Link AWS accounts via DoiT console
Link new account
To link new AWS accounts:

1. Sign in to the DoiT console, select Data ingestion and integrations > AWS from the top navigation mega menu.
2. On the Connect Amazon Web Services page, select Link new account.
3. Choose an option to create a cross-account AWS IAM Role with the required policies:
   - Create a role automatically (recommended)
   - Create a role manually

Quota: AWS Identity and Access Management (IAM) sets a default quota of 10 managed policies per role. If you need to raise this limit to enable multiple features on an account, you must submit a quota increase request with AWS. See IAM object quotas for more information.
-
Create a role automatically
DoiT supports two ways to automatically create the cross-account IAM role:

- Create a CloudFormation stack for individual AWS accounts.
- Create a CloudFormation StackSet with service-managed permissions in your management account.

Prerequisites for the StackSet approach:

- You must have access to your management account (not available if you're on a DoiT consolidated billing account).
- You must enable AWS Organizations in your management account and create an organizational unit (OU) to host the DoiT StackSet.
- You must activate trusted access for StackSets with AWS Organizations so that StackSets can deploy across accounts and AWS Regions using service-managed permissions.

Using StackSets lets you deploy the necessary permissions to all member accounts within an OU with a single setup. It also automates account lifecycle management:

- If you later add a new member account to your AWS Organization, the StackSet detects the new account and deploys the required permissions, and DoiT discovers the new asset and displays it in the DoiT console automatically.
- If you move an account out of the linked OU, the stack is automatically deleted from that account, and the features are no longer available for that account.

For accounts that are already connected using CloudFormation stacks, to switch to the CloudFormation StackSet approach, you must first unlink each account or delete the CloudFormation stack in the AWS console.
To create a role automatically:

1. Select Create a role automatically.
2. Select the features to enable on your AWS account. You can expand a feature to review its required AWS policies.
   - Read-only permissions: Features requiring only read-only access are included by default; you do not have to select them manually.
   - Write permissions: Features requiring write access must be added manually by selecting the corresponding checkboxes.
   - If you select the Real-time anomalies feature, you'll be asked to provide an S3 bucket that contains CloudTrail event files. See Enable real-time anomaly on AWS accounts for more information.
3. Select Link new account.
4. Choose the way to create the cross-account IAM role:
   - Deployment target ID: See CloudFormation StackSet.
   - Link single account: See CloudFormation stack.
-
CloudFormation StackSets
For this approach, you need to provide the Deployment target ID.

1. Open the AWS Organizations console and locate the organizational unit (OU) whose member accounts you want to enable the selected features on.
2. Copy the OU ID, for example ou-abcd-12345678.
3. Return to the DoiT console and paste the OU ID (or root ID) into the Deployment target ID field.
4. Read the message in the dialog and select Link new account.
5. You will be redirected to the AWS CloudFormation Quick create stack page to create a CloudFormation StackSet with service-managed permissions.
6. Review the parameters. The stack name and required parameters (including your OU ID and External ID) are pre-filled.
7. Adjust the following thresholds if necessary:
   - FailureTolerancePercentage: The percentage of accounts that can fail before the StackSet operation halts. The DoiT template sets this value to 20.
   - Max Concurrent Percentage: The maximum percentage of target accounts to deploy to concurrently. The DoiT template sets this value to 100.
8. Scroll to the bottom and select the checkboxes to acknowledge that AWS CloudFormation might create IAM resources with custom names and that the template requires the CAPABILITY_AUTO_EXPAND capability.
9. Select Create stack.

The process can take several minutes. If successful, your linked AWS accounts will show a Healthy status.
CloudFormation stack
You will be taken to the AWS console to create a CloudFormation stack from the DoiT stack template.

Create a CloudFormation stack for the IAM role using either the AWS CloudFormation console or AWS CloudShell.

AWS CloudFormation console:

1. Select Link new account to launch the DoiT stack template in the AWS CloudFormation console.
2. Make sure that you are in the US East (N. Virginia) us-east-1 region.
3. Select the checkbox at the bottom of the page to acknowledge that AWS CloudFormation might create IAM resources with custom names.
4. Create the stack. (See also cross-account AWS IAM Role.)

AWS CloudShell:

1. Select Prefer CLI.
2. Copy the command from the pop-up window.

   Caution: If you edit the CLI command before running it, you must keep the region set to us-east-1.

3. Run the command in AWS CloudShell to create the specified CloudFormation stack.

After creating the stack, it can take up to 30 seconds for the account to link to the DoiT Platform. If successful, your linked AWS account will show a Healthy status.
Create a role manually
This option applies to all types of AWS accounts.

1. Select Create a role manually.
2. Note down the values of Our AWS Account and Your External ID displayed in the DoiT console.
3. (Optional) If you want to enable real-time anomaly detection on the account, enter the AWS CloudTrail S3 bucket name and specify the region where the bucket resides (the bucket must reside in one of the supported regions).
4. Create an AWS IAM Role in the AWS Management Console. (See also Creating an IAM role (console).)
   1. Navigate to the AWS IAM console, select Roles in the left-hand navigation pane, and then select Create role.
   2. Select AWS account as the trusted entity.
   3. Select Another AWS account and enter the DoiT AWS account ID (the Our AWS Account value provided in the DoiT console).
   4. Select the Require external ID checkbox and enter your external ID.
   5. Select Next to add permissions. Choose policies according to the features you want to enable:
      - For Core, add the specific AWS managed policies to your role.
      - For other features, create custom policies by selecting Create policy, switching to the JSON tab, and pasting the relevant feature permissions. See also: AWS Documentation: Creating IAM policies (console).
   6. Once the policies are created, go back to your original tab. You may need to refresh to see the new policies in the search list.
   7. Select all the new policies for the features you want to enable, in addition to the three built-in policies required for Core features.
   8. Select Next, give the role a name, review the selected policies, and then select Create role.
5. After creating the role, select the role name to open its summary page, copy the role's ARN, and paste it into the Role ARN field in the DoiT console.
6. Select Add to link your AWS account.

If successful, the status of your AWS account shows as Healthy in the DoiT console.
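The trust policy behind the Another AWS account and Require external ID choices above can be generated and checked in code. The following Python is an added example, not DoiT's code: DOIT_ACCOUNT_ID and EXTERNAL_ID are constructed placeholders for the Our AWS Account and Your External ID values from the DoiT console, and audit_trust_policy is a helper written here to confirm that an existing role's trust policy allows only that account and requires the external ID.

```python
"""Generate and audit the trust policy of the DoiT cross-account role.

Added example, not DoiT's code. The two constants are constructed
placeholders for the "Our AWS Account" and "Your External ID" values
shown in the DoiT console.
"""
import json

DOIT_ACCOUNT_ID = "111111111111"      # placeholder for "Our AWS Account"
EXTERNAL_ID = "example-external-id"   # placeholder for "Your External ID"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to the console choices 'Another AWS account'
    plus 'Require external ID': only the named account may call
    sts:AssumeRole, and only when it presents the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows either a string or a list in Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict, expected_account_id: str,
                       expected_external_id: str) -> list:
    """Return findings for every Allow statement that grants sts:AssumeRole.
    An empty list means the trust policy matches the linking procedure:
    principal limited to the expected account and sts:ExternalId required."""
    findings = []
    allowed_principals = {
        expected_account_id,                          # bare account ID form
        f"arn:aws:iam::{expected_account_id}:root",   # ARN form
    }
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = _as_list(principal)
        for p in principals:
            if p not in allowed_principals:
                findings.append(f"statement {idx}: unexpected principal {p}")
        if not principals:
            findings.append(f"statement {idx}: no AWS principal")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = condition.get("sts:ExternalId")
        if external_id is None:
            findings.append(f"statement {idx}: no sts:ExternalId condition")
        elif external_id != expected_external_id:
            findings.append(f"statement {idx}: external ID does not match")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(DOIT_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, DOIT_ACCOUNT_ID, EXTERNAL_ID))
```

The audit treats a wildcard principal, a principal other than the DoiT account, and a missing or mismatched sts:ExternalId condition as findings, which are the three ways a cross-account trust can drift away from what the linking procedure sets up.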
Feature permissions
Below are the required permissions for the core functionality and for some of the features you can enable on a linked account. See Security and data access policy: Amazon Web Services for the full list of available features.

Core, Quota Monitoring, and more:

- Core
- PerfectScale for Spot
- Quota Monitoring
- Kubernetes core
- Real-time anomalies

Core

Core permissions consist of three AWS managed policies. If you choose to create the IAM role automatically, the read-only permissions required by other DoiT features in your Cloud Intelligence plan are also included in the core permissions.

| AWS managed policy | Description |
|---|---|
| SecurityAudit | Grants access to read security configuration metadata. |
| AWSSavingsPlansReadOnlyAccess | Provides read-only access to the Savings Plans service. |
| Billing | Grants permissions for billing and cost management. |

PerfectScale for Spot

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:ModifyLaunchTemplate",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:CancelSpotInstanceRequests",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:Describe*",
        "autoscaling:AttachInstances",
        "autoscaling:BatchDeleteScheduledAction",
        "autoscaling:BatchPutScheduledUpdateGroupAction",
        "cloudformation:ListStacks",
        "cloudformation:Describe*",
        "iam:PassRole",
        "events:PutRule",
        "events:PutTargets",
        "events:PutEvents"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Quota Monitoring

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "support:DescribeTrustedAdvisorCheckSummaries",
        "support:DescribeTrustedAdvisorCheckRefreshStatuses",
        "support:DescribeTrustedAdvisorChecks",
        "support:DescribeSeverityLevels",
        "support:RefreshTrustedAdvisorCheck",
        "support:DescribeSupportLevel",
        "support:DescribeCommunications",
        "support:DescribeServices",
        "support:DescribeIssueTypes",
        "support:DescribeTrustedAdvisorCheckResult",
        "trustedadvisor:DescribeNotificationPreferences",
        "trustedadvisor:DescribeCheckRefreshStatuses",
        "trustedadvisor:DescribeCheckItems",
        "trustedadvisor:DescribeAccount",
        "trustedadvisor:DescribeAccountAccess",
        "trustedadvisor:DescribeChecks",
        "trustedadvisor:DescribeCheckSummaries"
      ],
      "Resource": "*"
    }
  ]
}
```

Kubernetes core

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:ListAccessPolicies",
        "eks:ListAccessEntries",
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
```
Real-time anomalies

For real-time anomalies, in addition to the IAM policy, you also need to configure an Amazon S3 event notification on the CloudTrail bucket, targeting the real-time anomaly SNS topic.

IAM Policy

This policy allows the cross-account role to describe EC2 AMIs, decrypt KMS-encrypted data, and read the S3 bucket that hosts the CloudTrail logs. Replace YOUR_CLOUDTRAIL_BUCKET_NAME with the name of your CloudTrail bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDescribeImagesForRealtimeData",
      "Effect": "Allow",
      "Action": "ec2:DescribeImages",
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessToEncryptedS3Buckets",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudTrailBucketLevelAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketNotification"
      ],
      "Resource": "arn:aws:s3:::YOUR_CLOUDTRAIL_BUCKET_NAME"
    },
    {
      "Sid": "AllowCloudTrailObjectLevelAccess",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR_CLOUDTRAIL_BUCKET_NAME/*"
    }
  ]
}
```
CloudTrail S3 bucket notification
See Configure S3 bucket event notification for detailed instructions.
Note that AWS supports only a single destination for each event notification type. Ensure that the CloudTrail S3 bucket does not already have the s3:ObjectCreated:* event type configured for another destination.
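A check for the single-destination rule above, as an added Python example that is not DoiT's code: EXISTING_CONFIG is a constructed sample in the shape returned by the S3 GetBucketNotificationConfiguration API, ANOMALY_TOPIC_ARN is a placeholder for the real-time anomaly SNS topic, and find_conflicts and add_anomaly_notification are helpers written here.

```python
"""Check a CloudTrail bucket's notification configuration before adding
the real-time anomaly SNS destination.

Added example, not DoiT's code. EXISTING_CONFIG is a constructed sample in
the shape returned by S3 GetBucketNotificationConfiguration, and
ANOMALY_TOPIC_ARN is a placeholder for the real-time anomaly SNS topic.
"""
import copy

ANOMALY_TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:realtime-anomaly-topic"  # placeholder
ANOMALY_EVENTS = ["s3:ObjectCreated:*"]

# Constructed sample: the bucket already sends ObjectCreated:Put events to a queue.
EXISTING_CONFIG = {
    "QueueConfigurations": [
        {
            "Id": "existing-ingest-queue",
            "QueueArn": "arn:aws:sqs:us-east-1:123456789012:cloudtrail-ingest",
            "Events": ["s3:ObjectCreated:Put"],
        }
    ]
}

# Destination sections of a notification configuration and the key holding their ARN.
DESTINATION_KEYS = (
    ("TopicConfigurations", "TopicArn"),
    ("QueueConfigurations", "QueueArn"),
    ("LambdaFunctionConfigurations", "LambdaFunctionArn"),
)


def events_overlap(a: str, b: str) -> bool:
    """True when two S3 event types would fire for the same object event,
    e.g. s3:ObjectCreated:* overlaps s3:ObjectCreated:Put. S3 rejects a
    configuration in which two destinations overlap this way unless their
    key filters differ; this check conservatively ignores filters."""
    if a == b:
        return True
    family_a, _, suffix_a = a.partition(":")[2].partition(":")
    family_b, _, suffix_b = b.partition(":")[2].partition(":")
    return family_a == family_b and (suffix_a == "*" or suffix_b == "*")


def find_conflicts(config: dict, wanted_events) -> list:
    """Return (destination ARN, existing event) pairs already covering one of wanted_events."""
    conflicts = []
    for section, arn_key in DESTINATION_KEYS:
        for entry in config.get(section, []):
            for existing in entry.get("Events", []):
                if any(events_overlap(existing, wanted) for wanted in wanted_events):
                    conflicts.append((entry[arn_key], existing))
    return conflicts


def add_anomaly_notification(config: dict, topic_arn: str) -> dict:
    """Return a copy of config with the real-time anomaly topic subscribed to
    ObjectCreated events, or raise if another destination already owns them."""
    conflicts = find_conflicts(config, ANOMALY_EVENTS)
    if conflicts:
        raise ValueError(f"ObjectCreated events already routed elsewhere: {conflicts}")
    updated = copy.deepcopy(config)
    updated.setdefault("TopicConfigurations", []).append(
        {"Id": "doit-realtime-anomaly", "TopicArn": topic_arn, "Events": list(ANOMALY_EVENTS)}
    )
    return updated


if __name__ == "__main__":
    print("conflicts:", find_conflicts(EXISTING_CONFIG, ANOMALY_EVENTS))
    print(add_anomaly_notification({}, ANOMALY_TOPIC_ARN))
```

The dictionary returned by add_anomaly_notification has the shape the S3 PutBucketNotificationConfiguration API expects, so the conflict check can run against the bucket's current configuration before that call is made; running it first turns an API error into a readable list of the destinations that already consume ObjectCreated events.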
DoiT Insights:

- Trusted Advisor insights
- Cost Optimization Hub insights
- Security Hub insights

Trusted Advisor insights

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "trustedadvisor:GetRecommendation",
        "trustedadvisor:ListRecommendations",
        "trustedadvisor:ListRecommendationResources"
      ],
      "Resource": "*"
    }
  ]
}
```

Cost Optimization Hub insights

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cost-optimization-hub:ListRecommendations"
      ],
      "Resource": "*"
    }
  ]
}
```

Security Hub insights

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "securityhub:GetFindings"
      ],
      "Resource": "*"
    }
  ]
}
```
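When reviewing a feature's required policies before attaching them (the read-only versus write distinction the Link new account wizard makes, and the default quota of 10 managed policies per role), it helps to summarise what a policy grants. The following Python is an added example, not DoiT's code: SAMPLE_POLICIES are constructed from a subset of the actions listed on this page, the Describe/List/Get heuristic in classify_action is mine, and the one-custom-policy-per-feature assumption behind managed_policy_count is mine as well.

```python
"""Review feature policies before attaching them to the cross-account role.

Added example, not DoiT's code. The sample policies are constructed from a
subset of the actions shown on this page; CORE_MANAGED_POLICY_COUNT and
MANAGED_POLICY_QUOTA come from the page (three AWS managed policies for
Core, default IAM quota of 10 managed policies per role).
"""

READ_ONLY_PREFIXES = ("Describe", "List", "Get")
CORE_MANAGED_POLICY_COUNT = 3   # SecurityAudit, AWSSavingsPlansReadOnlyAccess, Billing
MANAGED_POLICY_QUOTA = 10       # default IAM quota for managed policies per role

# Constructed samples: a read-only feature policy and a subset of the
# PerfectScale for Spot policy, which needs write access.
SAMPLE_POLICIES = {
    "Kubernetes core": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["eks:ListAccessPolicies", "eks:ListAccessEntries",
                                  "eks:DescribeCluster", "eks:ListClusters"],
                       "Resource": "*"}],
    },
    "PerfectScale for Spot (subset)": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["ec2:Describe*", "ec2:RunInstances",
                                  "ec2:TerminateInstances", "autoscaling:Describe*",
                                  "iam:PassRole"],
                       "Resource": "*"}],
    },
}


def _as_list(value):
    """IAM allows either a string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def classify_action(action: str) -> str:
    """Heuristic access level (assumption, not IAM's own access-level data):
    Describe/List/Get actions are 'read'; everything else, including a
    service-wide wildcard such as s3:*, is 'write'."""
    _, _, name = action.partition(":")
    if name in ("", "*"):
        return "write"
    return "read" if name.startswith(READ_ONLY_PREFIXES) else "write"


def summarize_policy(policy: dict) -> dict:
    """Split the Allow actions of a policy into read and write sets and flag
    whether any statement applies to every resource ("*")."""
    read, write, wildcard_resource = set(), set(), False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            wildcard_resource = True
        for action in _as_list(stmt.get("Action", [])):
            (read if classify_action(action) == "read" else write).add(action)
    return {"read": sorted(read), "write": sorted(write),
            "wildcard_resource": wildcard_resource}


def needs_write_access(policy: dict) -> bool:
    """Features whose policy contains write actions must be ticked explicitly
    in the DoiT console; read-only ones are included by default."""
    return bool(summarize_policy(policy)["write"])


def managed_policy_count(feature_policy_count: int) -> int:
    """Core attaches three AWS managed policies; this assumes each other
    feature adds one customer managed policy created from its JSON."""
    return CORE_MANAGED_POLICY_COUNT + feature_policy_count


def exceeds_quota(feature_policy_count: int, quota: int = MANAGED_POLICY_QUOTA) -> bool:
    """True when the role would need a quota increase request with AWS."""
    return managed_policy_count(feature_policy_count) > quota


if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(name, summarize_policy(policy), "write access:", needs_write_access(policy))
    print("8 feature policies exceed the default quota:", exceeds_quota(8))
```

The summary is what a reviewer wants at a glance: which actions can change state, and whether the statement is scoped to specific resources or to "*". It is a heuristic, so an action whose name does not start with Describe, List or Get is flagged as write even when it is harmless; that bias is the safe direction for a review.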
Edit linked accounts
This section applies only to AWS accounts that are not linked via CloudFormation StackSets. For accounts linked via a StackSet, unlink a member account by removing it from the OU, and modify its feature access by moving it to a different OU with the desired feature set.
Unlink an account
To unlink an account:

1. Navigate to the Link Amazon Web Services page.
2. Locate the account of interest.
3. Select the kebab menu (⋮) at the rightmost end of the account entry.
4. Select Unlink account.

Modify feature access
Add a feature
To add a new feature, you need to update the IAM role of the linked account with additional permissions:

1. Select the kebab menu (⋮) at the rightmost end of the account entry.
2. Select Edit account.
3. Select the checkbox of the new feature.
4. Update the IAM role with the new permissions using one of the following options:
   - Select Update account to create a CloudFormation stack in the AWS console.
   - Select Prefer CLI to get the command to create the CloudFormation stack via AWS CloudShell.

   See Create a role automatically for more information.
Remove a feature
To remove a feature:

1. Open the IAM page in the AWS console.
2. Detach the policies associated with the feature from the linked account's role.