AWS GovCloud Quickstart Guide


This guide is designed to walk you through the quickest way to configure Kion for AWS GovCloud deployments.

For the sake of brevity, we are assuming you have already installed Kion in your environment. Looking for a comprehensive guide for AWS deployment? See the AWS Deployment Guide.

Our application supports a wide range of configurations and customizations, but this guide focuses on the most common setup. If you find yourself with unique requirements, we will point you to other relevant documentation at critical points where alternatives exist.

After you have completed the steps in this guide, users will be able to log in and begin using Kion.

1. Set Up AWS to Share Billing Data With Kion

In order for Kion to interpret and manage your AWS accounts, you must first enable access in AWS and add your AWS management account as the billing source in the Kion application.

This process requires both a GovCloud and commercial management account. Billing will be processed through your commercial account.

In the steps below, replace any instance of accountnumber with your commercial AWS management account number.

1. Create an S3 billing bucket in AWS

An S3 billing bucket stores billing data for Kion to access. If you already have monthly billing reports and cost and usage reports set up, you can skip to Add the Kion IAM Role.

  1. Log in to your AWS management account.

  2. Navigate to the AWS CloudFormation service.

  3. Click Create Stack.

  4. Upload this template: billing-bucket.json.

  5. Name the stack: cloudtamer-billing-bucket.

  6. Follow the remainder of the prompts.

To download the .json file, go to the AWS Billing Sources article, scroll to the bottom of the article, and download the attached file named billing-bucket.json.

2. Enable monthly reports

Enabling monthly reports allows AWS to send its monthly billing data to the S3 bucket we just created. 

  1. Log in to the AWS management account.

  2. Click your username at the top right.

  3. Click My Billing Dashboard.

  4. Click Billing preferences.

  5. Scroll to the bottom of the page and expand Detailed Billing Reports [Legacy].

  6. Enable Turn on the legacy Detailed Billing Reports feature to receive ongoing reports of your AWS charges.

  7. Name the bucket: cloudtamer-accountnumber-hourly

  8. If you are asked to verify the bucket policy, check the box and click Save.

  9. Select all of the reports.

  10. Click Save preferences.

3. Enable cost and usage reports

Enabling cost and usage reports allows AWS to send its cost and usage billing data to the S3 bucket we created. 

  1. Log in to the AWS management account.

  2. Click your username at the top right.

  3. Click My Billing Dashboard.

  4. Click Cost & Usage Reports.

    • For FOCUS setup information, see the FOCUS setup documentation.

  5. Click Create report.

  6. Name the report: cloudtamer-accountnumber-hourly

  7. Enable Include resource IDs.

  8. Enable Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.

  9. Click Next.

  10. Name the bucket: cloudtamer-accountnumber-hourly

  11. If you are asked to verify the bucket policy, check the box and click Save.

  12. Enter the report prefix: report

  13. For Report Versioning, enter: Create new report version

  14. Enable report data integration for Amazon Redshift and Amazon QuickSight.

  15. Click Next.

  16. Click Review and Complete.

4. Add the "cloudtamer-service-role" IAM role

The IAM role allows Kion to access the data in the S3 bucket and create accounts in AWS. We recommend you use the default govcloud-billing-role-full-access.json file as a best practice. For a list of alternative files with different levels of access, see AWS Billing Sources.

  1. Log in to the AWS management account.

  2. Navigate to the AWS CloudFormation service.

  3. Click Create Stack.

  4. Upload govcloud-billing-role-full-access.json.

  5. Name the stack: cloudtamer-service-role

  6. For the AWS Account parameter, enter the AWS account number where Kion is installed.

  7. Follow the remainder of the prompts.

To download the .json file, go to the AWS Billing Sources article, scroll to the bottom of the article, and download the attached file named govcloud-billing-role-full-access.json.

5. Partition user setup

To configure billing for your new instance of Kion in AWS GovCloud, you must configure a partition user in AWS Commercial. This partition user is used for several operations, including accessing the list of available AWS commercial regions and performing AWS commercial operations.

  1. In Kion, navigate to Settings > System Settings > AWS Settings > AWS Partitions.

  2. Download the AWS CloudFormation template at the top of the page.

  3. Deploy the downloaded AWS CloudFormation template in the AWS commercial account that corresponds to your AWS GovCloud installation account. This creates your AWS Commercial partition account.

    • Do not execute this AWS CloudFormation template in your AWS commercial management (billing) account.

  4. In your AWS commercial partition account, navigate to IAM > Users.

  5. Select the cloudtamer-service-user.

  6. Click Security Credentials.

  7. Generate a new access key for this user. Take note of the Access Key ID and the Secret Access Key.

  8. In the Kion AWS Partitions settings, select AWS Commercial.

  9. Enter the Access Key ID and Secret Access Key that you generated earlier.

  10. Click Save.

  11. Log in to your AWS commercial management account.

  12. Navigate to IAM > Roles.

  13. Select the cloudtamer-service-role.

  14. In the details section, select Trust Relationships.

  15. Edit the trust policy by adding the following statement. Replace [ACCOUNTNUMBER] with the account number for your AWS commercial partition account.

    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::[ACCOUNTNUMBER]:root" },
      "Action": "sts:AssumeRole"
    }

  16. In Kion, navigate to Settings > System Settings > AWS Settings > AWS Regions.

  17. Select the AWS regions you plan to use. Ensure you select the region that contains your S3 billing buckets for your AWS commercial management account.

  18. Click Update.
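To illustrate the edit in step 15, here is an added Python example (not code from the Kion documentation or product) that merges the partition-account statement into the existing trust policy of cloudtamer-service-role instead of replacing it, validates the account number, and lists the trusted accounts so the result can be reviewed before saving. The sample policy and account numbers are constructed placeholders.

```python
import json
import re

# Constructed sample: the trust policy of cloudtamer-service-role before step 15.
# The account number is a placeholder, not a real account.
EXISTING_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})


def partition_trust_statement(account_number: str) -> dict:
    """Build the statement from step 15 for one partition account."""
    if not re.fullmatch(r"\d{12}", account_number):
        raise ValueError(f"not a 12-digit AWS account number: {account_number!r}")
    return {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_number}:root"},
        "Action": "sts:AssumeRole",
    }


def add_partition_trust(policy, account_number: str) -> dict:
    """Append the statement to the existing policy (JSON string or dict) without dropping or duplicating any."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    new_stmt = partition_trust_statement(account_number)
    if new_stmt not in statements:
        statements.append(new_stmt)
    policy["Statement"] = statements
    return policy


def trusted_accounts(policy: dict) -> list:
    """Principals allowed to assume the role (account IDs, or '*' for anyone): review before saving."""
    ids = []
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in (
                [actions] if isinstance(actions, str) else actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for entry in ([aws] if isinstance(aws, str) else aws):
            ids.append(entry.split(":")[4] if entry.startswith("arn:") else entry)
    return ids
```

The returned policy can be pasted into Trust Relationships in the console or applied with `aws iam update-assume-role-policy --role-name cloudtamer-service-role --policy-document file://trust.json`.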

6. Add a billing source to Kion

  1. Log in to Kion.

  2. Click Accounts on the left menu.

  3. Click Billing Sources.

  4. Click the Add New + button at the top of the page.

  5. For Account Type, select AWS.

  6. Select a Billing Report Type. We recommend using FOCUS or Cost & Usage Report. Select the Detailed Billing Report if you use C2S and SC2S.

  7. Fill in the form with the following information:

    • Billing Source Name. Enter AWS management account.

    • AWS Account Number. Enter the account number of the commercial AWS management account.

    • Billing Start Date. Set the date to when the monthly reports are first available.

    • AWS Linked Role. The AWS linked role is the name of the IAM role that AWS Organizations automatically configures during account creation. The linked role is used as the default for any new accounts associated with this billing source.

    • Billing Report Type:

      • Selecting FOCUS will generate data from the FOCUS data export

        • See the FOCUS specification for more information.

      • Selecting FOCUS and AWS Billing Report will prioritize generating data from the FOCUS export, and the AWS Billing Report will be an alternative option if Kion is unable to find the FOCUS export.

      • Selecting AWS Billing Report will give an option of Cost & Usage Report or Detailed Billing Report. Data will be generated from the option chosen.

    The below steps apply to any of the Billing Report Types chosen:

    • S3 Bucket. Enter cloudtamer-accountnumber-hourly.

      • If you are using replication, enter cloudtamer-accountnumber-hourly-replicated.

    • S3 Bucket Region. Select the region where the S3 billing bucket is located.

    • Report Prefix. Enter: report.

    • Report Name. Enter cloudtamer-accountnumber-hourly.

    • AWS Account Number Containing S3 Buckets. Enter the account number of the AWS management account.

      • If you are using replication, enter the AWS account number where Kion is installed.

    • Billing S3 Bucket Access Role. Leave this field blank unless you are using replication.

      • If you are using replication, enter: cloudtamer-service-role.

    • Select whether Kion can use this management account to create AWS accounts.

    • Leave Skip Billing Source validation unchecked.

    • Select if you would like to enroll all AWS accounts created in Kion for this billing source in your existing AWS Business or Enterprise Support plan. This option only displays if you already have an AWS support plan.

  8. Click Test Billing Connection. The number of reports found is based on how long reporting has been enabled. If you just enabled reporting, it can take up to 24 hours for your first report to come in from AWS. In this case, it is normal to see a report count of 0.

  9. Click Create Billing Source.

7. Add your GovCloud organization master account

For Kion to support AWS Organizations lookups and account creation, you must configure your billing source to use your AWS GovCloud Organizations master account. This is the top-level of your AWS Organizations structure within AWS GovCloud.

  1. In Kion, navigate to Accounts > Billing Sources.

  2. Click the ellipsis menu next to the billing source you configured earlier and select GovCloud Settings.

  3. Enter a friendly name for the account.

  4. Enter the account number for your GovCloud Organization master account.

  5. Click Save.

  6. Contact Kion Support for the AWS CloudFormation template to create a role in your GovCloud Organization master account.

2. Import IAM Policies into Kion

IAM policies are the permission building blocks used to create cloud rules and cloud access roles. Kion uses native IAM policies within AWS and also allows you to create and manage your own custom policies.

Import AWS managed policies

3. Add Users

We recommend integrating with an Identity Management System (IDMS) if you have a large number of user accounts to create, but you can add users one by one. The steps to add an IDMS to Kion depend on what type of IDMS you use.

You’ll want at least one user added in addition to your root account to be able to log in and start using the application, so that’s what we’ll do here.

1. Add a user

2. (Optional) Add a user group

For information about adding an IDMS, see Identity Management.

4. Define Permissions for Users

Permission roles define what a user is allowed to do within the Kion application. Permission schemes are how those roles apply to objects (OUs, projects, funding sources) within Kion.

1. Add a permission role

2. Assign a permission role to a permissions scheme

For more information, see Getting Started with Permissions.

5. Build Organizational Hierarchy with OUs

We organize hierarchy within Kion using organizational units (OUs). You can apply funding, cloud rules, and permission schemes to OUs. We recommend structuring your organization’s hierarchy around where funds originate.

Child OUs are defined as any OU that falls below a top-level OU. Child OUs can hold projects and are used to define funding paths. We will create a project and add it to an OU later on in this guide.

Add an OU

For more information, see What is an OU?

6. Set Limits on User Access

Cloud rules limit the services that are accessible by users. These limits ensure your users remain compliant with whichever universal rules you have in place. Cloud rules apply to all users at the level they are placed in the OU hierarchy along with any descendant resources. 

Before creating cloud rules, consider what universal limits you want to place on users. For best practice suggestions, see What is a Cloud Rule?

1. Create a cloud rule

2. Assign a cloud rule to an OU

7. Create a Funding Source and Allocate Funds

Funding sources are used to allocate funding to specific OUs and projects. Funding sources represent a single deposit of funds and must be associated with a top-level OU.

After creating a funding source, funds can be disseminated down to destination OUs. A destination OU can be any child OU below the source OU.  

1. Add a funding source

2. Allocate funds to a child OU

For more information, see Financial Management Methods.

8. Create Projects and Assign Users and Groups

Projects provide the most granular level of organization in Kion. Permissions are organized at the project level, so, although we support multi-account projects, we recommend a 1:1 ratio between projects and individual cloud accounts for maximum flexibility and control. 

Add a new project

For more information, see What is a Project? and What is a Project Spend Plan?

9. Set Budget Enforcement Actions on Project

Enforcement actions control how much money each of your cloud accounts spends. You can set enforcement actions at the funding source level, but we recommend setting them at the project level for more control. You can set triggers to run a cloud rule when significant events occur. Cloud rules triggered by enforcements can do things like pause funding or lock accounts to prevent further spending.

Create a budget enforcement action

For more information, see What is a Financial Enforcement Action?

10. Attach AWS Accounts to Kion Projects

Now we can link the projects you’ve created to existing AWS accounts. Once an account is added, Kion will be able to perform actions inside the account, including accessing billing data, roles, policies, and permissions.

Before you can create accounts via Kion, you must enable account creation for GovCloud. However, accounts created in AWS can be imported into Kion without enabling this feature. For more information, see Enabling AWS GovCloud Account Creation.

Attach an AWS GovCloud account to a project

For more information, see Getting Started with Account Management.

11. Import Existing Policies from AWS

IAM policies are the permission building blocks used to create cloud rules and cloud access roles. Kion uses native IAM policies within AWS and also allows you to create and manage your own custom policies.

Import your own AWS IAM policies

12. Create Cloud Access Roles for Users

The last step is to create cloud access roles for users. These allow users to access the AWS console or provision AWS API access keys.

Cloud access roles can be applied to OUs to be inherited by multiple projects, or they can be applied to individual projects.

We will create a cloud access role on a project to get you started, but you may want to consider creating cloud access roles on OUs for system administrators, network engineers, or billing managers that need access to the same services in every account.

Create a cloud access role in a project

For more information, see What is a Cloud Access Role?