ROLE-BASED ACCESS NOTE: Some of the features and functionality described in this article require the assignment of the Admin or the DevOps user role to your user account. Without one of these roles assigned, some or all of the functionality may not be available to you.
You may discover that Aimably does not have connection access to a specific member account within your AWS Organization. You will know this is the case whenever a member account is tinted red in the organizational diagram found on the Connect to AWS page in the Configure navigation group, such as in this image below.
Why is Aimably's Connection Blocked?
Aimably accesses your AWS organization's member accounts by establishing a trusted relationship between your managing account and Aimably's AWS account, then using the default trusted relationship between your managing account and member accounts. This default trusted relationship typically exists in all AWS organizations, provided that the member account was created after the AWS organization was established or the default role was not edited or removed. In the event that this default trusted relationship does not exist on a member account or has been limited in functionality, Aimably's connection will be blocked.
Resolving the Aimably Connection to All Member Accounts by Creating a AWS StackSet
In order to ensure Aimably can gain access to all member accounts in an AWS organization, a custom trusted relationship must be installed in each member account granting limited access to Aimably via the managing account. While the default trusted relationship could be established, we always err on the side of granting the fewest permissions possible between Aimably and your AWS organization.
In order to install the custom managing-member account trusted relationship on all current and future member accounts, we recommend using a StackSet, which is a CloudFormation tool built by AWS. Using a StackSet ensures you will not need to add roles or policies in the event of creating new member accounts. The installation of an Aimably StackSet removes any blocked connections on all member accounts at once.
This guide will walk you through installing the StackSet in your managing account for propagation through to all member accounts.
You must be signed in to the managing account's AWS Management Console with a user possessing sufficient permissions to create IAM StackSets, roles, and policies in that account.
In the AWS Management Console, enter the phrase 'StackSets' in the top search bar, then click on the top result titled 'StackSets' under the 'Features' header in the search results.
When the StackSets page loads, you may encounter a blue alert requesting that you enable trusted access for your AWS Organization. This is required. Click 'Enable trusted access.'
Once trusted access is enabled, a green confirmation alert will appear. You can dismiss this alert by clicking on the X in the top right of your screen.
Get Started With the StackSet
AWS provides a workflow for creating a StackSet with a click-through wizard in the AWS Management Console. Get started by clicking the 'Create StackSet' button near the top right of your StackSets screen.
Apply the Appropriate Template
The first step in the StackSet wizard requires selecting a template. By default, the correct template options are typically selected, but always confirm that 'Template is ready' is selected in the 'Prepare template' section and 'Amazon S3 URL' is selected in the 'Select template' section.
Aimably offers two templates to choose from, depending on your preferred policy access. Depending on the policy access you prefer, select the URL text from the table below and paste it into the Amazon S3 URL field provided.
|AWS Access Policy||Amazon S3 URL|
|Usage Data Only||https://s3-us-west-2.amazonaws.com/com.cloudycosts.cloudformation/AimablyStackSetTemplateDataOnly.json|
|Data & Scheduling||https://s3-us-west-2.amazonaws.com/com.cloudycosts.cloudformation/AimablyStackSetTemplateDataAndScheduling.json|
Not sure which policy to choose? Check out this guide: Selecting the Right AWS Policy for Your Business.
Once you have entered the appropriate template URL, click 'Next' to advance the wizard.
Configure the StackSet
Each of the next components of the wizard moves quickly. On the 'Specify StackSet details' screen, you will give a name to the StackSet that is purely for your own reference. Make sure you will understand the name when you see it in your AWS Management Console in the future. We recommend a name that references Aimably and the AWS policy, such as 'AimablyDataOnly' or 'AimablyDataAndScheduling.'
Next, you'll want to confirm the description. A default description is provided. Feel free to update as you would like to ensure clarity for other users.
Next, enter the AWS Account ID for your managing account. You can find this by clicking on the user menu in the upper right corner of your screen and copying the number as it appears.
Once you've confirmed your entries are correct, click 'Next'
On the 'Configure StackSet options' page, you may leave all settings in their default states: no tags applied, and 'Service-managed permissions' selected. The only exception would be if your company's policies encourage meaningful tagging of StackSets, which you can apply at this time. Click Next when you are satisfied.
On the 'Set Deployment Options' page, the first 'Deployment targets' section must match the following settings: 'Deploy to organization' selected, 'Automatic deployment' enabled, and 'Account removal behavior' set to 'Delete stacks.' These are demonstrated in the image below.
Specification of regions is not critical for a StackSet of this type, and the StackSet can actually run in virtually any region. You do not need to select all your operating regions. We recommend selecting just one region on this screen in order to keep the running process simple. In our case, we selected 'US West (Oregon)' in the 'Specify regions' module of the page.
Next, the configuration of 'Deployment options' is up to you. These settings can allow for faster run times. Keep in mind that this particular StackSet takes less than a minute to run per account, so larger organizations may choose to increase concurrent account processing and/or engage in parallel processing. We do recommend that you set your failure tolerance to a number exceeding the number of accounts in your organization, which will allow for the StackSet to run even if an error is encountered on more than one member account.
Once you are satisfied with the selections on this page, click 'Next.'
Finally, you are presented with a review screen confirming all your previous selections. Scroll down the page to review, then check the acknowledgment box and click 'Submit.'
Tracking StackSet Execution
Once you have clicked the 'Submit' button on the wizard, the StackSet begins to execute. You are presented with a screen demonstrating the StackSet details and highlighting the 'Operations' tab where you can see that the StackSet is currently running.
As the StackSet runs, it will create one stack instance per member account within your AWS organization. You can track this progress as it occurs by clicking on the 'Stack instances' tab. Keep in mind that the red 'Outdated' status which appears is simply an indicator that the stack is not yet complete. The status will change for each stack to the green 'Current' once the stack is complete for the member account.
You will know that the StackSet has completed execution when the status on the 'Operations' tab turns to the green 'Succeeded.' You may need to refresh your browser to see this update.
Congratulations! The StackSet has now granted trusted access to all current member accounts and is now programmed to execute whenever a new member account is associated with your AWS organization.
You can track and confirm this behavior by navigating to the StackSets page, selecting your custom-named StackSet from the list, then reviewing the Operations tab. A new operation will appear in this list each time the StackSet executes.
Updating the Aimably Sync
Now that the trusted access has been granted between your managing and member accounts, it's time to update the sync in Aimably to confirm all data has been properly retrieved. Go back to the Aimably app (app.aimably.com) and open the Configure navigation menu group. Then, select Connect to AWS.
Find the name of the AWS managing account where you installed the StackSet and click on the circular sync icon to trigger the data sync. Pause and observe the sync progress across the top of the screen as it completes the syncing progress.
Once the sync is complete, the organizational diagram will refresh its appearance, though a browser refresh may be required. The process will be complete when you see the red tint color has been removed from the member accounts that were previously blocked.
Limitations to this Method
In future releases of Aimably, we may deploy additional policies to access further data in your AWS organization. In the event of a new Aimably policy deployment, you will need to create a new StackSet. We will notify you if this ever becomes a requirement.
Additionally, if you choose to terminate your relationship with Aimably in the future, it will be a good idea to revoke this StackSet inter-account access. Detailed instructions on revoking access can be found here: Revoking Aimably's AWS Access
For more information on Aimably's connection with AWS, please refer to this guide: FAQ: Understanding How Aimably Retrieves AWS Account Data