ROLE-BASED ACCESS NOTE: Some of the features and functionality described in this article require the assignment of the Admin or the DevOps user role to your user account. Without one of these roles assigned, some or all of the functionality may not be available to you.
When you initiate the Aimably connection wizard to AWS, a CloudFormation script runs in your AWS account to establish a trusted relationship between your account and the Aimably AWS account, using a role customized for Aimably purposes and limited with a series of permissions applied in a custom Aimably policy.
If your account is part of an AWS Organization, ensure you run the CloudFormation script on the managing account. By establishing the trusted relationship with the managing account, Aimably is typically able to leverage the default trusted relationship between your managing account and member accounts.
We understand that users, roles, policies, and access are not often the most straightforward features of AWS console management, and you may have questions about the details. Read on for frequently asked questions and their answers.
Do I need to create a user account in one of my AWS Accounts for Aimably?
No. Aimably uses its own AWS account to collect data from each of our customers' AWS organizations. The AWS Connection Wizard in Aimably uses a CloudFormation script to create a role in your managing AWS account that grants trusted access between Aimably's AWS account and your managing AWS account for a limited set of data collection and/or scheduling actions. As a result, no user account is necessary.
How does Aimably pull data from my AWS Account(s)?
Upon connection, Aimably retrieves as much historical usage data as is available from each of your AWS accounts. Then, on a regular basis, Aimably queries each of your accounts for usage data and stores it in your Aimably account. These queries are performed from the Aimably AWS account via the Aimably-IAM-Role installed in your managing account.
How much access does Aimably have to my AWS Organization and Accounts?
Aimably's access to your AWS accounts is governed by the policy that you select upon implementation. For a detailed discussion of Aimably access policies, please refer to this guide: Selecting the Right AWS Policy for Your Business
Can I connect more than one AWS Organization to a single Aimably account?
Absolutely. For detailed instructions, please refer to this guide: Connecting Multiple AWS Accounts
Can Aimably access my source code or client data?
No. Aimably uses a restricted policy that allows for access to usage data and, in some cases, server scheduling. Aimably cannot access either your source code or client data.
Can I see Aimably access in my AWS Management Console?
Yes. Aimably uses a custom role established in your AWS managing account with the prefix 'Aimably-IAM-Role'. When reviewing your IAM roles in the managing account, you can open this role and review its access history.
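The same review can be scripted. The following is an added example, not Aimably's code: it takes role records in the shape returned by IAM's GetRole call and reports, for each role with the 'Aimably-IAM-Role' prefix, which accounts its trust policy allows to assume it and when it was last used. The account ID 111122223333, the role-name suffixes and the sample records are constructed placeholders; use the account ID shown in your own role's trust relationship.

```python
import re

ROLE_PREFIX = "Aimably-IAM-Role"   # role-name prefix given in the article
EXPECTED_ACCOUNT = "111122223333"  # placeholder (assumption): the vendor account you expect to be trusted
ASSUME = {"sts:assumerole", "sts:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trusted_accounts(trust_policy):
    """Return (account_ids, wildcard) for Allow statements that grant sts:AssumeRole."""
    accounts, wildcard = set(), False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME:
            continue
        principal = stmt.get("Principal", {})
        for p in ["*"] if principal == "*" else _as_list(principal.get("AWS", [])):
            m = re.fullmatch(r"(?:arn:aws[\w-]*:iam::)?(\d{12})(?::.*)?", p)
            wildcard = wildcard or p == "*"
            if p != "*":  # an ARN or a bare 12-digit account ID; anything else is kept verbatim
                accounts.add(m.group(1) if m else p)
    return accounts, wildcard

def review_roles(roles, expected_account=EXPECTED_ACCOUNT):
    """Summarise trust and last use for every role carrying the article's prefix."""
    findings = []
    for role in roles:
        if not role["RoleName"].startswith(ROLE_PREFIX):
            continue
        accounts, wildcard = trusted_accounts(role["AssumeRolePolicyDocument"])
        findings.append({
            "role": role["RoleName"],
            "unexpected_accounts": sorted(accounts - {expected_account}),
            "wildcard_principal": wildcard,
            "last_used": role.get("RoleLastUsed", {}).get("LastUsedDate"),
        })
    return findings

def _sample_trust(aws):  # constructed trust policy used only by the sample records
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": aws}}]}

SAMPLE_ROLES = [  # constructed records in the shape of IAM GetRole output
    {"RoleName": "Aimably-IAM-Role-EXAMPLE1", "RoleLastUsed": {"LastUsedDate": "2024-01-15T08:00:00Z"},
     "AssumeRolePolicyDocument": _sample_trust("arn:aws:iam::111122223333:root")},
    {"RoleName": "Aimably-IAM-Role-EXAMPLE2", "RoleLastUsed": {},
     "AssumeRolePolicyDocument": _sample_trust(["111122223333", "arn:aws:iam::999988887777:role/other"])},
    {"RoleName": "UnrelatedRole", "AssumeRolePolicyDocument": _sample_trust("*")},
]
```

Calling review_roles(SAMPLE_ROLES) returns one finding per matching role; a non-empty unexpected_accounts list or a true wildcard_principal means the trust relationship is broader than the single account you intended.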
Can I revoke Aimably access to my AWS Organization?
Absolutely! You're in control. For detailed instructions, please refer to this guide: Revoking Aimably's AWS Access
It looks like Aimably is having trouble connecting to one of my member accounts. How do I fix this?
Aimably uses the default trusted relationship between your managing account and member accounts in order to connect to member accounts and pull relevant data. In the event that this default trusted relationship does not exist, we'll need to help you establish a custom trusted relationship for Aimably purposes. For detailed instructions on establishing this relationship to unblock your connection, please refer to this guide: Resolving the 'Connection Blocked' Error on an AWS Member Account