On-boarding

On-boarding (Add your Cloud Accounts to CoreStack) 

It only takes 5 mins to on-board your cloud account into CoreStack, provided the pre-requisites are taken care of. Please review the Pre-Onboarding section above to ensure you have the necessary preparation done in your cloud accounts.

You can follow the simple guided workflow for the onboarding process for both AWS Accounts and Azure Subscriptions. Please keep the relevant info, such as the IAM Role, App ID, Secret Key etc., handy when you onboard the accounts.

To start on-boarding your cloud account:

Step-1: Choose Single Vs Bulk Upload 

  1. Open the Account Governance Dashboard, click on “Add New” and get started. 
  2. Choose “Single Account” for normal on-boarding of a single cloud account. This process is simple and will be done using a guided workflow in the UI. 
  3. You can choose “Multiple Accounts” if you would like to use an XL or CSV file upload to onboard multiple accounts in one go. 

Step-2: Select which Cloud 

  1. Choose a Cloud to get started (AWS, Azure) 
  2. Click on Get Started to proceed to the next step. 

Step-3: Account & Access Type selections 

  1. Choose the Access Type: “Assessment” or “Assessment + Governance” 
    1. With Assessment, you will be providing read-only access to CoreStack and you will get an assessment of your cloud account across the 5 OSCAR Governance Pillars. You will also view the recommendations, assessment report and analytical reports. 
    2. With Assessment + Governance, you will be providing read-write access to CoreStack to enable the system to configure monitoring alerts, activity notifications, define policies in your account, apply tags, apply resource locks etc. If you need to go beyond just the assessment of violations and take remediation actions and perform automations using CoreStack, you must choose this option. 
  2. Choose Account Type 
    1. For AWS: Choose between Master Account or Linked Account. This is based on whether the account being onboarded is a Master / Payer / Management / Parent account or it is a Linked / Member / Child account. 
    2. For Azure: This selection is not applicable 
  3. Choose Account Environment 
    1. For AWS: Choose “AWS Standard”, which is the most common selection, if you have a normal account. If you have a GovCloud account, choose “AWS Gov Cloud”.
    2. For Azure: Choose “Azure Global”, which is the most common selection, if you have a normal Azure subscription. If you have a China based subscription, you can choose “Azure China”, or if you have a Government account, choose “Azure Government”.
  4. Choose Authentication Protocol 
    1. For AWS: Choose only “Assume Role”, which is the protocol recommended by AWS. The Access Key protocol will soon be deprecated. The access key option is provided only to enable editing of existing accounts.
    2. For Azure: This selection is not applicable 
  5. Choose Currency 
    1. For AWS: This is defaulted to USD. The selection is not required since AWS always provides billing data in USD by default. 
    2. For Azure: You can choose from the available list of supported currencies, including USD, EUR, INR, DKK, CAD etc. Azure provides billing data in various currencies and hence this selection is critical. Please note that this selection cannot be modified. To change the currency, you will have to delete the cloud account and re-onboard it.

Step-4: Authentication to your account 

  1. For AWS: Provide the following values 
    1. ARN: Enter the ARN of the IAM Role associated with the AWS account. Refer to the Pre-Requisites section to know how to fetch this value.
    2. External ID: Enter the External Id configured in the IAM Role. This is unique for your organisation and you would have received this value from the CoreStack Support team. Refer to the Pre-Requisites section to know how to fetch this value.
    3. MFA Enabled: Select True or False based on whether your account is restricted with Multi Factor Authentication. 
    4. Cost Report: Choose “Standard” or “Athena” based on how your cost reports are configured. The default option is Standard where your cost reports are placed as a CSV file in an S3 bucket. 
  2. For Azure: Provide the following values. You must have captured these details as part of your pre-onboarding steps. 
    1. Tenant ID 
    2. Application ID 
    3. Application Secret 
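
A pre-flight check for the Step-4 AWS values, added here as an example and not CoreStack's own code: it confirms that the role ARN's partition matches the Account Environment chosen in Step-3 and that the role's trust policy requires the External ID you are about to enter. The account IDs, role name, External ID and the function name preflight are constructed placeholders, and the trust policy is assumed to use a StringEquals condition on sts:ExternalId.

```python
import json
import re

# Partition expected for each AWS "Account Environment" choice in Step-3.
PARTITIONS = {"AWS Standard": "aws", "AWS Gov Cloud": "aws-us-gov"}
ROLE_ARN = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):role/([\w+=,.@/-]+)$")

def as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def preflight(role_arn, external_id, environment, trust_policy):
    """Return a list of findings; an empty list means the inputs are consistent."""
    match = ROLE_ARN.match(role_arn)
    if not match:
        return ["ARN is not an IAM role ARN"]
    findings = []
    if match.group(1) != PARTITIONS[environment]:
        findings.append("ARN partition does not match the selected environment")
    allows = [s for s in as_list(trust_policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in as_list(s.get("Action", []))]
    if not allows:
        findings.append("trust policy has no Allow statement for sts:AssumeRole")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("trust policy allows any AWS principal")
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is None:
            findings.append("trust policy does not require sts:ExternalId")
        elif external_id not in as_list(expected):
            findings.append("External ID differs from the one in the trust policy")
    return findings

# Constructed sample: 111122223333 and 999988887777 are placeholder account IDs.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
""")

if __name__ == "__main__":
    print(preflight("arn:aws:iam::111122223333:role/ExampleOnboardingRole",
                    "example-external-id", "AWS Standard", SAMPLE_POLICY))
```

A role whose trust policy lacks the sts:ExternalId condition can be assumed by the trusted account on behalf of any of its customers, which is the confused-deputy case the External ID exists to prevent.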

Step-5: Validate 

This step validates the authentication provided for the cloud account. The AWS Role or Azure App credentials are checked and, if they are valid, some key information required for the account is requested.

  1. For AWS: The following details are captured 
    1. Name: This is a friendly name for your onboarded account to help you identify this. It is recommended to have a Naming Convention that includes Cloud-Environment-Workload/Team relevant to the account. By default, it will have a name with AWS_Account-id (e.g. AWS_5423472340) 
    2. Master Account: This field is required for Linked / Member accounts. You can choose from a dropdown of available list of AWS Master / Management accounts. Please note that Master Accounts must be onboarded ahead of Linked/Member accounts to be available for listing here. 
    3. Preferred Regions: You can choose multiple regions from the list of all AWS Regions. This is required to restrict access and assessment configurations to the specific regions. Any activities in other regions will be considered as a violation. 
    4. Scope: Choose either “Tenant” or “Private”. Tenant implies that the cloud account will be accessible by everyone in the specific CoreStack Tenant who have similar roles. Private implies that the account can be accessed only by the user who onboarded it.
  2. For Azure: The following details are captured
    1. Name: This is a friendly name for your onboarded subscription to help you identify this. It is recommended to have a Naming Convention that includes Cloud-Environment-Workload/Team relevant to the account. By default, it will have a name with the Azure Subscription Name.
    2. Subscription: Choose the subscription from the dropdown. There could be one or more subscriptions based on the Azure Tenant and the access available for the Application.
    3. Subscription Type: Choose the subscription type from the dropdown. It could be one of Azure CSP-Direct, Pay As You Go, Enterprise, Azure Plan Cost. Pay As You Go is the most commonly used type. Check your Subscription in Azure Portal if you are not sure.
    4. Scope: Choose either “Tenant” or “Private”. Tenant implies that the cloud account will be accessible by everyone in the specific CoreStack Tenant who have similar roles. Private implies that the account can be accessed only by the user who onboarded it.

Note: The check for whether the required access permissions are available for the on-boarded account will be performed after onboarding. You will be able to see this status as part of “View Settings” for the account and can also correct the permissions from your cloud portal if required.