🚀 AWS Automatic Onboarding

This article describes how to get started with automatic onboarding with AWS.

Automatic Onboarding simplifies onboarding by running a script that validates your environment and automates the setup of AWS permissions, policies, and data collection configurations.

Before starting the flow, ensure that:

  • You have AWS organization permissions to create IAM roles.
  • The account you want to onboard is a payer account (not a linked account).

From the Accounts dropdown list, click Add account and then click the AWS icon.

Automatic Onboarding Process Flow

The automatic onboarding script:

  1. Creates an IAM role in the payer account, allowing Umbrella to access cost data securely.
  2. Attaches the required policy to the role, to grant the necessary permissions.
  3. Configures the Cost and Usage Report (CUR) with the proper configuration.
  4. Creates an S3 bucket to host the CURs and configures Umbrella's access to it (SNS notification).
  5. (Optional) Connects linked accounts to Umbrella Cost:
    • A CloudFormation stack will create an IAM Policy and Role for each linked account in your organization, allowing Umbrella to provide recommendations for every linked account.
    • The setup also includes automatic detection of future linked accounts, ensuring roles and policies are created for them automatically.
    • Up to one hour after onboarding is complete, we’ll validate the linked accounts automatically. No action is needed on the platform. After validation, the linked accounts will appear as connected on the Linked Accounts page.

ℹ️

Onboarding Script Validations Purpose and Actions

To ensure a smooth onboarding experience, our script performs multiple validations:

  1. Ensures onboarding is performed on a payer account, not a linked account.
  2. Validates that Cost & Usage Reports (CUR) are enabled, correctly configured, and stored in an accessible S3 bucket.
  3. Checks whether Umbrella's IAM role already exists.
  4. Ensures the provided S3 bucket name is valid or already exists.
  5. Checks whether the required Lambda/Stack already exists.

Automatic Onboarding Wizard Steps

Choose how you would like to complete the onboarding

1. AWS Details

Enter your AWS Root Account ID, select the account name that will be displayed in Umbrella, and click Next.
Note: By default, we will create the bucket that will host the CUR files in the us-east-1 region.

2. Validate Access

Download the two files (AnodotPayer.yaml + Connect2Anodot.sh).

There are two common options to run the script:

1. Automatic onboarding using CloudShell 💫

  1. In the AWS console navigate to CloudShell.
  2. Click on Action > Upload file, and upload the file AnodotPayer.yaml you just downloaded.
  3. Repeat step #2 for the file AnodotLinkedAccounts.yaml (If you selected the option to connect linked accounts).
  4. Repeat step #2 for the file deploy_anodot.sh.
  5. Run the command bash ./deploy_anodot.sh (this will run the script).
  6. Go to the AWS CloudFormation page.
  7. When the status of the Stack anodot-Onboarding changes to CREATE_COMPLETE, it means the process is complete. You can now return to the Umbrella console and click Next to continue.

Note:

  • The files should be named as indicated above, avoiding duplicates such as AnodotPayer(1).yaml, AnodotPayer(2).yaml.

  • If you selected the option to connect linked accounts, you will see two stacks. There is no need to wait for the linked accounts stack to complete before continuing the onboarding process in the Umbrella console.


2. Automatic onboarding general flow (Preferred workspace such as Terminal)

  1. Prepare the AWS profile for your management account in AWS. If you do not have the profile name at hand, run the following command to see your configured profiles: cat ~/.aws/config
  2. To verify that this is the account you want to onboard, run the following commands:
    1. export AWS_PROFILE=<profile-name>
    2. aws sts get-caller-identity
  3. Run the script by running the command: bash ./deploy_anodot.sh
  4. Go to the Umbrella platform, and click Next.
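The script creates IAM roles, so it is worth confirming the target before step 3. The following pre-flight check is an added example, not part of the Umbrella onboarding files: it confirms the active credentials belong to the intended account, that the account is the organization's management (payer) account, and that the downloaded files carry their exact names. It assumes the AWS CLI is installed with AWS_PROFILE exported as in step 2, and uses the file names from the CloudShell steps; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before deploy_anodot.sh.
# Usage (assumed): sh preflight.sh <12-digit-account-id> [directory-with-files]

# Succeeds only if the active credentials belong to the expected account.
check_identity() {
    expected="$1"
    actual=$(aws sts get-caller-identity --query Account --output text) || return 2
    [ "$actual" = "$expected" ]
}

# Succeeds only if the account is the organization's management (payer) account.
check_payer() {
    account="$1"
    mgmt=$(aws organizations describe-organization \
        --query Organization.MasterAccountId --output text) || return 2
    [ "$mgmt" = "$account" ]
}

# Succeeds only if the expected files exist with their exact names and no
# browser-renamed duplicates such as "AnodotPayer(1).yaml" sit beside them.
check_files() {
    dir="$1"
    [ -f "$dir/AnodotPayer.yaml" ] && [ -f "$dir/deploy_anodot.sh" ] || return 1
    for f in "$dir"/Anodot*\(*\).yaml "$dir"/deploy_anodot*\(*\).sh; do
        [ -e "$f" ] && return 1
    done
    return 0
}

# Runs all checks and stops at the first failure with a reason on stderr.
preflight() {
    account="$1"; dir="${2:-.}"
    check_identity "$account" || { echo "credentials are not for account $account" >&2; return 1; }
    check_payer "$account" || { echo "$account is not the management (payer) account" >&2; return 1; }
    check_files "$dir" || { echo "missing or duplicated onboarding files in $dir" >&2; return 1; }
    echo "pre-flight checks passed for account $account"
}

# Only run when an account ID is passed on the command line.
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A non-zero exit means the script should not be run yet; fix the profile or file names first.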

Validating Account

After you click Next, Umbrella validates all your AWS details. This step can take up to 1 hour.
We will inform you once the validation is done so that you can connect your linked accounts. Note: If you do not want to connect your linked accounts, you can ignore the email; we will notify you again once the entire process is done and you can see data in your account.


3. (Optional) Linked Account Status

Connect your linked accounts to Umbrella to see recommendations.

  • If you connected your linked accounts automatically as part of the onboarding automation, skip this step.
  • If not, for guidance on how to connect your linked accounts, click here.

4. Process Data

This step can take up to 48 hours (depending on when we receive your files from AWS).
We will notify you by email once it is done and you can see data in your account.

🔔

For Umbrella Cost to be able to create recommendations for your account, you will need to connect all the linked accounts to the platform. You can find the full instructions here.