours before AWS places the first report (CSV file in Gzip format) in the S3 bucket, hence, the cost data will not be available for the platform until then.

Onboarding

The following steps need to be performed to onboard an AWS account:

  1. Login to the platform and click Governance > Account Governance > Add New > Single Account > Start Now. The onboarding screen appears.

  2. In the Public Cloud field, select AWS.

  3. Click Get Started.

  4. In the Access Type field, select the required option. The options are: Assessment and Assessment + Governance.

  5. In the Account Type field, select the Linked Account option.

  6. In the AWS Environment field, select your preferred option. The options available are: AWS Standard and AWS Gov Cloud.

  7. In the Authentication Protocol field, select your desired option. The options available are: Assume Role and Access Key.

  8. In the Environment list, select an appropriate option. The options are: All, Production, Staging, QA, and Development.

  9. Click Next.

  10. Provide the necessary details (Amazon Resource Name ID (ARN), External ID, and MFA Enabled OR Access Key & Secret Key) explained in the Pre-onboarding section, based on the option selected in the Authentication Protocol field.

  11. Click Validate.

The Advanced Settings section will be displayed with additional fields (Name, Master Account, Cost Report Access, S3 Bucket URI, Preferred Regions, and Scope).

  1. In the Name field, modify the pre-populated name of the account, if required.
  2. In the Cost Report Access field, select the Current Account option.
  3. In the S3 Bucket URI field, specify the required S3 Bucket details, as explained above.
  4. In the Preferred Regions drop-down list, select the required regions. Multiple regions can be selected.
  5. In the Scope field, select the required option. The available options are: Account, Private, and Tenant.
  6. Click Iā€™m Done.

The AWS Account will be onboarded successfully into the platform. Relevant insights and information about the resources available in the account will be populated under each of the cloud governance pillars.