Link your AWS account
Link your AWS account to unlock advanced functionalities such as proactive resource quota monitoring, Spot Scaling, real-time anomaly detection, AWS Trusted Advisor insights, and AWS Cost Optimization Hub insights.
Required permission
- Manage Settings
Link an account
To link an AWS account to DoiT:
-
Sign in to the DoiT console, select Integrate from the top navigation bar, and then select Amazon Web Services.
-
On the Link Amazon Web Services page, select Link account.
Proceed to create an AWS IAM Role with the required policies. You can choose to Create a role automatically or Create a role manually.
Create a role automatically
-
Select Create a role automatically.
-
Select features to enable on your AWS account. You can expand a feature to review its required AWS policies.
-
Create a CloudFormation stack for the IAM role, using AWS CloudFormation console or AWS CloudShell.
- AWS CloudFormation console
- AWS CloudShell
-
Select Link account to launch the DoiT stack template in the AWS CloudFormation console.
-
Make sure that you are in the
US East (N. Virginia) us-east-1region.
-
Select the checkbox at the bottom of the page to acknowledge that AWS CloudFormation might create IAM resources with custom names.
-
Create the stack.
-
Select Prefer CLI.
-
Copy the command from the pop-up window.
CautionIf you edit the CLI command before execution, you must keep the region to
us-east-1. -
Run the command in AWS CloudShell to create the specified CloudFormation stack.
After creating the stack, it can take up to 30 seconds for the account to link to the DoiT Platform. If successful, your linked AWS account will show a Healthy status.
Create a role manually
-
Select Create a role manually.
-
Note down the values of
Our AWS AccountandYour External IDdisplayed in the DoiT console.
-
(Optional) If you want to enable real-time anomaly detection on the account, enter the AWS CloudTrail S3 bucket name and specify the region where the bucket resides (the bucket must reside in one of the supported regions).
-
Create an AWS IAM Role in the AWS Management Console. (See also Creating an IAM role (console).)
-
Navigate to the AWS IAM console, select Roles in the left-hand side navigation pane, and then select Create role.
-
Select AWS account as the trusted entity.
-
Select Another AWS account, enter the DoiT AWS account ID (the
Our AWS Accountprovided in the DoiT console). -
Select the checkbox
Require external ID, enter your external ID. -
Select Next to add permissions.
Choose policies in accordance with the features to enable:
-
For Core, add specific AWS managed policies to your role.
-
For other features, create custom policies by selecting Create policy, switching to the JSON tab, and then pasting the relevant feature permissions.
See alsoAWS Documentation: Creating IAM policies (console)
-
-
Once the policies are created, go back to your original tab. You may need to refresh to see the new policies in the search list.
-
Select all the new policies for the features you want to enable in addition to the three built-in policies required for Core features.
-
Select Next, give the Role a name, review the selected policies, and then select Create role.
-
-
After creating the role, select the role name to open its summary page, copy the value of the role's ARN, and paste the Role ARN to the DoiT console.
-
Select Add to link your AWS account.
If successfully, the status of your AWS account will show as Healthy in the DoiT console.
Feature permissions
Below are the required permissions of the core functionality and various features you can enable on a linked account. See also Security and data access policy.
- Core
- Spot Scaling
- Quota Monitoring
- Real-time anomaly
- Trusted Advisor insights
- Cost Optimization Hub insights
Core permissions are a minimum set of read-only permissions for many DoiT platform features. It consists of the following AWS managed policies:
| AWS managed policy | Description |
|---|---|
SecurityAudit | Grants access to read security configuration metadata. |
AWSSavingsPlansReadOnlyAccess | Provides read-only access to Savings Plans service. |
Billing | Grants permissions for billing and cost management. |
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:ModifyLaunchTemplate",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:CreateLaunchTemplateVersion",
"ec2:CancelSpotInstanceRequests",
"autoscaling:CreateOrUpdateTags",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:Describe*",
"autoscaling:AttachInstances",
"autoscaling:BatchDeleteScheduledAction",
"autoscaling:BatchPutScheduledUpdateGroupAction",
"cloudformation:ListStacks",
"cloudformation:Describe*",
"iam:PassRole",
"events:PutRule",
"events:PutTargets",
"events:PutEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"support:DescribeTrustedAdvisorCheckSummaries",
"support:DescribeTrustedAdvisorCheckRefreshStatuses",
"support:DescribeTrustedAdvisorChecks",
"support:DescribeSeverityLevels",
"support:RefreshTrustedAdvisorCheck",
"support:DescribeSupportLevel",
"support:DescribeCommunications",
"support:DescribeServices",
"support:DescribeIssueTypes",
"support:DescribeTrustedAdvisorCheckResult",
"trustedadvisor:DescribeNotificationPreferences",
"trustedadvisor:DescribeCheckRefreshStatuses",
"trustedadvisor:DescribeCheckItems",
"trustedadvisor:DescribeAccount",
"trustedadvisor:DescribeAccountAccess",
"trustedadvisor:DescribeChecks",
"trustedadvisor:DescribeCheckSummaries"
],
"Resource": "*"
}
]
}
For real-time anomaly, in addition to two IAM policies, you also need to configure an Amazon S3 event notification for the CloudTrail bucket, targeting the real-time anomaly SNS topic.
IAM policies
The policy below allows the cross-account role to describe EC2 AMIs and decrypt data encrypted with KMS.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeImages"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowDescribeImagesForRealtimeData"
},
{
"Action": [
"kms:Decrypt"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowAccessToEncryptedS3Buckets"
}
]
}
The policy below allows the cross-account role to perform actions on the S3 bucket that hosts the CloudTrail logs.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketNotification"
],
"Resource": "arn:aws:s3:::${CloudTrailBucketName}",
"Effect": "Allow",
"Sid": "AllowAccessToCloudTrailS3BucketListObjects"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::${CloudTrailBucketName}/*",
"Sid": "AllowAccessToCloudTrailS3BucketGetObjects"
}
]
}
CloudTrail S3 bucket notification
After linking your AWS account manually within the DoiT console, you need to configure an Amazon S3 event notification for the CloudTrail bucket to send events to the DoiT SNS topic. You can add an AWS CloudTrail bucket notification configuration via the Amazon S3 console or the AWS CloudShell (CLI).
Follow these steps to add the S3 bucket notification using the AWS CLI:
-
Identify the region where your CloudTrail S3 bucket is located.
NoteThe SNS topic ARN must match the region where your S3 bucket is located.
-
Run the appropriate AWS CLI command based on your bucket's region:
-
If your S3 bucket is in the
us-east-1region:aws s3api put-bucket-notification-configuration --bucket <S3_BUCKET_NAME> --notification-configuration '{
"TopicConfigurations": [
{
"Id": "NotifyCrossAccountSNSTopic",
"TopicArn": "arn:aws:sns:us-east-1:676206900418:realtime-event-topic-trigger",
"Events": ["s3:ObjectCreated:*"]
}
]
}' -
If your S3 bucket is in any other region:
aws s3api put-bucket-notification-configuration --bucket <S3_BUCKET_NAME> --notification-configuration '{
"TopicConfigurations": [
{
"Id": "NotifyCrossAccountSNSTopic",
"TopicArn": "arn:aws:sns:<S3_BUCKET_REGION>:676206900418:realtime-event-topic-trigger-<S3_BUCKET_REGION>",
"Events": ["s3:ObjectCreated:*"]
}
]
}'
-
Replace <S3_BUCKET_NAME> with your CloudTrail bucket name and <S3_BUCKET_REGION> with your bucket's region.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"trustedadvisor:GetRecommendation",
"trustedadvisor:ListRecommendations"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cost-optimization-hub:ListRecommendations"
],
"Resource": "*"
}
]
}
Edit linked accounts
Unlink an account
To unlink an account:
-
Navigate to the Link Amazon Web Services page.
-
Locate the account of interest.
-
Select the three dots menu (⋮) at the rightmost end of the account entry.
-
Select Unlink account.
Modify feature access
Add a feature
To add a new feature, you need to update the IAM role of the linked account with additional permissions:
-
Select the three dots menu (⋮) at the rightmost end of the account entry.
-
Select Edit account.
-
Select the checkbox of the new feature.
-
Update the IAM role with the new permissions by using one of the following options.
-
Select Update account to create a CloudFormation stack in the AWS console.
-
Select Prefer CLI to get the command to create the CloudFormation stack via AWS CloudShell.
See Create a role automatically for more information.
-
Remove a feature
To remove a feature:
-
Open the IAM page in the AWS console.
-
Detach the policies associated with the feature in the linked account's role.