Link your AWS Account
Unlock additional Cloud Management Platform features by linking your AWS account
By linking your AWS account/s, you will unlock additional functionalities such as proactive resource quota monitoring and more.
To link your AWS account(s) to the Cloud Management Platform, you will need to create an AWS IAM Role and attach IAM Policies to it. The policies you need to attach will depend on the feature(s) you'd like to enable.
This article will go over creating an IAM role with the required policies 1) automatically via CloudFormation and 2) manually.
Looking for instructions on how to set up the CloudHealth IAM role?

Link an account

Required Permission: Manage Settings
Within the CMP, select the gear icon in the right-hand corner of the top menu bar, then select Amazon Web Services from the drop-down menu that appears. The CMP will take you to the Link Amazon Web Services page:
A screenshot showing the location of the Link Amazon Web Services button
From the Link Amazon Web Services page, select the LINK ACCOUNT button in the top right-hand corner. The CMP will take you to a page that allows you to complete the process:
A screenshot showing the location of the LINK ACCOUNT button
To continue, follow the instructions in the following subsections to complete the linking process.

Create a role automatically

Select the Create a role automatically radio button, then check the boxes next to the features you'd like to enable for this AWS account.
To explore what AWS policies each feature requires, click the V button to the left of the feature name to expand the list of policies.
A screenshot showing an expanded feature section
There are two options for creating the role with this method:
  1. Creating a stack in CloudFormation
  2. Copying and pasting a command into CloudShell

Option 1: Create stack in CloudFormation

After selecting the features, select LINK ACCOUNT. The CMP will open a modal dialog asking you to confirm you want to proceed:
A screenshot of the AWS CloudFormation modal dialog
After selecting LINK ACCOUNT from the modal dialog, the CMP will open a preconfigured stack template with the necessary roles and permissions in a new AWS CloudFormation tab.
In your AWS account, review the details, then under Capabilities, mark the 'I acknowledge that AWS CloudFormation might create IAM resources with custom names' checkbox.
Finally, select the Create stack button.
Within about 30 seconds of creating the stack, the CMP Settings page will update, showing your linked AWS account with a Healthy status next to it if the link attempt was successful.

Option 2: Create role via CLI

If you prefer to run the commands yourself in AWS CloudShell, select the PREFER CLI? button instead. A pop-up will appear with the commands you should run to generate the role with the requisite policies for the features you selected. After running the command, it may take up to 30 seconds for the account to link to the CMP.
A screenshot of the CLI Instructions modal dialog
Within about 30 seconds of running the command, the CMP Settings page will update, showing your linked AWS account with a Healthy status next to it if the link attempt was successful.

Create a role manually

Select the Create a role manually radio button, then make a note of the listed "AWS Account" and "External ID", as you'll need them for a later step.
A screenshot of the manual role creation form

Creating an AWS IAM Role

In a separate tab, open the AWS Management Console. Then, go to Security, Identity, & Compliance > IAM, or type IAM in the Find Services search bar and select Roles on the left-hand side of the page.
Next, select Create Role.
A screenshot showing the location of the Roles menu item
Enter the AWS Account ID and External ID you've noted in the previous step. You might need to check the Options checkbox for the External ID field to show up.
A screenshot of AWS IAM
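The trust relationship this step configures, expressed as a trust-policy document plus a small review check, is shown below as an added example; it is not part of the original article or of the CMP's own tooling. The account ID and External ID are constructed placeholders, so substitute the values shown on the CMP form. The check flags the two properties that matter for a cross-account role: the principal must be the single trusted account rather than "*", and the `sts:ExternalId` condition must be present, because that condition is what stops a third party from asking the CMP to assume your role on their behalf (the confused-deputy problem the External ID exists to prevent).

```python
import json

# Constructed placeholder values: take the real ones from the CMP's
# "Create a role manually" form ("AWS Account" and "External ID" fields).
CMP_ACCOUNT_ID = "111111111111"      # placeholder, not the CMP's real account
EXTERNAL_ID = "example-external-id"  # placeholder


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to choosing 'Another AWS account' in the console
    and filling in the account ID and External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_problems(policy: dict) -> list:
    """Return review findings for a role trust policy; an empty list means it passes.
    Only statements that allow sts:AssumeRole are examined."""
    problems = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        wildcard_principal = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if wildcard_principal:
            problems.append(f"statement {index}: principal is '*', so any AWS account could assume the role")
        condition = stmt.get("Condition", {})
        if not condition.get("StringEquals", {}).get("sts:ExternalId"):
            problems.append(f"statement {index}: no sts:ExternalId condition (confused-deputy risk)")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(CMP_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_problems(policy))
```

The console's "Options" checkbox for the External ID field produces exactly the `Condition` block above; if you later review the role's Trust relationships tab and that block is missing, the role can be assumed by anyone who knows the CMP's account ID and asks it nicely, which is the case the check reports.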
Select the Next: Permissions button to load a page where you can select built-in policies or create new ones.
Currently, there are three features you can enable for a linked AWS account: Core, Quotas, and SpotScaling.
Core permissions are the minimum set of read-only permissions that many CMP features depend on, so Core is checked by default.
For Core, you need to add three built-in policies to your role:
  • SecurityAudit
  • Billing
  • AWSSavingsPlansReadOnlyAccess
To add permissions for any other feature (Quotas or SpotScaling), you'll need to create a custom policy for it. To do so, select Create policy.
A screenshot showing the location of the Create policy button

Creating new policies

Spot Scaling
A new tab will open for you to create the policy. Switch to the "JSON" tab and paste the following policy document, which lists the required permissions (the original listed ec2:CreateLaunchTemplateVersion twice; the duplicate is dropped here, which does not change what the policy grants):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:ModifyLaunchTemplate",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:CancelSpotInstanceRequests",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:Describe*",
        "autoscaling:AttachInstances",
        "autoscaling:BatchDeleteScheduledAction",
        "autoscaling:BatchPutScheduledUpdateGroupAction",
        "cloudformation:ListStacks",
        "cloudformation:Describe*",
        "iam:PassRole",
        "events:PutRule",
        "events:PutTargets",
        "events:PutEvents"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
A screenshot of the AWS Create policy page
After the JSON for the new policy you want to create is pasted, click "Next: Tags". If you aren't adding tags to this policy, then you may proceed by clicking on "Next: Review".
Finally, give your policy an identifiable name, like "spotscaling_policy", and a description if necessary. Then click on "Create Policy".
A screenshot of the policy name
Quotas
A new tab will open for you to create the policy. Switch to the "JSON" tab and paste the following policy document, which lists the required permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "support:DescribeTrustedAdvisorCheckSummaries",
        "support:DescribeTrustedAdvisorCheckRefreshStatuses",
        "support:DescribeTrustedAdvisorChecks",
        "support:DescribeSeverityLevels",
        "support:RefreshTrustedAdvisorCheck",
        "support:DescribeSupportLevel",
        "support:DescribeCommunications",
        "support:DescribeServices",
        "support:DescribeIssueTypes",
        "support:DescribeTrustedAdvisorCheckResult",
        "trustedadvisor:DescribeNotificationPreferences",
        "trustedadvisor:DescribeCheckRefreshStatuses",
        "trustedadvisor:DescribeCheckItems",
        "trustedadvisor:DescribeAccount",
        "trustedadvisor:DescribeAccountAccess",
        "trustedadvisor:DescribeChecks",
        "trustedadvisor:DescribeCheckSummaries"
      ],
      "Resource": "*"
    }
  ]
}
```
After the JSON for the new policy you want to create is pasted, click "Next: Tags". If you aren't adding tags to this policy, then you may proceed by clicking on "Next: Review".
A screenshot of the first step in the Create policy flow
Give your policy an identifiable name, like "doit_intl_quotas" in the case of the Quota Monitoring feature, and a description if necessary. Then click on "Create Policy".
A screenshot of the third step in the AWS Create policy flow
If the policy was successfully created, you'll be taken to the IAM Policies page and see a success message at the top like the following:
"doit_intl_quotas has been created"
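Before pasting either custom policy, it is worth knowing exactly what you are granting, since both use `"Resource": "*"`. The script below is an added example (not code from the article or from the CMP) that takes the two policy documents above as input, splits the allowed actions into read-only and state-changing ones, and raises the findings a reviewer would: `iam:PassRole` on every role in the account, and state-changing actions on all resources with no `Condition`. The read-only heuristic (API names beginning with Describe, List or Get) is an assumption of this example; for the Quotas policy it classifies everything except `support:RefreshTrustedAdvisorCheck` as read-only.

```python
import json

READ_ONLY_VERBS = ("Describe", "List", "Get")

# The two documents the article tells you to paste into the IAM JSON editor,
# reproduced here as review input (SpotScaling with its duplicated
# ec2:CreateLaunchTemplateVersion entry collapsed).
SPOTSCALING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": [
            "ec2:Describe*", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion",
            "ec2:ModifyLaunchTemplate", "ec2:RunInstances", "ec2:TerminateInstances",
            "ec2:CreateTags", "ec2:DeleteTags", "ec2:CancelSpotInstanceRequests",
            "autoscaling:CreateOrUpdateTags", "autoscaling:UpdateAutoScalingGroup",
            "autoscaling:Describe*", "autoscaling:AttachInstances",
            "autoscaling:BatchDeleteScheduledAction",
            "autoscaling:BatchPutScheduledUpdateGroupAction",
            "cloudformation:ListStacks", "cloudformation:Describe*", "iam:PassRole",
            "events:PutRule", "events:PutTargets", "events:PutEvents",
        ],
    }],
}

QUOTAS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": [
            "support:DescribeTrustedAdvisorCheckSummaries",
            "support:DescribeTrustedAdvisorCheckRefreshStatuses",
            "support:DescribeTrustedAdvisorChecks", "support:DescribeSeverityLevels",
            "support:RefreshTrustedAdvisorCheck", "support:DescribeSupportLevel",
            "support:DescribeCommunications", "support:DescribeServices",
            "support:DescribeIssueTypes", "support:DescribeTrustedAdvisorCheckResult",
            "trustedadvisor:DescribeNotificationPreferences",
            "trustedadvisor:DescribeCheckRefreshStatuses", "trustedadvisor:DescribeCheckItems",
            "trustedadvisor:DescribeAccount", "trustedadvisor:DescribeAccountAccess",
            "trustedadvisor:DescribeChecks", "trustedadvisor:DescribeCheckSummaries",
        ],
    }],
}


def as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def is_read_only(action: str) -> bool:
    """Heuristic (an assumption of this example): an API name starting with
    Describe/List/Get does not change state. 'ec2:Describe*' matches as well,
    since that wildcard only widens within the Describe verbs."""
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def review_policy(policy: dict) -> dict:
    """Classify every allowed action and collect the findings a reviewer would raise."""
    read_only, mutating, findings = set(), set(), []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        stmt_mutating = sorted(a for a in actions if not is_read_only(a))
        read_only.update(a for a in actions if is_read_only(a))
        mutating.update(stmt_mutating)
        # A statement is unscoped when it applies to every resource and has no Condition.
        unscoped = "*" in as_list(stmt.get("Resource")) and "Condition" not in stmt
        if unscoped and "iam:PassRole" in stmt_mutating:
            findings.append(f"statement {index}: iam:PassRole on every role in the account; "
                            "restrict Resource to the instance roles that actually get passed")
        if unscoped and stmt_mutating:
            findings.append(f"statement {index}: {len(stmt_mutating)} state-changing action(s) "
                            "on Resource '*' with no Condition: " + ", ".join(stmt_mutating))
    return {"read_only": sorted(read_only), "mutating": sorted(mutating), "findings": findings}


if __name__ == "__main__":
    for name, policy in (("SpotScaling", SPOTSCALING_POLICY), ("Quotas", QUOTAS_POLICY)):
        print(name, json.dumps(review_policy(policy), indent=2))
```

Run it as-is to see the split for both policies. The SpotScaling policy needs its mutating actions to do its job (it launches and terminates instances and edits Auto Scaling groups), so the findings are prompts to decide consciously whether to narrow `iam:PassRole` to specific role ARNs, not reasons to drop the feature; the Quotas policy, by contrast, is read-only apart from triggering a Trusted Advisor refresh.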

Select all policies and confirm role

Once any custom policies (if necessary) have been created, revert back to your original tab where the workflow first began, and click the Refresh icon towards the top-right of the policies box. Any newly-created policies will now appear in the search list.
Select all created policies for the features you want to enable in addition to the three built-in policies required for Core features, then click "Next: Tags".
If you aren't adding tags to this role, then you may proceed by clicking on "Next: Review" from the "Add Tags" page.
A screenshot of the second step in the AWS Create role flow
Give the Role an identifiable name (e.g. 'doit-intl-cmp-role'), review the selected policies, and click on "Create role".
A screenshot of the fourth step in the AWS Create role flow
If the role was created successfully, you'll be taken back to the main Roles page and see your Role in the list.
After you have created the role, click on the role name to open its summary page. Copy the value next to "Role ARN".
A screenshot of the AWS role summary page
Finally, copy and paste the Role ARN to the Cloud Management Platform and click 'Add'.
A screenshot highlighting the location to paste the Role ARN value
If the status of your AWS account within the Cloud Management Platform appears as 'Healthy', it means the role was added successfully.
A screenshot highlighting the status of the AWS account

Editing Linked Accounts

Unlinking an account

If you want to unlink an account, click on the "Unlink" button in the row corresponding to the account.
A screenshot highlighting the location of the Unlink button

Modifying feature access

Adding a feature

If, after linking your AWS account, you'd like to update your role with additional permissions for a new feature, click on the "Edit" button in the row corresponding to the account.
A screenshot highlighting the location of the Edit button
Then, check the box of any new feature(s) you'd like to add permissions for.
A screenshot showing a list of features
There are two options for updating your role: creating a stack in CloudFormation, or running a command in CloudShell.
Both methods are detailed above in the section on linking your AWS account automatically.
The flows are essentially the same as described there, except that instead of creating a new role you are updating a role you've already created.

Removing a feature

To remove a feature that a linked account has access to, go to the IAM page in the AWS console. Then, detach the policy or policies associated with the feature in that linked account's role.