AWS Onboarding Prerequisites

Prerequisites

Before onboarding an AWS account into CoreStack for Governance, the following permissions must be provided in your AWS account.

ec2 – Full Access

ecs – Full Access

cloudtrail – Full Access

s3

Get – Full Access

List – Full Access

Create – Bucket

Head – Bucket

Put 

  • Object
  • BucketTagging
  • BucketPolicy
  • ObjectTagging
  • EncryptionConfiguration
  • BucketAcl

Delete

  • Object
  • Bucket

CloudWatch

Describe – Full Access

Get – Full Access

List – Full Access

Put – MetricAlarm

Delete – Alarms

IAM

Get 

  • Role
  • RolePolicy
  • AccessKeyLastUsed
  • CredentialReport

Update 

  • AssumeRolePolicy
  • RoleDescription
  • Role

Pass – Role

List

  • Roles
  • RolePolicies
  • GroupsForUser
  • AttachedUserPolicies
  • Users
  • AccessKeys

Create

  • Role
  • User
  • AccessKey
  • LoginProfile

Delete

  • Role
  • AccessKey
  • RolePolicy
  • User
  • LoginProfile

Put – RolePolicy

Generate – CredentialReport

Attach – UserPolicy

Remove – UserFromGroup

Add – UserToGroup

Detach – UserPolicy
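
The list above can be turned into something reviewable. The Python below is an added example, not CoreStack's own tooling: it transcribes the list into IAM action names and reports which of them a policy you plan to attach does not cover. It assumes "Full Access" means a wildcard, that every other entry maps mechanically to service:VerbNoun (so "Head – Bucket" becomes s3:HeadBucket, which may not be a valid IAM action name and should be checked in the IAM policy editor), and that Resource is "*" because the page gives no resource scoping; REQUIRED, covers, missing_actions and build_policy are names chosen for this example.

```python
import json
import re

# The page's shorthand, transcribed. Assumptions: "Full Access" is a wildcard;
# every other entry becomes service:VerbNoun mechanically (not validated).
REQUIRED = {
    "ec2": {"": ["*"]}, "ecs": {"": ["*"]}, "cloudtrail": {"": ["*"]},
    "s3": {"Get": ["*"], "List": ["*"], "Create": ["Bucket"], "Head": ["Bucket"],
           "Put": ["Object", "BucketTagging", "BucketPolicy", "ObjectTagging",
                   "EncryptionConfiguration", "BucketAcl"],
           "Delete": ["Object", "Bucket"]},
    "cloudwatch": {"Describe": ["*"], "Get": ["*"], "List": ["*"],
                   "Put": ["MetricAlarm"], "Delete": ["Alarms"]},
    "iam": {"Get": ["Role", "RolePolicy", "AccessKeyLastUsed", "CredentialReport"],
            "Update": ["AssumeRolePolicy", "RoleDescription", "Role"],
            "Pass": ["Role"],
            "List": ["Roles", "RolePolicies", "GroupsForUser",
                     "AttachedUserPolicies", "Users", "AccessKeys"],
            "Create": ["Role", "User", "AccessKey", "LoginProfile"],
            "Delete": ["Role", "AccessKey", "RolePolicy", "User", "LoginProfile"],
            "Put": ["RolePolicy"], "Generate": ["CredentialReport"],
            "Attach": ["UserPolicy"], "Remove": ["UserFromGroup"],
            "Add": ["UserToGroup"], "Detach": ["UserPolicy"]},
}

def required_actions():
    """Flatten REQUIRED into sorted IAM action patterns such as 's3:Get*'."""
    return sorted(f"{svc}:{verb}{noun}" for svc, verbs in REQUIRED.items()
                  for verb, nouns in verbs.items() for noun in nouns)

def covers(granted, required):
    """True if pattern `granted` allows everything pattern `required` can name."""
    # '*' may absorb a literal '*' in `required`; '?' may not, since it is one char.
    rx = "".join(".*" if c == "*" else "[^*]" if c == "?" else re.escape(c)
                 for c in granted.lower())
    return re.fullmatch(rx, required.lower()) is not None

def missing_actions(policy):
    """Required actions that no Allow statement in `policy` covers."""
    stmts = policy.get("Statement", [])
    granted = []
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            granted += [act] if isinstance(act, str) else act
    return [r for r in required_actions() if not any(covers(g, r) for g in granted)]

def build_policy():
    """Policy document for the list; Resource '*' is an assumption, not from the page."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": required_actions(), "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```

Running the file prints the policy document; `missing_actions()` accepts any policy loaded with `json.load` and returns an empty list when every listed permission is covered.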

To generate the Cost and Usage Report in CoreStack for your AWS account, the following must be in place in the AWS account.

  • Root User should be provided.
  • Reports should be enabled (by navigating to Services -> Billing -> Enable Reports) and the Time Unit option should be set to Hourly.
  • Cost allocation tags should be Active.
  • S3 bucket name should be provided.

Activating Cost Allocation Tags

To activate cost allocation tags for CoreStack, perform the following steps in your AWS account.

  1. Select Cost Allocation Tags.
  2. Click the Activate button.

Enabling and Configuring Reports

To enable Reports for CoreStack, perform the following steps in your AWS account.

  1. Select Reports.
  2. Click the Create report button.
  3. Provide a name for the report in the Step 1: Select Content screen.
  4. Select the Hourly option in the Time Unit field.
  5. Enable the Resource IDs checkbox in the Include field.
  6. Select the checkbox in the Data Refresh Settings field.
  7. Click the Next button.
  8. Provide the S3 bucket name in the Step 2: Select Delivery Options screen.
  9. Provide the prefix in the Report Path Prefix field.
  10. Select the ZIP option in the Compression dropdown list.
  11. Click the Next button.
  12. Review the report details in the Step 3: Review screen.
  13. Click the Review and Complete button.

Other Requirements

  1. S3 Bucket for Cost and Usage Reports (CUR): CoreStack requires the name of the S3 bucket in which the CUR files are placed. It is used to fetch usage information from your AWS account and provide Cost Analytics and Governance. It is required only for Master (Payer) accounts.
  2. CloudTrail in all Regions: While onboarding the account, CoreStack automatically creates CloudTrail trails for all AWS regions, which is required to track usage in every region, including inadvertent usage. CoreStack does not overwrite or reuse any existing trails. It creates a new trail with a webhook configured to push the activities to CoreStack. These trails are automatically removed if you later decide to remove the account from CoreStack.
    • S3 Bucket in all Regions: As part of the CloudTrail configuration, S3 buckets are also created in all AWS regions for collecting the logs. These buckets are also automatically removed if you later decide to remove the account from CoreStack.