To You can configure AWS in Aquila Clouds , perform in any one of the following tasksways:
| Table of Contents | ||||
|---|---|---|---|---|
|
Define permissions for billing reports
...
Configuring without using the Cloud Formation Template
To configure AWS in Aquila Clouds without using the Cloud Formation Template, perform the following tasks:
| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
Define permissions for billing reports
This section lists the permissions that enable billing reports of your organization's AWS resources on the Aquila Clouds platform.
{
"Version": 2012-10-17,
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME",
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
Define permissions for organizational metadata
This section lists the permissions that are required to get the organizational metadata on the Aquila Clouds platform.
{ "Version": "2012-FinOps platform. This enables you to fetch metadata for multiple customers associated with a master account. For instance, if Customer A and B are associated with a master account, these permissions enable to fetch the metadata for both customers.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
}
]
}
Configuring IAM role related permissions in AWS
To properly monitor and manage AWS on the Aquila Clouds platform, on the AWS platform, create an IAM role for Aquila Clouds and assign all the permissions to that role. We recommend you use Aquila Clouds' Role Creator application to create and configure the IAM role for Aquila Clouds.
If you cannot use the Role Creator application, see the following steps to create and configure an IAM role in AWS platform.
Before you begin: Identify the permissions required for your organization's setup.
If you want to use the Aquila Clouds platform only for monitoring AWS VMs, assign only the following two permissions to the IAM role.
AmazonEC2ReadOnlyAccess
CloudWatchReadOnlyAccess
Configuring IAM role related permissions in AWS
Log in to the AWS management console
Open the IAM console and from the navigation pane, choose Roles > Create Role page.
Choose the Another AWS account role type.
For Account ID, type 813367342454. This is AWS Account ID for Aquila Clouds.
Select the Require external ID check box, to enhance security.
In the External ID box, type A2I_COMPANY_EXTERNAL_ID.
Choose Next: Permissions.
Select the check box for the required permission.
Note: Aquila Clouds recommends assigning all permissions to the IAM role to effectively use the Aquila Clouds platform.
Choose Next: Review.
For Role name, type a name for your role. Role names must be unique within your AWS account.
Click Create Role.
Navigate to the Roles page and open the new role.
Select the Trust relationships tab and click Edit trust relationship.
In the Policy Document, next to the Account ID, replace root with user/aquila_product_user.
Save the Policy Document and in the Role Summary, copy the ARN for the role and add it in the Add Environment page of Aquila Clouds.
Figure 1: TRUST RELATIONSHIPS SCREEN The IAM role is created and configured in the AWS platform for Aquila Clouds.
...
Configuring access to billing details in AWS
You can create an S3 bucket, billing reports of required resources and configure AWS to store billing reports in the new S3 bucket.
Note: If you do not create an S3 bucket, Aquila Clouds will still be able to display the billing reports in the Aquila Clouds platform. These reports will be based on the standard billing rates available from AWS and will not include any user/organization specific discounts (if any).
Configuring IAM role related permissions in AWS
Login to the Amazon S3 console. Create an S3 bucket to store the daily billing reports of your AWS resources that are generated by AWS.
In the AWS Billing and Cost Management console, create a billing report and schedule daily generation of AWS cost and usage report.
On the navigation pane, choose Cost & Usage Reports.
Choose Reports > Create Report.
For Report name, type the name for your report.
For Additional report details, select Include resource IDs to associate resources with business services and click Next.
In the Configure S3 bucket, select the S3 bucket created in Step 1.
For the Report path prefix, define the required prefix to be prepended to the name of the report.
Note: If you don't specify a prefix, the default prefix is the name that you specified for the report in Step c and the date range for the report, in the following format:
/report-name/date-range/
For Time granularity, select Daily to aggregate report data every day.
Enable the Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills checkbox.
Click Next.
Review the settings and click Review and Complete.
S3 bucket is created and AWS is configured to store billing details in the new S3 bucket.
Creating IAM role related policy to grant access to the S3 bucket
You can grant the access of S3 bucket to the IAM role created for Aquila Clouds platform.
Creating IAM role related policy to grant access to the S3 bucket
In the AWS Management Console, in the navigation pane, choose Policies.
On the Welcome to Managed Policies page, click Create Policy.
Choose Create Policies with the Visual Editor.
On the Visual editor tab, choose Choose a service.
Select S3 service.
Choose Select Actions and in the Access level group, select the List and Read check boxes.
In the Resources group, select Specific.
In the bucket section, click Add ARN.
In the Add ARN dialog box, type the required bucket name in the Bucket name box and click Add. For instance, set the bucket name to aquila-billing-bucket.
In the object section, click Add ARN.
In the Add ARN dialog box, type the same bucket name as used for Add ARN (in Step 9) and in the Object name box type *{}(wildcard) and select the Any check box for the Object name. Verify the bucket name and object name in the Specify ARN for Object box. For instance, for the bucket name set to aquila-billing-bucket, the text in Specify ARN for Object box is set to arn:aws:s3::: aquila-billing-bucket/{*}.
This grants permissions to any resource of aquila-billing-bucket type.Figure 3: ADD ARN FOR OBJECT SCREEN
...
Click Add.
Click Review policy and type Name and Description for the new policy.
Review the policy summary and click Create Policy.
AWS creates the new policy for Aquila Clouds.
In the navigation pane, choose Policies.
From the policies list, select the new policy and in the Policy actions, choose Attach.
Select the IAM role for Aquila Clouds to attach to the policy and choose Attach Policy.
AWS attaches the new policy to the IAM role for Aquila Clouds.
Navigate to S3 > Buckets and open the bucket for Aquila Clouds.
In the Json permissions code, set the <bucketname> to the name of the S3 bucket created for Aquila Clouds.
{
Version: 2012-10-17,
Statement: [
{
Effect: Allow,
Principal: {
AWS: 386209384616
},
Action: [
s3:GetBucketAcl,
s3:GetBucketPolicy
],
Resource: arn:aws:s3:::<bucketname>
},
{
Effect: Allow,
Principal: {
AWS: 386209384616
},
Action: s3:PutObject,
Resource: arn:aws:s3:::<bucketname>/*
}
]
}
Note: Ensure that you do not change the AWS Principal number 386209384616.
This enables AWS to send billing reports to the S3 bucket.
Adding AWS environment to Aquila Clouds
In the Aquila Clouds platform, add the AWS environment details to enable monitoring and management of your AWS resources from the Aquila Clouds platform.
Before you begin: Get the following details from your AWS environment:
ARNs
Payee Account ID
Billing bucket name and region
Billing report prefix and name
Adding AWS environment to Aquila Clouds
...
On the side navigation bar, select Administration tab.
...
On the Administration tab, click Environments.
...
On the Environments page, click Add.
...
On the Add Environment page, toggle on Active.
...
In the Environment Type group, select Amazon AWS.
...
In the Name of the environment, type the name of AWS environment.
...
Enter the following details for the connection parameters:
Bill as Master Account Level: Toggle on to use this account as the master account level.
ARN List: Type ARN or list of ARNs that are configured in AWS for permitting access of your AWS environment to the Aquila Clouds platform.
Note: You would typically have a list of ARNs for managing a set of related accounts (root and its sub accounts together) by Aquila Clouds. For a set of related accounts, add the ARNs in another Environment.Payee Account Id: Type the payee account ID of the AWS environment required to be managed from the Aquila Clouds platform. If an explicit Payee Account is not designated, you can type the root account ID.
Billing Bucket Name: Type the name of the S3 bucket created in AWS for Aquila Clouds.
Billing Bucket Region: Type the region code for the region that S3 bucket is created. For instance, for Ohio the region code is us-east-2.
Billing Report Prefix: Type the billing prefix as defined in the AWS environment without using '/'.
Billing Report Name: Type the name of the billing report configured in AWS for Aquila Clouds platform.
...
Click Apply.
...
Permissions for cost optimization recommendations
This section lists the permissions that enable the cost optimization recommendations in Aquila Clouds FinOps platform for your organization’s AWS resources.
ec2:DescribeSnapshots,
ec2:DescribeVolumes,
ec2:DescribeVolumeStatus,
ec2:DescribeSnapshotAttribute,
ec2:DescribeInstances,
ec2:DescribeVolumeAttribute,
ec2:DescribeInstanceStatus,
ec2:DescribeTags,
ecs:List*,
ecs:Describe*,
eks:List*,
eks:Describe*,
ec2:Describe*,
elasticloadbalancing:Describe*,
cloudwatch:ListMetrics,
cloudwatch:GetMetricStatistics,
cloudwatch:GetMetricData,
cloudwatch:Describe*,
autoscaling:Describe*,
Permissions for supporting cost optimization actions based on the recommendations
This section lists the permissions that enable cost optimization actions based on the recommendations in the OPTIMIZER tab in the Aquila Clouds FinOps platform for your organization’s AWS resources.
ec2:CopySnapshot
ec2:ModifyVolumeAttribute,
ec2:CreateImage,
ec2:ResetInstanceAttribute,
ec2:CopyImage,
ec2:StartInstances,
ec2:StopInstances
ec2:ImportSnapshot,
ec2:CreateLaunchTemplateVersion,
ec2:CreateLaunchTemplate,
ec2:ModifyInstanceCreditSpecification,
ec2:AssociateIamInstanceProfile
ec2:UnmonitorInstances
ec2:MonitorInstances,
ec2:ReportInstanceStatus,
ec2:DeleteVolume,
ec2:ModifySnapshotAttribute,
ec2:StartInstances,
ec2:CreatePlacementGroup,
ec2:ImportImage,
ec2:DetachVolume,
ec2:ModifyVolume,
ec2:ResetImageAttribute,
ec2:CreateTags,
ec2:RegisterImage,
ec2:ModifyInstanceEventStartTime,
ec2:RunInstances,
ec2:StopInstances,
ec2:CreateVolume,
ec2:EnableVolumeIO,
ec2:AttachVolume,
ec2:ImportVolume,
ec2:RequestSpotInstances,
ec2:DeleteTags,
ec2:RunScheduledInstances,
ec2:RequestSpotFleet,
ec2:ModifyImageAttribute,
ec2:CreateSnapshot,
ec2:ModifyInstanceAttribute,
ec2:ModifyReservedInstances,
ec2:RebootInstances,
ec2:CreateInstanceExportTask,
ec2:ModifyInstancePlacement,
ec2:TerminateInstances,
ec2:ImportInstance,
ec2:ResetSnapshotAttribute,
ec2:ModifyInstanceCapacityReservationAttributes
Comprehensive set of permissions for the entire set of features
This section lists comprehensive set of permissions for the entire set of features in the Aquila Clouds FinOps platform for your organization’s AWS resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:CopySnapshot",
"ec2:DescribeInstances",
"ec2:UnmonitorInstances",
"ec2:ModifyVolumeAttribute",
"ec2:MonitorInstances",
"ec2:CreateImage",
"ec2:ResetInstanceAttribute",
"ec2:CopyImage",
"ec2:DescribeSnapshots",
"ec2:ReportInstanceStatus",
"ec2:DeleteVolume",
"ec2:DescribeVolumeStatus",
"ec2:ModifySnapshotAttribute",
"ec2:StartInstances",
"ec2:CreatePlacementGroup",
"ec2:DescribeVolumes",
"ec2:ImportImage",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:ResetImageAttribute",
"ec2:CreateTags",
"ec2:DescribeSnapshotAttribute",
"ec2:RegisterImage",
"ec2:ModifyInstanceEventStartTime",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:DescribeVolumeAttribute",
"ec2:CreateVolume",
"ec2:EnableVolumeIO",
"ec2:ModifyInstanceCapacityReservationAttributes",
"ec2:AttachVolume",
"ec2:ImportVolume",
"ec2:RequestSpotInstances",
"ec2:DeleteTags",
"ec2:RunScheduledInstances",
"ec2:RequestSpotFleet",
"ec2:ModifyImageAttribute",
"ec2:CreateSnapshot",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyReservedInstances",
"ec2:DescribeInstanceStatus",
"ec2:RebootInstances",
"ec2:CreateInstanceExportTask",
"ec2:ModifyInstancePlacement",
"ec2:TerminateInstances",
"ec2:ImportInstance",
"ec2:DescribeTags",
"ec2:ResetSnapshotAttribute",
"ec2:ImportSnapshot",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateLaunchTemplate",
"ec2:ModifyInstanceCreditSpecification",
"ec2:AssociateIamInstanceProfile",
"ecs:List*",
"ecs:Describe*",
"eks:List*",
"eks:Describe*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData",
"cloudwatch:Describe*",
"autoscaling:Describe*",
"ec2:DescribeInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"rds:DescribeReservedDBInstances",
"rds:ListTagsForResource",
"rds:DescribeDBInstances",
"rds:DescribeDBParameters",
"pi:*",
"rds:DescribeDBClusters"
],
"Resource": "*"
}
]
}
Configuring IAM role related permissions in AWS
To properly monitor and manage AWS on the Aquila Clouds platform, on the AWS platform, create an IAM role for Aquila Clouds and assign all the permissions to that role. We recommend you use Aquila Clouds' Role Creator application to create and configure the IAM role for Aquila Clouds.
If you cannot use the Role Creator application, see the following steps to create and configure an IAM role in AWS platform.
Before you begin: Identify the permissions required for your organization's setup.
If you want to use the Aquila Clouds platform only for monitoring AWS VMs, assign only the following two permissions to the IAM role.
AmazonEC2ReadOnlyAccess
CloudWatchReadOnlyAccess
Configuring IAM role related permissions in AWS
Log in to the AWS management console
Open the IAM console and from the navigation pane, choose Roles > Create Role page.
Choose the Another AWS account role type.
For Account ID, type 813367342454. This is AWS Account ID for Aquila Clouds.
Select the Require external ID check box, to enhance security.
In the External ID box, type A2I_COMPANY_EXTERNAL_ID.
Choose Next: Permissions.
Select the check box for the required permission.
Note: Aquila Clouds recommends assigning all permissions to the IAM role to effectively use the Aquila Clouds platform.
Choose Next: Review.
For Role name, type a name for your role. Role names must be unique within your AWS account.
Click Create Role.
Navigate to the Roles page and open the new role.
Select the Trust relationships tab and click Edit trust relationship.
In the Policy Document, next to the Account ID, replace root with user/aquila_product_user.
Save the Policy Document and in the Role Summary, copy the ARN for the role and add it in the Add Environment page of Aquila Clouds.
Figure 1: TRUST RELATIONSHIPS SCREEN The IAM role is created and configured in the AWS platform for Aquila Clouds.
...
Configuring access to billing details in AWS
You can create an S3 bucket, billing reports of required resources and configure AWS to store billing reports in the new S3 bucket.
Note: If you do not create an S3 bucket, Aquila Clouds will still be able to display the billing reports in the Aquila Clouds platform. These reports will be based on the standard billing rates available from AWS and will not include any user/organization specific discounts (if any).
Configuring IAM role related permissions in AWS
Login to the Amazon S3 console. Create an S3 bucket to store the daily billing reports of your AWS resources that are generated by AWS.
In the AWS Billing and Cost Management console, create a billing report and schedule daily generation of AWS cost and usage report.
On the navigation pane, choose Cost & Usage Reports.
Choose Reports > Create Report.
For Report name, type the name for your report.
For Additional report details, select Include resource IDs to associate resources with business services and click Next.
In the Configure S3 bucket, select the S3 bucket created in Step 1.
For the Report path prefix, define the required prefix to be prepended to the name of the report.
Note: If you don't specify a prefix, the default prefix is the name that you specified for the report in Step c and the date range for the report, in the following format:
/report-name/date-range/
For Time granularity, select Daily to aggregate report data every day.
Enable the Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills checkbox.
Click Next.
Review the settings and click Review and Complete.
S3 bucket is created and AWS is configured to store billing details in the new S3 bucket.
Creating IAM role related policy to grant access to the S3 bucket
You can grant the access of S3 bucket to the IAM role created for Aquila Clouds platform.
Creating IAM role related policy to grant access to the S3 bucket
In the AWS Management Console, in the navigation pane, choose Policies.
On the Welcome to Managed Policies page, click Create Policy.
Choose Create Policies with the Visual Editor.
On the Visual editor tab, choose Choose a service.
Select S3 service.
Choose Select Actions and in the Access level group, select the List and Read check boxes.
In the Resources group, select Specific.
In the bucket section, click Add ARN.
In the Add ARN dialog box, type the required bucket name in the Bucket name box and click Add. For instance, set the bucket name to aquila-billing-bucket.
In the object section, click Add ARN.
In the Add ARN dialog box, type the same bucket name as used for Add ARN (in Step 9) and in the Object name box type *{}(wildcard) and select the Any check box for the Object name. Verify the bucket name and object name in the Specify ARN for Object box. For instance, for the bucket name set to aquila-billing-bucket, the text in Specify ARN for Object box is set to arn:aws:s3::: aquila-billing-bucket/{*}.
This grants permissions to any resource of aquila-billing-bucket type.Figure 3: ADD ARN FOR OBJECT SCREEN.
Click Add.
Click Review policy and type Name and Description for the new policy.
Review the policy summary and click Create Policy.
AWS creates the new policy for Aquila Clouds.In the navigation pane, choose Policies.
From the policies list, select the new policy and in the Policy actions, choose Attach.
Select the IAM role for Aquila Clouds to attach to the policy and choose Attach Policy.
AWS attaches the new policy to the IAM role for Aquila Clouds.Navigate to S3 > Buckets and open the bucket for Aquila Clouds.
In the Json permissions code, set the <bucketname> to the name of the S3 bucket created for Aquila Clouds.
{
Version: 2012-10-17,
Statement: [
{
Effect: Allow,
Principal: {
AWS: 386209384616
},
Action: [
s3:GetBucketAcl,
s3:GetBucketPolicy
],
Resource: arn:aws:s3:::<bucketname>
},
{
Effect: Allow,
Principal: {
AWS: 386209384616
},
Action: s3:PutObject,
Resource: arn:aws:s3:::<bucketname>/*
}
]
}
Note: Ensure that you do not change the AWS Principal number 386209384616.
This enables AWS to send billing reports to the S3 bucket.
Adding AWS environment to Aquila Clouds
In the Aquila Clouds platform, add the AWS environment details to enable monitoring and management of your AWS resources from the Aquila Clouds platform.
Before you begin: Get the following details from your AWS environment:
ARNs
Payee Account ID
Billing bucket name and region
Billing report prefix and name
Adding AWS environment to Aquila Clouds
On the side navigation bar, select Administration tab.
On the Administration tab, click Environments.
On the Environments page, click Add.
On the Add Environment page, toggle on Active.
In the Environment Type group, select Amazon AWS.
In the Name of the environment, type the name of AWS environment.
Enter the following details for the connection parameters:
Bill as Master Account Level: Toggle on if this is an AWS master account and to use this master account to consolidate all billing information at this account level.
ARN List: Type ARN or list of ARNs that are configured in AWS for permitting access of your AWS environment to the Aquila Clouds platform.
Note: You would typically have a list of ARNs for managing a set of related accounts (root and its sub accounts together) by Aquila Clouds. For a set of related accounts, add the ARNs in another Environment.Payee Account Id: Type the payee account ID of the AWS environment required to be managed from the Aquila Clouds platform. If an explicit Payee Account is not designated, you can type the root account ID.
Billing Bucket Name: Type the name of the S3 bucket created in AWS for Aquila Clouds.
Billing Bucket Region: Type the region code for the region that S3 bucket is created. For instance, for Ohio the region code is us-east-2.
Billing Report Prefix: Type the billing prefix as defined in the AWS environment without using '/'.
Billing Report Name: Type the name of the billing report configured in AWS for Aquila Clouds platform.
Click Apply.
Review the environment details and click Do you wish to confirm?. AWS environment is configured in Aquila Clouds. You can start monitoring and managing AWS resources from Aquila Clouds platform according to the permissions defined in AWS environment.
Configuring using the Cloud Formation Template
To configure AWS in Aquila Clouds using AWS Cloud Formation Template, perform the following tasks:
| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
Configuring access to billing details in AWS for cloud formation template
You can create an S3 bucket, billing reports of required resources and configure AWS to store billing reports in the new S3 bucket.
Note: If you do not create an S3 bucket, Aquila Clouds will still be able to display the billing reports in the Aquila Clouds platform. These reports will be based on the standard billing rates available from AWS and will not include any user/organization specific discounts (if any).
Configuring IAM role related permissions in AWS
Login to the Amazon S3 console. Create an S3 bucket to store the daily billing reports of your AWS resources that are generated by AWS.
In the AWS Billing and Cost Management console, create a billing report and schedule daily generation of AWS cost and usage report.
On the navigation pane, choose Cost & Usage Reports.
Choose Reports > Create Report.
For Report name, type the name for your report.
For Additional report details, select Include resource IDs to associate resources with business services and click Next.
In the Configure S3 bucket, select the S3 bucket created in Step 1.
For the Report path prefix, define the required prefix to be prepended to the name of the report.
Note: If you don't specify a prefix, the default prefix is the name that you specified for the report in Step c and the date range for the report, in the following format:
/report-name/date-range/
For Time granularity, select Daily to aggregate report data every day.
Enable the Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills checkbox.
Click Next.
Review the settings and click Review and Complete.
S3 bucket is created and AWS is configured to store billing details in the new S3 bucket.
Create stack with new resources in AWS for role ARN creation in root account
Before you begin: Get the cloud formation template file from Aquila Clouds.
Log in to the AWS management console using credentials of a user with privileges to access cloud formation template and to create a stack.
Search for CloudFormation.
In the search results, click CloudFormation to create and manage resources with template.
You can also use the following URL to create and manage resources with template.
https://console.aws.amazon.com/cloudformation/On the Stacks page, choose Create Stack > With new resources (standard).
On the Create Stack page, in the Prerequisite - Prepare template group, select Upload a template. file to upload the template provided by Aquila Clouds.
Browse to the directory containing template file provided by Aquila Clouds and upload it.
You can use the template available at the following URL:
https://aquila-helper.s3.us-east-2.amazonaws.com/s3bucketorgpolicyIamcft.jsonClick Next.
Specify stack name and billing CUR bucket name.
Type the RoleName and S3Bucket.
Click Next.
On the Configure stack options page, click Next Step.
On the Review page, click Create stack.
Create stack with new resources in AWS for sub accounts
Before you begin, if you require to restrict access to specific organizational units or accounts get the Organization Unit ID (OU-ID).
Log in to the AWS management console using credentials of a user with privileges to access cloud formation template and to create a stack.
Search for CloudFormation.
In the search results, click CloudFormation to create and manage resources with template.
You can also use the following URL to create and manage resources with template.
https://console.aws.amazon.com/cloudformation/On the Stacks page, choose Create StackSet.
On the Choose a template page, select the Service-managed permissions option.
Select Upload a template file.
Browse to the directory containing template file provided by Aquila Clouds.
Click Next.
On the Specify StackSet details page, specify the stackset name, stackset description, rolename and S3 bucket.
Click Next.
On the Configure StackSet options page, click Next.
On the Set deployment options page, select any one of the following option:
Select the Deploy to organization option to create roles and policies for all sub account.
Select the Deploy to organizational units (OUs) option to create roles and policies in specific organizational unit.
Type the AWS OU ID. You can add more than one AWS OU ID.
Click Next.
On the Review page, click Create StackSet.
Adding AWS environment for cloud formation template to Aquila Clouds
In the Aquila Clouds platform, add the AWS environment details to enable monitoring and management of your AWS resources from the Aquila Clouds platform.
Before you begin: Get the following details from your AWS environment:
ARNs
Payee Account ID
Billing bucket name and region
Billing report prefix and name
Adding AWS environment to Aquila Clouds
On the side navigation bar, select Administration tab.
On the Administration tab, click Environments.
On the Environments page, click Add.
On the Add Environment page, toggle on Active.
In the Environment Type group, select Amazon AWS.
In the Connection Type list, select AWS Role ARN.
In the Name of the environment, type the name of AWS environment.
Enter the following details for the connection parameters:
ARN List: Type ARN or list of ARNs that are configured in AWS for permitting access of your AWS environment to the Aquila Clouds platform.
Note: You would typically have a list of ARNs for managing a set of related accounts (root and its sub accounts together) by Aquila Clouds. For a set of related accounts, add the ARNs in another Environment.Account Id: Type the account ID of the AWS environment required to be managed from the Aquila Clouds platform. If an explicit Payee Account is not designated, you can type the root account ID.
Billing Bucket Name: Type the name of the S3 bucket created in AWS for Aquila Clouds.
Billing Bucket Region: Type the region code for the region that S3 bucket is created. For instance, for Ohio the region code is us-east-2.
Billing Report Prefix: Type the billing prefix as defined in the AWS environment without using '/'.
Billing Report Name: Type the name of the billing report configured in AWS for Aquila Clouds platform.
Config Aggregator Name:
Config Aggregator Region:
Related Govt Account: Provide mapping of commercial account with government account where the commercial account ID is the leftmost value followed by double colons and the government account ID. For example, 123456::789464. You can use comma separated values to map multiple accounts.
Click Apply.
Review the environment details and click Do you wish to confirm?. AWS environment is configured in Aquila Clouds. You can start monitoring and managing AWS resources from Aquila Clouds platform according to the permissions defined in AWS environment.
Configuring using the IAM credentials
In the Aquila Clouds platform, add the AWS environment using the IAM credentials to enable monitoring and management of your AWS resources from the Aquila Clouds platform.
Before you begin: Get the following details from your AWS environment:
Account ID
Access key ID
Secret Access key
Adding AWS environment to Aquila Clouds
On the side navigation bar, select Administration tab.
On the Administration tab, click Environments.
On the Environments page, click Add.
On the Add Environment page, toggle on Active.
In the Environment Type group, select Amazon AWS.
In the Connection Type list, select AWS IAM Credentials.
In the Name of the environment, type the name of AWS environment.
Enter the following details for the connection parameters:
Account Id: Type the account ID of the AWS environment required to be managed from the Aquila Clouds platform. If an explicit Payee Account is not designated, you can type the root account ID.
Access Key ID: Type the access key ID that you have created for programmatic calls to AWS. For example,
AKIAIOSFODNN7EXAMPLE.Secret Access Key: Type the secret key that you have created. For example,
JalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
Click Apply.
Review the environment details and click Do you wish to confirm?. AWS environment is configured in Aquila Clouds. You can start monitoring and managing AWS resources from Aquila Clouds platform according to the permissions defined in AWS environment.
Quick Reference - CFT Permissions
Service | Type | Permissions |
|---|---|---|
AWS Organizations | organizations | organizations:Describe* |
Amazon Elastic Compute Cloud (ASG) | autoscaling | autoscaling:Describe* |
Amazon Elastic Compute Cloud (EC2) | ec2 | ec2:Describe* |
Amazon Elastic Compute Cloud (elb) | elasticloadbalancing | elasticloadbalancing:Describe* |
Cloudwatch | cloudwatch | cloudwatch:Describe* |
Elastic Container Registry | ecr-public | ecr-public:DescribeImageTags |
Elastic Container Registry | ecr-private | ecr:DescribeImages |
Elastic Container Service | ecs | ecs:Describe |
Elastic Kubernetes Service | eks | eks:Describe* |
Elastic Filesystem | elasticfilesystem | elasticfilesystem:ClientMount |
Relational Database Service | rds pi | pi:* |
s3 | s3:GetBucketLocation | |
AWS Config | config | config:DescribeConfigRules config:PutConfigRule config:DeleteConfigRule |
| Anchor | ||||
|---|---|---|---|---|
|
Policy | Details | Requirement |
|---|---|---|
s3:GetBucketLocation | Returns Bucket Location | Metadata |
s3:GetBucketPolicy | To Retrieve existing bucket life cycle policy | Lifecycle |
s3:GetObject | The following action is related to GetBucketPolicy, restricted to bucket retrieval policy | Lifecycle |
s3:GetBucketPolicyStatus | Retrieves the policy status for an Amazon S3 bucket, indicating whether the bucket is public | Metadata |
s3:GetBucketTagging | Retrieves tags associated with Bucket | Metadata |
s3:GetBucketVersioning | Retrieves the versioning state of a bucket | Metadata |
s3:GetEncryptionConfiguration | Retrieves the default encryption configuration for an Amazon S3 bucket | Metadata |
s3:GetIntelligentTieringConfiguration | Gets the S3 Intelligent-Tiering configuration from the specified bucket, The S3 Intelligent-Tiering storage class is designed to optimize storage costs by automatically moving data to the most cost-effective storage access tier, without performance impact or operational overhead | Metadata |
s3:GetInventoryConfiguration | Retrieves inventory configuration (identified by the inventory configuration ID) from the bucket, Parent permission for Bucket Lifecycle Configurations | Metadata |
s3:GetLifecycleConfiguration | Retrieves the lifecycle configuration information set on the bucket. For information about lifecycle configuration | Lifecycle |
s3:GetMetricsConfiguration | Retrieves the metrics configurations and cloudwatch metrics for the metrics of the bucket | Metrics |
s3:GetObjectRetention | Retrieves an object's retention settings based on Lifecycle, evication policy | Lifecycle |
s3:GetObjectTagging | Retreives the tag-set of an object. Request to get the tagging subresource associated with the object, part of lifecycle retention policy | Metadata |
s3:GetObjectVersion | Retreives metadata about all versions of the objects in a bucket based on lifecycle | Lifecycle |
s3:GetReplicationConfiguration | Retreives the replication configuration of a bucket, part of replication policy settings | Metadata |
s3:ListAllMyBuckets | Permission to list all the buckets to go over above mentioned metadata and lifecycle calls | Describe |
s3:ListBucket | Permission to list the buckets in paginated order to go over above mentioned metadata and lifecycle calls |
|
s3:ListBucketVersions | Retreives if can use the versions subresource to list metadata about all of the versions of objects in a bucket. | Lifecycle |
How to enable additional metrics on EC2 Instances
Collect metrics and logs from Amazon EC2 instances and on-premises servers with the CloudWatch agent