
AWS onboarding

This page explains the onboarding process for customers who prefer to preserve their own AWS Organizations after signing up with DoiT.

Step 1 Readiness (by Customer)

After signing a contract with DoiT, your customer success manager will provide you with an onboarding process overview and guide you through the readiness phase. Here is what to expect:

  1. Identify the AWS management account in your AWS organization (formerly known as Master Payer Account).

  2. Under the management account, create a new IAM user with the Administrator policy. You'll use this user to manage your organization after onboarding.

    You can skip this step if you already have an IAM user with full permissions.

  3. Change the root user email address on the management account to the one provided by DoiT.

  4. Remove MFA from the management account root user (no worries, we'll re-enable it in Step 2).

  5. Notify your customer success manager about completing the steps above.

Step 2 Initial Onboarding (by DoiT AWS Ops team)

  1. Reset the AWS management account root user password.

  2. Re-enable MFA on the management account root user.

  3. Create the doitintl_cmp IAM role to facilitate access from the DoiT Platform.

  4. Create the AWSAdmin IAM role to access billing data under the AWS Channel Reseller Program.

  5. Onboard the organization to SPP using the AWS Channel Management dashboard.

Step 3 Account Configuration (by DoiT AWS Ops team)

  1. Replace the existing payment method with a DoiT payment method.

  2. Set the tax profile to the country matching DoiT's billing profile.

  3. Complete the organization email verification process (necessary because the management account root user email has changed).

  4. Enable Cost and Usage Reports (if not enabled already).

  5. Create a new S3 bucket (named doitintl-awsops-{id}) to store the AWS Cost and Usage report.

  6. Set up a new Cost and Usage report (doitintl-awsops-{id}).

Note

If you're moving from a DoiT consolidated billing management account to a DoiT dedicated payer account, be aware that the DoiT Platform doesn't automate the transfer of historical cost data to the new account. See Backfill historical CUR for more information.

FAQ

Will anything break during the process?

No, the process was designed to be disruption-free.

What's the impact on AWS Organizations features?

All AWS Organizations features (AWS SSO, AWS Backup, AWS Firewall Manager, Resource Manager, etc.) will continue to function in the same way as before.

Where can I find the IAM policies for the roles you create on the management account?

You can find the policy for DoiT Platform at this gist.

What if I need to access the management account using root user credentials after onboarding?

We provide an IAM administrator role for you to perform daily admin tasks and access AWS resources. This is in line with the AWS best practices to protect your account's root user.

If you need to perform tasks that require root user credentials, open a support ticket asking DoiT to carry them out.

See AWS management account root user credentials for more information.

Am I on a DoiT consolidated billing account or a dedicated payer account?

If your account is a member account of one of the following three payer account IDs: 561602220360, 017920819041 and 279843869311, then you're on a DoiT consolidated billing account.

If your account is on a DoiT reseller payer account other than the three consolidated accounts listed above, then you're on a dedicated payer account.

See also Payer account and member account.
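
The following is an added example, not DoiT's own tooling. It checks the outcome of Step 2 (root MFA re-enabled, `doitintl_cmp` and `AWSAdmin` roles present) and applies the payer account rule from the FAQ above to saved JSON output of four read-only AWS CLI calls. The function names and the sample data are assumptions constructed for illustration.

```python
import json

# Consolidated billing payer IDs from the FAQ; strings, since one starts with 0.
CONSOLIDATED_PAYERS = {"561602220360", "017920819041", "279843869311"}
# Roles that Step 2 says are created on the management account.
EXPECTED_ROLES = ("doitintl_cmp", "AWSAdmin")


def norm(account_id):
    """AWS account IDs are 12 digits; restore a leading zero lost to int parsing."""
    return str(account_id).zfill(12)


def billing_type(account_id, management_id):
    """'consolidated' if a member of one of the three listed payers."""
    account_id, management_id = norm(account_id), norm(management_id)
    if management_id in CONSOLIDATED_PAYERS and account_id != management_id:
        return "consolidated"
    # The API cannot tell whether another payer is a DoiT reseller account.
    return "not-consolidated"


def audit(identity, organization, summary, roles):
    """Evaluate saved JSON output of four read-only AWS CLI calls."""
    account = json.loads(identity)["Account"]
    mgmt = json.loads(organization)["Organization"]["MasterAccountId"]
    present = {r["RoleName"] for r in json.loads(roles)["Roles"]}
    return {
        "in_management_account": norm(account) == norm(mgmt),
        # AccountMFAEnabled is 1 when the root user has an MFA device.
        "root_mfa_enabled": json.loads(summary)["SummaryMap"].get("AccountMFAEnabled") == 1,
        "missing_roles": [r for r in EXPECTED_ROLES if r not in present],
        "billing": billing_type(account, mgmt),
    }


# Constructed sample output (not from a real account), shaped like:
#   aws sts get-caller-identity / aws organizations describe-organization
#   aws iam get-account-summary / aws iam list-roles
SAMPLE = {
    "identity": '{"Account": "111122223333"}',
    "organization": '{"Organization": {"MasterAccountId": "111122223333"}}',
    "summary": '{"SummaryMap": {"AccountMFAEnabled": 0}}',
    "roles": '{"Roles": [{"RoleName": "doitintl_cmp"}]}',
}

if __name__ == "__main__":
    print(audit(**SAMPLE))
```

The root MFA and role checks are meaningful only when the four commands are run with credentials in the management account, which `in_management_account` confirms.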