This topic guides you to onboard an AWS Linked account into CoreStack.
There are certain prerequisites that need to be set up in your AWS account before it can be onboarded into CoreStack. It primarily involves creating an IAM Role for CoreStack and providing it with necessary access.
You can use IAM roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships between your trusting account and other AWS trusted (CoreStack) accounts. The trusting account owns the resource to be accessed and the trusted account contains the users who need access to the resource.
Note: IAM User (Access Key and Secret Key) based authentication is no longer supported. This is in compliance with the security standards and recommendations prescribed by AWS.
CoreStack uses the AWS Security Token Service (AWS STS) “AssumeRole” API operation. This operation provides temporary security credentials that enable access to AWS resources in your account.
Refer to this link for more information: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
The IAM role must be created with the following access permissions.
CoreStack simplifies this process by providing a CloudFormation Template that takes care of creating an IAM Role and assigning the necessary permissions automatically.
You can use the S3 URLs provided based on the type of access you wish to grant to CoreStack.
You need to copy this information and keep it ready in a notepad so that you can copy and paste it into CoreStack while onboarding. This is the information required to onboard the account into CoreStack.
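As an added illustration (not CoreStack's template or code), the AssumeRole trust relationship described above expressed as a role trust policy that requires the External ID and, optionally, MFA, plus a check that flags an existing trust policy missing those conditions. The trusted account ID and External ID below are constructed placeholders; the real values are shown in CoreStack during onboarding.

```python
# Constructed placeholder values: the real trusted (CoreStack) account ID and
# the External ID are shown in CoreStack during onboarding, not on this page.
TRUSTED_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

def build_trust_policy(trusted_account_id, external_id, require_mfa=False):
    """Trust policy for the role CoreStack assumes: only the trusted account may
    call sts:AssumeRole, and only when it presents the agreed External ID."""
    condition = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:  # mirrors the "MFA Enabled" onboarding option
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }

def trust_policy_findings(policy):
    """Review an existing trust policy and list the weaknesses found."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("AssumeRole is allowed from any AWS principal")
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in string_equals:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings

# Constructed sample of a trust policy that omits the External ID check.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:root"}}],
}

if __name__ == "__main__":
    print(build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID, require_mfa=True))
    print("weak policy findings:", trust_policy_findings(WEAK_POLICY))
```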
Cost and Usage Report (CUR) must be enabled in your AWS account, which allows CoreStack to fetch the billing data from your account. This is required for providing Cost Visibility and Cost Analytics for your accounts. If you already have this enabled, you can skip the steps below and just be ready with the S3 Bucket name where the CUR files are being placed by AWS.
Note: AWS used to provide billing data only at the Management (Payer) Account level. From Dec-2020, AWS provides billing data for Linked Accounts as well. If you have onboarded both your Master and Linked Accounts, CoreStack can directly fetch the billing data from the Management Account for all the linked accounts.
To set up the Cost Usage Report, you should log in to your Master (Payer) AWS account as the “Root User” and complete the following steps:
1) Log in to the AWS Master account as Root User.
2) Navigate to the Billing Dashboard.
3) Select Cost & Usage Reports from the left navigation menu.
4) Click Create report.
Note: If you already have a report configured, you can still review the following steps to ensure that all the settings are configured properly. Use the Edit option to make any changes.
5) Provide the necessary details about the report content in the first step. Ensure that the following two checkboxes are enabled: “Include Resource IDs” and “Automatically refresh…”.
6) Click Next. The screen with Delivery Options appears.
7) Select the following values for the respective fields:
a) Report Path Prefix: optional field. It can be left blank; there is no impact even if a prefix is provided.
b) Time Granularity: Hourly.
c) Report Versioning: Create new report version.
d) Compression Type: GZIP.
8) The S3 Bucket configuration must also be performed in this step:
a) Click Configure.
b) If you already have a bucket with the appropriate permissions, you can select it. Otherwise, select Create a bucket (this is recommended).
c) AWS will take care of creating the new bucket and attaching the necessary policies.
d) Click Next to view the policy to be applied.
e) Enable the “I have confirmed…” checkbox shown below the policy.
f) Click Save to complete the process. The S3 Bucket will be configured successfully.
g) Click Next to proceed to the next step.
9) The last step is to review the provided values and complete the CUR configuration. Ensure that the following values are configured correctly:
a) Time Granularity: Hourly.
b) Report Versioning: Create new report version.
c) Compression Type: GZIP.
10) Click Review and Complete.
The report will be created successfully. You can now continue with onboarding the account to CoreStack. It will take up to 24 hours before AWS places the first report (CSV file in Gzip format) in the S3 bucket. Hence, the cost data will not be available to CoreStack until then.
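The same report settings expressed through the AWS Cost and Usage Report API, as an added example that is not part of this page or of CoreStack's tooling. The report and bucket names are constructed placeholders, and missing_settings() reviews an existing report definition (the kind returned by describe_report_definitions) against the values the steps above require, which is the check to run when a report already exists.

```python
# Constructed placeholder values; the bucket is the one AWS creates in step 8.
REPORT_NAME = "corestack-cur"
S3_BUCKET = "example-cur-bucket"
S3_REGION = "us-east-1"

# The settings the steps above require, as AWS Cost and Usage Report API fields.
REQUIRED_SETTINGS = {
    "TimeUnit": "HOURLY",                     # Time Granularity: Hourly
    "Compression": "GZIP",                    # Compression Type: GZIP
    "ReportVersioning": "CREATE_NEW_REPORT",  # Report Versioning: Create new report version
    "RefreshClosedReports": True,             # "Automatically refresh..." checkbox
}

def build_report_definition(report_name, bucket, region, prefix=""):
    """Report definition matching the console steps, in the shape accepted by
    boto3's cur.put_report_definition(ReportDefinition=...). The bucket and
    its bucket policy must already exist when calling the API directly."""
    definition = {
        "ReportName": report_name,
        "Format": "textORcsv",                      # CSV file, gzip-compressed
        "AdditionalSchemaElements": ["RESOURCES"],  # "Include Resource IDs" checkbox
        "S3Bucket": bucket,
        "S3Prefix": prefix,                         # Report Path Prefix (optional)
        "S3Region": region,
    }
    definition.update(REQUIRED_SETTINGS)
    return definition

def missing_settings(definition):
    """Review an existing definition (an item from cur.describe_report_definitions())
    and list every setting that differs from what the steps above require."""
    problems = []
    for key, wanted in REQUIRED_SETTINGS.items():
        found = definition.get(key)
        if found != wanted:
            problems.append(f"{key}: expected {wanted!r}, found {found!r}")
    if "RESOURCES" not in definition.get("AdditionalSchemaElements", []):
        problems.append("AdditionalSchemaElements: resource IDs are not included")
    return problems

# Constructed sample of a pre-existing report with daily, ZIP-compressed delivery.
EXISTING_REPORT = {
    "ReportName": "legacy-report", "TimeUnit": "DAILY", "Format": "textORcsv",
    "Compression": "ZIP", "AdditionalSchemaElements": [], "S3Bucket": S3_BUCKET,
    "S3Prefix": "", "S3Region": S3_REGION, "RefreshClosedReports": True,
    "ReportVersioning": "CREATE_NEW_REPORT",
}

if __name__ == "__main__":
    for problem in missing_settings(EXISTING_REPORT):
        print("fix:", problem)
```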
It is mandatory to configure cost allocation tags in order to process the cost data.
To set up Cost Allocation Tags, perform the following steps:
The recommended tags to be activated are: Application, Environment, Cost Center, Owner. You can also choose to add additional tags as per your requirement.
Since the access is read-only, CoreStack does not create or configure any resources in your AWS account. There is absolutely no resource or billing impact in this case.
Note: If you enabled the Cost & Usage Report specifically for CoreStack, the S3 Bucket will incur some minimal cost based on the size of the usage reports placed by AWS. If you enabled the AWS Cost Explorer API to be used by CoreStack for faster cost data retrieval, additional cost will be incurred based on the API requests initiated; approximately, each request incurs a cost of $0.01. Refer to the AWS Cost Explorer API pricing page for more details.
The following resources will be created based on your selection during onboarding:
1) Cloud Trail: CoreStack requires a cloud trail to be available in each of your preferred AWS regions. You may select an existing trail to be used or choose the option to create a new trail. Such new trails may attract additional charges. (Note: If the trail created is the first trail in the account, it is free of cost. If it is an additional trail, it may involve charges.)
2) S3 Buckets: As part of the Cloud Trail configuration, S3 buckets are also created in the respective AWS regions to collect the logs.
a) If you chose to use an existing trail, no new buckets are created.
b) If you chose to create a new trail, the corresponding S3 Bucket will be created and there will be an associated charge.
3) CloudWatch Alarms will be created for selected metrics for the various resource types supported by CoreStack. After onboarding, you will see the list of metrics for each resource type for which you can define monitoring thresholds and alerts.
There could be additional charges based on the configuration done for your accounts after onboarding:
Case-1: An existing trail is configured for CoreStack. Charges apply for the S3 Bucket where the Cloud Trail logs are stored; this is usually very minimal.
Case-2: There are other trails that were created before or after onboarding your account to CoreStack. Charges apply for the S3 Bucket where the Cloud Trail logs are stored, plus management event charges for the second trail at the rate of $2.00 per 100,000 events.
These services are used only for the Assessment + Governance access type, and it is optional for the user to enable them. If enabled, the relevant charges will apply.
The following steps need to be performed to onboard an AWS account.
1) Click the Add New button in the CoreStack dashboard and select Single Account.
2) Click Start Now. The onboarding screen appears.
3) Select the AWS option in the Public Cloud field.
4) Click the Get Started button.
5) Select the required option in the Access Type field. The options are: Assessment and Assessment + Governance.
6) Select the Linked Account option in the Account Type field.
7) Select the required option in the AWS Environment field. The options are: AWS Standard and AWS Gov Cloud.
8) Select the required option in the Authentication Protocol field. The options are: Assume Role and Access Key.
9) Click Next.
10) Provide the necessary details (Amazon Resource Name (ARN), External ID, and MFA Enabled; or Access Key and Secret Key), explained in the Pre-onboarding section, based on the option selected in the Authentication Protocol field.
Note: For MFA Enabled field, select True or False based on whether your account is restricted with Multi-Factor Authentication.
11) Click the Validate button.
12) The Advanced Settings section will be displayed with additional fields (Name, Master Account, Cost Report Access, S3 Bucket URI, Preferred Regions, and Scope).
13) Modify the prepopulated name of the account in the Name field, if required.
14) Select the associated AWS Master Account in the Master Account dropdown list. This field is displayed only while onboarding an AWS Linked Account.
15) Select the required option in the Cost Report Access field. The options are: Master Account, Delegated Account, Current Account and None. (Note: The S3 Buckets and Cost & Usage Reports must be configured, as explained in the Pre-onboarding section, in the AWS accounts associated with this selection.)
a) Master Account: The cost reports are gathered in the associated AWS Master Account and used by CoreStack. S3 Buckets and Cost & Usage Reports must be configured in that AWS Master Account. The S3 Bucket URI field is not available for this selection.
b) Delegated Account: The cost reports are gathered in any one of your AWS Accounts and used by CoreStack. S3 Buckets and Cost & Usage Reports must be configured in that AWS Account. Specify the URL of the S3 Bucket in the S3 Bucket URI field.
c) Current Account: The cost reports are gathered in the AWS Account that is being onboarded and used by CoreStack. S3 Buckets and Cost & Usage Reports must be configured in the AWS Linked Account being onboarded. Specify the name of the S3 Bucket in the S3 Bucket URI field.
d) None: Use this option if you do not want to use the cost data of your AWS Linked Account. The S3 Bucket URI field is not available for this selection.
16) Specify the required S3 Bucket details, as explained above, in the S3 Bucket URI field.
17) Select the required regions in the Preferred Regions dropdown list. Multiple regions can be selected.
18) Select the required option in the Scope field. The options are: Account, Private, and Tenant.
19) Click the I’m Done button.
The AWS Account will be onboarded successfully into CoreStack. Relevant insights and information about the resources available in the account will be populated under each cloud governance pillar in CoreStack.