Cloud Services

Enterprise Marketplace

Hyperscaler account management
Published On Jun 17, 2024 - 7:43 AM

Hyperscaler account management

Provides information about managing hyperscaler accounts in Kyndryl Modern Operations Applications.
Kyndryl Modern Operations Applications allows you to manage your hyperscaler accounts and the users who can access them using a single dashboard that also provides you with information about those accounts. Normally managing your services from a hyperscaler cloud provider involves setting up and using multiple proprietary applications on that provider’s site.
Each additional provider increases the complexity of monitoring accounts. Kyndryl Modern Operations Applications reduces the tools, skills, and workflows needed to manage your services and gives you more control of compliance and consumption with curated policy sets such as HIPAA and GDPR. The dashboard provides these features:
  • Manage multi-cloud IAM users, policies, and budgets from a consolidated dashboard
  • Manage your spending with provider budgetary controls, budget thresholds, and configurable cost reduction actions
  • Provide access to portals for users and teams
  • Use APIs programmatically to govern access to delivery, DevOps, and automation systems
Reports in AWS can only be generated every four hours. Because of this limitation, the data shown on the portal can be up to four hours old, so performed actions will not be immediately visible.
Currently only Amazon Web Services (AWS) is supported.
Navigate to the
Catalog
page. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation. In the navigation pane, click
Security & Identity
in the
Categories
section and select
Amazon
in the
Providers
section.

Terminology in Amazon Web Services

To avoid confusion, Kyndryl Modern Operations Applications uses the same terminology as the cloud provider. AWS uses the following terminology:
  • Organizational Unit (OU):
    A overarching category that is used to categorize accounts. You must set up OUs in AWS as explained here. You can use OUs to organize your deployment by region, by department, or any other divisions. OUs can include IAM and Service Control Policies  that are also applied to any accounts assigned to that OU. You can simply use the Root OU for all accounts, but this is not recommended because the Root OU generally has no restrictions on who can order what.
  • Account:
    An account is a discrete project or organization within your system. An account inherits IAM and Service Control Policies from the OU it is assigned to, and can have more polices and a budget of its own. Accounts can be created in Kyndryl Modern Operations Applications.
  • IAM User:
    A customer accesses AWS through an IAM user that assigns the policies and budget from the account that is assigned to that person.

Roles and what they can access

What functions that you can access depends on your role:

Approving requests

The
Hyperscaler Account Governance Dashboard
shows consumption across the entire organization and allows you to view specific provider, account owners, and projects. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation. The dashboard provides the following information:
  • Filters
    section: Filters the displayed information by any combination of
    Provider
    ,
    Owner
    , and
    Project
    .
  • Hyperscaler budget allocation to projects:
    Graph that shows budget broken down by owner over a selected interval.
  • Total spend vs. budget:
    Graph that shows your total spend broken down by application.
  • Recent activity:
    Shows recent system changes.
  • Accounts & Users:
    Provides a list of accounts and the IAM Users and Budgets associated with those accounts.
In addition, the compliance manager can view and approve requests. To do so, complete these steps:
  1. On the
    Hyperscaler Account Governance
    page, click the
    View & Approve Requests
    tab. The tab displays how many pending requests are currently active.
  2. On the
    View & Approve Requests
    tab, there is a
    Pending Approval
    column that shows active requests included the pertinent details, and an
    Approved
    column that shows both approved and denied requests. You can click
    Deny
    or
    Approve
    for each active request. You cannot make changes to closed requests.

Managing accounts and policies

The
Hyperscaler Account & Policy Dashboard
provides a single place where you can monitor your accounts and policies. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation. It provides the following functions:
  • Manage and configure providers:
    All available providers are listed. Any that have not been configured will have the
    Configure
    option available. For more information, see Setting up a provider. Otherwise, you can click
    Manage
    to change the account.
  • Monitor providers:
    For each configured provider, the total number of Organizational Units, Accounts, IAM Users, Policies, and Budgets is displayed, along with the OUs that can be used for account creation and recent activity in the system.

Managing your personal projects

The requestor’s
Landing Zone
provides dashboards divided by project that provides the following information for each project. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation. Select one of these options:
  • Dashboard:
    The compliance manager's dashboard that displays all accounts that the logged in user manages, regardless of provider.
  • < Provider Name >:
    The dashboard for the specific provider that shows accounts owned by the logged in user.
The Dashboard provides these graphs. You can apply filters by
Owner
,
Project
, and
Provider
to view only results that match those filters.
  • Hyperscaler budget allocation to projects:
    Graph that shows budget allocations broken down by project. This graph shows data for the current and previous quarter.
  • Total spend vs. budget:
    Graph that shows the spending as compared to the budget broken down by user. You can adjust the
    Duration
    in the upper right of the graph.
  • Recent activity:
    Shows recent system changes in the project.
  • Accounts & Users:
    Provides access to a list of accounts and the IAM Users and Budgets associated with those accounts.
  • Budgets:
    Shows the current budget status of all projects that you own.
The provider dashboards provide these sections for each project, which are available as tabs across the top:
  • Production Cost vs. Budgeted Spend Overview:
    Compares the amount spent on the project to the budgeted amount. This graph shows data for the current and previous quarter.
  • Recent activity:
    Shows recent system changes in the project.
  • Accounts & Users:
    Provides access to a list of accounts and the IAM Users and Budgets associated with those accounts.
  • Budgets:
    Shows the current budget status of all projects associated with you.
You can also retrieve the credentials of any user that you manage so that you can share those credentials with that user. To do so, in the
Accounts & Users
section, select the user and click
Retrieve User Credentials
. You can then copy the
AWS access key
and
Secret key
for the user by clicking the
Copy
icon next to each.

Setting up a provider

Before you can use a provider in Kyndryl Modern Operations Applications, you need to create an account on that provider’s website:
  • Amazon Web Services:
    AWS. You will also need to create an IAM admin user with an
    AdministratorAccess
    IAM policy attached. For more information, see Creating your first IAM admin user and user group. In addition, the
    OrganizationAccountAccessRole
    must be enabled on all member accounts for them to be managed from Kyndryl Modern Operations Applications. This role is present by default unless you explicitly modify it. For more information, see What is AWS Organizations.
Make sure to copy the access key and secret key for that account. Then complete the following steps to set up the account in Kyndryl Modern Operations Applications:
  1. Navigate to the
    Configure Management Access
    page. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation.
  2. Enter the
    access key
    and
    secret key
    for the provider account and click
    Test & Save Connection
    .The credential will be tested to see if it already exists in the system.
  3. When the account is validated, click
    Continue
    .
  4. In the
    Request Development Account
    window, the information retrieved from the provider is displayed, including the available OUs. Select the OUs that you want your requesters to be able to request new accounts in and then click
    Apply
    . The management OU (the one with the
    AdministratorAccess
    role) is labeled and should not be selected because it would give your requesters too much access to the system.
To change the credentials that you sign in to the provider with, click
Manage
for the provider and click the
Edit
icon next to email address of the administrator. You are then taken to the access key and secret key window where you can enter the new information.

Creating a user account

To request a user account, navigate to the
Request Development Account
page by completing these steps and then completing the next four sections.
  1. Navigate to the
    Catalog
    . To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation.
  2. In the
    Navigation
    pane, click
    Security & Identity
    .
  3. On the
    Security & Identity
    page, click
    Account-Development Account
    for the provider. You will have three type options by default. Other options can be added in addition to these.
    • Advanced:
      An account with few preconfigured privileges to be used for customized access.   
    • Development:
      An account with privileges and policies designed for development tasks.   
    • Privileged:
        An account with high level privileges.
Adding account details
To add account details, complete these steps on the
Account Details
tab and then click
Next
:
  1. Select an Organization Unit:
    Select the organization unit that you want to use.
  2. AWS account name:
    Enter the name of the AWS account that you want to use.
  3. Email address of the account’s owner:
    Enter the email address of the person you want to be the owner of this account. If this is not you, select
    No
    in the toggle next to this field. This email will be validated when you click
    Next
    .
  4. Tags:
    This section can be used to create key-value pairs that you can add to your AWS resources so that you can identify and track them more efficiently. A standardized set of pairs will be automatically created based on the information that you have entered. You can create up to 50 additional tags. To create a tag, click
    Add Tag
    and fill out the following fields. To delete one, click the
    Trash Can
    icon next to it.
    • Key:
      The category of the tag. You can have multiple values for each key.   
    • Value:
      The specific value of the tag.   
    • Description:
      An optional description of the tag.
Adding service control policies
The
Service Control Policies
tab allows you to create and attach service control policies, which allow you to manage the permissions assigned to users, groups, or roles assigned in your organization. You are not required to add service control policies. Any policies assigned to root or to organizational units (OUs) can be inherited by child OUs and accounts.
The
Service control policies
section lists all policies that are currently attached to the account. A set of most used policies for the type of account you selected are automatically attached, as well as any policies inherited from the OU. You can add additional policies provided by the provider by clicking the
Attach
icon next to them in the
Attach policies
section. You can also click
Attach All
to attach all the displayed policies. When you are done, click
Next
.
Policies are listed as being
Strongly Recommended Guardrails
,
Mandatory Guardrails
, and
Elective Guardrails
based on how they are categorized by the provider, as well as
Deny All
and
Custom Policies
.
To create a policy, click
Create Policy
, complete the following fields and then click
Create
:
  • Policy Name:
    Enter a descriptive name for your policy.
  • Description:
    Optionally, add a detailed description of the function of the policy.
  • Policy as Code:
    Paste the contents of your policy JSON into this field. 
Assigning budgets
Use the
Budget
tab to assign budgets and configure thresholds and actions for those budgets. Multiple thresholds can be set for a budget, and multiple actions can be triggered when a specific threshold is reached.
See the following websites for more information about budgets in specific providers:
Complete the following steps to create a budget and thresholds, then click
Next
:
  1. Assign a budget by entering the following parameters:
    • Budget name:
      Enter a name for your budget.   
    • Budget scope:
      These selections are preset based on common practices. You cannot currently modify them.   
    • In the
      Set budget amount
      section, enter the following parameters:
      • Enter your budgeted amount:
        Enter the amount for your budget.       
      • Period:
        Select the time period that the budget covers.       
      • Budget renewal type:
        Select either
        Recurring budget
        or
        Expiring budget
        . For a recurring budget, you must enter the
        Start Month
        and
        Start Year
        . For an expiring budget, you must also enter the
        End Month
        and
        End Year
        .       
      • Budget method:
        Leave as
        Fixed
        , which is currently the only option.
  2. You can set alert thresholds that automatically send you an alert and perform actions when the threshold is met. You can set multiple thresholds. Click
    Add alert threshold
    and provide these parameters for each alert:
    • Threshold:
      The point at which the alert is triggered.   
    • Select the type of threshold. Your options are
      % of budgeted amount
      and
      Absolute value
      .
    • Trigger:
      Determine whether the value is
      Actual
      (the amount is reached) or
      Forecasted
      (the amount is projected to be reached within a specific time frame).
    • Email recipients:
      Enter the email addresses for everyone you want alerts sent to when the threshold is reached.
    • Add action:
      Click this to create an action that will occur when the threshold is reached, then select from the following options. You can add multiple actions to the threshold.
      • IAM Policy:
        Attach one or more policies to IAM identities by selecting the policy or policies you want to apply from the second (
        Select an existing IAM Policy you want to apply
        ) table. The most common policies are already attached for your convenience. You can click the tabs to sort among the policies and can click
        Attach All
        to attach all the currently listed policies. In addition, set the users, groups, and roles that you want the IAM policy to apply to from these fields. You can make multiple selections from all three categories. Policies are listed as being
        Strongly Recommended Guardrails
        ,
        Mandatory Guardrails
        , and
        Elective Guardrails
        based on how they are categorized by the provider, as well as
        Deny All
        and
        Custom Policies
        .
      • Service Control Policy:
        Select this to apply a service control policy when the threshold is reached. The most common policies are already attached for your convenience. To add one, select the policy or policies you want to apply from the second (
        Select an existing Service Control Policy you want to apply
        ) table. You can click the tabs to sort among the policies and can click
        Attach All
        to attach all the currently listed policies. Policies are listed as being
        Strongly Recommended Guardrails
        ,
        Mandatory Guardrails
        , and
        Elective Guardrails
        based on how they are categorized by the provider, as well as
        Deny All
        and
        Custom Policies
        .
      • Automate instances to stop for EC2 or RDS:
        You can choose to
        Stop All EC2
        (Virtual Machines),
        Stop All RDS
        (RDS databases), or both to stop the expenses associated with those items.
Reviewing your parameters
On the
Review
tab, make sure all the parameters are correct. You can go back to the tab and correct any that are in error using the
Edit
option for that section. When you are satisfied, click
Submit request
.

Requesting an IAM user

To allow your users to work with the provider, you need to add them as IAM users. To get to the
Request Development IAM User
page, complete these steps:
  1. Navigate to the
    Catalog
    . To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation.
  2. In the Navigation pane, click
    Security & Identity
    .
  3. On the
    Security & Identity
    page, click
    IAM User-Development User
    for the provider. You will have three type options by default. Other options can be added in addition to these.
    • Advanced:
      A user with few preconfigured privileges to be used for customized access.   
    • Development:
      A user with privileges and policies designed for development tasks.   
    • Privileged:
        A user with high level privileges.
Complete these steps to create a user:
  1. On the
    Set user details & access type
    tab, click either
    Raising a request for yourself
    or
    Raising a request on another account owner’s behalf
    . If you select the second option, enter the email address of that person. Otherwise your email will appear in the field automatically.
  2. Click
    Select OU
    .
  3. In
    Select the Organization Unit
    , choose the unit that you want to use.
  4. In
    Select an Account
    , select the account from the unit that you want to use.
    As a security feature, you can only request that an IAM User be created for accounts that you are listed as the owner of.  If the account does not have an owner, you can add an email address for a new owner in the
    Email address of the account’s owner
    field. This new owner will be assigned when the request is approved.
  5. In the
    Set new IAM User details
    section, enter the following parameters:
    • User name:
      Provide a name for the new user.
    • Select AWS credential type:
      Select one or both of these options:
      • Access key - Programmatic access:
        Enables an access key ID and secret access key so that the user has access to the AWS API, CLI, SDK, and other development tools.
      • Password - AWS Management Console access:
        Enables a password that allows the user to access the AWS Management Console. If you select this option, you must provide a
        Custom password
        that contains at least 32 characters and at least one upper case character, one special character, and a digit. This is an initial password that the user will be required to change when first logging in to the provider.
  6. Click
    Next
    at the top of the page.
  7. On the
    Set permissions
    tab, select from these options and then click
    Next
    :
    • Copy permissions from existing user:
      Select the user that you want to copy the permissions from.
    • Attach existing policies directly:
      Policies that are inherited from the account are automatically attached. Select one or more policies that you want to add from the
      Attach policies
      section and click the
      Attach
      icon next to the ones that you want to add. The
      IAMUserChangePassword
      policy is attached by default. This policy allows the user to change their password on initial login and should not be removed. You can also click
      Attach All
      . To create a policy, click
      Create Policy
      , complete the following fields and then click
      Create
      :
      • Policy Name:
        Enter a descriptive name for your policy.
      • Description:
        Optionally, add a detailed description of the function of the policy.
      • Policy as Code:
        Paste the contents of your policy JSON into this field.
  8. On the
    View & Add additional IAM User Tags
    tab, you can optionally add tags to your user that help identify, organized, and secure your AWS resources. A set of standard tags based on the account are added automatically and cannot be altered. You can create up to 50 tags. To create a tag, click
    Add Tag
    and fill in the following parameters.  You can click
    Delete
    to remove erroneous tags. When you are done, click
    Next
    .
    • Key:
      The key (group attribute) for the tag.
    • Value:
      The specific attribute for the tag.
    • Description:
      An optional explanation of the tag.
  9. On the
    Budget
    tab, select from among these options, enter the appropriate information about the budget you want to use, and click
    Next
    :
    • Select one or both of the following options:
      • Control using Service Control Policy (SCP) at the Organization level:
        Select this option if you want to use the Budget definition for other accounts and IAM users.
      • Control using IAM Policy, for the requested IAM User:
        Select if you want to create a budget that only applies to the user you are creating.
    • Budget name:
      Enter a name for your budget.
    • Budget scope:
      These selections are preset based on common practices. You cannot currently modify them.
    • In the
      Set budget amount
      section, enter the following parameters:
      • Enter your budgeted amount:
        Enter the amount for your budget.
      • Period:
        Select the time period that the budget covers.
      • Budget renewal type:
        Select either
        Recurring budget
        or
        Expiring budget
        . For a recurring budget, you must enter the
        Start Month
        and
        Start Year
        . For an expiring budget, you must also enter the
        End Month
        and
        End Year
        .   
      • Budget method:
        Leave as
        Fixed
        , which is currently the only option.
      • You can set alert thresholds that automatically send you an alert and perform actions when the threshold is met. A standard set of alerts will automatically be generated for you. You can alter these alerts if desired. You can also create your own alerts by clicking
        Add alert threshold
        and providing these parameters for each alert:
        • Threshold:
          The point at which the alert is triggered.
        • Select the type of threshold. Your options are
          % of budgeted amount
          and
          Absolute value
          .
        • Trigger:
          Determine whether the value is
          Actual
          (the amount is reached) or
          Forecasted
          (the amount is projected to be reached within a specific time frame).
        • Email recipients
          : Enter email addresses for everyone you want alerts sent to when the threshold is reached.
        • Add action:
          Click this to create an action that will occur when the threshold is reached, then select from the following options. You can add multiple actions to the threshold.
          • IAM Policy:
            Attach one or more policies to IAM identities by selecting the policy or policies you want to apply from the second (
            Select an existing IAM Policy you want to apply
            ) table. The policy automatically affects the user that you are requesting. The most common policies are already attached for your convenience. You can click the tabs to sort among the policies and can click
            Attach All
            to attach all the currently listed policies. In addition, set the users, groups, and roles that you want the IAM policy to apply to from these fields. You can make multiple selections from all three categories. The user that is being created will be automatically assigned and cannot be removed.
          • Service Control Policy:
            Select this to apply a service control policy when the threshold is reached. The most common policies are already attached for your convenience. To add one, select the policy or policies you want to apply from the second (
            Select an existing Service Control Policy you want to apply
            ) table. You can click the tabs to sort among the policies and can click
            Attach All
            to attach all the currently listed policies.
          • Automate instances to stop for EC2 or RDS: You can choose to
            Stop All EC2
            (Virtual Machines),
            Stop All RDS
            (RDS databases), or both to halt the expenses associated with those items.
  10. On the
    Review
    tab, make sure all the parameters are correct. You can go back to the tab and correct any that are in error using the
    Edit
    option for that section. When you are satisfied, click
    Submit request
    .

Retrieving user credentials

After you have created users, you must send their credentials to them before they can use the system. To retrieve the credentials for a user, complete these steps:
  1. Log in to Kyndryl Modern Operations Applications.
  2. Navigate to the
    Amazon Web Services
    page. To learn more about navigating to the different services from each tenant, refer to Landing page navigation or Kyndryl Bridge Landing page navigation.
  3. On the
    AWS Landing Zone
    page, scroll to the
    IAM Users
    section.
  4. Select the user that you want to retrieve credentials for, and click
    Retrieve User Credentials
    .
  5. On the
    Retrieve Credentials
    page, the credentials for the user are displayed. They can be copied by clicking the
    Copy
    icon next to them.
Do you have two minutes for a quick survey?
Take Survey