Onboarding an AWS account in CAM
Published On Jul 16, 2024 - 6:54 AM

This page details the steps needed to onboard an AWS account into CAM.
Prerequisites
Before starting the onboarding process, ensure you have:
  • CAM Administrator rights, or the appropriate permissions to perform all steps.
  • An AWS user account with Admin/Co-Admin access.
  • The Billing Account number (the account in which the CUR data is generated).
  • The Sub Account number(s) that will provide resource metrics.
  • An S3 bucket for the CUR reports and an accessible path (prefix) within it.
  • Details for the IAM Service Principal: Access Key ID and Secret Access Key.
Account Onboarding Requirements
This section describes what must be set up in the provider (AWS) account before a connection can be made successfully.
Overview
This documentation aims to help ingest AWS data into CAM securely, following AWS best practices and without CAM holding credentials for the customer's Billing or Sub Accounts. The recommendation is to use STS AssumeRole (within the account or cross-account) to pull Cost, Asset, Metrics and Recommendation data, supporting the Inform and Optimize phases of the FinOps lifecycle.
Assumptions and Prerequisites
  • The account is onboarded with a service principal (an IAM user in the Service Account) that can assume roles in AWS using STS AssumeRole.
  • CAM does not dictate whether the assume-role setup is done within the same account or cross-account; CAM supports both.
  • CAM requires at least one ExternalId per Tenant. CAM does not dictate how you structure the sub-account setup: each Sub Account can have its own ExternalId, Access Key ID and Secret Access Key, or many Sub Accounts can share the same ExternalId, Access Key ID and Secret Access Key. When making this choice, be aware of the AWS constraints described in the AWS AssumeRole documentation: the ExternalId is enforced by an sts:ExternalId condition in the role's trust policy and is AWS's mitigation for the confused deputy problem.
  • You need Admin or Co-Admin access to set up the delegated access and STS AssumeRole, and to run the implementation scripts.
Data Classification and Controls
This section outlines the data classification and controls required for GDPR compliance of the tenant cost data (consumed services) handled by CAM and ModernOps Security. The table below specifies, for each account, the components needed, the account-level permissions required and how they are used, so that the data is handled and secured properly.

Account: Service Account
  Component Needed:
    • A Role that assumes a Role defined in the Billing Account and/or Sub Account(s)
    • IAM Service Principal
  Account Level Access Permissions Required:
    • sts:AssumeRole
  Usage: Enables the IAM Service Principal to assume the Roles that read the CUR Report and the Resource and Resource Metrics from the Billing Account and Sub Accounts.

Account: Billing Account
  Component Needed:
    • AWS Cost and Usage Reports (CUR Report) enabled
    • S3 bucket and path for the CUR Report data
    • Role with permissions, and a trust policy with the IAM Service Principal, to read the CUR Report
  Account Level Access Permissions Required:
    • AmazonS3ReadOnlyAccess
    • ReadOnlyAccess
  Usage: To read the CUR Report and the Resource and Resource Metrics.

Account: Sub Account (Asset)
  Component Needed:
    • Role with permissions, and a trust policy with the IAM Service Principal, to read the Resource and Resource Metrics
    • CloudWatch service enabled
  Account Level Access Permissions Required:
    • AmazonS3ReadOnlyAccess
    • ReadOnlyAccess
  Usage: To read the Resource and Resource Metrics.

Note that ReadOnlyAccess is an AWS managed policy that grants read access across every service, including object data in S3. If your security policy does not permit that scope, replace it with a customer-managed policy limited to the CUR bucket, CloudWatch metrics and the describe/list calls CAM needs.
Configuration
Set Up a Service Account
The Service Account, typically a Kyndryl account, holds the IAM Service Principal and should be separate from the Billing and Sub Accounts. The role it assumes is created in the Billing Account (and in each Sub Account that provides metrics). Follow these steps to set up the Service Account:
  1. Ensure Permissions:
    • Make sure you have Admin or Co-Admin access to the AWS account in which the role will be created (the Billing Account, or a Sub Account).
  2. Create the Assume Role:
    • Navigate to IAM in the AWS Console:
      • Log in to your AWS Management Console.
      • Navigate to the IAM (Identity and Access Management) section.
    • Create a New Role:
      • Click "Roles" in the IAM dashboard.
      • Click "Create role".
    • Select Trusted Entity:
      • Choose "Another AWS account" as the type of trusted entity.
      • Enter the Account ID of the CAM service account that will assume this role.
    • Set Permissions:
      • Attach the necessary permissions policies to the role. For example:
        • AmazonS3ReadOnlyAccess to read S3 buckets.
        • ReadOnlyAccess to view billing data.
        • Optionally, add custom policies as needed to meet specific requirements.
    • Add Trust Relationship:
      • Define the trust relationship to allow the CAM service account to assume this role.
      • Example JSON for the trust policy:
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::<CAM Account ID>:root" },
              "Action": "sts:AssumeRole"
            }
          ]
        }
      • Replace <CAM Account ID> with the actual account ID of the CAM service account.
      • Because CAM requires an ExternalId per Tenant (see Assumptions and Prerequisites), add a Condition to this statement requiring sts:ExternalId to equal that value. Without it the role is exposed to the confused deputy problem: anyone who learns the Role ARN could have CAM's service principal assume it on their behalf.
    • Review and Create Role:
      • Review the settings and trust relationships.
      • Click "Create role".
  3. Capture Role ARN:
    • After creating the role, capture its Amazon Resource Name (ARN). This ARN is used to configure the trust policy and to onboard the Billing Account into CAM.
Example of Detailed Steps
  1. Navigate to IAM and Create Role:
    • Log in to the AWS Management Console.
    • Go to IAM > Roles > Create role.
    • Select "Another AWS account" and input CAM's Account ID.
  2. Set Permissions:
    • Attach AmazonS3ReadOnlyAccess and ReadOnlyAccess.
    • Add any additional policies needed.
  3. Create Trust Policy:
    • Go to the newly created role.
    • Select the "Trust relationships" tab.
    • Click "Edit trust relationship".
    • Add the following policy (replace <CAM Account ID>):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::<CAM Account ID>:root" },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  4. Review and Finalize:
    • Review the permissions and the trust relationship, then save the role and record its ARN.
Set Up Billing Account
Inputs required for this step
  Input: Billing Account Number
  Usage: The Billing Account in which the CUR data is generated.

  Input: Role Name
  Usage: The name of the Role that will be created in the Billing Account. The name can be chosen by the Service Account owner, e.g. CAM_KYNDRYL_ROLE. The Role ARN is formed as follows:
    arn:aws:iam::<Billing Account Number>:role/<Role Name>
  For example, if the Billing Account Number is 366287565622, the ARN is
    arn:aws:iam::366287565622:role/CAM_KYNDRYL_ROLE
  (Note the colon between the account number and "role/"; an ARN written with a slash there is invalid and will be rejected.)

Outputs generated from this step
  Output: AWS Role
  Usage: The role to assign to the IAM Service Principal in the next step.

  Output: Role ARN
  Usage:
    • Needed to generate the trust policy for the Billing Account Role.
    • Needed by CAM to onboard the account.
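The following Python helpers are an added example and are not part of the CAM documentation or of any Kyndryl tooling. They build the Role ARN in the form described above, build a trust policy for the CAM service account that carries the per-tenant ExternalId this page says CAM requires (the page's own trust policy example omits that condition), and lint a trust policy for the weaknesses a reviewer checks before onboarding. The account numbers, role name and ExternalId below are placeholders, and the linter's rules are this example's own, not a CAM check.

```python
"""Added example (not CAM's code): Role ARN construction, a trust policy
carrying the tenant ExternalId, and a linter for AssumeRole trust policies.
Account numbers, the role name and the ExternalId are placeholders."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")


def role_arn(account_id: str, role_name: str) -> str:
    """arn:aws:iam::<account>:role/<name>; note the colon before 'role/'."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"AWS account IDs are exactly 12 digits: {account_id!r}")
    if not ROLE_NAME_RE.match(role_name):
        raise ValueError(f"invalid IAM role name: {role_name!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(cam_account_id: str, external_id: str) -> dict:
    """Trust policy for the role in the Billing/Sub Account: the CAM service
    account may assume it only when it presents the tenant's ExternalId,
    which is AWS's mitigation for the confused-deputy problem."""
    if not ACCOUNT_ID_RE.match(cam_account_id):
        raise ValueError(f"bad CAM account ID: {cam_account_id!r}")
    if not 2 <= len(external_id) <= 1224:  # STS length limits for ExternalId
        raise ValueError("ExternalId must be 2..1224 characters")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{cam_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: dict) -> list[str]:
    """Return one finding per weakness in each Allow sts:AssumeRole statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRole", "sts:*", "*") for a in actions
        ):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(
            principal.get("AWS", []) if isinstance(principal, dict) else principal
        )
        if "*" in aws_principals:
            findings.append(f"statement {i}: principal '*' lets any AWS account assume the role")
        external_ids = []
        for cond in stmt.get("Condition", {}).values():
            external_ids += _as_list(cond.get("sts:ExternalId", []))
        if not external_ids:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif "*" in external_ids:
            findings.append(f"statement {i}: sts:ExternalId '*' matches every ExternalId")
    return findings


# The trust policy as shown on this page (constructed copy, placeholder account ID).
PAGE_TRUST_POLICY = json.loads(
    '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", '
    '"Principal": { "AWS": "arn:aws:iam::111111111111:root" }, '
    '"Action": "sts:AssumeRole" } ] }'
)

if __name__ == "__main__":
    print(role_arn("366287565622", "CAM_KYNDRYL_ROLE"))
    print("page policy:", lint_trust_policy(PAGE_TRUST_POLICY))
    hardened = trust_policy("111111111111", "example-tenant-external-id")
    print("hardened policy:", lint_trust_policy(hardened))
    print(json.dumps(hardened, indent=2))
```

Running the linter over the page's own trust policy reports the missing sts:ExternalId condition; the policy returned by trust_policy() passes. Paste the generated JSON into the role's trust relationship in place of the bare example, using the ExternalId configured for your tenant in CAM.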
  1. Log in to the AWS Management Console:
    • Navigate to the AWS Management Console.
    • Ensure you have the necessary permissions to enable Cost and Usage Reports.
  2. Access the Billing Dashboard:
    • In the AWS Management Console, go to the Billing and Cost Management Dashboard.
    • Select "Cost & Usage Reports" from the left-hand navigation pane.
  3. Create a New Report:
    • Click "Create report".
    • Enter a report name that is meaningful and easy to identify.
    • For the Report Content, ensure that "Include resource IDs" is selected. This option provides per-resource detail in the usage data.
  4. Configure Report Data:
    • Define the time granularity for the report (daily or hourly).
    • Set the report versioning to "Overwrite existing report" to keep the latest data.
    • Choose "GZIP" compression for efficient storage.
  5. Set Delivery Options:
    • Choose an S3 bucket where the CUR will be delivered. You can create a new S3 bucket if one does not exist.
    • Set the prefix for the report path within the S3 bucket to organize the reports effectively.
    • Ensure the S3 bucket permissions allow access from the IAM role used by CAM.
  6. Review and Complete:
    • Review the settings and configurations.
    • Click "Review and complete" to finish the setup.
    • AWS will start generating the Cost and Usage Reports based on the specified configuration.
Example Configuration JSON for CUR Setup
If configuring via the AWS CLI (aws cur put-report-definition) or programmatically, you might use JSON such as the following for the report definition:
{
  "ReportName": "KyndrylCAM_CostUsageReport",
  "TimeUnit": "DAILY",
  "Format": "textORcsv",
  "Compression": "GZIP",
  "AdditionalSchemaElements": [ "RESOURCES" ],
  "S3Bucket": "my-cur-bucket",
  "S3Prefix": "cost-usage-reports/",
  "S3Region": "us-east-1",
  "ReportVersioning": "OVERWRITE_REPORT"
}
  1. Set Up IAM Role for Access:
    • Ensure the IAM role used by CAM has the necessary permissions to read from the S3 bucket where the CUR is stored.
    • Attach the following policy to the IAM role (replace my-cur-bucket with your bucket name):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [ "s3:GetObject", "s3:ListBucket" ],
            "Resource": [
              "arn:aws:s3:::my-cur-bucket",
              "arn:aws:s3:::my-cur-bucket/*"
            ]
          }
        ]
      }
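The following Python example is added here and is not part of the CAM documentation or of any AWS or Kyndryl tooling. It validates a CUR report definition like the one above before it is handed to aws cur put-report-definition (catching, for example, a Compression value that does not match the Format, or a definition that omits RESOURCES), and derives from the validated definition a least-privilege S3 read policy for the role CAM assumes, scoped to the report prefix rather than the whole bucket. The bucket, prefix and report name are placeholders copied from the page's example.

```python
"""Added example (not CAM's code): validate a CUR report definition and derive
a prefix-scoped S3 read policy from it.  Bucket, prefix and report name are
placeholders."""
import json
import re

CUR_TIME_UNITS = {"HOURLY", "DAILY", "MONTHLY"}
# Compression values the CUR API accepts for each Format.
CUR_COMPRESSION_BY_FORMAT = {"textORcsv": {"GZIP", "ZIP"}, "Parquet": {"Parquet"}}
CUR_VERSIONING = {"CREATE_NEW_REPORT", "OVERWRITE_REPORT"}
REQUIRED_KEYS = ("ReportName", "TimeUnit", "Format", "Compression",
                 "AdditionalSchemaElements", "S3Bucket", "S3Prefix", "S3Region")
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def validate_report_definition(defn: dict) -> list[str]:
    """Return a list of problems; an empty list means the definition is usable."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in defn]
    if problems:
        return problems
    if defn["TimeUnit"] not in CUR_TIME_UNITS:
        problems.append(f"TimeUnit {defn['TimeUnit']!r} not in {sorted(CUR_TIME_UNITS)}")
    allowed = CUR_COMPRESSION_BY_FORMAT.get(defn["Format"])
    if allowed is None:
        problems.append(f"Format {defn['Format']!r} must be textORcsv or Parquet")
    elif defn["Compression"] not in allowed:
        problems.append(f"Compression {defn['Compression']!r} is not valid for Format {defn['Format']}")
    if "RESOURCES" not in defn["AdditionalSchemaElements"]:
        problems.append("AdditionalSchemaElements must include RESOURCES (CAM needs resource IDs)")
    if defn.get("ReportVersioning", "CREATE_NEW_REPORT") not in CUR_VERSIONING:
        problems.append(f"ReportVersioning {defn['ReportVersioning']!r} is invalid")
    if not BUCKET_RE.match(defn["S3Bucket"]):
        problems.append(f"S3Bucket {defn['S3Bucket']!r} is not a valid bucket name")
    if defn["S3Prefix"].startswith("/"):
        problems.append("S3Prefix must not start with '/'")
    return problems


def cur_reader_policy(defn: dict) -> dict:
    """IAM policy letting the CAM role list and read only the CUR prefix."""
    bucket = defn["S3Bucket"]
    prefix = defn["S3Prefix"].strip("/")
    list_stmt = {"Sid": "ListCurPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
                 "Resource": f"arn:aws:s3:::{bucket}"}
    object_arn = f"arn:aws:s3:::{bucket}/*"
    if prefix:  # restrict both listing and reads to the report prefix
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}}
        object_arn = f"arn:aws:s3:::{bucket}/{prefix}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            list_stmt,
            {"Sid": "ReadCurObjects", "Effect": "Allow", "Action": "s3:GetObject",
             "Resource": object_arn},
        ],
    }


# The report definition shown above (constructed copy with placeholder names).
PAGE_REPORT_DEFINITION = {
    "ReportName": "KyndrylCAM_CostUsageReport",
    "TimeUnit": "DAILY",
    "Format": "textORcsv",
    "Compression": "GZIP",
    "AdditionalSchemaElements": ["RESOURCES"],
    "S3Bucket": "my-cur-bucket",
    "S3Prefix": "cost-usage-reports/",
    "S3Region": "us-east-1",
    "ReportVersioning": "OVERWRITE_REPORT",
}

if __name__ == "__main__":
    print("problems:", validate_report_definition(PAGE_REPORT_DEFINITION))
    print(json.dumps(cur_reader_policy(PAGE_REPORT_DEFINITION), indent=2))
```

Write the validated definition to a file and create the report with aws cur put-report-definition --region us-east-1 --report-definition file://cur.json (the Cost and Usage Reports API is served only from us-east-1). Attaching the returned policy to the role instead of the bucket-wide statement above, or instead of AmazonS3ReadOnlyAccess, keeps the role from reading anything else in the account's buckets.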
  2. Integrate with Kyndryl CAM:
Inputs required for this step
  Input: Billing Account Number
  CAM field: Account Number

  Input: S3 Path (path of the Cost and Usage Report)
  CAM field: Cost and Usage Report Path

  Input: S3 Bucket name
  CAM field: S3 Bucket

  Input: Role ARN
  CAM field: Delegated Access

  Input: IAM Service Principal (AWS Access Key ID and AWS Secret Access Key)
  CAM fields: Access Key ID, Secret Access Key
  1. Access IAM in the Kyndryl Console
    • Log in to the Kyndryl CAM Console.
    • Open the menu and select IAM under the Admin tab.
    • Click the "Add New" button and select "Add Connection" from the dropdown menu.
  2. Configure Connection
    • Enter the required connection name.
    • Select "Cloud Provider" from the "Select Technology Category" dropdown.
    • Select "AWS" from the "Select Connection Type" dropdown.
  3. Enable Billing Data Connection
    • Switch on the toggle button labeled "Select here if you use this connection for Billing Data."
    • Fill in the connection configuration details:
      • Cost and Usage Report Path: Enter the path for the Cost and Usage Report.
      • Account Number: Enter the AWS Account Number.
      • S3 Storage: Enter the S3 Bucket name.
    • In the Credential Details section, enter the following:
      • Access Key: Enter the Access Key ID.
      • Secret Key: Enter the Secret Access Key.
    • Click "Test Connection" to ensure the credentials are valid.
  4. Finalize Connection
    • Click the "Add" button.
    • The onboarded provider account will be listed on the connection page.
  3. Add Asset Account
  1. Access IAM in the Kyndryl Console
    • Log in to the Kyndryl CAM Console.
    • Open the menu and select IAM under the Admin tab.
    • Click the "Add New" button and select "Add Connection" from the dropdown menu.
  2. Configure Connection
    • Enter the required connection name.
    • Select "Cloud Provider" from the "Select Technology Category" dropdown.
    • Select "AWS" from the "Select Connection Type" dropdown.
  3. Configure Asset Account (Do Not Enable Billing Data Connection)
    • Do not switch on the toggle button for "Select here if you use this connection for Billing Data."
    • Fill in the connection configuration details:
      • Account Number: Enter the AWS Account Number.
      • S3 Storage: Enter the S3 Bucket name.
    • In the Credential Details section, enter the following:
      • Access Key: Enter the Access Key ID.
      • Secret Key: Enter the Secret Access Key.
    • Click "Test Connection" to ensure the credentials are valid.
  4. Finalize Connection
    • Click the "Add" button.
    • The onboarded provider account will be listed on the connection page.