This section will help you onboard and integrate your AWS accounts with CoreStack. We will go through the different types of AWS accounts supported, what pre-requisites are required in AWS before on-boarding, how to onboard the account and then manage existing accounts.

Types of AWS Accounts

AWS accounts are mainly classified into the following categories:

  • Master Account/Payer Account:
    The master account within an AWS Organization is considered the Payer account and is responsible for paying all charges that are accrued by all the member accounts. The master account is used to define Organization Hierarchy by grouping accounts under different Organizational Units and setting up Policies and Budgets for the accounts. You cannot switch the master account of your AWS Organization. (But you can move your linked accounts to a different Organization if required)
  • Member Account/Linked Account:
    A standard AWS account that belongs to an organization is called a member/linked account. While member accounts can now have visibility on their account level spend, billing reports and payments cannot be managed within these accounts.

You can on-board both Master and Linked Accounts into CoreStack. However, you need to select the type of account while on-boarding. For Master Accounts, you need to provide the S3 bucket used for CUR reports. For Linked Accounts, please ensure that the Master account is on-boarded first (at least with the “None” setting) so that you can select it from the dropdown list of Master accounts. Unless this is done, the cost data for the linked accounts cannot be fetched.

AWS Services Supported

The following AWS services are supported for Discovery and Governance:

Service Category | Service Type | Resource Types
Compute | EC2 | Key Pairs, Instances, Security_Groups, Elastic IPs, Own_Private_Images, Shared Private Images, Availability_Zones, Load_Balancers, Classic Load Balancers, Spot_Instance_Requests, Spot_Fleet_Requests
Compute | Lambda | Functions
Compute | Lightsail | Lightsail_Storages, Lightsail_StaticIps, Lightsail_Bundles, Lightsail_DiskSnapshots, Lightsail_DatabaseSnapshots, Lightsail_Blueprints, Lightsail_Instances, Lightsail_LoadBalancers, Lightsail_InstanceSnapshots, Lightsail_Databases
Container | ECS | Clusters
Identity | IAM | IAM_Groups, IAM_Users, IAM_LocalManagedPolicy, IAM_AWSManagedPolicy, IAM_Roles
Network | VPC | Network_Interfaces, Subnets, VPC, Route_Tables, Internet_Gateways, Egress_Only_Internet_Gateways, DHCP_Options, Vpc_Endpoints, Vpc_Endpoint_Services, Nat_Gateways, Vpc_Peering_Connections, Network_Acls, Transit_Gateways, Transit_Gateway_Route_Tables
Network | VPN | Customer_Gateways, VPN_Gateways, Site-to-Site_VPN_Connections, Client_VPN_Endpoints
Network | Traffic_Mirroring | Mirror_Sessions
Network | Route53 | Hosted_Zones, Health_Checks, Traffic_Policies
Content_Delivery | CloudFront | Web_Distributions, Streaming_Distributions
Storage | EBS | Volumes, Snapshots
Storage | S3 | Buckets
Databases | RDS | DB SecurityGroups, Reserved Instances, Databases, Subnet Groups, Parameter Groups, Option Groups, DB Snapshots
Databases | ElastiCache | Service_Updates, Cache_SecurityGroups, Cache_ParameterGroups, Cache_SubnetGroups, Cache_Clusters, Reserved_CacheNodes, Snapshots
Databases | Redshift | Redshift_Clusters, Redshift_Cluster_Snapshots, Cluster_SubnetGroups, Cluster_SecurityGroups
Application_Integration | SNS | Topics
Application_Integration | SQS | Queues
Security_Compliance | Inspector | Assessment_Targets, Assessment_Templates
Governance | AWS_Organizations | Accounts
Governance | Cloudwatch | Alarm_Configurations

Pre-Requisite set-up in AWS

There are certain pre-requisites that need to be set-up in your AWS accounts before they can be onboarded into CoreStack. This is primarily around creating an IAM user for CoreStack and providing it the necessary access.

CoreStack supports the following Authentication protocols:

AWS Access Key (IAM User):

AWS access keys can be created for the Root User or for IAM Users to enable programmatic access to your AWS account. An access key is a long-term authentication mechanism: it can be reused any number of times, similar to logging in as an IAM user or the AWS account root user.

When you create your access keys, you create the access key ID (e.g. AKIAIOSFODNN7EXAMPLE) and secret access key (e.g. wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) as a set. The secret access key is available for download only when you create it. If you don’t download your secret access key or if you lose it, you must create a new one.

Hint: It is NOT recommended to create access keys for your Root account. Always use IAM users for creating access keys. It is also a best practice to use that user only for programmatic access and NOT to provide it Console access.

For more information, refer to the “Programmatic Access” section at this link:
https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html

Required Credentials:

  • Access Key
  • Secret Key

Assume Role – Delegated Access using IAM Role (Recommended):

You can use IAM roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships between your trusting account and other AWS trusted (CoreStack) accounts. The trusting account owns the resource to be accessed and the trusted account contains the users who need access to the resource.

CoreStack would use the AWS Security Token Service (AWS STS) “AssumeRole” API operation. This operation provides temporary security credentials that enable access to AWS resources in your account.

Refer to this link for more information:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

Required Credentials:

    • Role ARN: The Amazon Resource Name (ARN) of IAM Role.
    • External ID: The external ID can be any word or number that is agreed upon between you and the third-party account. (Note: This is a unique ID created for each CoreStack customer. Hence to get the ID for your account, please reach out to support@corestack.io. The support channel is available 24×7 and you can expect a response within 2 hours).
    • Require MFA: Flag indicating whether the role is restricted with multi-factor authentication (MFA).
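
A check you can run on the role's trust policy before sharing the Role ARN, as an added example (not CoreStack's template or code): it confirms that only the agreed account can assume the role, that the External ID is enforced with StringEquals, and optionally that MFA is required. The account ID 111122223333 and the external ID value are constructed placeholders.

```python
"""Audit an IAM role trust policy used for third-party (cross-account) access."""

# Constructed sample values: 111122223333 stands in for the trusted (vendor)
# account and the external ID is a placeholder, not a real CoreStack value.
VENDOR_ACCOUNT = "111122223333"

GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
        },
    }],
}

# Trusts every AWS principal and has no External ID: anyone who learns the
# Role ARN could request credentials for it.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Return the account IDs named in a Principal element ('*' = wildcard)."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    accounts = set()
    for entry in _as_list(principal.get("AWS")):
        if entry.startswith("arn:"):
            accounts.add(entry.split(":")[4])  # arn:aws:iam::<account>:...
        else:
            accounts.add(entry)                # '*' or a bare account ID
    return accounts


def _condition_values(condition, operator, key):
    """Look up a condition key (case-insensitive) under one operator."""
    for name, value in condition.get(operator, {}).items():
        if name.lower() == key.lower():
            return _as_list(value)
    return []


def audit_trust_policy(policy, trusted_account, external_id, require_mfa=False):
    """Return a list of findings; an empty list means the policy passed."""
    statements = [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow"
        and any(a.lower() in ("sts:assumerole", "sts:*", "*")
                for a in _as_list(s.get("Action")))
    ]
    if not statements:
        return ["no statement allows sts:AssumeRole"]

    findings = []
    for i, stmt in enumerate(statements):
        accounts = _principal_accounts(stmt.get("Principal"))
        if "*" in accounts:
            findings.append(f"statement {i}: wildcard principal")
        elif accounts != {trusted_account}:
            findings.append(f"statement {i}: unexpected principal {sorted(accounts)}")

        cond = stmt.get("Condition", {})
        # Only an exact match counts; StringLike with a wildcard is no check.
        ids = _condition_values(cond, "StringEquals", "sts:ExternalId")
        if not ids:
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
        elif ids != [external_id]:
            findings.append(f"statement {i}: external ID does not match the agreed value")

        if require_mfa:
            mfa = _condition_values(cond, "Bool", "aws:MultiFactorAuthPresent")
            if [str(v).lower() for v in mfa] != ["true"]:
                findings.append(f"statement {i}: MFA not enforced")
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, audit_trust_policy(doc, VENDOR_ACCOUNT,
                                       "EXAMPLE-EXTERNAL-ID", require_mfa=True))
```

Feed it the trust policy document returned for the role in your own account, together with the External ID you were issued.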

The steps for on-boarding the accounts are given below. It is recommended to start with the Master account. For Master Accounts, if the CUR (Cost and Usage Reports) is not already configured, that must be completed as well.

Note: More information and automated templates to create this IAM Role with required access policies are provided in the sections below for Master and Linked accounts separately.

Add Master (Payer) Account

If you have AWS Organisation configured, and you have multiple Organisation Units and Linked Accounts under them, then we recommend that you start by on-boarding the Master Account of your Organisation.

I don’t have any resources in my Master Account. Do I still have to on-board it?

Yes. Though you don’t have any resources to be governed or managed, it is required to on-board your Master account. This is to enable CoreStack to fetch cost and usage information for all your linked accounts. This is available only in your Master (Payer) Account.

I’m concerned about providing access to my Master Account. What permissions does CoreStack need?

For Master Accounts, CoreStack requires only the following:

  • Read-only permission to the Billing Bucket (S3 Bucket mapped to CUR Report).
  • List Child Accounts for the Organization Account.

You can be assured that with the limited permissions, there will be no impact to your Master account.
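
One way to verify that a policy attached for the Master account stays within those two permissions, as an added example rather than CoreStack's own template. The allowed action patterns and the bucket name example-cur-bucket are assumptions made for illustration.

```python
"""Check that an IAM policy grants only CUR-bucket reads and account listing."""
from fnmatch import fnmatchcase

# Assumption: read-only patterns derived from the two needs listed above.
ALLOWED_S3 = ("s3:get*", "s3:list*")
ALLOWED_ORG = ("organizations:list*",)

# Constructed sample policies; example-cur-bucket is a hypothetical bucket.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadCurBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::example-cur-bucket",
                      "arn:aws:s3:::example-cur-bucket/*"]},
        {"Sid": "ListMemberAccounts", "Effect": "Allow",
         "Action": "organizations:ListAccounts", "Resource": "*"},
    ],
}

BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllBuckets", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "*"},
        {"Sid": "WriteCur", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:*"],
         "Resource": "arn:aws:s3:::example-cur-bucket/*"},
        {"Sid": "OrgAdmin", "Effect": "Allow",
         "Action": "organizations:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # A policy action such as "s3:*" is compared as a literal string, so it
    # passes only if it is at least as narrow as an allowed pattern.
    return any(fnmatchcase(action.lower(), p) for p in patterns)


def audit_master_policy(policy, cur_bucket):
    """Return (sid, action, issue) tuples for every grant beyond the baseline."""
    bucket_arn = f"arn:aws:s3:::{cur_bucket}"
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only reduce access
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource",
                             "inverted match grants everything not listed"))
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        for action in _as_list(stmt.get("Action", [])):
            if _matches(action, ALLOWED_S3):
                for res in resources:
                    inside = res == bucket_arn or res.startswith(bucket_arn + "/")
                    if not inside:
                        findings.append((sid, action,
                                         f"S3 read outside the CUR bucket: {res}"))
            elif not _matches(action, ALLOWED_ORG):
                findings.append((sid, action,
                                 "not a read-only billing or organization action"))
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_master_policy(doc, "example-cur-bucket"))
```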

Setting up Cost Reports

To set-up the Cost Usage Report you should login as “Root User” into your Master (Payer) AWS account and complete the below steps.

  1. Login as Root User
  2. Navigate to Billing Dashboard
  3. Select “Cost & Usage Reports” from the Left Navigation Menu
  4. Click on “Create report”

Note: If you already have a report configured, you can still review the below steps to ensure you have all the settings right. Use the “Edit” option to make any changes.

5. Enter details about the Report content in the first step and click on Next. Ensure that the 2 checkboxes for “Include Resource IDs” and “Automatically refresh..” are selected.

6. In the next screen for Delivery Options, select the following values:

  1. Report Path Prefix: Optional Field. Can leave it blank. No impact even if some prefix is provided.
  2. Time Granularity: Hourly
  3. Report Versioning: Create new report version
  4. Compression Type: GZIP

7. The S3 Bucket Configuration has to be done before finishing this step:

  1. Click on Configure
  2. If you already have a bucket with the appropriate permissions, you can select that. Or you can create a bucket (this is recommended).
  3. AWS will take care of creating this new bucket and also attaching the necessary policies.
  4. Click on Next to see the policy to be applied. Click on the checkbox below and then Save to complete the process.
  5. You will see that the S3 Bucket is now successfully configured.
  6. Click on Next to proceed to the next step.

8. The last step is to review the values provided and complete CUR configuration. Please ensure the following are configured correctly. You can then click on Review and Complete.

  1. Time Granularity: Hourly
  2. Report Versioning: Create new report version
  3. Compression Type: GZIP

9. You will now see that the report is created successfully. You can now continue with onboarding the account to CoreStack.

Note: It will take up to 24 hours before AWS places the first report (csv file in Gzip format) in the S3 bucket. Hence cost data will not be available for CoreStack till then.

10. Stay at the same page for the next step.

Select Cost Allocation Tags

1. Stay in the Billing Dashboard and select “Cost Allocation Tags” from the Left Navigation Menu

2. Choose Activate button

3. The recommended tags to be activated are: Application, Environment, Cost Center, Owner. You can also choose to add additional tags as per your requirement.

Setup IAM User and Permissions

This is required only if you are using the “Authentication Protocol” as Access Keys (IAM User). CoreStack simplifies this process by providing a CloudFormation Template that will take care of this.

S3 URL with Template for Master Account Read-Only Access: Click here

  • Login to your AWS account and navigate to “CloudFormation”
  • Click on “Create Stack” with new resources

1. In Step-1: Choose “Template is ready” and Amazon S3 URL. In the URL field, copy paste the URL above.

2. In Step-2: Provide a “Name” for the Stack and the S3 Bucket that is mapped to CUR Reports in the step above. Click on Next


3. All fields in Step-3 are optional. You can leave them as default or make changes as necessary including assigning Tags, providing notification options etc. Click on Next to proceed.

4. In the Step-4, you can review all the info provided, scroll down to the end to click on the acknowledge checkbox and then click on “Create stack”


5. You will see that the Stack creation process has started and the status is “CREATE_IN_PROGRESS”


6. Move to “Stack Info” tab to see the overview of the stack and the final status. Click on the “Refresh” icon at the right end to get the updated status. When it is successfully completed you will see the status as “CREATE_COMPLETE”


7. Click on the “Outputs” tab to see the access credentials created. You need to copy this info and keep it handy. This is the info required to onboard the account into CoreStack.

Note: As per the best practice, we assume that there are no resources running under the Master account. If any resources are running and you want them to be discovered and governed through CoreStack, then please provide the access as mentioned in the next section for the Linked/Member Accounts.

Setup IAM Role and Permissions

This is required only if you are using the “Authentication Protocol” as Assume Role (IAM Role). CoreStack simplifies this process by providing a CloudFormation Template that will take care of this.

S3 URL with Template for Master Account Read-Only Access: Click here

  • Login to your AWS account and navigate to “CloudFormation”
  • Click on “Create Stack” with new resources

1. In Step-1: Choose “Template is ready” and Amazon S3 URL. In the URL field, copy paste the URL above.

2. In Step-2: Provide a “Name” for the Stack, the “Role Name” to be created. Click on Next

3. All fields in Step-3 are optional. You can leave them as default or make changes as necessary including assigning Tags, providing notification options etc. Click on Next to proceed.

4. In the Step-4, you can review all the info provided, scroll down to the end to click on the acknowledge checkbox and then click on “Create stack”

5. You will see that the Stack creation process has started and the status is “CREATE_IN_PROGRESS”

6. Move to “Stack Info” tab to see the overview of the stack and the final status. Click on the “Refresh” icon at the right end to get the updated status. When it is successfully completed you will see the status as “CREATE_COMPLETE”.

7. Click on the “Outputs” tab to see the access credentials created. You need to copy this info and keep it handy. This is the info required to onboard the account into CoreStack.

Note: As per the best practice, we assume that there are no resources running under the Master account. If any resources are running and you want them to be discovered and governed through CoreStack, then please provide the access as mentioned in the next section for the Linked/Member Accounts.

AWS Member (Linked) Accounts

You can on-board any number of your linked accounts into CoreStack. You would require the following set-up in terms of IAM user with access keys and necessary permissions.

CoreStack provides 2 different permission options while creating an account access. The features supported in CoreStack for that account will accordingly vary.

Permission Type | Features Supported | Features NOT Supported
Read-Only | 1. Resource Discovery (Inventory); 2. Best Practices Assessment; 3. Cost Analytics (if Master Account is available) | 1. Governance Features for Operations, Cost, Compliance; 2. Industry Standards Compliance Assessment; 3. Orchestration Templates; 4. Resource Actions from Inventory; 5. Self Service Module
Read-Write | ALL | Some Resource Actions from Inventory or Orchestration Templates may not work if the required access is not provided.

Setup IAM User and Permissions

This is required only if you are using the “Authentication Protocol” as Access Keys (IAM User). CoreStack simplifies this process by providing a CloudFormation Template that will take care of this. You can use the below S3 URLs to execute it within your account.

S3 URL with Template for Read-Only Access: Click here

S3 URL with Template for Read-Write Access: Click here

  • Login to your AWS account and navigate to “CloudFormation”
  • Click on “Create Stack” with new resources

1. Step-1: Choose “Template is ready” and “Amazon S3 URL”. In the URL field, provide the appropriate S3 URL based on Read-Only or Read-Write access


2. In Step-2: Provide a “Name” for the Stack, and the Username for the IAM user to be created. Click on Next


3. All fields in Step-3 are optional. You can leave them as default or make changes as necessary including assigning Tags, providing notification options etc. Click on Next to proceed.

4. In the Step-4, you can review all the info provided, scroll down to the end to click on the acknowledge checkbox and then click on “Create stack”.


5. You will see that the Stack creation process has started, and the status is “CREATE_IN_PROGRESS”.


6. Move to “Stack Info” tab to see the overview of the stack and the final status. Click on the “Refresh” icon at the right end to get the updated status. When it is successfully completed you will see the status as “CREATE_COMPLETE”.


7. Click on the “Outputs” tab to see the access credentials created. You need to copy this info and keep it handy. This is the info required to onboard the account into CoreStack.

Setup IAM Role and Permissions

This is required only if you are using the “Authentication Protocol” as Assume Role (IAM Role). CoreStack simplifies this process by providing a CloudFormation Template that will take care of this. You can use the below S3 URLs to execute it within your account.

S3 URL with Template for Read-Only Access: Click here

S3 URL with Template for Read-Write Access: Click here

  • Login to your AWS account and navigate to “CloudFormation”
  • Click on “Create Stack” with new resources

1. Step-1: Choose “Template is ready” and Amazon S3 URL. In the URL field, copy paste the URL above

2. In Step-2: Provide a “Name” for the Stack, the “Role Name” to be created. The other fields can be left with default values. However, if you do NOT want to configure CFN or GuardDuty or Inspector for your AWS account, you can set them to “false”. Click on Next

3. All fields in Step-3 are optional. You can leave them as default or make changes as necessary including assigning Tags, providing notification options etc. Click on Next to proceed.

4. In the Step-4, you can review all the info provided, scroll down to the end to click on the acknowledge checkbox and then click on “Create stack”

5. You will see that the Stack creation process has started and the status is “CREATE_IN_PROGRESS”

6. Move to “Stack Info” tab to see the overview of the stack and the final status. Click on the “Refresh” icon at the right end to get the updated status. When it is successfully completed you will see the status as “CREATE_COMPLETE”.

7. Click on the “Outputs” tab to see the access credentials created. You need to copy this info and keep it handy. This is the info required to onboard the account into CoreStack.

Impact on your AWS Account

Read-Only Access on Master Account

Since the access is read-only, there are no resources or configurations created by CoreStack in your AWS account.
However, the S3 Bucket that you created for capturing the Cost & Usage Report will incur some minimal cost based on the size of usage reports getting stored in your S3 Bucket. CoreStack requires the name of the S3 Bucket in which the CUR Reports are placed. This is required to be able to fetch the usage info from your AWS Account and provide Cost Analytics and Governance. This is required only for Master (Payer) Accounts.

Read-Only Access on Linked Account

Since the access is read-only, there are no resources or configurations created by CoreStack in your AWS account. There is absolutely no resource or billing impact in this case.

Read-Write Permissions

Following resources will be created based on your selection during on-boarding:

  1. Cloud Trail in all Regions: While onboarding the account, CoreStack automatically creates cloud trails for all AWS regions to be able to track even any inadvertent usage in any of the regions. CoreStack does not overwrite or reuse any existing trails. It will create a new trail with webhook configured to push the activities to CoreStack. These trails will be automatically removed if you decide to remove the account from CoreStack later.
  2. S3 Bucket in all Regions: As part of the Cloud Trail configurations, S3 buckets are also created in all AWS regions to collect the logs. These buckets will also be automatically removed if you decide to remove the account from CoreStack later.
  3. CloudWatch Alarms will be created for selected metrics for various resource types supported by CoreStack. If you use custom setting for on-boarding, you will see the list of metrics for each resource type during onboarding. For Express setting, default thresholds are applied automatically which you can view after onboarding is completed.

Billing Impact due to CoreStack onboarding:

There could be additional charges based on the configuration during on-boarding:

Configuration | Description | Billing Impact
CloudTrail | Case-1: There are no Trails configured other than the one created by CoreStack as part of onboarding. | Case-1: Charges for the S3-Bucket where the Cloud Trails logs are stored. This is usually very minimal.
CloudTrail | Case-2: There are other Trails that were created before / after onboarding your account to CoreStack | Case-2: Charges for the S3-Bucket where the Cloud Trails logs are stored. Management event charges for the second trail at the rate of $2.00 per 100,000 events
CloudWatch Alarm | Standard Resolution (60 sec) | $0.10 per alarm metric
CloudWatch Metric Data | GetMetricData – CoreStack fetches the metric data from AWS | $0.01 per 1,000 metrics requested
AWS Config | This could be configured for Compliance Standards assessment | $0.003 per configuration item recorded in your AWS account per AWS Region

On-boarding Process

When logging into CoreStack, if there are no accounts setup to begin with, the user will be greeted with the following page:

Clicking on ‘Get Started’ will take the user to the cloud accounts onboarding page, where they can proceed with the wizard as explained below.

If you already have some accounts and want to add more accounts:

To start setting up an AWS account, follow the below steps:

1. Navigate to Settings > Cloud Accounts from top right

2. From the Cloud Accounts page, select “AWS” from the different clouds on the left side

3. Once on the AWS onboarding page, click on the “New Account” button at the top right and select “Single Account”

Note: Bulk accounts upload using excel / csv is supported only for “None” setting.

4. This will initiate the onboarding process. It has 4 tabs as part of the workflow which are explained in detail in the sub-sections below.

  1. Authentication
  2. Activation
  3. Configuration
  4. Authorization

Authentication

This is where you first associate your cloud account, by providing the relevant Access key and secret key and selecting the type of configuration settings.

The following legend details the fields in Authentication section that must be filled to proceed further:

Field | Field options | Description
Account Name | Required | Enter the name of the Account.
Description | Optional | Provide a short description about the account.
Settings | Required | Here, you can select the configuration settings for your cloud account. There are three options to choose from – None, Express and Custom. None – Select None if you do not want any governance automation for this cloud account. Read-Only Permissions are sufficient. Inventory discovery will be on-demand for this setting. Express – Express is like a quick setup wizard. If the user selects the Express option, the best practice configurations will automatically be set up for the cloud account. Read-Write Permissions are required. Custom – User can select this if they want to tailor the configurations for the cloud account. All the options will be selected by default and you can modify them individually in the Configurations section. Read-Write Permissions are required.
Environment | Required | Select the appropriate environment for the cloud account which will determine the governance settings. For example, if the cloud account is for development, then select that from the list. The Environment list consists of – Production, Staging, QA, Development.
Scope | Required | Select the scope for the account. The options are: Private – Select Private if the cloud account is to be used only by the user setting up the account. Tenant – Select Tenant if the account will be shared with all the users under the CoreStack Tenant. Account – Select Account to share this account across all CoreStack tenants within your Organisation account. Note: This option is visible only for Account Admin users.
Protocol | Required | Select the AWS Authentication Protocol to be used: AWS Access Keys (IAM User), which is a long-term authentication mechanism, or Assume Role (IAM Role based designated access), which is a temporary access token based mechanism. Refer to the Pre-Requisites section to know more.
Access Key | Required if Protocol = Access Keys | Enter the Access Key associated with the AWS account. Refer to the Pre-Requisites section to know how to fetch this value.
Secret Key | Required if Protocol = Access Keys | Enter the Secret Key associated with the AWS account. Refer to the Pre-Requisites section to know how to fetch this value.
Role ARN | Required if Protocol = Assume Role | Enter the ARN of the IAM Role associated with the AWS account. Refer to the Pre-Requisites section to know how to fetch this value.
External ID | Required if Protocol = Assume Role | Enter the External Id configured in the IAM Role. Refer to the Pre-Requisites section to know how to fetch this value.
MFA Enabled (Flag) | Required if Protocol = Assume Role | Select True if the Role is restricted with Multi Factor Authentication (MFA).
Bucket Name | Required for Master Accounts | Enter the name of the S3 Bucket to be used to fetch Cost & Usage Reports. Refer to the Pre-Requisites section to know how to fetch this value.
Account Type | Required | Select Master (Payer) or Linked Account based on the type of account you are onboarding.
Privacy Policy | Required | Privacy Policy must be read and accepted.

Once all the details required for Authentication are complete, click on Next to proceed to Activation.

Note: If the user selects Settings as ‘None’, then they would be directly taken to the end of the Authorization page and Onboarding completion page.

Activation

In the Activation section you can select the Compute, Storage, Network and Application Integration cloud resource types that can be managed by CoreStack.

Cloud Products | Types
Compute | ECS Clusters
Compute | EC2 – Instances, Shared Private Images, Key Pairs, Own Private Images, Security Groups, Elastic IPs, Reserved Instances, Load Balancers, Availability Zones
Compute | Lambda – Functions
Compute | Light Sail – Storage, Bundle, Instances, StaticIps, Databases, LoadBalancers, Blueprint, DiskSnapshot, InstanceSnapshots, DatabaseSnapshots.
Storage | S3 – Bucket
Storage | EBS – Snapshots, Volumes
Network | VPCs – Route Tables, Subnets, Network Interfaces, DHCP Options, Vpc Endpoint Services, Vpc Endpoints, Egress Only Internet Gateways, Internet Gateways, Nat Gateways, Vpc Peering Connections, VPCs.
Network | Content delivery Network – Web Distributions, Streaming Distributions.
Network | Traffic Mirroring – Mirror Sessions
Network | Security – Network Acls
Network | VPN – Customer Gateways, VPN Gateways, Client VPN Endpoints, Site-to-Site VPN Connections.
Network | Route53 – Hosted Zones, Health Checks, Traffic Policies.
Network | Transit Gateway – Transit Gateways, Transit Gateway Route Tables.
Application Integration | SNS – Topics
Application Integration | SQS – Queues
Databases | ElastiCache – Reserved CacheNodes, Cache SubnetGroups, Cache ParameterGroups, Cache ClustersCache, Cluster Snapshots, Service Updates, Cache SecurityGroups
Databases | RDS – DB SecurityGroups, Reserved DBInstances, Databases, Subnet Groups, Parameter Groups, Option Groups, DB Snapshots
Databases | Redshift – Redshift Clusters, Redshift Cluster Snapshots, Cluster SecurityGroups, Cluster SubnetGroups
Identity Access Management | IAM – IAM Groups, IAM Users, Policies, Users, IAM Roles, IAM LocalManagedPolicy, Roles, Groups, IAM AWSManagedPolicy.
Security Compliance | Inspector – Assessment Templates, Assessment Targets.

Click on a cloud resource to select/deselect a resource type to be managed using CoreStack. By default, all the resource types will be selected. We recommend that you select all the services as a default, provided you have used the standard access template to grant access to the IAM user.

Click Next to proceed to the Configuration section.

Configuration

Under Configuration, settings are provided to be able to manage the 4Cs of governance – CloudOps, Compliance, Consumption and Cost.

CloudOps

This section handles all the configuration settings associated with Cloud Observability – Monitoring, Activity Tracking, Notification and Reports.

Monitoring

CoreStack creates alerts when set threshold limits are exceeded for specific resources in the onboarded cloud accounts. The alerts set here appear in the CloudOps Dashboard under the Threshold Alerts section.

How to set a threshold?

Let us take the example of CPU alert under Compute – Instances. You can set an alert stating that a CPU Utilization above a threshold limit of say, 75%, is to be flagged. This alert will be sent as an email as well as displayed in the CloudOps Dashboard.

Field | Description
Threshold | This is where the numerical value can be provided.
Comparison Operator | The operator set in this field will be used to compare the statistic with the set threshold. Options available are: Greater than, Greater than or equal, Lesser than or equal, Lesser than.
Statistic | There are four options available in the drop down – Average, Minimum, Maximum, and Sum. This setting determines how the actual performance value should be compared with the threshold. For example, should the average monthly CPU utilization be compared to the threshold, or the maximum value hit at a specific time?
Period | The period over which the specified statistic will be applied.
Evaluation Period | This is the number of times within a set period interval that CoreStack will check for a threshold violation. For example, if this is set to 2, and the period is set to 30 minutes, then CoreStack will check the threshold every 30 mins. And if there is a threshold violation more than 2 times, then it will trigger an alert and notification to the user via email and on the dashboard.
Resolve Alert | The Threshold alerts when displayed in the Operations Dashboard will have some options for resolution. The possible actions to remediate an alert are configured here. Remediation Actions are Templates available in CoreStack which can be executed to resolve an alert.

  • Manual: You can select one or more templates as remediation actions. When the alert is displayed in the dashboard, the operations engineer will decide on a suitable action and then initiate that action manually.
  • User Defined: You can select a specific action which will trigger the action automatically once the threshold alert is thrown.
  • System defined: Once you set the confidence level, CoreStack AI engine will decide on the suitable action based on history of actions taken for the same alert in the past.
  • None: No options will be available for Resolving the alert. The operations engineer must decide on their own on the action required.
  • Resolve Action Delay Time: You can configure the delay time for resolve actions configured for the metric alerts. This is useful if you want to allow some time for manual review and action and, if that does not happen, let the automated action kick in.

Activity Tracking

You can select the activities for which notifications should be sent as an email to you. The activity list is populated based on the Environment selected in the Authentication section. Since we have selected Staging in our example, these are some of the activities listed:

Notifications

This section enables you to add the email and webhook using which notifications can be sent to you. Enter a valid email address and webhook in the respective fields.

  • Exclude me: Excludes the current user from email notifications (Threshold Alerts, Activity Alerts and Scheduled Reports). Only the additional emails mentioned here will receive the email notifications. This is helpful if the user who is onboarding the account is the Org-Admin or Lead who may not want to receive all the alerts.
  • Additional Emails / Webhooks: Can add additional email addresses and webhooks as required. Threshold Alerts, Activity Alerts and Scheduled Reports from this account will be sent to these users / webhooks.

Reports

Here, you can select the reports that will be sent to the users’ email address on a daily schedule. The two reports currently available in this schedule are:

  1. Daily Cost by Cloud Accounts: This shows breakup of daily costs incurred by the cloud account.
  2. Template Execution Summary: This report shows the number of templates executed during the day, how many of them were successful and how many failed.

Click on Next icon to move to the next tab within Configuration.

Compliance

Compliance is one of the pillars of good cloud governance. It is vital to configure the requisite settings right at the start to ensure compliance. This section is split into two sections: Governance Rules and Schedules.

Tags

Tags help to organize AWS cloud resources and simplify the billing process by providing the cost of resources by logical groups. Enforced tags are tags whose associated resources are actively monitored; any non-compliance is reported in the Compliance dashboard.

Policies

Here, select the policies that you want to be applicable for your cloud account. There are different types of policies you can select from – Standards, Security, Cost Optimization and Availability.

Security & Compliance

You can select the Compliance Standard from the list of industry-specific standards. Once it is selected, it is automatically configured for the on-boarded subscription and starts executing after the on-boarding is completed.

Inspector: You can select the Inspector option if you have already configured AWS Inspector in your account. CoreStack will fetch all the security issues and list them in the Compliance Dashboard.

Schedules

This section provides rules for scheduling the auto shutdown of the virtual machines associated with the cloud account. The options available are:

| Field | Description |
| --- | --- |
| Shutdown Details | The frequency of the shutdown must be mentioned here. For example, Daily. |
| Shutdown Time | Select the time at which the VM shutdown must be initiated. |
| Restart Time | Select the time at which the VM should get restarted. |
| Applicable Tags | Add tags to specify which VMs should be auto shut down. |

Consumption

This section highlights the settings for VMs specific to this cloud account in the Self Service Catalog. Here you can select the Operating Systems, Preferred Regions and Compute Sizes for VMs.

Fill these fields:

| Field | Description |
| --- | --- |
| Operating System | Select the Operating Systems that will be made available as Self Service catalog options for your CoreStack account. |
| Preferred Region | Provide the list of regions that users are allowed to choose when ordering resources through the Self-Service catalog. |
| Preferred Compute Size | Provide the list of Compute Sizes that users in your account are allowed to choose when creating a Self Service Order. |

Cost

You can configure the budget for this specific cloud account in this section. The budget displayed here is taken into account when computing the cost analytics and is displayed accordingly in the Cost Analytics Dashboard. You can specify the Daily, Weekly and Monthly budget here.

User Defined: Users can define their own budget and enter it manually in the User Defined section.

Auto Calculated: The suggested cost is derived by the system from the usage trends of the account currently under review.

Authorization

This is the last step in the onboarding process. The list of Roles in CoreStack for this Tenant will be displayed. You need to select the Roles that can have access to this cloud account. However, the level of access will depend on the role.

After selecting the roles, you can click on the “Finish” button to complete the process.

Manage Onboarded Accounts

A user can review the details and selections of an onboarded AWS account by navigating to Settings > Cloud Accounts and selecting AWS from the left panel.

Select the account that needs to be reviewed from the list of accounts on the right side. Once you click on it, you will see all the details configured as part of the account onboarding.

All the configurations done during the onboarding can be viewed here. You can also view the status of the onboarding in the bottom left of this page (as shown below).

If you need to modify any of the settings for the cloud account, go back to the accounts list and click on the “more options” icon.

From the available list of options, click on ‘Edit’. You will require the Secret Key for the account to be able to edit the configurations. The wizard is the same as the Add Account sequence above.