AWS Commercial Quickstart Guide



This guide is designed to walk you through the quickest way to configure Kion for Commercial AWS deployments.

For the sake of brevity, we are assuming you have already installed Kion in your environment. Looking for a comprehensive guide for AWS deployment? See the AWS Deployment Guide.

Our application supports a wide range of configurations and customizations, but this guide focuses on the most common setup. If you find yourself with unique requirements, we will point you to other relevant documentation at critical points where alternatives exist.

After you have completed the steps in this guide, users will be able to log in and begin using Kion.

1. Set Up AWS to Share Billing Data With Kion

In order for Kion to interpret and manage your AWS accounts, you must first enable access in AWS and add your AWS management account as the billing source in the Kion application.

In the steps below, replace any instance of accountnumber with your AWS management account number.

1. Create an S3 billing bucket in AWS

2. Enable monthly reports

3. Enable cost and usage reports

4. Add the "cloudtamer-service-role" IAM role

5. Add a billing source to Kion

2. Import IAM Policies into Kion

IAM policies are the permission building blocks used to create cloud rules and cloud access roles. Kion uses native IAM policies within AWS and also allows you to create and manage your own custom policies.

Import AWS managed policies

3. Add Users

We recommend connecting Kion to an Identity Management System (IDMS) if you have a large number of user accounts to create, but you can also add users one by one. The steps to add an IDMS to Kion depend on what type of IDMS you use.

You’ll want at least one user added in addition to your root account to be able to log in and start using the application, so that’s what we’ll do here.

1. Add a user

2. (Optional) Add a user group

For information about adding an IDMS, see Identity Management.

4. Defining Permissions for Users

Permission roles define what a user is allowed to do within the Kion application. Permission schemes are how those roles apply to objects (OUs, projects, funding sources) within Kion.

1. Add a permission role

2. Assign a permission role to a permissions scheme

For more information, see Getting Started with Permissions.

5. Build Organizational Hierarchy with OUs

We organize hierarchy within Kion using organizational units (OUs). You can apply funding, cloud rules, and permission schemes to OUs. We recommend structuring your organization’s hierarchy around where funds originate.

Child OUs are defined as any OU that falls below a top-level OU. Child OUs can hold projects and are used to define funding paths. We will create a project and add it to an OU later on in this guide.

Add an OU

For more information, see What is an OU?

6. Set Limits on User Access

Cloud rules limit the services that are accessible by users. These limits ensure your users remain compliant with whichever universal rules you have in place. Cloud rules apply to all users at the level they are placed in the OU hierarchy along with any descendant resources. 

Before creating cloud rules, consider what universal limits you want to place on users. For best practice suggestions, see What is a Cloud Rule?

1. Create a cloud rule

2. Assign a cloud rule to an OU

7. Set Spending Limits and Create Budgets

Kion offers a modular approach to financial management. We offer many tools for various use cases, and you can choose which ones you would like to use. If you continue without using any additional financial tools, you can still track and view data visualizations of your spending.

When you are first getting started, we suggest setting up a few OU financial thresholds. An OU financial threshold is a way to track and estimate spending from the OU level. They are set on OUs and represent the maximum cumulative spend by projects descending from that OU. When first setting up your financial structure, this allows you to create upper spend limits, even if you don't know the exact amount you want to budget for individual projects yet.

Create an OU threshold

Once you have had time to plan your spending on a more granular level, we suggest creating project budgets. OU thresholds and project budgets can be used together, so you will not be making your previously created OU thresholds redundant, only building on them. For more information, see Creating a Project Budget.

Project budgets and OU thresholds include notifications when resources overspend. With enforcements, you can automate what remediation action should be taken when one of those notifications is triggered. For more information, see What is a Financial Enforcement Action?

For more information on all of our financial tools, see Getting Started with Financial Management.
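
The inheritance described in sections 6 and 7 (cloud rules reaching every descendant of the OU they are placed on, and OU thresholds tracking the cumulative spend of descendant projects) can be modeled as follows. This is an added Python illustration, not Kion code or its API; the class and function names, the OU and rule names, and all figures are constructed.

```python
# Simplified model of OU inheritance; not Kion's implementation.
# OU names, rule names, spend and threshold figures are constructed.
class OU:
    def __init__(self, name, parent=None, cloud_rules=(), threshold=None):
        self.name, self.parent = name, parent
        self.cloud_rules = list(cloud_rules)
        self.threshold = threshold  # max cumulative spend of descendant projects
        self.children, self.projects = [], []
        if parent is not None:
            parent.children.append(self)

class Project:
    def __init__(self, name, ou, spend):
        self.name, self.ou, self.spend = name, ou, spend
        ou.projects.append(self)

def effective_cloud_rules(project):
    """Cloud rules reaching a project: its OU's rules plus every ancestor's."""
    chain, ou = [], project.ou
    while ou is not None:
        chain.append(ou)
        ou = ou.parent
    return [rule for o in reversed(chain) for rule in o.cloud_rules]

def cumulative_spend(ou):
    """Spend of all projects descending from this OU, at any depth."""
    return sum(p.spend for p in ou.projects) + sum(map(cumulative_spend, ou.children))

def threshold_breaches(root):
    """(OU name, cumulative spend, threshold) for each OU over its threshold."""
    breaches, stack = [], [root]
    while stack:
        ou = stack.pop()
        total = cumulative_spend(ou)
        if ou.threshold is not None and total > ou.threshold:
            breaches.append((ou.name, total, ou.threshold))
        stack.extend(ou.children)
    return sorted(breaches)

def build_sample():
    root = OU("Engineering", cloud_rules=["deny-unapproved-regions"], threshold=10000)
    platform = OU("Platform", root, ["require-encryption"], threshold=4000)
    research = OU("Research", root, threshold=5000)
    projects = [Project("platform-prod", platform, 3000),
                Project("platform-dev", platform, 1500), Project("ml-sandbox", research, 2500)]
    return root, {p.name: p for p in projects}

if __name__ == "__main__":
    print(threshold_breaches(build_sample()[0]))
```

In the sample, only the Platform OU is over its threshold; lowering the Engineering threshold below 7000 would flag the top-level OU as well, because its total includes both child OUs.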

8. Create Projects and Assign Users and Groups

Projects provide the most granular level of organization in Kion. Permissions are organized at the project level, so, although we support multi-account projects, we recommend a 1:1 ratio between projects and individual cloud accounts for maximum flexibility and control. 

Add a new project

For more information, see What is a Project? and What is a Project Spend Plan?

9. Attach AWS Accounts to Kion Projects

Now we can link the projects you’ve created to existing AWS accounts. Once an account is added, Kion will be able to perform actions inside the account, including accessing billing data, roles, policies, and permissions.

Attach an AWS commercial account to a project

For more information, see Getting Started with Account Management.

10. Import Existing Policies from AWS

IAM policies are the permission building blocks used to create cloud rules and cloud access roles. Kion uses native IAM policies within AWS and also allows you to create and manage your own custom policies.

Import your own AWS IAM policies

11. Create Cloud Access Roles for Users

The last step is to create cloud access roles for users. These allow users to access the AWS console or provision AWS API access keys.

Cloud access roles can be applied to OUs to be inherited by multiple projects, or they can be applied to individual projects.

We will create a cloud access role on a project to get you started, but you may want to consider creating cloud access roles on OUs for system administrators, network engineers, or billing managers that need access to the same services in every account.

Create a cloud access role in a project

For more information, see What is a Cloud Access Role?