Skip to main content

AWS onboarding

This page explains the onboarding process if you prefer to preserve your own AWS Organization after signing up with DoiT.

Except for the payment method and tax settings, which will be handled by the DoiT team, this process is self-service. You can always request our assistance if needed!

Step 1 Readiness (by the Customer)

After signing a contract with DoiT, your Customer Success Manager will provide you with an onboarding process overview and guide you through the readiness phase. Here is what to expect:

  1. Identify the AWS management account in your AWS organization (formerly known as Master Payer Account).

  2. Ensure all AWS organizations features are enabled.

  3. Notify your customer success manager about completing the steps above.

Step 2 Self-service Onboarding (by the Customer)

Watch the short video below or follow the step-by-step instructions.

  1. Within the us-east-1 region, import one of the available Service Catalog portfolios using the portfolio ID.


    Make sure you are importing the portfolio in the us-east-1 region. Otherwise, the portfolio will fail to import.


    Only one of the three AWS Service Catalog portfolios will be shared with your account by our automated system due to service quotas. If one fails to import, try the next.

  2. Grant access to your AWS principal on the DoiT-Onboarding-* Service Catalog portfolio.

  3. Launch the mpa-access Service Catalog product. Below are the available options:

    OptionDescriptionSupported valuesDefault
    PayerAccountTypeDo not change unless you are asked to by the DoiT team.standard, nrastandard
  4. Launch the mpa-onboarding Service Catalog product. Below are the available options:

    countryCodeCountry Code to set the correct contact details on the AWS Account, provided by your DoiT Account Executive-
    deployAwsOrgCreate an AWS Organization, or import the existing one and enable all AWS organization's features.true
    deployCloudTrailDeploys a AWS CloudTrail Trail and S3 Bucket used as Destination.true
    isNraSpecial setting for onboardings. Please change only if asked to.false
    payerIdDoiT internal payer ID, provided by your DoiT Account Executive. Must follow the schema [0-9].-

Step 3 Account Configuration (by the DoiT AWS Ops team)

  1. Complete the organization email verification process (necessary because the management account root user email has changed).

  2. Reset the AWS management account root user password.

  3. Onboard the organization to SPP using AWS Channel Management dashboard.

  4. Replace the existing payment method with a DoiT payment method.

  5. Set tax profile to the country matching DoiT's billing profile.


Will anything break during the process?

No, the process was designed to be disruption free.

What's the impact on AWS Organizations features?

All AWS Organization features (AWS SSO, AWS Backup, AWS Firewall Manager, Resource Manager, etc.) will continue to function in the same way as before.

Where can I find the IAM policies for the roles you create on the management account?

Before installing anything, you can review the resources that will be created using one of the following methods:

  • Reviewing the CloudFormation stack that the AWS Service Catalog products are going to install before launching the products.

  • Creating an AWS Service Catalog launch plan, which will provide you with a computed preview of the resources.

What permissions to I need to perform the self-service onboarding?

Please refer to the up-to-date minimum required IAM permissions.

What if I need to access the management account using root user credentials after onboarding?

We provide an IAM administrator role for you to perform daily admin tasks and access AWS resources. This is in line with the AWS Best practices to protect your account's root user.

In case you need to perform Tasks that require root user credentials, please open a support ticket to request DoiT to carry out the tasks.

See AWS management account root user credentials for more information.

Am I on a DoiT consolidated billing account or a dedicated payer account?

If your account is a member account of one of the three consolidated payer accounts listed below, then you're on a DoiT consolidated billing account.

Payer account IDPayer account name

If your account is on a DoiT reseller payer account other than the three listed above, then you're on a dedicated payer account.

See also Payer account and member account.