AWS onboarding
This page explains the onboarding process if you prefer to preserve your own AWS Organization after signing up with DoiT.
Except for the payment method and tax settings, which will be handled by the DoiT team, this process is self-service. You can always request our assistance if needed!
Step 1 — Readiness (by the Customer)
After signing a contract with DoiT, you will receive an overview of our onboarding process from the DoiT Account Executive team, who will also guide you through the readiness phase. Here is what to expect:
- Identify the AWS management account in your AWS organization (formerly known as Master Payer Account).
- Ensure all AWS organizations features are enabled.
- Notify your Account Executive about completing the steps above.
Step 2 — Self-service Onboarding (by the Customer)
Watch the short video below or follow the step-by-step instructions.
- Within the us-east-1 region, import one of the available Service Catalog portfolios using the portfolio ID.
  Make sure you are importing the portfolio in the us-east-1 region. Otherwise, the portfolio will fail to import.
  Only one of the three AWS Service Catalog portfolios will be shared with your account by our automated system due to service quotas. If one fails to import, try the next.
  - port-npjvbgaskjcos
  - port-el7j5lgjtsz5i
  - port-xb7rsjalewmas
- Grant access to your AWS principal on the DoiT-Onboarding-* Service Catalog portfolio.
- Launch the mpa-access Service Catalog product. Below are the available options:
Option | Description | Supported values | Default |
---|---|---|---|
PayerAccountType | Do not change unless you are asked to by the DoiT team. | standard, nra | standard |
- Launch the mpa-onboarding Service Catalog product. Below are the available options:
Option | Description | Default |
---|---|---|
countryCode | Country Code to set the correct contact details on the AWS Account, provided by your DoiT Account Executive | - |
deployAwsOrg | Creates an AWS Organization, or imports the existing one and enables all AWS Organizations features. | true |
deployCloudTrail | Deploys an AWS CloudTrail trail and the S3 bucket used as its destination. | true |
isNra | Special setting for onboardings. Please change only if asked to. | false |
payerId | DoiT internal payer ID, provided by your DoiT Account Executive. Must follow the schema [0-9]. | - |
Step 3 — Account Configuration (by the DoiT AWS Ops team)
- Complete the organization email verification process (necessary because the management account root user email has changed).
- Reset the AWS management account root user password.
- Onboard the organization to SPP using AWS Channel Management dashboard.
- Replace the existing payment method with a DoiT payment method.
- Set tax profile to the country matching DoiT's billing profile.
FAQ
Will anything break during the process?
No, the process was designed to be disruption-free.
What's the impact on AWS Organizations features?
All AWS Organization features (AWS SSO, AWS Backup, AWS Firewall Manager, Resource Manager, etc.) will continue to function in the same way as before.
Where can I find the IAM policies for the roles you create on the management account?
Before installing anything, you can review the resources that will be created using one of the following methods:
- Reviewing the CloudFormation stack that the AWS Service Catalog products are going to install before launching the products.
- Creating an AWS Service Catalog launch plan, which will provide you with a computed preview of the resources.
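One way to carry out the template review described above, added here as an example and not taken from DoiT's products or documentation. It assumes you have saved the product's CloudFormation template as JSON; the sample template, its resource names and the account ID 111111111111 are constructed placeholders.

```python
import json

# Constructed sample template; resource names and the account ID are placeholders,
# not the contents of the real mpa-access or mpa-onboarding products.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "ExampleAdminRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole"}]},
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "Policies": [{"PolicyName": "inline", "PolicyDocument": {"Statement": {
      "Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"}}}]}},
  "ExampleTrailBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
}}
""")

def as_list(value):
    """IAM JSON allows a single item or a list for Statement, Action and principals."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def review_iam_roles(template):
    """Return one summary per AWS::IAM::Role: who may assume it and what it grants."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        trusted, broad = [], []
        for stmt in as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
            principal = stmt.get("Principal", {})
            if isinstance(principal, str):  # a bare "*" principal
                trusted.append(principal)
            else:
                for kind, ids in principal.items():
                    trusted += [f"{kind}:{i}" for i in as_list(ids)]
        for policy in as_list(props.get("Policies")):
            for stmt in as_list(policy.get("PolicyDocument", {}).get("Statement")):
                if stmt.get("Effect") == "Allow":  # collect wildcard actions in inline policies
                    broad += [a for a in as_list(stmt.get("Action"))
                              if isinstance(a, str) and a.endswith("*")]
        findings.append({"role": name, "trusted": trusted,
                         "managed": as_list(props.get("ManagedPolicyArns")),
                         "wildcard_actions": broad})
    return findings

if __name__ == "__main__":
    for finding in review_iam_roles(SAMPLE_TEMPLATE):
        print(json.dumps(finding, indent=2))
```

Compare the trusted principals and attached policies it reports with what you expect to grant before launching each product.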
What permissions do I need to perform the self-service onboarding?
Please refer to the up-to-date minimum required IAM permissions.
What if I need to access the management account using root user credentials after onboarding?
We provide an IAM administrator role for you to perform daily admin tasks and access AWS resources. This is in line with the AWS best practices to protect your account's root user.
If you need to perform tasks that require root user credentials, open a support request asking DoiT to carry out the tasks.
See AWS management account root user credentials for more information.
Am I on a DoiT consolidated billing account or a dedicated payer account?
If your account is a member account of one of the three consolidated payer accounts listed below, then you're on a DoiT consolidated billing account.
Payer account ID | Payer account name |
---|---|
561602220360 | doitintl-payer-01 |
017920819041 | doitintl-payer-02 |
279843869311 | doitintl-payer-07 |
If your account is on a DoiT reseller payer account other than the three listed above, then you're on a dedicated payer account.
See also Payer account and member account.