Manage multi-cloud IAM users, policies, and budgets from a consolidated dashboard
Manage your spending with provider budgetary controls, budget thresholds, and configurable cost reduction actions
Provide access to portals for users and teams
Use APIs programmatically to govern access to delivery, DevOps, and automation systems

Terminology in Amazon Web Services

Organizational Unit (OU):
A overarching category that is used to categorize accounts. You must set up OUs in AWS as explained here. You can use OUs to organize your deployment by region, by department, or any other divisions. OUs can include IAM and Service Control Policies  that are also applied to any accounts assigned to that OU. You can simply use the Root OU for all accounts, but this is not recommended because the Root OU generally has no restrictions on who can order what.
Account:
An account is a discrete project or organization within your system. An account inherits IAM and Service Control Policies from the OU it is assigned to, and can have more polices and a budget of its own. Accounts can be created in Kyndryl Modern Operations Applications.
IAM User:
A customer accesses AWS through an IAM user that assigns the policies and budget from the account that is assigned to that person.

Roles and what they can access

IAM/Policy Administrator, Site Reliability Engineer:
These roles can set up accounts, policies, and budgets; create IAM users; and enable centralized management. The role can access these functions:
Setting up a provider
Creating a user account
Requesting IAM user
Managing accounts and policies
Approving requests
Managing personal projects
Compliance manager
: This role approves requests from users. The rule can access these functions:
Managing account and policies
Approving requests
Managing personal projects
Buyer, Requestor:
This role can only manage projects and users:
Managing personal projects

Approving requests

Filters
section: Filters the displayed information by any combination of
Provider
,
Owner
, and
Project
.
Hyperscaler budget allocation to projects:
Graph that shows budget broken down by owner over a selected interval.
Total spend vs. budget:
Graph that shows your total spend broken down by application.
Recent activity:
Shows recent system changes.
Accounts & Users:
Provides a list of accounts and the IAM Users and Budgets associated with those accounts.

On the
Hyperscaler Account Governance
page, click the
View & Approve Requests
tab. The tab displays how many pending requests are currently active.
On the
View & Approve Requests
tab, there is a
Pending Approval
column that shows active requests included the pertinent details, and an
Approved
column that shows both approved and denied requests. You can click
Deny
or
Approve
for each active request. You cannot make changes to closed requests.

Managing accounts and policies

Manage and configure providers:
All available providers are listed. Any that have not been configured will have the
Configure
option available. For more information, see Setting up a provider. Otherwise, you can click
Manage
to change the account.
Monitor providers:
For each configured provider, the total number of Organizational Units, Accounts, IAM Users, Policies, and Budgets is displayed, along with the OUs that can be used for account creation and recent activity in the system.

Managing your personal projects

Dashboard:
The compliance manager's dashboard that displays all accounts that the logged in user manages, regardless of provider.
< Provider Name >:
The dashboard for the specific provider that shows accounts owned by the logged in user.

Hyperscaler budget allocation to projects:
Graph that shows budget allocations broken down by project. This graph shows data for the current and previous quarter.
Total spend vs. budget:
Graph that shows the spending as compared to the budget broken down by user. You can adjust the
Duration
in the upper right of the graph.
Recent activity:
Shows recent system changes in the project.
Accounts & Users:
Provides access to a list of accounts and the IAM Users and Budgets associated with those accounts.
Budgets:
Shows the current budget status of all projects that you own.

Production Cost vs. Budgeted Spend Overview:
Compares the amount spent on the project to the budgeted amount. This graph shows data for the current and previous quarter.
Recent activity:
Shows recent system changes in the project.
Accounts & Users:
Provides access to a list of accounts and the IAM Users and Budgets associated with those accounts.
Budgets:
Shows the current budget status of all projects associated with you.

Setting up a provider

Amazon Web Services:
AWS. You will also need to create an IAM admin user with an
AdministratorAccess
IAM policy attached. For more information, see Creating your first IAM admin user and user group. In addition, the
OrganizationAccountAccessRole
must be enabled on all member accounts for them to be managed from Kyndryl Modern Operations Applications. This role is present by default unless you explicitly modify it. For more information, see What is AWS Organizations.

Navigate to the
Configure Management Access
page. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation.
Enter the
access key
and
secret key
for the provider account and click
Test & Save Connection
.The credential will be tested to see if it already exists in the system.
When the account is validated, click
Continue
.
In the
Request Development Account
window, the information retrieved from the provider is displayed, including the available OUs. Select the OUs that you want your requesters to be able to request new accounts in and then click
Apply
. The management OU (the one with the
AdministratorAccess
role) is labeled and should not be selected because it would give your requesters too much access to the system.

Creating a user account

Navigate to the
Catalog
. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation.
In the
Navigation
pane, click
Security & Identity
.
On the
Security & Identity
page, click
Account-Development Account
for the provider. You will have three type options by default. Other options can be added in addition to these.
Advanced:
An account with few preconfigured privileges to be used for customized access.   
Development:
An account with privileges and policies designed for development tasks.   
Privileged:
  An account with high level privileges.

Select an Organization Unit:
Select the organization unit that you want to use.
AWS account name:
Enter the name of the AWS account that you want to use.
Email address of the account’s owner:
Enter the email address of the person you want to be the owner of this account. If this is not you, select
No
in the toggle next to this field. This email will be validated when you click
Next
.
Tags:
This section can be used to create key-value pairs that you can add to your AWS resources so that you can identify and track them more efficiently. A standardized set of pairs will be automatically created based on the information that you have entered. You can create up to 50 additional tags. To create a tag, click
Add Tag
and fill out the following fields. To delete one, click the
Trash Can
icon next to it.
Key:
The category of the tag. You can have multiple values for each key.   
Value:
The specific value of the tag.   
Description:
An optional description of the tag.

Policy Name:
Enter a descriptive name for your policy.
Description:
Optionally, add a detailed description of the function of the policy.
Policy as Code:
Paste the contents of your policy JSON into this field. 

AWS Budgets

Assign a budget by entering the following parameters:
Budget name:
Enter a name for your budget.   
Budget scope:
These selections are preset based on common practices. You cannot currently modify them.   
In the
Set budget amount
section, enter the following parameters:
Enter your budgeted amount:
Enter the amount for your budget.       
Period:
Select the time period that the budget covers.       
Budget renewal type:
Select either
Recurring budget
or
Expiring budget
. For a recurring budget, you must enter the
Start Month
and
Start Year
. For an expiring budget, you must also enter the
End Month
and
End Year
.       
Budget method:
Leave as
Fixed
, which is currently the only option.
You can set alert thresholds that automatically send you an alert and perform actions when the threshold is met. You can set multiple thresholds. Click
Add alert threshold
and provide these parameters for each alert:
Threshold:
The point at which the alert is triggered.   
Select the type of threshold. Your options are
% of budgeted amount
and
Absolute value
.
Trigger:
Determine whether the value is
Actual
(the amount is reached) or
Forecasted
(the amount is projected to be reached within a specific time frame).
Email recipients:
Enter the email addresses for everyone you want alerts sent to when the threshold is reached.
Add action:
Click this to create an action that will occur when the threshold is reached, then select from the following options. You can add multiple actions to the threshold.
IAM Policy:
Attach one or more policies to IAM identities by selecting the policy or policies you want to apply from the second (
Select an existing IAM Policy you want to apply
) table. The most common policies are already attached for your convenience. You can click the tabs to sort among the policies and can click
Attach All
to attach all the currently listed policies. In addition, set the users, groups, and roles that you want the IAM policy to apply to from these fields. You can make multiple selections from all three categories. Policies are listed as being
Strongly Recommended Guardrails
,
Mandatory Guardrails
, and
Elective Guardrails
based on how they are categorized by the provider, as well as
Deny All
and
Custom Policies
.
Service Control Policy:
Select this to apply a service control policy when the threshold is reached. The most common policies are already attached for your convenience. To add one, select the policy or policies you want to apply from the second (
Select an existing Service Control Policy you want to apply
) table. You can click the tabs to sort among the policies and can click
Attach All
to attach all the currently listed policies. Policies are listed as being
Strongly Recommended Guardrails
,
Mandatory Guardrails
, and
Elective Guardrails
based on how they are categorized by the provider, as well as
Deny All
and
Custom Policies
.
Automate instances to stop for EC2 or RDS:
You can choose to
Stop All EC2
(Virtual Machines),
Stop All RDS
(RDS databases), or both to stop the expenses associated with those items.

Requesting an IAM user

Navigate to the
Catalog
. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation.
In the Navigation pane, click
Security & Identity
.
On the
Security & Identity
page, click
IAM User-Development User
for the provider. You will have three type options by default. Other options can be added in addition to these.
Advanced:
A user with few preconfigured privileges to be used for customized access.   
Development:
A user with privileges and policies designed for development tasks.   
Privileged:
  A user with high level privileges.

On the
Set user details & access type
tab, click either
Raising a request for yourself
or
Raising a request on another account owner’s behalf
. If you select the second option, enter the email address of that person. Otherwise your email will appear in the field automatically.
Click
Select OU
.
In
Select the Organization Unit
, choose the unit that you want to use.
In
Select an Account
, select the account from the unit that you want to use.
As a security feature, you can only request that an IAM User be created for accounts that you are listed as the owner of.  If the account does not have an owner, you can add an email address for a new owner in the
Email address of the account’s owner
field. This new owner will be assigned when the request is approved.
In the
Set new IAM User details
section, enter the following parameters:
User name:
Provide a name for the new user.
Select AWS credential type:
Select one or both of these options:
Access key - Programmatic access:
Enables an access key ID and secret access key so that the user has access to the AWS API, CLI, SDK, and other development tools.
Password - AWS Management Console access:
Enables a password that allows the user to access the AWS Management Console. If you select this option, you must provide a
Custom password
that contains at least 32 characters and at least one upper case character, one special character, and a digit. This is an initial password that the user will be required to change when first logging in to the provider.
Click
Next
at the top of the page.
On the
Set permissions
tab, select from these options and then click
Next
:
Copy permissions from existing user:
Select the user that you want to copy the permissions from.
Attach existing policies directly:
Policies that are inherited from the account are automatically attached. Select one or more policies that you want to add from the
Attach policies
section and click the
Attach
icon next to the ones that you want to add. The
IAMUserChangePassword
policy is attached by default. This policy allows the user to change their password on initial login and should not be removed. You can also click
Attach All
. To create a policy, click
Create Policy
, complete the following fields and then click
Create
:
Policy Name:
Enter a descriptive name for your policy.
Description:
Optionally, add a detailed description of the function of the policy.
Policy as Code:
Paste the contents of your policy JSON into this field.
On the
View & Add additional IAM User Tags
tab, you can optionally add tags to your user that help identify, organized, and secure your AWS resources. A set of standard tags based on the account are added automatically and cannot be altered. You can create up to 50 tags. To create a tag, click
Add Tag
and fill in the following parameters.  You can click
Delete
to remove erroneous tags. When you are done, click
Next
.
Key:
The key (group attribute) for the tag.
Value:
The specific attribute for the tag.
Description:
An optional explanation of the tag.
On the
Budget
tab, select from among these options, enter the appropriate information about the budget you want to use, and click
Next
:
Select one or both of the following options:
Control using Service Control Policy (SCP) at the Organization level:
Select this option if you want to use the Budget definition for other accounts and IAM users.
Control using IAM Policy, for the requested IAM User:
Select if you want to create a budget that only applies to the user you are creating.
Budget name:
Enter a name for your budget.
Budget scope:
These selections are preset based on common practices. You cannot currently modify them.
In the
Set budget amount
section, enter the following parameters:
Enter your budgeted amount:
Enter the amount for your budget.
Period:
Select the time period that the budget covers.
Budget renewal type:
Select either
Recurring budget
or
Expiring budget
. For a recurring budget, you must enter the
Start Month
and
Start Year
. For an expiring budget, you must also enter the
End Month
and
End Year
.   
Budget method:
Leave as
Fixed
, which is currently the only option.
You can set alert thresholds that automatically send you an alert and perform actions when the threshold is met. A standard set of alerts will automatically be generated for you. You can alter these alerts if desired. You can also create your own alerts by clicking
Add alert threshold
and providing these parameters for each alert:
Threshold:
The point at which the alert is triggered.
Select the type of threshold. Your options are
% of budgeted amount
and
Absolute value
.
Trigger:
Determine whether the value is
Actual
(the amount is reached) or
Forecasted
(the amount is projected to be reached within a specific time frame).
Email recipients
: Enter email addresses for everyone you want alerts sent to when the threshold is reached.
Add action:
Click this to create an action that will occur when the threshold is reached, then select from the following options. You can add multiple actions to the threshold.
IAM Policy:
Attach one or more policies to IAM identities by selecting the policy or policies you want to apply from the second (
Select an existing IAM Policy you want to apply
) table. The policy automatically affects the user that you are requesting. The most common policies are already attached for your convenience. You can click the tabs to sort among the policies and can click
Attach All
to attach all the currently listed policies. In addition, set the users, groups, and roles that you want the IAM policy to apply to from these fields. You can make multiple selections from all three categories. The user that is being created will be automatically assigned and cannot be removed.
Service Control Policy:
Select this to apply a service control policy when the threshold is reached. The most common policies are already attached for your convenience. To add one, select the policy or policies you want to apply from the second (
Select an existing Service Control Policy you want to apply
) table. You can click the tabs to sort among the policies and can click
Attach All
to attach all the currently listed policies.
Automate instances to stop for EC2 or RDS: You can choose to
Stop All EC2
(Virtual Machines),
Stop All RDS
(RDS databases), or both to halt the expenses associated with those items.
On the
Review
tab, make sure all the parameters are correct. You can go back to the tab and correct any that are in error using the
Edit
option for that section. When you are satisfied, click
Submit request
.

Retrieving user credentials

Log in to Kyndryl Modern Operations Applications.
Navigate to the
Amazon Web Services
page. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation.
On the
AWS Landing Zone
page, scroll to the
IAM Users
section.
Select the user that you want to retrieve credentials for, and click
Retrieve User Credentials
.
On the
Retrieve Credentials
page, the credentials for the user are displayed. They can be copied by clicking the
Copy
icon next to them.