AWS Quickstart Guide


Looking for a comprehensive guide for AWS deployment? See the AWS Deployment Guide (requires login; learn more here).

This guide is designed to walk you through the quickest way to configure cloudtamer.io, so you can start seeing the benefits of cloud governance for yourself. For the sake of brevity, we are assuming you have already installed cloudtamer.io in your environment. 

Our application supports a wide range of configurations and customizations, but this guide focuses on the most common setup. If you find yourself with unique requirements, we will point you to other relevant documentation at critical points where alternatives exist along the way.

This guide will show you how to: 

  1. Set up your management account to share billing information with cloudtamer.io 
  2. Establish permission parameters with IAM policies
  3. Create users and groups
  4. Define permissions for users
  5. Build out the basic structural hierarchy of your organization with OUs
  6. Set limits on what users are allowed to do in their accounts
  7. Create a funding source and allocate down funds
  8. Create projects on OUs
  9. Set budget enforcement actions on a project
  10. Attach AWS accounts to projects
  11. Set limits on cloud access with cloud access roles

After you have completed the steps in this guide, users will be able to log in and begin using cloudtamer.io.

1. Set Up AWS to Share Billing Data With cloudtamer.io

In order for cloudtamer.io to interpret and manage your AWS accounts, you must first enable access in AWS and add your AWS management account as the “Billing Source” in the cloudtamer.io application. The process goes as follows:

  1. Create an S3 billing bucket in AWS
  2. Enable monthly reports in AWS
  3. Enable cost and usage reports in AWS
  4. Enable AWS to identify and authorize cloudtamer.io access by adding our IAM role 
  5. Add a “Billing Source” (your AWS management account) to cloudtamer.io

In the steps below, replace any instance of {ACCOUNTNUMBER} with your AWS management account number.

Create an S3 billing bucket in AWS

The S3 billing bucket is what will store the billing data that cloudtamer.io will use. If you already have the monthly billing reports and the cost and usage reports set up, skip ahead to the step “Add the cloudtamer-service-role IAM role.”

  • Log in to the AWS management account.
  • Navigate to the CloudFormation service.
  • Click “Create Stack.”
  • Upload this template: billing-bucket.json.
  • Name the stack: cloudtamer-billing-bucket.
  • Walk through the remainder of the prompts.

To download the .json file, go to the AWS Management Account Setup Guide (requires login; learn more here), scroll to the bottom of the article and download the attached file named "billing-bucket.json."

Enable monthly reports

Enabling monthly reports allows AWS to send its monthly billing data to the S3 bucket we just created. 

  • In your AWS management account, click your username at the top right.
  • Click “My Billing Dashboard.”
  • Click “Billing preferences.”
  • Scroll to the bottom of the page and expand “Detailed Billing Reports [Legacy].”
  • Place a check on “Turn on the legacy Detailed Billing Reports feature to receive ongoing reports of your AWS charges.”
  • Set the bucket name: cloudtamer-{ACCOUNTNUMBER}-hourly. If you are asked to verify the bucket policy, check the box and click “Save.”
  • Select all the reports.
  • Click “Save preferences.”

Enable cost and usage reports

Enabling cost and usage reports allows AWS to send its cost and usage billing data to the S3 bucket we created. 

  • In your AWS management account, click your username at the top right.
  • Click “My Billing Dashboard.”
  • Click “Cost & Usage Reports.”
  • Click “Create report.”
  • Enter in the following fields:
    • Report name: cloudtamer-{ACCOUNTNUMBER}-hourly
    • Check the box: Include resource IDs.
    • Check the box: Automatically refresh your cost & usage report when charges are detected for previous months with closed bills.
    • Click “Next.”
  • Enter in the following fields:
    • S3 Bucket: cloudtamer-{ACCOUNTNUMBER}-hourly. If you are asked to verify the bucket policy, check the box and click “Save.”
    • Report prefix: report.
    • Report versioning: Create new report version.
    • Enable report data integration for: “Amazon Redshift” and “Amazon QuickSight.”
    • Click “Next.”
  • Click “Review and Complete.”
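When the Cost & Usage Reports console asks you to verify the bucket policy (in the steps above and in the monthly-reports steps), it is offering to attach a bucket policy that lets the billing service write into your bucket. The policy below is an added example following the shape AWS documents for Cost and Usage Report delivery; it is not the contents of cloudtamer.io’s billing-bucket.json template, which is not reproduced on this page. The bucket name and the account number 111122223333 are placeholders: substitute your own cloudtamer-{ACCOUNTNUMBER}-hourly bucket and management account number.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCurServiceToReadBucketConfig",
      "Effect": "Allow",
      "Principal": { "Service": "billingreports.amazonaws.com" },
      "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
      "Resource": "arn:aws:s3:::cloudtamer-111122223333-hourly",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333",
          "aws:SourceArn": "arn:aws:cur:us-east-1:111122223333:definition/*"
        }
      }
    },
    {
      "Sid": "AllowCurServiceToWriteReportObjects",
      "Effect": "Allow",
      "Principal": { "Service": "billingreports.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cloudtamer-111122223333-hourly/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333",
          "aws:SourceArn": "arn:aws:cur:us-east-1:111122223333:definition/*"
        }
      }
    }
  ]
}
```

The two Condition blocks are the part worth checking when you review the policy the console proposes. The principal is an AWS service, not your account, so without the aws:SourceAccount and aws:SourceArn conditions any AWS account that created a report definition pointing at your bucket name could have the service write objects into it. The grant the legacy Detailed Billing Reports feature needs uses a different principal and is not shown here.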

Add the "cloudtamer-service-role" IAM role

The IAM role allows cloudtamer.io to access the data in the S3 bucket and create accounts in AWS. In the steps below, we recommend you use the default “full access” .json file as a best practice, but there is a list of alternatives at the end of this section.

  • In your AWS management account, navigate to the CloudFormation service.
  • Click “Create Stack.”
  • Upload this template: billing-role-full-access.json.
  • Name the stack: cloudtamer-service-role.
  • In the AWS Account field, enter the account number of the AWS account where cloudtamer.io is installed.
  • Walk through the remainder of the prompts.

To download the .json file, go to the AWS Management Account Setup Guide (requires login; learn more here), scroll to the bottom of the article and download the attached file named "billing-role-full-access.json."

Add a billing source to cloudtamer.io

This step links cloudtamer.io to your AWS management account so cloudtamer.io can begin reading billing data and operating in AWS. In the steps below replace {ACCOUNTNUMBER} with your AWS management account number. We are assuming you have the “full-access” configuration here.

  • Log in to cloudtamer.io.
  • Click “Accounts” on the left menu.
  • Click “Billing Source.”
  • Click the + button at the top of the page.
  • For Account Type, select: “AWS Commercial.”
  • Fill in the fields:
    • Billing Source Name: AWS Management.
    • AWS Account Number: {ACCOUNTNUMBER}.
    • Billing S3 Bucket Region: us-east-1.
    • Billing S3 Bucket Access Role: (leave this field blank) 
    • AWS Account Number Containing S3 Buckets: {ACCOUNTNUMBER}.
    • Monthly Report S3 Bucket: cloudtamer-{ACCOUNTNUMBER}-hourly.
    • Cost & Usage Report S3 Bucket: {ACCOUNTNUMBER}.
    • Cost & Usage Report Prefix: report.
    • Cost & Usage Report Name: cloudtamer-{ACCOUNTNUMBER}-hourly.
    • Billing Start Date: (set the month (MM) and year (YYYY) when cloudtamer.io will start calculating spend) 
    • Check the box: “This Billing Source supports Account Creation.”
    • Leave “Skip Billing Source validation” unchecked.
    • Click “Create Billing Source.”

2. Import IAM Policies to cloudtamer.io

IAM policies are the permission building blocks you will use to create cloud rules and cloud access roles. cloudtamer.io makes use of native IAM policies within AWS and also allows you to create and manage your own custom policies. In this step we will walk you through importing the policies AWS provides and the process to create your own.

Import AWS managed policies

  • Within cloudtamer.io, go to “Settings.”
  • Click “System Settings.”
  • Click “Managed Policies.”
  • Click button “Load managed AWS IAM policies.”

And that’s it. Once the import completes, you will have access to AWS’s library of pre-established IAM policies.

Create your own AWS IAM policy (optional, as needed)

  • Select “Cloud Management” -> “AWS IAM Policies.”
  • Click +.
  • In the “AWS IAM Policy Name” field, enter a name to identify the AWS IAM policy throughout the application. This field must be unique among AWS IAM policies. We recommend prefixing with your company’s name as a best practice for easy organization.
  • Enter an optional description.
  • In the “AWS IAM Policy” field, enter or paste a valid AWS IAM policy.
  • Click “Format” to align the braces.
  • In the “Owners” drop-down menu, select which users and user groups will have access to modify the policy once it’s created.
  • Click “Create IAM Policy.”

3. Create Users and Groups

We recommend tying cloudtamer.io to an Identity Management System (IDMS) if you have a large number of user accounts to create, but you can add users one by one as well. Attaching an IDMS to cloudtamer.io is a bit of a process, with different requirements depending on what type of IDMS you use. If you are ready to attach your IDMS, hop over to the user guide now and follow the instructions there.

https://support.cloudtamer.io/hc/en-us/articles/360015509531

You’ll want at least one user added in addition to your root account to be able to log in and start using the application, so that’s what we’ll do here.

Add a user

  • Select “Users” -> “All Users.”
  • Click + -> “Create New User.”
  • In the “First Name” field, enter the user’s first name.
  • In the “Last Name” field, enter the user’s last name.
  • In the “Email” field, enter the user’s email. Email addresses do not need to be unique.
  • In the “Username” field, enter the user’s email. Usernames must be unique within the same IDMS. 
  • In the optional “Phone Number” field, you may enter the user’s phone number.
  • In the “Identity Management System” drop-down menu, select “Internal Directory.”
  • In the optional “Enforce MFA” drop-down menu, select an MFA you want the user to be forced to register with on first login. 
  • Click “Create User.”
  • You’ll receive a password for the user after you click the create button. Copy the password and give it to the user in a secure manner. The user will be prompted to change the password on first login.

Add a user group

Creating groups makes it easy to manage teams and users with similar types of access. Rather than managing Users one by one, you can group them and grant access, create permissions, and manage them all from one location.  

  • Select “Users” -> “User Groups.”
  • Click +.
  • In the “Group Name” field, enter a name to identify the group in cloudtamer.io. The group name must be unique.
  • In the optional “Description” field, enter a description.
  • In the optional “Members of the group” drop-down menu, select any users you want to be members of this group.
  • Click “Create User Group.”

4. Defining Permissions for Users

Permission roles define what a user is allowed to do within the cloudtamer.io application. Permission schemes are how those roles apply to objects (OUs, projects, funding sources) within cloudtamer.io. Here we will be naming permission roles and mapping them to default permission schemes within cloudtamer.io.

Add a permission role

  • Select Settings > Permissions.
  • Click the Roles tab.
  • Click +.
  • In the Role Name field, enter a unique name.
  • Click Create Role.

Assign a permission role to a permissions scheme

  • Select Settings > Permissions.
  • Select a permission scheme to edit by clicking the ellipsis menu on the right side of the permission scheme card and selecting Edit.
  • In the drop-down menus, select any roles you would like assigned to the permissions.
  • Click Update Permission Scheme.
  • Repeat this process for every object you want to configure permissions for.

5. Build Organizational Hierarchy with OUs

We separate funding and organize hierarchy within cloudtamer.io using organizational units (OUs). You can apply funding, cloud rules, and permission schemes to OUs. We recommend structuring your organization’s hierarchy around where funds originate.

As a best practice, funding origination points should be created as top-level OUs. In the steps below, you will define an “owner” of the top-level OU. Owners have full access to the OU if you are using the “Default OU Permissions Scheme.”

Add a top-level OU

  • Click “OUs” -> “All OUs.”
  • Click the + icon.
  • Enter an “OU Name” to identify the OU throughout the application. The name must be unique among OUs.
  • In the “Parent OU” field, select “None” to designate this as a top-level OU.
  • In the “Permissions Scheme” drop-down menu, select the “Default OU Permissions Scheme.”
  • In the “Owners” drop-down menus, select at least one user or group that will have permission to manage the OU.
  • Enter an optional description.
  • Click “Create OU.”

Add a child OU

Child OUs are defined as any OU that falls below a top-level OU. Child OUs can hold projects and be used to define funding paths. 

To create a child OU:

  • Click on the ellipsis menu on the OU card or the OU detail screen for the top-level OU we just created.
  • Select “Add New Child OU.” 

The process to add a child OU is the same as adding a top-level OU, but the “Parent OU” field will already be filled in.

6. Set Limits on User Access

Cloud rules limit the services that are accessible by users. These limits ensure your users remain compliant with whichever universal rules you have in place. Cloud Rules will be unique to your organization. They will apply to all users at the level they are placed in the OU hierarchy along with any descendant objects. 

Before creating cloud rules, consider what universal limits you want to place on users, for example “users may not provision resources outside the United States.”

Create a cloud rule

  • Select “Cloud Management” -> “Cloud Rules.”
  • Click +.
  • In the “Cloud Rule Name” field, enter a name to identify the cloud rule throughout the application. This field must be unique among cloud rules.
  • In the optional “AWS IAM Policies” drop-down menu, select any IAM policies you want to apply to all cloud access roles when this cloud rule is applied.
  • In the optional “AWS CloudFormation Templates” drop-down menu, select any CloudFormation template you want to apply to AWS accounts when this cloud rule is applied.
    • CloudFormation templates are ordered so you can drag and drop them in the order you want them to apply.
  • In the “Owners” drop-down menus, select any users and user groups that will have access to modify this cloud rule once it is created.
  • Click “Create Cloud Rule.”
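The following is an added example of the kind of policy you would paste into the “AWS IAM Policy” field in section 2 and then attach through the “AWS IAM Policies” drop-down of a cloud rule; it is not a policy shipped with cloudtamer.io. It implements the sample universal limit mentioned above, “users may not provision resources outside the United States,” as an explicit Deny keyed on the aws:RequestedRegion condition key. The list of four commercial US regions is an assumption about what “United States” should mean for your organization; the GovCloud regions are deliberately omitted.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllActionsOutsideApprovedUSRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2",
            "us-west-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
```

Because an explicit Deny wins over any Allow in the other policies attached to a cloud access role, placing this policy in a cloud rule on an OU constrains every role in every project beneath that OU regardless of what else those roles are granted. AWS evaluates calls to global services such as IAM, STS, CloudFront and Route 53 as us-east-1 for this condition key, so they keep working as long as us-east-1 stays in the list. Test the rule in a non-production project before applying it at the top of the hierarchy, since section 6 notes that a cloud rule is inherited immediately on assignment.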

Assign a cloud rule to an OU

  • Click “OUs” -> “All OUs.”
  • On the OU card where you want to apply the Cloud Rule, click on the OU name.
  • Click the “Cloud Management” tab.
  • Click “Add Existing Cloud Rule.”
  • In the dropdown, select the Cloud Rule created by the steps above.
  • Click “Confirm” to apply the selection.
    • Before you click “Confirm,” be aware that when you add a Cloud Rule to an OU, it is inherited immediately and all items in the Cloud Rule will be applied to all projects attached to the OU and below the OU.

7. Create Funding Source and Allocate Down Funds

To see how funds are utilized, create a funding source and tell the application how to disburse funds. Funding sources represent a single deposit of funds and must be associated with a top-level OU.

After creating a funding source, funds can be disseminated down to destination OUs. The destination OU can be any OU below the source OU in the hierarchy; it does not have to be a direct child, and a single source OU can feed any number of OUs below it.

Add a funding source

  • Click “Financials” -> “All Funding Sources.”
  • Click +.
  • Enter a “Funding Source Name.” This will be used to identify the funding source throughout the application. The name must be unique among funding sources.
  • In the “Amount” field, enter a dollar amount. Up to 2 decimal places are allowed. This can be increased or decreased later.
  • The “Start Date” will always be the first day of the selected month.
    • Once set, this date can only be moved into the past unless there are no projects using the funding source, in which case the date can be moved into the future.
  • In the “End Date” field, select which month is the last month in which the funding source can be used.
    • Once set, this date can only be moved into the future unless there are no projects using the funding source, in which case the date can be moved into the past.
  • In the “Top-Level OU” field, select an OU.
  • In the “Permission Scheme” drop-down menu, select the “Default Funding Source Permissions Scheme” or another custom scheme.
  • In the “Owners” drop-down menus, select at least one user or group that will be able to make changes to the funding source.
  • Enter an optional description.
  • Click “Create Funding Source.”

Allocate funds to a child OU

  • Click “Financials” -> “Allocate Funds.”
  • In the “Source OU” field, select the OU where there are funds available. This will be the source of the funds, typically a top-level OU.
  • In the “Destination OU” field, select the OU where the funds will be transferred. This will be the destination of the funds.
  • Next to each “Funding Source,” enter a dollar amount to allocate into the textbox. You can allocate from multiple funding sources in the same operation.
  • Enter any optional “Allocation Comments.”
  • Click “Apply.”

8. Create Projects and Assign Users and Groups

Projects provide the most granular level of organization in cloudtamer.io. Permissions are organized at the project level so, although we support multi-account projects, we recommend a 1:1 ratio between projects and individual cloud accounts for maximum flexibility and control. 

Add a new project

  • Click “Projects” -> “All Projects.”
  • Click +.
  • Enter a “Project Name” to identify the Project throughout the application. This name must be unique among projects.
  • In the “OU” field, select an OU.
  • In the “Permission Scheme” drop-down menu, select the “Default OU Permissions Scheme” or another custom scheme.
  • In the “Owners” drop-down menus, select at least one user or group.
  • Enter an optional description.
  • In the “Project Spend Plan” section, click “Add Funding Source.”
  • In the “Select a funding source” drop-down menu, select the funding source that the project will use.
  • In the “Months Applied” field, select the start and end months during which the project can use the funding source. Funding sources can only be set on month boundaries since cloud accounts generally finalize spend once a month.
  • In the “Planned Amount” field, enter the dollar amount available to the project.
  • Click “Create Project.”

9. Set Budget Enforcement Actions on Project

Budget enforcement actions are one of the most empowering features of cloudtamer.io. Enforcement actions are what make it possible to control how much money each of your cloud accounts spends. You can set enforcement actions at the funding source level, but we recommend setting them at the project level for more control. You can set triggers to terminate spending when significant events occur and customize who is notified when these events are triggered.

Create a budget enforcement action

  • Go into a project and select the “Enforcements” tab.
  • Click “Add New.”
  • Under “Triggers”: set the timespan, choose “greater than” or “remaining,” and then enter a dollar amount. 
  • Under “Events”: select an optional cloud rule to apply, then set the overburn option (places an icon flag on your project that states “overburning” but does not take any action) and/or the terminate option (kills services that are accruing cost; not recommended for production). All of these settings are optional.
  • Under “Notifications”: select users or groups that will be notified when actions are triggered.
  • Click “Save.”

10. Attach AWS Accounts to cloudtamer.io Projects

Now we can link the projects you’ve created to existing individual AWS accounts. 

Attach an AWS commercial account to a project

  • Go into a project and select the “Accounts” tab.
  • Click the ellipsis menu and select “Add External.”
  • In the “Account Type” field, select “AWS Commercial.”
  • In the “Account Number” field, enter the AWS account number of the account you want to attach to the project. Cloud accounts can be added to one and only one project.
  • Once you click on the “Account Name” field, you’ll receive a prompt to download the CloudFormation template. This template must be applied manually via CloudFormation in the AWS account prior to completing the remaining steps. This CloudFormation template creates an AWS IAM role with a trust policy that allows the AWS account where cloudtamer.io is running to call sts:AssumeRole on a named cloudtamer-service-role. If this CloudFormation or IAM role is removed from the AWS account, cloudtamer.io will not be able to manage the account anymore.
  • In the “Account Name” field, enter a name to identify the AWS account inside the application.
  • In the “Billing Source” field, select the management AWS account that manages the AWS account you want to add. This is how cloudtamer.io knows where to find the billing data for the AWS account.
  • Leave the “Linked Role” field as OrganizationAccountAccessRole unless you changed the organization role during initial AWS account creation.
  • Leave the “Skip Account Access Checking” box unchecked.
  • Click “Connect.”
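The CloudFormation template downloaded in the “Account Name” step is not reproduced on this page. As an added example, not the project’s own template, the trust policy below shows the shape of what that step describes: a role in the attached AWS account that the cloudtamer.io account may assume. It assumes cloudtamer.io is installed in account 111122223333 (a placeholder) and, as a tightening the page does not state, that the trusted principal is the cloudtamer-service-role in that account rather than the whole account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustOnlyTheCloudtamerServiceRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/cloudtamer-service-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

This role is the entire foothold cloudtamer.io has in the attached account, so it is worth reviewing the trust policy in the IAM console after the stack deploys: the only principal listed should belong to the account where cloudtamer.io runs. In the attached account’s CloudTrail, AssumeRole events on this role whose caller is that account are expected; the same event from any other account is a finding. As the step above notes, deleting the stack or the role removes cloudtamer.io’s ability to manage the account.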

11. Create Cloud Access Roles for Users

We’re in the home stretch. The last step before users can log in and begin using cloudtamer.io is to create cloud access roles for users. These allow users to access the AWS console or provision AWS API access keys.

Create a cloud access role in a project

  • Go into a project and select the “Cloud Management” tab.
  • Click the “Cloud Access Roles” tab.
  • Click “Add.”
  • In the “Cloud Access Role Name” field, enter a name to identify it on the project.
  • In the “Users” and “User Groups” drop-down menus, select the users and groups that will have access to use this role to log in to the AWS console or generate temporary access keys (if enabled in global settings).
  • In the “AWS IAM Role” field, enter the name of the AWS IAM role that will be created in the AWS accounts attached to the project. This is the name of the role that will display in the top right of the AWS console. It will display as: rolename/username.
  • In the “AWS IAM Policies” drop-down menu, select any AWS IAM policies you would like to associate to this role.
  • Click “Create Cloud Access Role.”

Now that you’ve finished this quick configuration, users can log in and start using cloudtamer.io.
