AWS Commercial Quickstart Guide

This guide is designed to walk you through the quickest way to configure Kion for Commercial AWS deployments.

For the sake of brevity, we are assuming you have already installed Kion in your environment. Looking for a comprehensive guide for AWS deployment? See the AWS Deployment Guide.

Our application supports a wide range of configurations and customizations, but this guide focuses on the most common setup. If you find yourself with unique requirements, we will point you to other relevant documentation at critical points where alternatives exist.

After you have completed the steps in this guide, users will be able to log in and begin using Kion.

1. Set Up AWS to Share Billing Data With Kion

In order for Kion to interpret and manage your AWS accounts, you must first enable access in AWS and add your AWS management account as the billing source in the Kion application.

In the steps below, replace any instance of accountnumber with your AWS management account number.

1. Create an S3 billing bucket in AWS

An S3 billing bucket stores the billing data that Kion reads. If you already have monthly billing reports and cost and usage reports delivered to a bucket, you can skip to step 4, Add the "cloudtamer-service-role" IAM role.

  1. Log in to your AWS management account.
  2. Navigate to the AWS CloudFormation service.
  3. Click Create Stack.
  4. Upload this template: billing-bucket.json.
  5. Name the stack: cloudtamer-billing-bucket.
  6. Follow the remainder of the prompts.

To download the .json file, go to the AWS Billing Sources article, scroll to the bottom, and download the attached file named billing-bucket.json.

2. Enable monthly reports

Enabling monthly reports allows AWS to deliver its legacy Detailed Billing Reports to the S3 bucket you just created.

  1. Log in to the AWS management account.
  2. Click your username at the top right.
  3. Click My Billing Dashboard.
  4. Click Billing preferences.
  5. Scroll to the bottom of the page and expand Detailed Billing Reports [Legacy].
  6. Enable Turn on the legacy Detailed Billing Reports feature to receive ongoing reports of your AWS charges.
  7. Enter the bucket name: cloudtamer-accountnumber-hourly
  8. If you are asked to verify the bucket policy, check the box and click Save.
  9. Select all of the reports.
  10. Click Save preferences.

3. Enable cost and usage reports

Enabling cost and usage reports allows AWS to deliver its Cost & Usage Report data to the S3 bucket you created.

  1. Log in to the AWS management account.
  2. Click your username at the top right.
  3. Click My Billing Dashboard.
  4. Click Cost & Usage Reports.
    • If you plan to use a FOCUS data export instead, see the FOCUS export documentation.
  5. Click Create report.
  6. Name the report: cloudtamer-accountnumber-hourly
  7. Enable Include resource IDs.
  8. Enable Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.
  9. Click Next.
  10. Enter the bucket name: cloudtamer-accountnumber-hourly
  11. If you are asked to verify the bucket policy, check the box and click Save.
  12. Enter the report prefix: report
  13. For Report Versioning, select: Create new report version
  14. Enable report data integration for Amazon Redshift and Amazon QuickSight.
  15. Click Next.
  16. Click Review and Complete.

4. Add the "cloudtamer-service-role" IAM role

The IAM role allows Kion to read the data in the S3 bucket and to create accounts in AWS. We recommend the default billing-role-full-access.json file, which grants Kion the full set of permissions it can use. If you need to limit what Kion can do in your management account, AWS Billing Sources lists alternative template files with narrower levels of access.

  1. Log in to the AWS management account.
  2. Navigate to the AWS CloudFormation service.
  3. Click Create Stack.
  4. Upload billing-role-full-access.json.
  5. Name the stack: cloudtamer-service-role
  6. For the AWS Account parameter, enter the account number of the AWS account where Kion is installed. This is the account the role trusts to assume it, so enter it exactly; a wrong value either breaks the billing connection or trusts the wrong account.
  7. Follow the remainder of the prompts.

To download the .json file, go to the AWS Billing Sources article, scroll to the bottom, and download the attached file named billing-role-full-access.json.
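Before moving on to step 5, it is worth confirming that the two security-relevant objects created above look the way the guide expects. The following Python is an added example and is not Kion's code, nor the contents of the attached CloudFormation templates: it checks that the cloudtamer-service-role trust policy allows sts:AssumeRole only to the account where Kion is installed, and that the billing bucket policy lets the billingreports.amazonaws.com delivery service write reports without granting anything to an anonymous principal. The policy documents at the bottom are constructed samples; in practice you would feed it the output of `aws iam get-role` and `aws s3api get-bucket-policy`.

```python
"""Offline sanity checks for the AWS objects steps 1-4 create.

Added example, not Kion's code and not the contents of the attached
CloudFormation templates. The policy documents at the bottom are
constructed samples shaped like what the console and templates produce.
"""
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
# Service principal AWS uses when delivering Cost and Usage Reports to S3.
CUR_SERVICE_PRINCIPAL = "billingreports.amazonaws.com"


def expected_bucket_name(management_account, replicated=False):
    """Bucket name the guide uses: cloudtamer-<accountnumber>-hourly."""
    if not ACCOUNT_RE.match(management_account):
        raise ValueError("management account must be a 12-digit account id")
    name = f"cloudtamer-{management_account}-hourly"
    return name + "-replicated" if replicated else name


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principals(statement):
    """Flatten a statement's Principal into (kind, value) pairs."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, v) for kind in ("AWS", "Service")
            for v in _as_list(principal.get(kind))]


def check_trust_policy(doc, kion_account):
    """Problems with the cloudtamer-service-role trust policy: only the
    account where Kion is installed (step 4.6) may assume the role."""
    if not ACCOUNT_RE.match(kion_account):
        return ["kion account must be a 12-digit account id"]
    wanted = f"arn:aws:iam::{kion_account}:root"
    problems, trusts_kion = [], False
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        for kind, value in _principals(st):
            if kind != "AWS":
                continue
            if value in ("*", "arn:aws:iam::*:root"):
                problems.append("trust policy lets any AWS account assume the role")
            elif value in (wanted, kion_account):
                trusts_kion = True
            else:
                problems.append(f"unexpected trusted principal: {value}")
    if not trusts_kion:
        problems.append(f"no statement trusts the Kion account {kion_account}")
    return problems


def check_bucket_policy(doc):
    """Problems with the billing bucket policy: the CUR delivery service must
    be able to write reports, and nothing may be granted to everyone."""
    problems, cur_can_write = [], False
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        for kind, value in _principals(st):
            if kind == "AWS" and value == "*":
                problems.append("bucket policy grants access to any principal")
            if (kind == "Service" and value == CUR_SERVICE_PRINCIPAL
                    and "s3:PutObject" in actions):
                cur_can_write = True
    if not cur_can_write:
        problems.append(f"{CUR_SERVICE_PRINCIPAL} cannot s3:PutObject into the bucket")
    return problems


# Constructed samples: a trust policy that trusts only the Kion install
# account, one that was loosened to trust any account, and a bucket policy.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"}}]}
GOOD_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CUR_SERVICE_PRINCIPAL},
     "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
     "Resource": "arn:aws:s3:::cloudtamer-123456789012-hourly"},
    {"Effect": "Allow", "Principal": {"Service": CUR_SERVICE_PRINCIPAL},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::cloudtamer-123456789012-hourly/*"}]}

if __name__ == "__main__":
    print(expected_bucket_name("123456789012"))             # cloudtamer-123456789012-hourly
    print(check_trust_policy(GOOD_TRUST, "111111111111"))   # []
    print(check_trust_policy(BAD_TRUST, "111111111111"))
    print(check_bucket_policy(GOOD_BUCKET))                 # []
```

The trust check deliberately treats a wildcard or `arn:aws:iam::*:root` principal as a failure rather than a warning: a role that any AWS account can assume in your management account is a far worse outcome than a billing source that fails to connect, and the "Test Billing Connection" button in step 5 would not surface it.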

5. Add a billing source to Kion

  1. Log in to Kion.

  2. Click Accounts on the left menu.

  3. Click Billing Sources.

  4. Click the Add New + button at the top of the page.

  5. For Account Type, select AWS.

  6. Select a Billing Report Type. We recommend using FOCUS or Cost & Usage Report. Select the Detailed Billing Report if you use C2S and SC2S.

  7. Fill in the form with the following information:

    • Billing Source Name. Enter AWS management account.
    • AWS Account Number. Enter the account number of the AWS management account.
    • Billing Start Date. Set the date to when the monthly reports are first available.
    • AWS Linked Role. The AWS linked role is the name of the IAM role that AWS Organizations automatically configures during account creation. The linked role is used as the default for any new accounts associated with this billing source.
    • Billing Report Type.
      • Selecting FOCUS generates data from the FOCUS data export.
        • See the FOCUS specification for more information.
      • Selecting FOCUS and AWS Billing Report prioritizes the FOCUS export and falls back to the AWS Billing Report if Kion cannot find the FOCUS export.
      • Selecting AWS Billing Report gives a choice of Cost & Usage Report or Detailed Billing Report. Data is generated from the option chosen.

    The steps below apply to every Billing Report Type. For FOCUS-specific setup, see the FOCUS export documentation.

    • S3 Bucket. Enter cloudtamer-accountnumber-hourly.
      • If you are using replication, enter cloudtamer-accountnumber-hourly-replicated.
    • S3 Bucket Region. Select the region where the S3 billing bucket is located.
    • Report Prefix. Enter: report.
    • Report Name. Enter cloudtamer-accountnumber-hourly.
    • AWS Account Number Containing S3 Buckets. Enter the account number of the AWS management account.
      • If you are using replication, enter the AWS account number where Kion is installed.
    • Billing S3 Bucket Access Role. Leave this field blank unless you are using replication.
      • If you are using replication, enter: cloudtamer-service-role.
    • Select whether Kion can use this management account to create AWS accounts.
    • Leave Skip Billing Source validation unchecked, so that Kion verifies the configuration before the billing source is saved.
    • Select if you would like to enroll all AWS accounts created in Kion for this billing source in your existing AWS Business or Enterprise Support plan. This option only displays if you already have an AWS support plan.
  8. Click Test Billing Connection. The number of reports found is based on how long reporting has been enabled. If you just enabled reporting, it can take up to 24 hours for your first report to come in from AWS. In this case, it is normal to see a report count of 0.

  9. Click Create Billing Source.

2. Import IAM Policies into Kion

IAM policies are the permission building blocks used to create cloud rules and cloud access roles. Kion uses native IAM policies within AWS and also allows you to create and manage your own custom policies.

Import AWS managed policies

3. Add Users

We recommend tying Kion to an Identity Management System (IDMS) if you have a large number of user accounts to create, but you can also add users one by one. The steps to add an IDMS to Kion depend on which type of IDMS you use.

You’ll want at least one user added in addition to your root account to be able to log in and start using the application, so that’s what we’ll do here.

1. Add a user

2. (Optional) Add a user group

For information about adding an IDMS, see Identity Management.

4. Define Permissions for Users

Permission roles define what a user is allowed to do within the Kion application. Permission schemes are how those roles apply to objects (OUs, projects, funding sources) within Kion.

1. Add a permission role

2. Assign a permission role to a permissions scheme

For more information, see Getting Started with Permissions.

5. Build Organizational Hierarchy with OUs

Kion organizes your hierarchy using organizational units (OUs). You can apply funding, cloud rules, and permission schemes to OUs. We recommend structuring your organization's hierarchy around where funds originate.

Child OUs are defined as any OU that falls below a top-level OU. Child OUs can hold projects and are used to define funding paths. We will create a project and add it to an OU later on in this guide.

Add an OU

For more information, see What is an OU?

6. Set Limits on User Access

Cloud rules limit the services that users can access. These limits keep your users within whatever organization-wide rules you have in place. A cloud rule applies to all users at the level of the OU hierarchy where it is placed, and to every descendant OU, project, and account below it.

Before creating cloud rules, consider what universal limits you want to place on users. For best practice suggestions, see What is a Cloud Rule?

1. Create a cloud rule

2. Assign a cloud rule to an OU

7. Set Spending Limits and Create Budgets

Kion offers a modular approach to financial management. We offer many tools for various use cases, and you can choose which ones you would like to use. If you continue without using any additional financial tools, you can still track and view data visualizations of your spending.

When you are first getting started, we suggest setting up a few OU financial thresholds. An OU financial threshold is a way to track and estimate spending from the OU level. They are set on OUs and represent the maximum cumulative spend by projects descending from that OU. When first setting up your financial structure, this allows you to create upper spend limits, even if you don't know the exact amount you want to budget for individual projects yet.

Create an OU threshold

Once you have had time to plan your spending on a more granular level, we suggest creating project budgets. OU thresholds and project budgets can be used together, so you will not be making your previously created OU thresholds redundant, only building on them. For more information, see Creating a Project Budget.

Project budgets and OU thresholds include notifications when resources overspend. With enforcements, you can automate what remediation action should be taken when one of those notifications is triggered. For more information, see What is a Financial Enforcement Action?

For more information on all of our financial tools, see Getting Started with Financial Management.

8. Create Projects and Assign Users and Groups

Projects provide the most granular level of organization in Kion. Permissions are granted at the project level, so a user with access to a project has that access in every account the project contains. Although Kion supports multi-account projects, we therefore recommend a 1:1 ratio between projects and individual cloud accounts for maximum flexibility and control.

Add a new project

For more information, see What is a Project? and What is a Project Spend Plan?

9. Attach AWS Accounts to Kion Projects

Now we can link the projects you’ve created to existing AWS accounts. Once an account is added, Kion will be able to perform actions inside the account, including accessing billing data, roles, policies, and permissions.

Attach an AWS commercial account to a project

For more information, see Getting Started with Account Management.

10. Import Existing Policies from AWS

Step 2 imported the AWS managed policies. If you already maintain custom IAM policies in your own AWS accounts, this step imports them into Kion so they can be used as building blocks in cloud rules and cloud access roles alongside the managed policies.

Import your own AWS IAM policies

11. Create Cloud Access Roles for Users

The last step is to create cloud access roles for users. These allow users to access the AWS console or provision AWS API access keys.

Cloud access roles can be applied to OUs to be inherited by multiple projects, or they can be applied to individual projects.

We will create a cloud access role on a project to get you started, but you may want to consider creating cloud access roles on OUs for system administrators, network engineers, or billing managers that need access to the same services in every account.

Create a cloud access role in a project

For more information, see What is a Cloud Access Role?