Skip to main content

Link your AWS account

Link your AWS account to the DoiT Platform to unlock advanced functionalities such as proactive resource quota monitoring and Spot Scaling.

Note

Required Permission: Manage Settings

To link an account:

  1. Log in to the DoiT Console, select the gear icon () from the top navigation bar, and then select Amazon Web Services.

  2. On the Link Amazon Web Services page, select Link account.

    Link Amazon Web Services account

Proceed to create an AWS IAM Role with the required policies.

Create a role automatically

  1. Select Create a role automatically.

  2. Select features to enable on the your AWS account. You can select the expand button to the left of the feature name to review the required AWS policies.

    An expanded feature section

  3. Create a CloudFormation stack for the IAM role by using one of the following options.

    • Using AWS CloudFormation console:

      1. Select Link account to launch the DoiT stack template in the AWS CloudFormation console.

      2. Make sure that you are in the US East (N. Virginia) us-east-1 region.

        Link Amazon Web Services account

      3. Select the checkbox at the bottom of the page to acknowledge that AWS CloudFormation might create IAM resources with custom names.

        Link Amazon Web Services account

      4. Create the stack.

    • Using AWS CloudShell:

      1. Select Prefer CLI.

      2. Copy the command from the pop-up window.

        Caution

        If you edit the CLI command before execution, you must keep the region to us-east-1.

      3. Run the command in AWS CloudShell to create the specified CloudFormation stack.

After creating the stack, it may take up to 30 seconds for the account to link to the DoiT Platform. If the link attempt was successful, your linked AWS account will show a Healthy status.

Create a role manually

  1. Select Create a role manually. Note down the listed Our AWS Account and Your External ID.

    The manual role creation form

  2. Create an AWS IAM Role.

    1. Log in to the AWS Management Console, go to the IAM console, and select Roles in the left-hand side navigation pane.

      See also
    2. Select Create role.

    3. Select AWS account as the trusted entity.

    4. Select Another AWS account and enter the DoiT AWS account ID (the Our AWS Account in the previous step).

    5. Select the checkbox Require external ID and enter your external ID.

    6. Select Next to add permissions.

      Choose policies in accordance with the features to enable:

      See also
    7. Once the policies are created, go back to your original tab. You may need to refresh to see the new policies in the search list.

    8. Select all the new policies for the features you want to enable in addition to the three built-in policies required for Core features.

    9. Select Next, give the Role an identifiable name , review the selected policies, and then select Create role.

  3. After creating the role, select the role name to open its summary page, copy the value of the role's ARN, and paste the Role ARN to the DoiT Console.

  4. Select Add to link your AWS account.

If successfully, the status of your AWS account will show as Healthy in the DoiT Console.

Feature permissions

Below are the required permissions for the features you can enable for a linked account.

Core

Core permissions are a minimum set of read-only permissions for many DoiT Platform features. It consists of the following AWS managed policies:

AWS managed policyDescription
SecurityAuditGrants access to read security configuration metadata.
AWSSavingsPlansReadOnlyAccessProvides read-only access to Savings Plans service.
BillingGrants permissions for billing and cost management.
Spot Scaling
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:ModifyLaunchTemplate",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:CreateLaunchTemplateVersion",
"ec2:CancelSpotInstanceRequests",
"autoscaling:CreateOrUpdateTags",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:Describe*",
"autoscaling:AttachInstances",
"autoscaling:BatchDeleteScheduledAction",
"autoscaling:BatchPutScheduledUpdateGroupAction",
"cloudformation:ListStacks",
"cloudformation:Describe*",
"iam:PassRole",
"events:PutRule",
"events:PutTargets",
"events:PutEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Quota Monitoring
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"support:DescribeTrustedAdvisorCheckSummaries",
"support:DescribeTrustedAdvisorCheckRefreshStatuses",
"support:DescribeTrustedAdvisorChecks",
"support:DescribeSeverityLevels",
"support:RefreshTrustedAdvisorCheck",
"support:DescribeSupportLevel",
"support:DescribeCommunications",
"support:DescribeServices",
"support:DescribeIssueTypes",
"support:DescribeTrustedAdvisorCheckResult",
"trustedadvisor:DescribeNotificationPreferences",
"trustedadvisor:DescribeCheckRefreshStatuses",
"trustedadvisor:DescribeCheckItems",
"trustedadvisor:DescribeAccount",
"trustedadvisor:DescribeAccountAccess",
"trustedadvisor:DescribeChecks",
"trustedadvisor:DescribeCheckSummaries"
],
"Resource": "*"
}
]
}

Edit linked accounts

To unlink an account:

  1. Navigate to the Link Amazon Web Services page.

  2. Locate the account of interest.

  3. Select the three dots menu () at the rightmost end of the account entry.

  4. Select Unlink account.

    The location of the Unlink option

Modify feature access

Add a feature

To add a new feature, you need to update the IAM role of the linked account with additional permissions:

  1. Select the three dots menu () at the rightmost end of the account entry.

  2. Select Edit account.

  3. Select the checkbox of the new feature.

  4. Update the IAM role with the new permissions by using one of the following options.

    • Select Update account to create a CloudFormation stack in the AWS console.

    • Select Prefer CLI to get the command to create the CloudFormation stack via AWS CloudShell.

    See Create a role automatically for more information.

Remove a feature

To remove a feature:

  1. Go to the IAM page in the AWS console.

  2. Detach the policies associated with the feature in the linked account's role.