
Link your AWS account

By linking your AWS account(s), you unlock additional functionality such as proactive resource quota monitoring.

To link your AWS account(s) to the Cloud Management Platform, you will need to create an AWS IAM Role and attach IAM Policies to it. The policies you need to attach will depend on the feature(s) you'd like to enable.

This article will go over creating an IAM role with the required policies 1) automatically via CloudFormation and 2) manually.

note

Required Permission: Manage Settings

Within the CMP, select the gear icon in the right-hand corner of the top menu bar, then select Amazon Web Services from the drop-down menu that appears. The CMP will take you to the Link Amazon Web Services page:

From the Link Amazon Web Services page, select the LINK ACCOUNT button in the top right-hand corner. The CMP will take you to a page that allows you to complete the process:

To continue, follow the instructions in the following subsections to complete the linking process.

Creating a role automatically

Select the Create a role automatically radio button, then check the boxes next to the features you'd like to enable for this AWS account.

To see which AWS policies each feature requires, click the chevron (V-shaped) button to the left of the feature name to expand the list of policies.

There are two options for creating the role with this method:

  1. Creating a stack in CloudFormation
  2. Copying and pasting a command into CloudShell

Option 1: Create stack in CloudFormation

After selecting the features, select LINK ACCOUNT. The CMP will open a modal dialog asking you to confirm you want to proceed:

After selecting LINK ACCOUNT from the modal dialog, the CMP will open a preconfigured stack template with the necessary roles and permissions in a new AWS CloudFormation tab.

caution

You must create the CloudFormation stack in the us-east-1 region.

danger

In your AWS account, review the stack details, then under Capabilities check the 'I acknowledge that AWS CloudFormation might create IAM resources with custom names' box.

If you skip this acknowledgement, stack creation will fail.

Finally, select the Create stack button.

Within about 30 seconds of creating the stack, the CMP Settings page will update, showing your linked AWS account with a Healthy status next to it if the link attempt was successful.

Option 2: Create role via CLI

If you prefer to run the commands yourself in AWS CloudShell, select the PREFER CLI? button instead. A pop-up will appear with the commands you should run to generate the role with the requisite policies for the features you selected.

caution

If you choose to edit the CLI command before execution, you must leave the region set to us-east-1.

After running the command, it may take up to 30 seconds for the account to link. The CMP Settings page will then update, showing your linked AWS account with a Healthy status next to it if the link attempt was successful.

Creating a role manually

Select the Create a role manually radio button, then make a note of the listed "AWS Account" and "External ID", as you'll need them for a later step.

Creating an AWS IAM Role

In a separate tab, open the AWS Management Console. Go to Security, Identity, & Compliance > IAM (or type IAM into the Find Services search bar), then select Roles in the left-hand navigation.

Next, select Create Role.

Under Trusted entity type, choose AWS account, then Another AWS account, and enter the AWS Account ID you noted in the previous step. Check Require external ID (in older versions of the console you may need to check the Options checkbox for the External ID field to appear) and enter the External ID. The External ID is what stops another party from pointing the CMP at your role ARN and assuming it (the confused-deputy problem), so copy it exactly and do not reuse it for any other integration.

Select the Next: Permissions button to load a page where you can select built-in policies or create new ones.

Currently, there are three features you can enable for a linked AWS account: Core, Quotas, and SpotScaling.

Core permissions are for a minimum set of read-only permissions we need as a foundation for many CMP features. As such, it is checked by default.

For Core, you need to add three built-in policies to your role:

  • SecurityAudit
  • Billing
  • AWSSavingsPlansReadOnlyAccess

Features other than Core need a custom policy. For each such feature you wish to enable, select Create policy and follow the matching subsection below.

Creating new policies

Spot Scaling

A new tab will open for you to create the policy. Switch to the "JSON" tab and paste the following policy document, which lists the permissions Spot Scaling requires:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:ModifyLaunchTemplate",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:CancelSpotInstanceRequests",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:Describe*",
        "autoscaling:AttachInstances",
        "autoscaling:BatchDeleteScheduledAction",
        "autoscaling:BatchPutScheduledUpdateGroupAction",
        "cloudformation:ListStacks",
        "cloudformation:Describe*",
        "iam:PassRole",
        "events:PutRule",
        "events:PutTargets",
        "events:PutEvents"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

After pasting the JSON for the new policy, click "Next: Tags". If you aren't adding tags to this policy, proceed by clicking "Next: Review".

Finally, give your policy an identifiable name, like "spotscaling_policy", and a description if necessary. Then click on "Create Policy".
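One tightening a practitioner may want, added here as an editor's suggestion and not part of DoiT's documented policy: iam:PassRole with Resource "*" lets the CMP role hand any role in your account to any AWS service. Assuming Spot Scaling only needs to pass instance-profile roles to EC2 when it launches instances from your launch templates (an assumption, not something the page states), the PassRole grant can be split into its own statement and limited with the iam:PassedToService condition key, leaving the rest of the statement as documented above. If Spot Scaling stops working after this change, revert to the policy above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SpotScalingWithoutPassRole",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:ModifyLaunchTemplate",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:CancelSpotInstanceRequests",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:Describe*",
        "autoscaling:AttachInstances",
        "autoscaling:BatchDeleteScheduledAction",
        "autoscaling:BatchPutScheduledUpdateGroupAction",
        "cloudformation:ListStacks",
        "cloudformation:Describe*",
        "events:PutRule",
        "events:PutTargets",
        "events:PutEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PassInstanceProfileRolesToEc2Only",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
```

The second statement still allows any role to be passed, but only to EC2; if your instance-profile roles follow a naming convention, narrow "Resource" further to that ARN pattern.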

Quota Monitoring

A new tab will open for you to create the policy. Switch to the "JSON" tab and paste the following policy document, which lists the permissions Quota Monitoring requires:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "support:DescribeTrustedAdvisorCheckSummaries",
        "support:DescribeTrustedAdvisorCheckRefreshStatuses",
        "support:DescribeTrustedAdvisorChecks",
        "support:DescribeSeverityLevels",
        "support:RefreshTrustedAdvisorCheck",
        "support:DescribeSupportLevel",
        "support:DescribeCommunications",
        "support:DescribeServices",
        "support:DescribeIssueTypes",
        "support:DescribeTrustedAdvisorCheckResult",
        "trustedadvisor:DescribeNotificationPreferences",
        "trustedadvisor:DescribeCheckRefreshStatuses",
        "trustedadvisor:DescribeCheckItems",
        "trustedadvisor:DescribeAccount",
        "trustedadvisor:DescribeAccountAccess",
        "trustedadvisor:DescribeChecks",
        "trustedadvisor:DescribeCheckSummaries"
      ],
      "Resource": "*"
    }
  ]
}

After pasting the JSON for the new policy, click "Next: Tags". If you aren't adding tags to this policy, proceed by clicking "Next: Review".

Give your policy an identifiable name, like "doit_intl_quotas" in the case of the Quota Monitoring feature, and a description if necessary. Then click on "Create Policy".

If the policy was successfully created, you'll be taken to the IAM Policies page and see a success message at the top like the following:

Select all policies and confirm role

Once any custom policies have been created, return to the original tab where the role workflow began and click the Refresh icon towards the top-right of the policies box. The newly created policies will now appear in the search list.

Select all created policies for the features you want to enable in addition to the three built-in policies required for Core features, then click "Next: Tags".

If you aren't adding tags to this role, then you may proceed by clicking on "Next: Review" from the "Add Tags" page.

Give the Role an identifiable name (for example, 'doit-intl-cmp-role'), review the selected policies, and click on "Create role".

If the role was created successfully, you'll be taken back to the main Roles page and see your Role in the list.

After you have created the role, click on the role name to open its summary page and copy the value next to "Role ARN".

Finally, copy and paste the Role ARN to the Cloud Management Platform and click 'Add'.

If the status of your AWS account within the Cloud Management Platform appears as 'Healthy', it means the role was added successfully.
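The manual procedure above, end to end, as an added example (editor's code, not DoiT's own tooling): build the trust policy with the External ID condition, create the role and attach the Core policies with boto3, then re-read the trust policy to confirm that only the CMP account can assume the role and only when it presents the External ID. The CMP account ID, External ID and role name used here are constructed placeholders; the managed-policy ARNs are the standard AWS ARNs of the three Core policies listed above. The audit function also runs stand-alone against any existing role's trust policy (the decoded document that `aws iam get-role` returns), which catches a role that trusts the wrong account or was created without an External ID.

```python
"""Build, apply and audit the cross-account trust policy for the CMP role.

Added example, not DoiT's own tooling. The account ID, External ID and role
name in __main__ are constructed placeholders: take the real "AWS Account"
and "External ID" values from the Link Amazon Web Services page.
"""
import json

# ARNs of the three built-in policies the Core feature requires.
CORE_MANAGED_POLICIES = (
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/Billing",
    "arn:aws:iam::aws:policy/AWSSavingsPlansReadOnlyAccess",
)


def trust_policy(cmp_account_id: str, external_id: str) -> dict:
    """Trust policy that lets only the CMP account assume the role, and only
    when the AssumeRole call carries the External ID. Without the condition
    another CMP tenant could point the platform at your role ARN and read
    your account through it (the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{cmp_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    """IAM lets most policy fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_trust_policy(doc: dict, cmp_account_id: str, external_id: str) -> list:
    """Check a role's trust policy (as returned by `aws iam get-role`) and
    return a list of findings; an empty list means the policy is as expected."""
    expected = {cmp_account_id, f"arn:aws:iam::{cmp_account_id}:root"}
    findings, allows_cmp = [], False
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action"))):
            continue  # not an AssumeRole grant, irrelevant to who can use the role
        principal = st.get("Principal", {})
        if principal == "*":
            aws = ["*"]
        else:
            aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: assumable by any AWS principal")
            elif p not in expected:
                findings.append(f"statement {i}: unexpected principal {p}")
            else:
                allows_cmp = True
        got = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif got != external_id:
            findings.append(f"statement {i}: sts:ExternalId mismatch")
    if not allows_cmp:
        findings.append(f"no statement allows account {cmp_account_id} to assume the role")
    return findings


def create_linked_role(role_name: str, cmp_account_id: str, external_id: str,
                       feature_policy_arns=()) -> str:
    """Create the role, attach the Core policies plus the ARNs of any custom
    feature policies you created (Spot Scaling, Quota Monitoring), verify the
    stored trust policy and return the Role ARN to paste into the CMP.
    Assumes boto3 is installed with IAM write credentials; imported lazily so
    the rest of the module runs offline."""
    import boto3

    iam = boto3.client("iam")
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy(cmp_account_id, external_id)),
        Description="Cross-account role for the Cloud Management Platform",
    )
    for arn in (*CORE_MANAGED_POLICIES, *feature_policy_arns):
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    role = iam.get_role(RoleName=role_name)["Role"]  # AssumeRolePolicyDocument comes back decoded
    findings = audit_trust_policy(role["AssumeRolePolicyDocument"], cmp_account_id, external_id)
    if findings:
        raise RuntimeError("trust policy not as expected: " + "; ".join(findings))
    return role["Arn"]


if __name__ == "__main__":
    cmp_account, ext_id = "111122223333", "example-external-id"  # constructed placeholders
    # Document for: aws iam create-role --role-name doit-intl-cmp-role --assume-role-policy-document file://trust.json
    with open("trust.json", "w") as fh:
        json.dump(trust_policy(cmp_account, ext_id), fh, indent=2)
    weak = trust_policy(cmp_account, ext_id)  # same policy with the External ID condition dropped
    del weak["Statement"][0]["Condition"]
    print(audit_trust_policy(weak, cmp_account, ext_id))
```

Run the audit periodically (or from a CloudTrail-triggered check on UpdateAssumeRolePolicy) so a later edit that widens the principal or drops the External ID condition is noticed.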

Editing Linked Accounts

Unlinking an account

If you want to unlink an account, click the "Unlink" button in the row corresponding to the account. Unlinking only removes the account from the CMP; the IAM role and its attached policies remain in your AWS account, so delete them in IAM if they are no longer needed.

Modifying feature access

Adding a feature

If, after linking your AWS account, you'd like to update your role with additional permissions for a new feature, click on the "Edit" button in the row corresponding to the account.

Then, check the box of any new feature(s) you'd like to add permissions for.

There are two options for updating your role:

  1. Creating a stack in CloudFormation
  2. Copying and pasting a command into CloudShell

Both methods are detailed in the section on linking your AWS account automatically above. The flows are the same, except that instead of creating a new role you are updating the role you already created.

Removing a feature

To remove a feature that a linked account has access to, go to the IAM page in the AWS console. Then, detach the policy or policies associated with the feature in that linked account's role.
