
Link your AWS account

To unlock advanced functionalities such as proactive resource quota monitoring and Spot Scaling, you need to link your AWS account to the DoiT Platform.

Note

Required Permission: Manage Settings

To link an account:

  1. Log in to the DoiT Console, select the gear icon in the upper-right corner of the top navigation bar, and then select Amazon Web Services from the drop-down menu.

  2. On the Link Amazon Web Services page, select the Link account button next to the filter bar.

    The location of the Link Amazon Web Services button

    To link your AWS account, you need to create an AWS IAM Role and attach IAM Policies to it. You can create the IAM role with the required policies either automatically or manually.

To automatically link an AWS account:

  1. Select Create a role automatically.

  2. Select the checkboxes of the available features to enable for the linked AWS account.

    You can also select the expand button to the left of the feature name to review the required AWS policies.

    An expanded feature section

  3. Choose the way to create a CloudFormation stack for the IAM role with required policies.

    There are two options:

    • Select Link account to create a CloudFormation stack template in the AWS console.

      1. Read the message about AWS CloudFormation stack creation.

      2. Select Link account to launch a preconfigured stack template with the necessary roles and permissions in a new AWS CloudFormation tab in the AWS console.

        Caution

        You must create the CloudFormation stack in the us-east-1 region.

      3. In your AWS account, review the details, then select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox under Capabilities.

      4. Create the stack.

    • Select Prefer CLI.

      1. Copy the command from the pop-up window.

        Caution

        If you choose to edit the CLI command before execution, you must leave the region set to us-east-1.

      2. Run the command in AWS CloudShell to create the specified CloudFormation stack.

After creating the stack, it may take up to 30 seconds for the account to link to the DoiT Platform. If the link attempt was successful, your linked AWS account will show a Healthy status.

To manually link an AWS account:

  1. Select Create a role manually. Note down the listed Our AWS Account and Your External ID.

    The manual role creation form

  2. Create an AWS IAM Role.

    1. Log in to the AWS Management Console, go to the IAM console, and then select Roles in the left-hand side navigation pane.

    2. Select Create role.

    3. Select AWS account as the trusted entity.

    4. Select Another AWS account and enter the DoiT AWS account ID (the Our AWS Account in the previous step).

    5. Select the checkbox Require external ID and enter your external ID.

    6. Select Next to add permissions.

      Depending on the features you want to enable for the account, you need to create and attach different policies. The policy documents are listed under Feature permissions below.

    7. Once the new policies are created, go back to your original tab. You may need to refresh to see the newly-created policies in the search list. Select all the new policies for the features you want to enable in addition to the three built-in policies required for Core features.

    8. Select Next, give the Role an identifiable name, review the selected policies, and then select Create role.

  3. After creating the role, select the role name to open its summary page. Copy the value of the role's ARN.

  4. Paste the Role ARN to the DoiT Console.

  5. Select Add to link your AWS account.

If successful, the status of your AWS account will show as Healthy in the DoiT Console.
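The manual procedure above amounts to a cross-account trust policy scoped to the DoiT account plus an external ID condition. The following added example (not DoiT's code) builds that document and reviews an existing trust policy for the two things that matter: that only the DoiT account can assume the role and that the external ID is required. The account ID and external ID are constructed placeholders.

```python
import json

# Constructed placeholder values standing in for the "Our AWS Account" and
# "Your External ID" shown in the DoiT Console form (not real identifiers).
DOIT_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(doit_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role: only the DoiT account may
    assume it, and only when it presents the external ID, which is what
    the "Require external ID" checkbox in the console produces."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{doit_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, doit_account_id: str) -> list:
    """Review a role's trust policy and list what deviates from the linking
    procedure (empty list = nothing to fix)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = [aws] if isinstance(aws, str) else aws
        if "*" in principals:
            findings.append("wildcard principal can assume the role")
        if not all(doit_account_id in p for p in principals):
            findings.append("principal other than the DoiT account")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(DOIT_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))  # paste as the role's trust relationship
    print(trust_policy_findings(policy, DOIT_ACCOUNT_ID))  # []
```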

Feature permissions

Below are the required permissions for the features you can enable for a linked account.

Core

Core permissions are a minimum set of read-only permissions used by many DoiT Platform features. The set consists of the following AWS managed policies:

  • SecurityAudit
  • Billing
  • AWSSavingsPlansReadOnlyAccess

Spot Scaling

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ec2:Describe*",
          "ec2:CreateLaunchTemplate",
          "ec2:CreateLaunchTemplateVersion",
          "ec2:ModifyLaunchTemplate",
          "ec2:RunInstances",
          "ec2:TerminateInstances",
          "ec2:CreateTags",
          "ec2:DeleteTags",
          "ec2:CreateLaunchTemplateVersion",
          "ec2:CancelSpotInstanceRequests",
          "autoscaling:CreateOrUpdateTags",
          "autoscaling:UpdateAutoScalingGroup",
          "autoscaling:Describe*",
          "autoscaling:AttachInstances",
          "autoscaling:BatchDeleteScheduledAction",
          "autoscaling:BatchPutScheduledUpdateGroupAction",
          "cloudformation:ListStacks",
          "cloudformation:Describe*",
          "iam:PassRole",
          "events:PutRule",
          "events:PutTargets",
          "events:PutEvents"
        ],
        "Resource": "*",
        "Effect": "Allow"
      }
    ]
  }

Quota Monitoring

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "support:DescribeTrustedAdvisorCheckSummaries",
          "support:DescribeTrustedAdvisorCheckRefreshStatuses",
          "support:DescribeTrustedAdvisorChecks",
          "support:DescribeSeverityLevels",
          "support:RefreshTrustedAdvisorCheck",
          "support:DescribeSupportLevel",
          "support:DescribeCommunications",
          "support:DescribeServices",
          "support:DescribeIssueTypes",
          "support:DescribeTrustedAdvisorCheckResult",
          "trustedadvisor:DescribeNotificationPreferences",
          "trustedadvisor:DescribeCheckRefreshStatuses",
          "trustedadvisor:DescribeCheckItems",
          "trustedadvisor:DescribeAccount",
          "trustedadvisor:DescribeAccountAccess",
          "trustedadvisor:DescribeChecks",
          "trustedadvisor:DescribeCheckSummaries"
        ],
        "Resource": "*"
      }
    ]
  }
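Unlike Core, the Spot Scaling policy above is not read-only: it grants launch, terminate and iam:PassRole rights on every resource. The following added example (not DoiT's code) is a small triage helper that splits a feature policy into read-only and mutating actions so the reviewer attaching it knows exactly what the role gains; the embedded policy is a shortened excerpt of the Spot Scaling document on this page.

```python
import json

# Excerpt of the Spot Scaling feature policy listed on this page, shortened
# here to a handful of actions so the example stays small.
SPOT_SCALING_EXCERPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Resource": "*",
    "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances",
               "autoscaling:Describe*", "autoscaling:UpdateAutoScalingGroup",
               "cloudformation:ListStacks", "iam:PassRole", "events:PutRule"]
  }]
}
""")

# Verbs that only read state; anything else can change the account.
READ_ONLY_VERBS = ("Describe", "List", "Get")


def split_actions(policy: dict) -> tuple:
    """Return (read_only, mutating) sorted lists of the Allow actions in a
    policy. Wildcards such as "ec2:*" or "*" are treated as mutating."""
    read_only, mutating = set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        for action in ([actions] if isinstance(actions, str) else actions):
            _, sep, verb = action.partition(":")
            if sep and verb.startswith(READ_ONLY_VERBS):
                read_only.add(action)
            else:
                mutating.add(action)
    return sorted(read_only), sorted(mutating)


def high_risk_actions(policy: dict, prefixes=("iam:", "sts:")) -> list:
    """Mutating actions on identity services, e.g. iam:PassRole, which lets
    the role hand another role to the instances it launches."""
    return [a for a in split_actions(policy)[1] if a.startswith(prefixes) or a == "*"]


if __name__ == "__main__":
    read_only, mutating = split_actions(SPOT_SCALING_EXCERPT)
    print("read-only:", read_only)
    print("mutating: ", mutating)
    print("review first:", high_risk_actions(SPOT_SCALING_EXCERPT))  # ['iam:PassRole']
```

Run it against the full Spot Scaling and Quota Monitoring documents to see that only support:RefreshTrustedAdvisorCheck falls outside the read-only set for Quota Monitoring.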

Edit linked accounts

To unlink an account:

  1. Navigate to the Link Amazon Web Services page.

  2. Locate the account of interest.

  3. Select the three dots menu at the rightmost end of the account entry.

  4. Select Unlink account.

The location of the Unlink option

Modify feature access

Add a feature

To add a new feature, you need to update the IAM role of the linked account with additional permissions:

  1. Select the three dots menu at the rightmost end of the account entry.

  2. Select Edit account.

  3. Select the checkbox of the new feature.

  4. Choose the way to update the IAM role with the new permissions.

    There are two options:

    • Select Update account to create a CloudFormation stack template in the AWS console.

    • Select Prefer CLI to get the command to create the specified CloudFormation stack via AWS CloudShell.

    See automatically link AWS account for more information.

Remove a feature

To remove a feature:

  1. Go to the IAM page in the AWS console.

  2. Detach the policies associated with the feature in that linked account's role.