AWS Commercial Quickstart Guide
This guide is designed to walk you through the quickest way to configure Kion for Commercial AWS deployments.
For the sake of brevity, we are assuming you have already installed Kion in your environment. Looking for a comprehensive guide for AWS deployment? See the AWS Deployment Guide.
Our application supports a wide range of configurations and customizations, but this guide focuses on the most common setup. If you find yourself with unique requirements, we will point you to other relevant documentation at critical points where alternatives exist.
After you have completed the steps in this guide, users will be able to log in and begin using Kion.
1. Set up AWS to Share Billing Data With Kion
In order for Kion to interpret and manage your AWS accounts, you must first enable access in AWS and add your AWS management account as the billing source in the Kion application.
In the steps below, replace any instance of accountnumber with your AWS management account number.
1. Create an S3 billing bucket in AWS
An S3 billing bucket stores billing data for Kion to access. If you already have monthly billing reports and cost and usage reports set up, you can skip to Add the Kion IAM Role.
- Log in to your AWS management account.
- Navigate to the AWS CloudFormation service.
- Click Create Stack.
- Upload this template: billing-bucket.json.
- Name the stack: cloudtamer-billing-bucket.
- Follow the remainder of the prompts.
To download the .json file, go to the AWS Billing Sources article, scroll to the bottom, and download the attached file named billing-bucket.json.
2. Enable monthly reports
Enabling monthly reports allows AWS to send its monthly billing data to the S3 bucket we just created.
- Log in to the AWS management account.
- Click your username at the top right.
- Click My Billing Dashboard.
- Click Billing preferences.
- Scroll to the bottom of the page and expand Detailed Billing Reports [Legacy].
- Enable Turn on the legacy Detailed Billing Reports feature to receive ongoing reports of your AWS charges.
- Name the bucket: cloudtamer-accountnumber-hourly
- If you are asked to verify the bucket policy, check the box and click Save.
- Select all of the reports.
- Click Save preferences.
3. Enable cost and usage reports
Enabling cost and usage reports allows AWS to send its cost and usage billing data to the S3 bucket we created.
- Log in to the AWS management account.
- Click your username at the top right.
- Click My Billing Dashboard.
- Click Cost & Usage Reports.
- Click Create report.
- Name the report: cloudtamer-accountnumber-hourly
- Enable Include resource IDs.
- Enable Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.
- Click Next.
- Name the bucket: cloudtamer-accountnumber-hourly
- If you are asked to verify the bucket policy, check the box and click Save.
- Enter the report prefix: report
- For Report Versioning, select Create new report version.
- Enable report data integration for Amazon Redshift and Amazon QuickSight.
- Click Next.
- Click Review and Complete.
4. Add the "cloudtamer-service-role" IAM role
The IAM role allows Kion to access the data in the S3 bucket and create accounts in AWS. We recommend you use the default billing-role-full-access.json file as a best practice. For a list of alternative files with different levels of access, see AWS Billing Sources.
- Log in to the AWS management account.
- Navigate to the AWS CloudFormation service.
- Click Create Stack.
- Upload billing-role-full-access.json.
- Name the stack: cloudtamer-service-role
- Replace the AWS Account with the AWS account number where Kion is installed.
- Follow the remainder of the prompts.
To download the .json file, go to the AWS Billing Sources article, scroll to the bottom, and download the attached file named billing-role-full-access.json.
5. Add a billing source to Kion
This step links Kion to your AWS management account, so Kion can begin reading billing data and operating in AWS. For this example, we are assuming you have the “full-access” configuration.
- Log in to Kion.
- Click Accounts on the left menu.
- Click Billing Sources.
- Click the Add New + button at the top of the page.
- For Account Type, select AWS.
- Select a Billing Report Type. We recommend using the Cost and Usage Report and Detailed Billing Report. Select the Detailed Billing Report if you use C2S and SC2S.
- Fill in the form with the following information:
  - Billing Source Name. Enter AWS management account.
  - AWS Account Number. Enter the account number of the AWS management account.
  - Billing Report Type. Selecting Cost & Usage Report and Detailed Billing Report generates data from both reports. Selecting Only Cost & Usage Report generates data from the Cost and Usage Report (CUR), which supports the use of the AWS Enterprise Billing Console.
  - Monthly Report S3 Bucket. Enter cloudtamer-accountnumber-hourly.
  - Cost & Usage Report S3 Bucket. Enter cloudtamer-accountnumber-hourly. If you are using replication, enter cloudtamer-accountnumber-hourly-replicated.
  - Monthly Report S3 Bucket Region. Select the region where the S3 billing bucket is located.
  - Cost & Usage Report Prefix. Enter report.
  - Cost & Usage Report S3 Bucket Region. Select the region where the S3 billing bucket is located.
  - Cost & Usage Report Name. Enter cloudtamer-accountnumber-hourly.
  - AWS Account Number Containing S3 Buckets. Enter the account number of the AWS management account. If you are using replication, enter the AWS account number where Kion is installed.
  - Billing S3 Bucket Access Role. Leave this field blank unless you are using replication. If you are using replication, enter cloudtamer-service-role.
  - Billing Start Date. Set the date to when the monthly reports are first available.
  - AWS Linked Role. The AWS linked role is the name of the IAM role that AWS Organizations automatically configures during account creation. The linked role is used as the default for any new accounts associated with this billing source.
- Select whether Kion can use this management account to create AWS accounts.
- Leave Skip Billing Source validation unchecked.
- Select if you would like to enroll all AWS accounts created in Kion for this billing source in your existing AWS Business or Enterprise Support plan. This option only displays if you already have an AWS support plan.
- Click Create Billing Source.
2. Import IAM Policies into Kion
IAM policies are the permission building blocks used to create cloud rules and cloud access roles. Kion uses native IAM policies within AWS and also allows you to create and manage your own custom policies.
Import AWS managed policies
- Log in to Kion.
- Navigate to Settings > System Settings.
- Expand the AWS Settings section and select Import AWS Policies.
- Select AWS Managed IAM Policies.
- Click Import Policies.
Once the import completes, you will have access to the AWS library of pre-established IAM Policies.
3. Add Users
We recommend tying Kion to an Identity Management System (IDMS) if you have a large number of user accounts to create, but you can also add users one by one. The steps to add an IDMS to Kion depend on which type of IDMS you use.
You’ll want at least one user added in addition to your root account to be able to log in and start using the application, so that’s what we’ll do here.
1. Add a user
- Select Users > All Users.
- Click Add New.
- Click Create New User.
- Enter the user's first name.
- Enter the user's last name.
- Enter the user's email address. Email addresses do not need to be unique.
- Enter a user name for the user. User names must be unique within the same IDMS.
- (Optional) Enter the user's phone number.
- In the Identity Management System dropdown menu, select an IDMS. If you select an IDMS that is not an Internal type, the user will be updated on their first login with the proper values from the identity provider. This gives you the ability to pre-create users so you can assign them to groups without having them log in first. For information about using an IDMS, see Identity Management.
- (Optional) Select any groups you want the user to be a member of.
- (Optional) Select a multi-factor authentication (MFA) method that the user will be required to register with on their first login. This option does not display if a SAML IDMS is selected. For information about using MFA, see Multi-Factor Authentication.
- Click Create User.
2. (Optional) Add a user group
Creating groups makes it easy to manage teams and users with similar types of access. Rather than managing users one by one, you can group them and grant access, create permissions, and manage them all from one location.
- In the left navigation menu, click Users > User Groups.
- Click Add New.
- Enter a name to identify the group in Kion. The group name must be unique.
- (Optional) Enter a description of the user group.
- Select any users you want to be members of this group.
- Select users or groups you want to have ownership over the group.
- Click Create User Group.
For information about adding an IDMS, see Identity Management.
4. Define Permissions for Users
Permission roles define what a user is allowed to do within the Kion application. Permission schemes are how those roles apply to objects (OUs, projects, funding sources) within Kion.
1. Add a permission role
- In the left navigation menu, select Settings > Permissions.
- Click the Roles tab.
- Click Create New.
- In the Role Name field, enter a unique name.
- Click Create Role.
2. Assign a permission role to a permissions scheme
- In the left navigation menu, select Settings > Permissions.
- Click the ellipsis menu on the right side of a permissions scheme card and select Edit.
- In the dropdown menus, select any roles you would like assigned to the permissions.
- Click Update Permission Scheme.
- Repeat this process for every object you want to configure permissions for.
For more information, see Getting Started with Permissions.
5. Build Organizational Hierarchy with OUs
We organize hierarchy within Kion using organizational units (OUs). You can apply funding, cloud rules, and permission schemes to OUs. We recommend structuring your organization’s hierarchy around where funds originate.
Child OUs are defined as any OU that falls below a top-level OU. Child OUs can hold projects and are used to define funding paths. We will create a project and add it to an OU later on in this guide.
Add an OU
- Navigate to OUs > All OUs.
- Click Add New.
- Enter an OU Name to identify the OU throughout the application. The name must be unique among OUs.
- In the Parent OU field, select None to designate this as a top-level OU, or select a parent OU to designate this as a child OU.
- Select at least one user or user group as the OU owner.
- (Optional) Enter a description.
- Click Create OU.
By default, Owners have full access to the OU if you are using the Default OU Permissions Scheme.
For more information, see What is an OU?
6. Set Limits on User Access
Cloud rules limit the services that are accessible by users. These limits ensure your users remain compliant with whichever universal rules you have in place. Cloud rules apply to all users at the level they are placed in the OU hierarchy along with any descendant resources.
Before creating cloud rules, consider what universal limits you want to place on users. For best practice suggestions, see What is a Cloud Rule?
1. Create a cloud rule
- Select Cloud Management > Cloud Rules.
- Click Add New.
- In the Cloud Rule Name field, enter a name to identify the cloud rule throughout the application. This field must be unique among cloud rules.
- In the Owners dropdown menu, select users and user groups that will have permission to edit this cloud rule.
- Select AWS Service Control Policies to apply. These SCPs will apply account-wide for accounts associated with the objects this cloud rule is applied to.
- Select AWS IAM Policies to apply to cloud access roles when this cloud rule is applied.
- Select AWS CloudFormation Templates to apply to cloud accounts when this cloud rule is applied.
- Select AWS AMIs to apply.
- Select AWS Service Catalog Portfolios to apply.
- Select Compliance Standards to apply to this cloud rule. Compliance standards are applied to cloud rules, which are applied to projects. All resources within that project will be subject to the compliance checks included in that compliance standard.
- Click Create Cloud Rule.
2. Assign a cloud rule to an OU
- Navigate to OUs > All OUs.
- Click on the name of the OU you want to add the cloud rule to.
- Select the Cloud Management tab.
- Click the ellipsis menu in the upper right corner of the Cloud Rules box and select Add Existing Cloud Rule.
- Select the cloud rule you want to add.
- Click Confirm Selection.
When you add a cloud rule to an OU, it is immediately inherited and all items in the cloud rule are applied to all of the OU's descendant projects.
7. Set Spending Limits and Create Budgets
Kion offers a modular approach to financial management. We offer many tools for various use cases, and you can choose which ones you would like to use. If you continue without using any additional financial tools, you can still track and view data visualizations of your spending.
When you are first getting started, we suggest setting up a few OU financial thresholds. An OU financial threshold is a way to track and estimate spending from the OU level. They are set on OUs and represent the maximum cumulative spend by projects descending from that OU. When first setting up your financial structure, this allows you to create upper spend limits, even if you don't know the exact amount you want to budget for individual projects yet.
Create an OU threshold
- Navigate to OUs > All OUs.
- Select the OU you would like to create a threshold on.
- Click the Financials tab.
- Click OU Thresholds.
- Click Create.
- Select a type of threshold time frame. All time frame types are customizable down to individual months.
- Select a threshold type.
  - Fixed Amount. Set a total amount for the threshold, and distribute it between each month within your time frame. This type is recommended if you have a fixed, maximum amount you plan to spend during the time frame.
  - Cumulative. Set amounts for each month within your time frame that are added together to create a total. This type is recommended if you would like to plan your spend by month without a fixed maximum amount for the time frame.
- Click Continue to Threshold Settings.
- If you selected Fixed Amount:
  - Enter a Threshold Total.
  - Select whether you would like to have your threshold total evenly distributed throughout your time frame or if you would like to set each month's amount manually.
  - Click Continue to Threshold Set Up.
  - Edit any of the monthly amounts as desired.
  - Click Create Threshold.
- If you selected Cumulative:
  - Enter an amount for each month within your time frame.
  - Click Create Threshold.
Once you have had time to plan your spending on a more granular level, we suggest creating project budgets. OU thresholds and project budgets can be used together, so you will not be making your previously created OU thresholds redundant, only building on them. For more information, see Creating a Project Budget.
Project budgets and OU thresholds include notifications when resources overspend. With enforcements, you can automate what remediation action should be taken when one of those notifications is triggered. For more information, see What is a Financial Enforcement Action?
For more information on all of our financial tools, see Getting Started with Financial Management.
8. Create Projects and Assign Users and Groups
Projects provide the most granular level of organization in Kion. Permissions are organized at the project level, so, although we support multi-account projects, we recommend a 1:1 ratio between projects and individual cloud accounts for maximum flexibility and control.
Add a new project
- Click Projects > All Projects.
- Click Add New.
- Enter a Project Name to identify the project throughout the application. This name must be unique among projects.
- (Optional) Enter a description.
- Select an OU to add the project to.
- Select at least one user or user group as the project owner.
- In the Project Spend Plan section, click Add Funding Source.
- Select the funding source that the project will use.
  - You can add more than one funding source to the project spend plan.
  - There must be a funding source available for every month you want the project to operate.
  - You can use more than one funding source in a given month.
  - You can drag and drop the funding sources to prioritize the order in which they are used.
- Select the start and end months during which the project can use the funding source. Funding sources can only be set on month boundaries since cloud accounts generally finalize spend once a month.
- In the Planned Amount field, enter the dollar amount available to the project.
- Click Create Project.
For more information, see What is a Project? and What is a Project Spend Plan?
9. Attach AWS Accounts to Kion Projects
Now we can link the projects you’ve created to existing AWS accounts. Once an account is added, Kion will be able to perform actions inside the account, including accessing billing data, roles, policies, and permissions.
Attach an AWS commercial account to a project
Accounts can be added to Kion in a few places:
- Accounts > All Accounts. Navigate to Accounts > All Accounts and click Add. This brings up the account wizard.
- The Accounts tab of a project. Navigate to the project details page of the project you want to add the account to. Select the Accounts tab. Click Add. This brings up the account wizard.
- The Quick Connect menu. The Quick Connect button is always available at the top of your screen next to the global search. Click the Quick Connect button. Click Accounts. Select whether you want to add new accounts or existing accounts. This brings up the account wizard.
- The Accounts Not in Kion list of a billing source. This option is only for existing AWS and Azure accounts. Navigate to Accounts > Billing Sources. Click the name of the billing source the account you want to add is under. Expand the Accounts not in Kion list. Click the ellipsis menu next to the account you want to add, and select whether you want to add it to a project or to the account cache.
To add an account:
- Navigate to the account wizard using one of the methods above.
- Select Amazon Web Services.
- Select AWS Commercial.
- Select whether you want to add one account or multiple accounts.
- Select the billing source for the account.
- The account wizard will walk you through the remaining steps that are specific to the type of account you are adding. Below are some recommended configurations:
  - Skip account access checking. Enable this if you don't want Kion to verify the role is available. This allows you to preload accounts without having access to them.
  - Add to cache or add to existing project. Add accounts to the Account Cache if you want to preload your accounts and attach them to projects later on.
  - Linked Role. Leave this as OrganizationAccountAccessRole unless you changed the organization role during initial AWS account creation.
  - Include spend from linked GovCloud/Commercial account. Enable this to include the spend data from a linked GovCloud or commercial account. This lets you create combined financial reports without adding the linked account directly to Kion. For more information, see Reporting AWS GovCloud Spend.
  - Sync account information with AWS Organizations. Enable this if you would like to keep the account name and account email updated with those specified in AWS Organizations. You need to ensure the IAM role in the management account has access to Organizations for this to work properly.
  - Add to AWS Organizational Unit. Enable this to add the account to an existing or new AWS organizational unit. This won't affect the account's placement within Kion OUs.
For more information, see Getting Started with Account Management.
10. Import Existing Policies from AWS
IAM policies are the permission building blocks used to create cloud rules and cloud access roles. Kion uses native IAM policies within AWS and also allows you to create and manage your own custom policies.
Import your own AWS IAM policies
- Navigate to Settings > System Settings.
- Expand the AWS Settings section and select Import AWS Policies.
- Select Customer Managed IAM Policies.
- Click Import Policies.
- Select the account to import the IAM policies from.
- (Optional) Enable the option to Replace Partition and Account IDs with Application Variables. This replaces any account IDs and partitions found within the IAM policy's text with application variables (i.e., {{CT::AWSAccountId}} and {{CT::AWSPartition}}). This ensures that policies that are account-specific or partition-specific in AWS can be applied across resources in Kion.
- Click Import.
This process may take a minute or two. Leaving the page will not prevent the policies from loading. Kion will notify you when the import is complete.
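As an added illustration of what the Replace Partition and Account IDs with Application Variables option does (example code written for this guide, not Kion's own implementation), the script below rewrites the partition and every 12-digit account ID in a constructed sample policy with {{CT::AWSPartition}} and {{CT::AWSAccountId}}, then reports any hard-coded account IDs left behind. The exact substitution rules Kion applies, and the assumption that any 12-digit token is an account ID, are assumptions here.

```python
import json
import re

# Constructed sample customer-managed policy (not from Kion or AWS docs). It contains
# account-specific and partition-specific ARNs plus a bare account id in a Condition.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::cloudtamer-123456789012-hourly",
                "arn:aws:s3:::cloudtamer-123456789012-hourly/*",
            ],
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws-us-gov:iam::123456789012:role/cloudtamer-service-role",
            "Condition": {"StringEquals": {"aws:PrincipalAccount": "123456789012"}},
        },
    ],
}

# Application variables named in the guide; Kion fills these in per account when the policy is applied.
ACCOUNT_VAR = "{{CT::AWSAccountId}}"
PARTITION_VAR = "{{CT::AWSPartition}}"

# ARN layout: arn:<partition>:<service>:<region>:<account>:<resource>
ARN_RE = re.compile(
    r"arn:(?P<partition>aws(?:-[a-z]+)*):(?P<service>[^:]*):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.*)"
)
# Assumption: any standalone 12-digit token is an account id (a numeric tag value would also match).
ACCOUNT_ID_RE = re.compile(r"\b\d{12}\b")


def templatize_arn(arn):
    """Swap the partition and any 12-digit account id in one ARN for the application variables."""
    m = ARN_RE.fullmatch(arn)
    if not m:
        return arn  # not an ARN (e.g. "*"), leave untouched
    account = ACCOUNT_VAR if ACCOUNT_ID_RE.fullmatch(m["account"]) else m["account"]
    resource = ACCOUNT_ID_RE.sub(ACCOUNT_VAR, m["resource"])  # ids embedded in bucket names etc.
    return f"arn:{PARTITION_VAR}:{m['service']}:{m['region']}:{account}:{resource}"


def templatize_policy(policy):
    """Walk the policy document and rewrite every string value; keys are left alone."""
    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            return templatize_arn(node) if node.startswith("arn:") else ACCOUNT_ID_RE.sub(ACCOUNT_VAR, node)
        return node
    return walk(policy)


def remaining_account_ids(policy):
    """Hard-coded 12-digit ids still present in the document; expect [] after templatizing."""
    return sorted(set(ACCOUNT_ID_RE.findall(json.dumps(policy))))


if __name__ == "__main__":
    print(json.dumps(templatize_policy(SAMPLE_POLICY), indent=2))
```

Running remaining_account_ids on a policy before import is a quick way to spot account-specific statements that will not port across accounts unless the option is enabled.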
11. Create Cloud Access Roles for Users
The last step is to create cloud access roles for users. These allow users to access the AWS console or provision AWS API access keys.
Cloud access roles can be applied to OUs to be inherited by multiple projects, or they can be applied to individual projects.
We will create a cloud access role on a project to get you started, but you may want to consider creating cloud access roles on OUs for system administrators, network engineers, or billing managers that need access to the same services in every account.
Create a cloud access role in a project
- In the left navigation menu, click Projects > All Projects.
- Click the name of the project to which you will add a cloud access role.
- Click the Cloud Management tab.
- Click the Cloud Access Roles subtab.
- Click Add.
- In the Cloud Access Role Name field, enter a name to identify it on the project.
- In the Access Type dropdown, select one or more types of access you wish to grant. The options are:
  - Web Access. Provides the user access to log in to the cloud console/portal.
  - Short Term Access Key. Provides the user the ability to generate temporary access keys that expire after a certain period of time.
  - Long Term Access Key. Provides the user the ability to generate long-term access keys that may or may not expire depending on the settings defined at a global level. No matter the settings at the global level, if the user is disabled, the LTAKs will be disabled as well.
- Select the users and groups that will have access to use this role.
- Select an account to apply the role to.
- (Optional) Check the Also apply to all future accounts to automatically apply this cloud access role to accounts that are added to this project in the future.
- Enter the name of the AWS IAM role that will be created in the AWS accounts attached to the project.
This is the name of the role that displays in the top right of the AWS console. It displays as: rolename/username. Any value in the gray box is a prefix that is set at the global level and cannot be edited here. For information on changing this prefix, see AWS Access.
- Select AWS IAM policies to associate with this role. These allow console access for AWS.
- Select AWS permissions boundaries to associate with this role.
For more information, see What is a Cloud Access Role?