How to onboard an AWS Account to Yotascale
Prerequisites:
User must have AWS admin rights in each account to be added to Yotascale
Steps to complete:
Step 1: Enable Cost Reports (5 minutes - AWS Console)
Step 2: Configure Access Rights - IAM Policy Configuration (10 minutes - AWS Console)
Step 4: Onboarding the Consolidated Billing Account to Yotascale Software (10 minutes - Yotascale software & AWS Console)
Step 5: Onboarding Linked Accounts to Yotascale Software (10 minutes each - Yotascale software & AWS Console)
Step 1: Enable Cost Reports
Note: You may skip this step if you already have your AWS Cost & Usage Report (CUR) configured to go to an S3 bucket and have enabled billing tags.
1. Enable Cost Allocation Tags
Sign in to the AWS Management Console and navigate to the AWS Billing Dashboard.
Navigate to Cost allocation tags.
Select Activate on AWS-Generated Cost Allocation Tags.
Select any tags you want to activate for your report in User-Defined Cost Allocation Tags.
Select Activate.
2. Enable Cost & Usage Reports
You can view the guide from AWS here. Specific recommendations follow.
Sign in to the AWS Management Console and navigate to the AWS Billing Dashboard.
In the navigation pane, select Cost & Usage Reports.
Select Create Report.
Enter a name for your report.
Select the checkbox to Include resource IDs.
Select Next.
Select an S3 Bucket.
Report path prefix is not required but is supported. Review the AWS guide for more information here.
Select Hourly time granularity.
The rest of the defaults are set, select Next.
Review your settings, select Review and Complete. It can take up to 24 hours for AWS to start delivering your billing data to S3. Files are updated at least once a day.
Step 2: Configure Access Rights
The Yotascale software supports role-based authentication into AWS. Role-based authentication is the suggested method of authentication by AWS and is described below. The preferred way to create these access rights is to run a CloudFormation stack that creates the role, associated policies, and provisions these rights. Alternatively, one can use the AWS IAM console and create the policies manually based on the policies at the end of this manual.
Option 1: AWS CloudFormation Setup - Consolidated Billing Account (recommended)
Log in to the Yotascale console, you should have received an email to set your Yotascale password. Reach out to support@yotascale.com if you haven't received the email.
Once logged in, click on your initials in the upper right-hand corner of the screen and then select “Manage Connections” to get started adding your AWS Consolidated Billing account to Yotascale.
Click the “Add Account” button, after which a pop-up window for AWS information will appear.
You may use the External ID presented here as an input parameter for the CloudFormation template or you can enter your own custom External ID in the next step.
Launch the CloudFormation stack in the Consolidated Billing account by clicking this link.
Template URL: https://yotascale-onboarding.s3.amazonaws.com/YotascaleManagement.yaml
It's also available for download and review here.
Additional parameters are required for the CloudFormation stack when configuring the Consolidated Billing account:
Enter the External ID copied from the Yotascale console or enter your own custom ID.
Enter the name of the billing bucket where the CUR files are stored
Set the flag for the Tag write policy in order for Yotascale to create, update, delete tag keys and tag key values.
Set the flag for the RI purchase policy in order for Yotascale to execute the RI purchase based on the recommendation provided.
Deploy the stack and then review the CloudFormation output
Copy the ‘AssumeRoleArn’ key’s value from the CloudFormation output
Copy the ‘ExternalId’ key’s value from the Cloudformation output.
Return to the Yotascale console, and under managed connection click the ‘Add Account’ button if the pop-up window is not still open.
Paste the copied External ID
Enter an Account name to be associated.
Paste the copied Role ARN
Select if you are connecting to the Payer or linked account.
Click Finish.
Add as many of your Linked Accounts as possible to Yotascale to receive utilization-based optimization recommendations and to enable tagging resources at the Linked Account level.
Follow the same steps as above to add linked accounts.
You can add Linked accounts by launching the linked account specific CloudFormation template at each Linked Account in AWS.
The same External ID can be used as previously on a new ID can be created or used for each linked account.
Option 2:AWS IAM policy Configuration Setup
Navigate to the AWS IAM console.
Create an IAM Policy in each account you will be onboarding to the Yotascale software for monitoring. The Yotascale software uses READ-ONLY access for all but two use cases: Tagging and RI purchasing. These can be deactivated and core Yotascale software functionality will remain.
Consolidated Billing Policy
Allows access to Billing files, Organization metadata, RI purchasing, Resource tagging & metadata, and CloudWatch metricsLinked Account Policy
Allows access to RI purchasing, Resource tagging & metadata, and CloudWatch metrics
Manually Onboarding AWS Accounts in the Yotascale Software
Providing Yotascale Software Access with an IAM Role
This is done for every account you want to provide access to the Yotascale software.
Log in to the Yotascale software and click on your initials in the upper right-hand corner.
Select Manage Connections
Select IAM Role Auth.
Note the Yotascale Account ID: 819983868943
Note the External ID. This is a random alphanumeric ID that we will associate to the AWS Role when we create it.
Navigate to the AWS IAM Console
Create an IAM Role in AWS
Select Another AWS account
Enter the Yotascale Account ID: 819983868943
Enable the "Require external ID..." option.
Enter the External ID generated by the Yotascale console.
Select Next: Permissions.
Select the previously created policy.
Select Next: Tags.
Assign a Role name and description.
Confirm the configuration and select Create role.
Note: Creating a Role to Delegate Permissions to an IAM User AWS documentation.
Return to the Yotascale software console.
If you are adding the Consolidated Billing account, select Cost and Usage Report, and then choose the Report Name from the drop-down. For Linked Accounts, select Detailed Billing Report.
Select Next.
The Yotascale software validates the policy permissions have been granted. You should get Allowed for all permissions but it is okay to get ‘Undetermined’ against Add/Delete tags if you don't have those resources in use in AWS. Select Finish when you are done reviewing the permissions status.
Once the account is added, it will appear in the account list as shown in the figure below. This means the account was added successfully.
Note: The Yotascale software initially pulls in as much as 6 months of historic data. This ingest can take up to 48 hours to transfer, analyze, and display your data.
Appendix A: AWS Policies for Yotascale Software Access
There are two policies listed below. One for the Consolidated BIlling Account (mandatory) and another that is to be used for any Linked Accounts you are adding. Adding Linked Accounts is highly recommended as it provides inventory and utilization data that allows the Yotascale software to find the optimal recommendations and configurations for your cloud deployment. Ensure that the following policy is attached to the IAM Role that you would like to use with the Yotascale software. Don’t forget to replace "YOUR-CUR-BILLING-BUCKET" with your actual CUR billing bucket’s name for the Consolidated Billing Account Policy discussed in the Prerequisites.
Consolidated Billing Account Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1454926263000",
"Effect": "Allow",
"Action": [
"autoscaling:Describe*",
"budgets:ViewBudget",
"ce:DescribeReport",
"cloudtrail:Describe*",
"cloudtrail:List*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData",
"cloudwatch:ListMetrics",
"dynamodb:Describe*",
"dynamodb:List*",
"ec2:Describe*",
"ecr:Describe*",
"ecr:List*",
"ecs:Describe*",
"ecs:List*",
"eks:Describe*",
"eks:List*",
"elasticache:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"glacier:Describe*",
"glacier:List*",
"kinesis:Describe*",
"kinesis:List*",
"lambda:List*",
"logs:DescribeLogGroups",
"logs:DescribeQueries",
"logs:GetLogGroupFields",
"logs:GetQueryResults",
"logs:StartQuery",
"logs:StopQuery",
"rds:Describe*",
"rds:ListTagsForResource",
"redshift:Describe*",
"route53:Get*",
"route53:List*",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:GetBucketTagging",
"sns:Get*",
"sns:List*",
"sqs:Get*",
"sqs:List*",
"trustedadvisor:Describe*",
"workspaces:Describe*",
"savingsplans:DescribeSavingsPlans",
"support:DescribeTrustedAdvisorChecks",
"support:DescribeTrustedAdvisorCheckResult"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1454926263005",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetAccelerateConfiguration"
],
"Resource": [
"arn:aws:s3:::YOUR-CUR-BILLING-BUCKET/*",
"arn:aws:s3:::YOUR-CUR-BILLING-BUCKET"
]
},
{
"Sid": "Stmt1454926263003",
"Effect": "Allow",
"Action": [
"organizations:List*",
"organizations:Describe*",
"ce:Get*",
"cur:Describe*"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1454926263002",
"Effect": "Allow",
"Action": [
"ec2:*Tags*",
"autoscaling:*Tags*",
"rds:*Tags*",
"redshift:*Tags*",
"s3:*Tagging*",
"elasticache:*Tags*",
"elasticloadbalancing:*Tags*",
"cloudtrail:*Tags*",
"elasticmapreduce:*Tags*",
"glacier:*Tags*",
"kinesis:*Tags*",
"route53:*Tags*",
"workspaces:*Tags*",
"dynamodb:TagResource",
"dynamodb:UntagResource",
"lambda:TagResource",
"lambda:UntagResource"
],
"Resource": [
"*"
]
}
]
}
Linked Account Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1454926263000",
"Effect": "Allow",
"Action": [
"autoscaling:Describe*",
"budgets:ViewBudget",
"ce:DescribeReport",
"cloudtrail:Describe*",
"cloudtrail:List*",
"cloudwatch:Describe*",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData",
"cloudwatch:ListMetrics",
"dynamodb:Describe*",
"dynamodb:List*",
"ec2:Describe*",
"ecr:Describe*",
"ecr:List*",
"ecs:Describe*",
"ecs:List*",
"eks:Describe*",
"eks:List*",
"elasticache:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"glacier:Describe*",
"glacier:List*",
"kinesis:Describe*",
"kinesis:List*",
"lambda:List*",
"logs:DescribeLogGroups",
"logs:DescribeQueries",
"logs:GetLogGroupFields",
"logs:GetQueryResults",
"logs:StartQuery",
"logs:StopQuery",
"rds:Describe*",
"rds:ListTagsForResource",
"redshift:Describe*",
"route53:Get*",
"route53:List*",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:GetBucketTagging",
"sns:Get*",
"sns:List*",
"sqs:Get*",
"sqs:List*",
"trustedadvisor:Describe*",
"workspaces:Describe*",
"savingsplans:DescribeSavingsPlans",
"support:DescribeTrustedAdvisorChecks",
"support:DescribeTrustedAdvisorCheckResult"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1454926263002",
"Effect": "Allow",
"Action": [
"ec2:*Tags*",
"autoscaling:*Tags*",
"rds:*Tags*",
"redshift:*Tags*",
"s3:*Tagging*",
"elasticache:*Tags*",
"elasticloadbalancing:*Tags*",
"cloudtrail:*Tags*",
"elasticmapreduce:*Tags*",
"glacier:*Tags*",
"kinesis:*Tags*",
"route53:*Tags*",
"workspaces:*Tags*",
"dynamodb:TagResource",
"dynamodb:UntagResource",
"lambda:TagResource",
"lambda:UntagResource"
],
"Resource": [
"*"
]
}
]
}
Note: For updating policies attached with the onboarding role without repeating this entire onboarding process, please refer to the following doc:
How to Update Onboarding Role's Policies via AWS CLI