Setting up an AWS account


Create an AWS account and set up a policy to register that account in the CloudXper Management Platform.

There are two ways to register an AWS account with CloudXper, listed below.
For security reasons and operational convenience, registration is currently being unified on the AWS Role method. Those who previously used the 'Key method' are therefore requested to convert their registration by following this guide.

  1. How to register through AWS Role (Recommended)

  2. How to create and register AccessKey ID and Secret Access Key (Discontinued)

 

Guide to Registering with AWS Roles (Recommended)

  • This method involves creating an AWS Role and delegating it to CloudXper, which then assumes that Role.

Step 1. Create an AWS Policy

Policies are divided into the following two types depending on their purpose.

  1. Policy for using CloudXper's basic functions (inventory collection) (essential)

    → ReadOnlyAccess (AWS managed) is required by default. For items that cannot be collected with ReadOnlyAccess, create the policy described in "1. Basic Function Policy" below.

  2. Policy for using CloudXper's additional features (New ITSM, CSR automation, solutions) (optional)

    → For the create/change/delete functions on cloud resources, create the policy described in "2. Additional Features Policy" below.

The policy for basic functions is required. The policy for additional features is optional; create it only if those features are used.

Basic Function Policy

 1.1. Go to AWS Console > IAM > Policies and click Create Policy.


 

 1.2. When creating a policy, choose to input JSON directly.


 

 1.3. Copy and paste the Policy below into the JSON input window.

AWS Inventory Additional Collection Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Get*",
        "kms:List*",
        "elasticfilesystem:List*",
        "support:DescribeTrusted*",
        "glue:Get*",
        "glue:List*",
        "ec2:Describe*",
        "rds:Describe*",
        "elasticache:Describe*",
        "redshift:Describe*",
        "es:Describe*",
        "savingsplans:Describe*",
        "s3express:ListAllMyDirectoryBuckets",
        "bedrock:List*",
        "bedrock:Get*",
        "airflow:List*",
        "airflow:Get*"
      ],
      "Resource": "*"
    }
  ]
}

 

 1.4. Click Next: Tags and then Next: Review in sequence.

 

 1.5. After entering the name and description of the policy, click Create policy to create the policy.
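
To confirm that the supplementary policy above grants only read-type actions, this added example (not CloudXper's code) expands its wildcard patterns the way IAM matches action names. It is a simplified check that reads only the Action lists of Allow statements and ignores Deny, NotAction, Resource and Condition; the function names and the READ_VERBS heuristic are assumptions made here.

```python
import re

# Action patterns copied from the "AWS Inventory Additional Collection Policy" (step 1.3).
INVENTORY_ACTIONS = [
    "kms:Get*", "kms:List*", "elasticfilesystem:List*", "support:DescribeTrusted*",
    "glue:Get*", "glue:List*", "ec2:Describe*", "rds:Describe*",
    "elasticache:Describe*", "redshift:Describe*", "es:Describe*",
    "savingsplans:Describe*", "s3express:ListAllMyDirectoryBuckets",
    "bedrock:List*", "bedrock:Get*", "airflow:List*", "airflow:Get*",
]
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": INVENTORY_ACTIONS, "Resource": "*"}]}

# Assumption of this example: verbs treated as read-only. Not an AWS classification.
READ_VERBS = ("get", "list", "describe")


def allowed_patterns(policy):
    """Collect Action patterns from Allow statements (string or list form)."""
    statements = policy["Statement"]
    statements = statements if isinstance(statements, list) else [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            patterns += [actions] if isinstance(actions, str) else actions
    return patterns


def allows(policy, action):
    """True if any Allow pattern matches: '*' is any run, '?' one char, case-insensitive."""
    for pattern in allowed_patterns(policy):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in pattern)
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False


def non_read_patterns(policy):
    """Patterns whose verb (the part after 'service:') does not start with a read verb."""
    return [p for p in allowed_patterns(policy)
            if not p.partition(":")[2].lower().startswith(READ_VERBS)]


if __name__ == "__main__":
    print(non_read_patterns(POLICY))          # patterns needing a closer look
    print(allows(POLICY, "kms:GetKeyPolicy"), allows(POLICY, "kms:Decrypt"))
```

The same functions can be pointed at the additional-features policy to list which of its patterns go beyond read access before it is attached.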


 

Add Policy for AutoCSR (optional if automated through NextITSM)

 2.1. Go to AWS Console > IAM > Policies and click Create Policy.


 

 2.2. When creating a policy, choose to input JSON directly.


 

 2.3. Copy and paste the Policy below into the JSON input window.

Policy Json for New ITSM and CSR Automation Integration
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "*", "Action": [ "ec2:*Tags", "ec2:Describe*", "ec2:DeregisterImage", "ec2:RegisterImage", "ec2:CreateImage", "ec2:CreateSecurityGroup", "ec2:CreateKeyPair", "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:CopyImage", "ec2:CopySnapshot", "ec2:RunInstances", "ec2:RebootInstances", "ec2:StartInstances", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume", "ec2:ModifyVolumeAttribute", "ec2:ModifyImageAttribute", "ec2:ModifySnapshotAttribute", "ec2:StopInstances", "ec2:AssociateIamInstanceProfile", "ec2:AssociateAddress", "ec2:ReplaceIamInstanceProfileAssociation", "ec2:DisassociateIamInstanceProfile", "ec2:DisassociateAddress", "ec2:AttachVolume", "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:DeleteSnapshot", "ec2:DeleteSecurityGroup", "ec2:DeleteKeyPair", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress", "ec2:AllocateAddress", "ec2:ReleaseAddress", "ec2:TerminateInstances", "tag:*Resources", "tag:GetTagKeys", "tag:GetTagValues", "iam:TagRole", "iam:TagUser", "iam:UntagRole", "iam:UntagUser", "iam:List*", "iam:CreateInstanceProfile", "iam:CreateRole", "iam:AddRoleToInstanceProfile", "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:PassRole", "iam:CreateUser", "iam:CreateLoginProfile", "iam:CreateAccessKey", "iam:CreateServiceSpecificCredential", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:UpdateUser", "iam:UpdateLoginProfile", "iam:UpdateAssumeRolePolicy", "iam:DeleteUser", "iam:DeleteLoginProfile", "iam:DeleteUserPolicy", "iam:DeleteAccessKey", "iam:DeleteServiceSpecificCredential", "iam:DeleteSSHPublicKey", "iam:DeleteVirtualMFADevice", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRolePolicy", "iam:AddUserToGroup", "iam:RemoveUserFromGroup", "iam:AttachUserPolicy", "iam:AttachRolePolicy", 
"iam:DetachUserPolicy", "iam:DetachRolePolicy", "iam:GetAccountPasswordPolicy", "iam:DeactivateMFADevice", "iam:GetGroup", "iam:GetRole", "iam:GetUser", "iam:GetPolicy", "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetUserPolicy", "iam:GetInstanceProfile", "iam:SimulatePrincipalPolicy", "iam:DeleteSigningCertificate", "s3:DeleteObjectVersionTagging", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:GetStorageLensConfigurationTagging", "s3:PutBucketTagging", "s3:PutLifecycleConfiguration", "s3:PutBucketPolicy", "s3:PutObject*", "s3:ReplicateTags", "s3:CreateBucket", "s3:GetObject", "s3:GetObjectRetention", "s3:GetObjectLegalHold", "s3:GetObjectAcl", "s3:GetAccessPoint", "s3:GetLifecycleConfiguration", "s3:GetBucket*", "s3:GetInventoryConfiguration", "s3:GetAccelerateConfiguration", "s3:GetEncryptionConfiguration", "s3:GetAccessPointPolicyStatus", "s3:GetMetricsConfiguration", "s3:GetReplicationConfiguration", "s3:GetAccountPublicAccessBlock", "s3:GetAnalyticsConfiguration", "s3:GetAccessPointPolicy", "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteBucketPolicy", "s3:List*", "route53:ChangeTagsForResource", "route53:ChangeResourceRecordSets", "route53:GetChange", "elasticloadbalancing:AddTags", "elasticloadbalancing:RemoveTags", "elasticloadbalancing:Describe*", "elasticloadbalancing:CreateRule", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:RegisterTargets", "rds:RebootDBInstance", "rds:RemoveTagsFromResource", "rds:AddTagsToResource", "rds:DeleteDBInstance", "rds:CreateDBSnapshot", "rds:DescribeOptionGroups", "rds:DescribeDB*", "rds:DescribeEvents", "rds:ModifyDBInstance", "rds:ListTagsForResource", "secretsmanager:GetRandomPassword", "sts:AssumeRole", "sts:GetCallerIdentity", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeLifecycleConfiguration", 
"elasticfilesystem:DescribeFileSystemPolicy", "elasticfilesystem:DescribeBackupPolicy", "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:ListTagsForResource", "elasticfilesystem:CreateFileSystem", "elasticfilesystem:CreateAccessPoint", "elasticfilesystem:DeleteAccessPoint", "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteMountTarget", "elasticfilesystem:PutLifecycleConfiguration", "elasticfilesystem:PutFileSystemPolicy", "elasticfilesystem:PutBackupPolicy", "elasticfilesystem:UpdateFileSystem", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteTags", "elasticfilesystem:CreateTags", "elasticfilesystem:ModifyMountTargetSecurityGroups", "elasticfilesystem:DeleteFileSystemPolicy", "backup:CreateBackupSelection", "backup:GetBackupSelection", "dynamodb:ListTagsOfResource", "dynamodb:TagResource", "dynamodb:UntagResource", "kms:TagResource", "kms:UntagResource", "lambda:ListTags", "lambda:TagResource", "lambda:UntagResource" ] } ] }

 

 2.4. Click Next: Tags and then Next: Review in sequence.

 

 2.5. After entering the name and description of the policy, click Create policy to create the policy.


 

Step 2. Create an AWS Role

1. Create a role and grant permissions

 1.1. Go to AWS Console > IAM > Roles and click Create role.

 

 1.2. For the trusted entity, select "Another AWS account", then enter "611495371442" in the Account ID field.


 

 1.3. In Attach permissions policies, select the Policy created in Step 1 together with ReadOnlyAccess.


 

 1.4. Enter the Role name, which must be CloudXper_Management_Role, then click Create role to create the role.

Step 3. Establish trust relationships

1. Change trust relationships

 1.1. After searching and selecting the Role created in Step 2, click the Trust relationships tab.

 

 1.2. Click Edit trust relationship.


 

 1.3. Enter the following in the Policy Document:

JSON for trust relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::611495371442:role/CrossAccountManagementRole",
          "arn:aws:iam::611495371442:role/CX-PROD-EKS-NODEGROUP-NodeInstanceRole-1HYC11PY1OT07"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

 

 1.4. Click Update Trust Policy to complete the Trust relationships setup.
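
A check for the result of Steps 2 and 3, as an added example (not CloudXper's code): it verifies that a role's trust document allows sts:AssumeRole only to the two role ARNs entered in step 1.3. The function names and both sample documents are constructed here; STEP2_ONLY assumes the account-wide root principal that the console writes when only an account ID is entered.

```python
ACCOUNT = "611495371442"  # CloudXper account ID from Step 2
EXPECTED = {              # the two principals from the Step 3 trust policy
    f"arn:aws:iam::{ACCOUNT}:role/CrossAccountManagementRole",
    f"arn:aws:iam::{ACCOUNT}:role/CX-PROD-EKS-NODEGROUP-NodeInstanceRole-1HYC11PY1OT07",
}


def as_list(value):
    """IAM JSON allows a bare value wherever it allows a list."""
    return value if isinstance(value, list) else [] if value is None else [value]


def audit_trust_policy(document, expected=EXPECTED):
    """Return findings; an empty list means the trust policy matches Step 3."""
    findings, seen = [], set()
    for stmt in as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if actions != {"sts:assumerole"}:
            findings.append(f"unexpected actions: {sorted(actions)}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"wildcard or missing principal: {principal!r}")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind == "AWS" and value in expected:
                    seen.add(value)
                else:
                    findings.append(f"unexpected principal {kind}: {value}")
    findings += [f"missing principal: {arn}" for arn in sorted(expected - seen)]
    return findings


def trust_policy(*arns):
    """Build a trust document of the Step 3 shape for the given principals."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": list(arns)}, "Action": "sts:AssumeRole"}]}


# Constructed samples: the Step 3 policy, and the account-wide principal left
# in place if the account ID was entered in Step 2 but Step 3 was skipped.
STEP3_POLICY = trust_policy(*sorted(EXPECTED))
STEP2_ONLY = trust_policy(f"arn:aws:iam::{ACCOUNT}:root")

if __name__ == "__main__":
    print(audit_trust_policy(STEP3_POLICY), audit_trust_policy(STEP2_ONLY), sep="\n")
```

To audit a live role, pass in the AssumeRolePolicyDocument returned by `aws iam get-role --role-name CloudXper_Management_Role`.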


 

Guide to registering using AccessKey ID and Secret Access key (Ended)

  • This method involves creating an AccessKey ID and Secret Access Key directly through the AWS console or API, and then entering the created information into the CloudXper application form.

Step 1. Create an AWS Policy

1. Follow the procedure in "Step 1. Create an AWS Policy" of the "Guide to Registering with AWS Roles" above.

Step 2. Create AccessKey ID / Secret Access Key

Generate an AccessKey ID and Secret Access Key to fill out on the CloudXper application form.

1. Create an AWS IAM User and Grant Permissions

 1.1. Go to AWS Console > IAM > Users and click Add user.

 

 1.2. After entering the user name to use, select Programmatic access as the access type.


 

 1.3. In Set permissions, select "Attach existing policies directly", then select the Policy created above together with ReadOnlyAccess.


 

 1.4. Click Next: Tags, Next: Review, and Create user in sequence.

 

 1.5. Enter the generated Access Key ID and Secret access key into the CloudXper application form.


 

Request follow-up processing for AWS account setup

Note

After setting up your account, you must provide the following information to the administrator to request the follow-up processing needed for normal use of the features. Requests to administrators must be made through the TSC portal (Inquiries > Resource Collection Request).

1.1. If you registered using the AWS Role guide, provide the ARN of the Role you created to your administrator.


1.2. If you registered using the AccessKey ID and Secret Access Key guide, provide the created Account Id, AccessKey ID, and Secret Access Key information to the manager.

1.3 New ITSM solution provides administrators with the ability to synchronize CMDB.

1.4 New ITSM solution provides administrators with the ability to enable automatic CSR.

 

Guide to Viewing AWS Commitments and Reservations

Note

To take advantage of the usage and savings cost inquiry feature for commitments and reservation purchases in the CloudXper Management Platform, you must register a Payer Account.

1.1. Register a Payer account by selecting either '1. Registration Guide using AWS Role' or '2. Registration Guide using AccessKey ID, Secret Access key' written above.

1.2. When registering through Role, specify 'billing-cloudxper' as the Role Name.

1.3. After that, enter the following in the Policy Document:

AWS Commitment and Reservation Purchase Collection Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:Get*",
        "organizations:List*"
      ],
      "Resource": "*"
    }
  ]
}

1.4. Once your account setup is complete, contact your administrator to request further processing.

1.5. Any additional requests can be made through the TSC (Technical Support Center) portal.