AWS GovCloud Quickstart Guide
This guide is designed to walk you through the quickest way to configure Kion for AWS GovCloud deployments.
For the sake of brevity, we are assuming you have already installed Kion in your environment. Looking for a comprehensive guide for AWS deployment? See the AWS Deployment Guide.
Our application supports a wide range of configurations and customizations, but this guide focuses on the most common setup. If you find yourself with unique requirements, we will point you to other relevant documentation at critical points where alternatives exist.
After you have completed the steps in this guide, users will be able to log in and begin using Kion.
1. Setup AWS to Share Billing Data With Kion
In order for Kion to interpret and manage your AWS accounts, you must first enable access in AWS and add your AWS management account as the billing source in the Kion application.
This process requires both a GovCloud and commercial management account. Billing will be processed through your commercial account.
In the steps below, replace any instance of accountnumber with your commercial AWS management account number.
1. Create an S3 billing bucket in AWS
An S3 billing bucket stores billing data for Kion to access. If you already have monthly billing reports and cost and usage reports set up, you can skip to Add the Kion IAM Role.
- Log in to your AWS management account.
- Navigate to the AWS CloudFormation service.
- Click Create Stack.
- Upload this template: billing-bucket.json.
- Name the stack: cloudtamer-billing-bucket.
- Follow the remainder of the prompts.
To download the .json file, go to the AWS Billing Sources, scroll to the bottom of the article, and download the attached file named billing-bucket.json.
2. Enable monthly reports
Enabling monthly reports allows AWS to send its monthly billing data to the S3 bucket we just created.
- Log in to the AWS management account.
- Click your username at the top right.
- Click My Billing Dashboard.
- Click Billing preferences.
- Scroll to the bottom of the page and expand Detailed Billing Reports [Legacy].
- Enable Turn on the legacy Detailed Billing Reports feature to receive ongoing reports of your AWS charges.
- Name the bucket: cloudtamer-accountnumber-hourly
- If you are asked to verify the bucket policy, check the box and click Save.
- Select all of the reports.
- Click Save preferences.
3. Enable cost and usage reports
Enabling cost and usage reports allows AWS to send its cost and usage billing data to the S3 bucket we created.
- Log in to the AWS management account.
- Click your username at the top right.
- Click My Billing Dashboard.
- Click Cost & Usage Reports.
- Click Create report.
- Name the report: cloudtamer-accountnumber-hourly
- Enable Include resource IDs.
- Enable Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.
- Click Next.
- Name the bucket: cloudtamer-accountnumber-hourly
- If you are asked to verify the bucket policy, check the box and click Save.
- Enter the report prefix: report
- For Report Versioning, select Create new report version.
- Enable report data integration for Amazon Redshift and Amazon QuickSight.
- Click Next.
- Click Review and Complete.
4. Add the "cloudtamer-service-role" IAM role
The IAM role allows Kion to access the data in the S3 bucket and create accounts in AWS. We recommend you use the default govcloud-billing-role-full-access.json file as a best practice. For a list of alternative files with different levels of access, see AWS Billing Sources.
- Log in to the AWS management account.
- Navigate to the AWS CloudFormation service.
- Click Create Stack.
- Upload govcloud-billing-role-full-access.json.
- Name the stack: cloudtamer-service-role
- Replace the AWS Account with the AWS account number where Kion is installed.
- Follow the remainder of the prompts.
To download the .json file, go to the AWS Billing Sources, scroll to the bottom of the article, and download the attached file named govcloud-billing-role-full-access.json.
5. Partition user setup
To configure billing for your new instance of Kion in AWS GovCloud, you must configure a partition user in AWS Commercial. This partition user is used for several operations, including accessing the list of available AWS commercial regions and performing AWS commercial operations.
- In Kion, navigate to Settings > System Settings > AWS Settings > AWS Partitions.
- Download the AWS CloudFormation template at the top of the page.
- Deploy the downloaded AWS CloudFormation template in the AWS commercial account that correlates to your AWS GovCloud installation account. This creates your AWS Commercial partition account.
- Do not execute this AWS CloudFormation template in your AWS commercial management (billing) account.
- In your AWS commercial partition account, navigate to IAM > Users.
- Select the cloudtamer-service-user.
- Click Security Credentials.
- Generate a new access key for this user. Take note of the Access Key ID and the Secret Access Key.
- In the Kion AWS Partitions settings, select AWS Commercial.
- Enter the Access Key ID and Secret Access Key that you generated earlier.
- Click Save.
- Log in to your AWS commercial management account.
- Navigate to IAM > Roles.
- Select the cloudtamer-service-role.
- In the details section, select Trust Relationships.
- Edit the trust policy by adding the following statement. Replace [ACCOUNTNUMBER] with the account number for your AWS commercial partition account.

```json
{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::[ACCOUNTNUMBER]:root"
    },
    "Action": "sts:AssumeRole"
}
```
- In Kion, navigate to Settings > System Settings > AWS Settings > AWS Regions.
- Select the AWS regions you plan to use. Ensure you select the region that contains the S3 billing buckets for your AWS commercial management account.
- Click Update.
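The trust-policy edit above is easy to get subtly wrong: the new statement has to land inside the role's existing Statement array (the role already trusts the account where Kion is installed, from the stack in step 4), the placeholder must be replaced with a real 12-digit account number rather than a wildcard, and re-running the edit should not stack duplicate statements. The following Python is an added example, not Kion's code or its CloudFormation template; it merges the guide's statement into a trust policy document offline. The account numbers 111111111111 (where Kion is installed) and 222222222222 (the commercial partition account) are made-up placeholders.

```python
"""Merge the partition-account trust statement into an IAM role trust policy.

Added example; not Kion's own code. Works on the trust policy JSON as returned
by `aws iam get-role` (AssumeRolePolicyDocument) and never calls AWS itself.
"""
import copy
import json
import re

# Constructed sample: the trust policy of cloudtamer-service-role after the
# step-4 stack created it, trusting only the account where Kion is installed.
# 111111111111 is a placeholder account number, not a real one.
EXISTING_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}

ACCOUNT_RE = re.compile(r"^\d{12}$")


def partition_trust_statement(account_number: str) -> dict:
    """Return the guide's statement with [ACCOUNTNUMBER] filled in.

    Anything other than a 12-digit account number is rejected, so a leftover
    placeholder or a "*" can never widen who is allowed to assume the role.
    """
    if not ACCOUNT_RE.match(account_number):
        raise ValueError(f"not a 12-digit AWS account number: {account_number!r}")
    return {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_number}:root"},
        "Action": "sts:AssumeRole",
    }


def _statements(policy: dict) -> list:
    """Normalise Statement, which IAM allows to be a single object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def add_trusted_account(trust_policy: dict, account_number: str) -> dict:
    """Return a copy of trust_policy that additionally trusts account_number.

    Idempotent: if an identical statement is already present nothing is added,
    and the existing statements are left exactly as they were.
    """
    new_stmt = partition_trust_statement(account_number)
    updated = copy.deepcopy(trust_policy)
    statements = _statements(updated)
    if new_stmt not in statements:
        statements.append(new_stmt)
    updated["Statement"] = statements
    return updated


def trusted_principals(trust_policy: dict) -> list:
    """List every AWS principal an Allow statement lets assume the role.

    A quick review check: after the edit this should contain exactly the Kion
    installation account and the commercial partition account.
    """
    principals = []
    for stmt in _statements(trust_policy):
        if stmt.get("Effect") != "Allow":
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        principals.extend([aws] if isinstance(aws, str) else aws)
    return principals


if __name__ == "__main__":
    # 222222222222 stands in for the AWS commercial partition account.
    merged = add_trusted_account(EXISTING_TRUST_POLICY, "222222222222")
    print(json.dumps(merged, indent=2))
    print("trusted principals:", trusted_principals(merged))
```

To apply the result, save the printed document to a file and run `aws iam update-assume-role-policy --role-name cloudtamer-service-role --policy-document file://trust.json` against the commercial management account; `trusted_principals` on the document `aws iam get-role` returns afterwards confirms that only the two intended accounts can assume the role.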
6. Add a billing source to Kion
This step links Kion to your AWS management account, so Kion can begin reading billing data and operating in AWS. For this example, we are assuming you have the “full-access” configuration.
- Log in to Kion.
- Click Accounts on the left menu.
- Click Billing Sources.
- Click the Add New + button at the top of the page.
- For Account Type, select AWS.
- Select a Billing Report Type. We recommend using the Cost and Usage Report and Detailed Billing Report. Select the Detailed Billing Report if you use C2S and SC2S.
- Fill in the form with the following information:
  - Billing Source Name. Enter AWS management account.
  - AWS Account Number. Enter the account number of the commercial AWS management account.
  - Billing Report Type. Selecting Cost & Usage Report and Detailed Billing Report generates data from both reports and is recommended. Selecting Only Cost & Usage Report generates data from the Cost and Usage Report (CUR), which supports the use of the AWS Billing Conductor.
  - Monthly Report S3 Bucket. Enter cloudtamer-accountnumber-hourly.
  - Cost & Usage Report S3 Bucket. Enter cloudtamer-accountnumber-hourly. If you are using replication, enter cloudtamer-accountnumber-hourly-replicated.
  - Monthly Report S3 Bucket Region. Select the region where the S3 billing bucket is located. This will be a commercial region.
  - Cost & Usage Report Prefix. Enter report.
  - Cost & Usage Report S3 Bucket Region. Select the region where the S3 billing bucket is located. This will be a commercial region.
  - Cost & Usage Report Name. Enter cloudtamer-accountnumber-hourly.
  - AWS Account Number Containing S3 Buckets. Enter the account number of the AWS management account. If you are using replication, enter the AWS account number where Kion is installed.
  - Billing S3 Bucket Access Role. Leave this field blank unless you are using replication. If you are using replication, enter cloudtamer-service-role.
  - Billing Start Date. Set the date to when the monthly reports are first available.
  - AWS Linked Role. The AWS linked role is the name of the IAM role that AWS Organizations automatically configures during account creation. The linked role is used as the default for any new accounts associated with this billing source.
- Select whether Kion can use this management account to create AWS accounts.
- Leave Skip Billing Source validation unchecked.
- Select if you would like to enroll all AWS accounts created in Kion for this billing source in your existing AWS Business or Enterprise Support plan. This option only displays if you already have an AWS support plan.
- Click Test Billing Connection. The number of reports found is based on how long reporting has been enabled. If you just enabled reporting, it can take up to 24 hours for your first report to come in from AWS. In this case, it is normal to see a report count of 0.
- Click Create Billing Source.
7. Add your GovCloud organization master account
For Kion to support AWS Organizations lookups and account creation, you must configure your billing source to use your AWS GovCloud Organizations master account. This is the top level of your AWS Organizations structure within AWS GovCloud.
- In Kion, navigate to Accounts > Billing Sources.
- Click the ellipsis menu next to the billing source you configured earlier and select GovCloud Settings.
- Enter a friendly name for the account.
- Enter the account number for your GovCloud Organization master account.
- Click Save.
- Contact Kion Support for the AWS CloudFormation template to create a role in your GovCloud Organization master account.
2. Import IAM Policies into Kion
IAM policies are the permission building blocks used to create cloud rules and cloud access roles. Kion uses native IAM policies within AWS and also allows you to create and manage your own custom policies.
Import AWS managed policies
- Log in to Kion.
- Navigate to Settings > System Settings.
- Expand the AWS Settings section and select Import AWS Policies.
- Select AWS Managed IAM Policies.
- Click Import Policies.
Once the import completes, you will have access to the AWS library of pre-established IAM Policies.
3. Add Users
We recommend tying Kion to an Identity Management System (IDMS) if you have a large number of user accounts to create, but you can also add users one by one. The steps to add an IDMS to Kion depend on what type of IDMS you use.
You’ll want at least one user added in addition to your root account to be able to log in and start using the application, so that’s what we’ll do here.
1. Add a user
- Select Users > All Users.
- Click Add New.
- Click Create New User.
- Enter the user's first name.
- Enter the user's last name.
- Enter the user's email address. Email addresses do not need to be unique.
- Enter a user name for the user. User names must be unique within the same IDMS.
- (Optional) Enter the user's phone number.
- In the Identity Management System dropdown menu, select an IDMS. If you select an IDMS that is not an Internal type, the user will be updated on their first login with the proper values from the identity provider. This gives you the ability to pre-create users so you can assign them to groups without having them log in first. For information about using an IDMS, see Identity Management.
- (Optional) Select any groups you want the user to be a member of.
- (Optional) Select a multi-factor authentication (MFA) method you want the user to be forced to register with on their first login. This option will not display if a SAML IDMS is selected. For information about using MFA, see Multi-Factor Authentication.
- Click Create User.
2. (Optional) Add a user group
Creating groups makes it easy to manage teams and users with similar types of access. Rather than managing users one by one, you can group them and grant access, create permissions, and manage them all from one location.
- In the left navigation menu, click Users > User Groups.
- Click Add New.
- Enter a name to identify the group in Kion. The group name must be unique.
- (Optional) Enter a description of the user group.
- Select any users you want to be members of this group.
- Select users or groups you want to have ownership over the group.
- Click Create User Group.
For information about adding an IDMS, see Identity Management.
4. Define Permissions for Users
Permission roles define what a user is allowed to do within the Kion application. Permission schemes are how those roles apply to objects (OUs, projects, funding sources) within Kion.
1. Add a permission role
- In the left navigation menu, select Settings > Permissions.
- Click the Roles tab.
- Click Create New.
- In the Role Name field, enter a unique name.
- Click Create Role.
2. Assign a permission role to a permissions scheme
- In the left navigation menu, select Settings > Permissions.
- Click the ellipsis menu on the right side of a permissions scheme card and select Edit.
- In the dropdown menus, select any roles you would like assigned to the permissions.
- Click Update Permission Scheme.
- Repeat this process for every object you want to configure permissions for.
For more information, see Getting Started with Permissions.
5. Build Organizational Hierarchy with OUs
We organize hierarchy within Kion using organizational units (OUs). You can apply funding, cloud rules, and permission schemes to OUs. We recommend structuring your organization’s hierarchy around where funds originate.
Child OUs are defined as any OU that falls below a top-level OU. Child OUs can hold projects and are used to define funding paths. We will create a project and add it to an OU later on in this guide.
Add an OU
- Navigate to OUs > All OUs.
- Click Add New.
- Enter an OU Name to identify the OU throughout the application. The name must be unique among OUs.
- In the Parent OU field, select None to designate this as a top-level OU, or select a parent OU to designate this as a child OU.
- Select at least one user or user group as the OU owner.
- (Optional) Enter a description.
- Click Create OU.
By default, Owners have full access to the OU if you are using the Default OU Permissions Scheme.
For more information, see What is an OU?
6. Set Limits on User Access
Cloud rules limit the services that are accessible by users. These limits ensure your users remain compliant with whichever universal rules you have in place. Cloud rules apply to all users at the level they are placed in the OU hierarchy along with any descendant resources.
Before creating cloud rules, consider what universal limits you want to place on users. For best practice suggestions, see What is a Cloud Rule?
1. Create a cloud rule
- Select Cloud Management > Cloud Rules.
- Click Add New.
- In the Cloud Rule Name field, enter a name to identify the cloud rule throughout the application. This field must be unique among cloud rules.
- In the Owners dropdown menu, select users and user groups that will have permission to edit this cloud rule.
- Select AWS Service Control Policies to apply. These SCPs will apply account-wide for accounts associated with the objects this cloud rule is applied to.
- Select AWS IAM Policies to apply to cloud access roles when this cloud rule is applied.
- Select AWS CloudFormation Templates to apply to cloud accounts when this cloud rule is applied.
- Select AWS AMIs to apply.
- Select AWS Service Catalog Portfolios to apply.
- Select Compliance Standards to apply to this cloud rule. Compliance standards are applied to cloud rules, which are applied to projects. All resources within that project will be subject to the compliance checks included in that compliance standard.
- Click Create Cloud Rule.
2. Assign a cloud rule to an OU
- Navigate to OUs > All OUs.
- Click on the name of the OU you want to add the cloud rule to.
- Select the Cloud Management tab.
- Click the ellipsis menu in the upper right corner of the Cloud Rules box and select Add Existing Cloud Rule.
- Select the cloud rule you want to add.
- Click Confirm Selection.
When you add a cloud rule to an OU, it is immediately inherited and all items in the cloud rule are applied to all of the OU's descendant projects.
7. Create a Funding Source and Allocate Funds
Funding sources are used to allocate funding to specific OUs and projects. Funding sources represent a single deposit of funds and must be associated with a top-level OU.
After creating a funding source, funds can be disseminated down to destination OUs. A destination OU can be any child OU below the source OU.
1. Add a funding source
- In the left navigation menu, click Financials > All Funding Sources.
- Click Add New.
- Enter the Funding Source Name. This name must be unique among funding sources.
- Enter the Amount of funds in this funding source. This can be increased or decreased later.
- Enter a Start date. This is the first day of a month.
- Enter an End date. This is the last day of a month.
- In the Top-Level OU field, select the OU you want to add this funding source to.
- Select at least one user or user group as the funding source owner.
- (Optional) Enter a description.
- Click Create Funding Source.
2. Allocate funds to a child OU
- Click Financials > Allocate Funds.
- In the Source OU field, select an OU where there are funds available.
- In the Destination OU field, select the OU where the funds will be transferred.
- Next to each funding source, enter a dollar amount to allocate to the destination OU. You can allocate from multiple funding sources in the same operation.
- (Optional) Enter comments.
- Click Apply.
For more information, see Financial Management Methods.
8. Create Projects and Assign Users and Groups
Projects provide the most granular level of organization in Kion. Permissions are organized at the project level, so, although we support multi-account projects, we recommend a 1:1 ratio between projects and individual cloud accounts for maximum flexibility and control.
Add a new project
- Click Projects > All Projects.
- Click Add New.
- Enter a Project Name to identify the project throughout the application. This name must be unique among projects.
- (Optional) Enter a description.
- Select an OU to add the project to.
- Select at least one user or user group as the project owner.
- In the Project Spend Plan section, click Add Funding Source.
- Select the funding source that the project will use.
- You can add more than one funding source to the project spend plan.
- There must be a funding source available for every month you want the project to operate.
- You can use more than one funding source in a given month.
- You can drag and drop the funding sources to prioritize the order in which they are used.
- Select the start and end months during which the project can use the funding source. Funding sources can only be set on month boundaries since cloud accounts generally finalize spend once a month.
- In the Planned Amount field, enter the dollar amount available to the project.
- Click Create Project.
For more information, see What is a Project? and What is a Project Spend Plan?
9. Set Budget Enforcement Actions on Project
Enforcement actions control how much money each of your cloud accounts spend. You can set enforcement actions at the funding source level, but we recommend setting them at the project level for more control. You can set triggers to run a cloud rule when significant events occur. Cloud rules triggered by enforcements can do things like pause funding or lock accounts to prevent further spending.
Create a budget enforcement action
- In the left navigation menu, click Projects > All Projects.
- Click the name of the project to which you would like to add a financial enforcement action.
- Click the Enforcements tab.
- Click Add.
- Select Project to apply an enforcement based on the project as a whole, or Service to apply an enforcement based on the value of a single cloud service.
- Select a timeframe to determine the length of time that is taken into account by the enforcement.
- If you selected Enforcement Type: Service, select the Service to monitor.
- If you selected Enforcement Type: Project, choose what to monitor:
  - Spend. The dollar amount that has been spent in the selected timeframe.
  - Remaining. The dollar amount that is remaining for the selected timeframe.
  - Spend rate. The percentage of money being spent compared to the planned rate established in the project spend plan.
- In the Amount dropdown, enter a specific amount to use as a threshold, or select Last month's spend to use the total spend for the previous month.
- Under Events, select a cloud rule to run when the enforcement is triggered.
- Set the Overburn toggle to ON to add a badge to the OU when the trigger's conditions are met.
- Select any users and user groups to notify when the enforcement is triggered.
- (Optional) Enter a description.
- Click Save.
For more information, see What is a Financial Enforcement Action?
10. Attach AWS Accounts to Kion Projects
Now we can link the projects you’ve created to existing AWS accounts. Once an account is added, Kion will be able to perform actions inside the account, including accessing billing data, roles, policies, and permissions.
Before you can create accounts via Kion, you must enable account creation for GovCloud. However, accounts created in AWS can be imported into Kion without enabling this feature. For more information, see Enabling AWS GovCloud Account Creation.
Attach an AWS GovCloud account to a project
Accounts can be added to Kion in a few places:
- Accounts > All Accounts. Navigate to Accounts > All Accounts and click Add. Select whether you want to add new accounts or existing accounts. This brings up the account wizard.
- The Accounts tab of a project. Navigate to the project details page of the project you want to add the account to. Select the Accounts tab and click Add. Select whether you want to add new accounts or existing accounts. This brings up the account wizard.
- The Quick Connect menu. The Quick Connect button is always available at the top of your screen next to the global search. Click the Quick Connect button. Click Accounts. Select whether you want to add new accounts or external accounts. This brings up the account wizard.
To add an account:
- Navigate to the account wizard using one of the methods above.
- Select Amazon Web Services.
- Select AWS GovCloud.
- Select whether you want to add one account or multiple accounts.
- Select the billing source for the account.
- The account wizard will walk you through the remaining steps that are specific to the type of account you are adding. Below are some recommended configurations:
  - Skip account access checking. Enable this if you don't want Kion to verify the role is available. This allows you to preload accounts without having access to them.
  - Add to cache or add to existing project. Add accounts to the Account Cache if you want to preload your accounts and attach them to projects later on.
  - Linked Role. Leave this as OrganizationAccountAccessRole unless you changed the organization role during initial AWS account creation.
  - Include spend from linked GovCloud/Commercial account. Enable this to include the spend data from a linked GovCloud or commercial account. This lets you create combined financial reports without adding the linked account directly to Kion. For more information, see Reporting AWS GovCloud Spend.
  - Sync account information with AWS Organizations. Enable this if you would like to keep the account name and account email updated with those specified in AWS Organizations. You need to ensure the IAM role in the management account has access to Organizations for this to work properly.
  - Add to AWS Organizational Unit. Enable this to add the account to an existing or new AWS organizational unit. This won't affect the account's placement within Kion OUs.
For more information, see Getting Started with Account Management.
11. Import Existing Policies from AWS
IAM policies are the permission building blocks used to create cloud rules and cloud access roles. Kion uses native IAM policies within AWS and also allows you to create and manage your own custom policies.
Import your own AWS IAM policies
- Navigate to Settings > System Settings.
- Expand the AWS Settings section and select Import AWS Policies.
- Select Customer Managed IAM Policies.
- Click Import Policies.
- Select the account to import the IAM policies from.
- Enable the option to Replace Partition and Account IDs with Application Variables. This replaces any account IDs and partitions found within the IAM policy's text with application variables (i.e., {{CT::AWSAccountId}} and {{CT::AWSPartition}}). This ensures that policies that are account-specific or partition-specific in AWS can be applied across resources in Kion.
- Click Import.
This process may take a minute or two. Leaving the page will not prevent the policies from loading. Kion will notify you when the import is complete.
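The substitution the Replace Partition and Account IDs option performs is worth seeing on a concrete policy, because it is what lets one imported policy work in both an aws-us-gov and an aws partition account. The Python below is an added example and not Kion's importer: it rewrites every ARN partition to {{CT::AWSPartition}} and every occurrence of the imported account's 12-digit ID to {{CT::AWSAccountId}}, then resolves the variables back for a target account. By design it only templates the ID of the account the policy was imported from (the one selected in the wizard), which is narrower than the option's description; IDs of other accounts, such as a partner account a bucket grant names, are left literal and reported by `remaining_account_ids` so a reviewer can decide whether that cross-account grant was intended. The sample policy and the account numbers 123456789012, 999999999999 and 210987654321 are constructed placeholders.

```python
"""Swap partition and account IDs in an IAM policy for application variables.

Added example, not Kion's importer. Operates purely on an in-memory policy
document and assumes the policy was imported from a known account.
"""
import json
import re

ACCOUNT_VAR = "{{CT::AWSAccountId}}"
PARTITION_VAR = "{{CT::AWSPartition}}"

# ARN prefix "arn:<partition>:" where partition is aws, aws-us-gov, aws-cn, ...
ARN_PARTITION_RE = re.compile(r"\barn:(aws(?:-[a-z]+)*):")
# Any 12-digit run that is not part of a longer digit run.
ACCOUNT_ID_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")

# Constructed sample: a customer-managed policy exported from a GovCloud
# account 123456789012 (placeholder). The third statement deliberately names a
# different account, 999999999999, in a bucket name.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadBillingBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws-us-gov:s3:::cloudtamer-123456789012-hourly",
                "arn:aws-us-gov:s3:::cloudtamer-123456789012-hourly/*",
            ],
        },
        {
            "Sid": "PassOrgRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws-us-gov:iam::123456789012:role/OrganizationAccountAccessRole",
            "Condition": {"StringEquals": {"aws:PrincipalAccount": "123456789012"}},
        },
        {
            "Sid": "ReadPartnerExports",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws-us-gov:s3:::partner-exports-999999999999/*",
        },
    ],
}


def templatize_string(value: str, account_id: str) -> str:
    """Replace the ARN partition and the importing account's ID in one string."""
    value = ARN_PARTITION_RE.sub(f"arn:{PARTITION_VAR}:", value)
    # Whole-token match only, so the ID is not touched inside a longer number.
    value = re.sub(rf"(?<!\d){re.escape(account_id)}(?!\d)", ACCOUNT_VAR, value)
    return value


def templatize(node, account_id: str):
    """Recursively apply templatize_string to every string in a policy document."""
    if isinstance(node, str):
        return templatize_string(node, account_id)
    if isinstance(node, list):
        return [templatize(item, account_id) for item in node]
    if isinstance(node, dict):
        return {key: templatize(val, account_id) for key, val in node.items()}
    return node


def remaining_account_ids(policy) -> set:
    """Literal 12-digit account IDs still present after templating.

    Anything listed here is a hard-coded cross-account reference that will be
    applied unchanged to every account the policy is attached to.
    """
    return set(ACCOUNT_ID_RE.findall(json.dumps(policy)))


def render(policy, account_id: str, partition: str):
    """Resolve the variables for one concrete account and partition."""
    text = json.dumps(policy).replace(ACCOUNT_VAR, account_id)
    text = text.replace(PARTITION_VAR, partition)
    return json.loads(text)


if __name__ == "__main__":
    templated = templatize(SAMPLE_POLICY, "123456789012")
    print(json.dumps(templated, indent=2))
    print("literal account IDs left:", remaining_account_ids(templated))
    # Re-render for a commercial account 210987654321 (placeholder).
    print(json.dumps(render(templated, "210987654321", "aws"), indent=2))
```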
12. Create Cloud Access Roles for Users
The last step is to create cloud access roles for users. These allow users to access the AWS console or provision AWS API access keys.
Cloud access roles can be applied to OUs to be inherited by multiple projects, or they can be applied to individual projects.
We will create a cloud access role on a project to get you started, but you may want to consider creating cloud access roles on OUs for system administrators, network engineers, or billing managers that need access to the same services in every account.
Create a cloud access role in a project
- In the left navigation menu, click Projects > All Projects.
- Click the name of the project to which you will add a cloud access role.
- Click the Cloud Management tab.
- Click the Cloud Access Roles subtab.
- Click Add.
- In the Cloud Access Role Name field, enter a name to identify it on the project.
- In the Access Type dropdown, select one or more types of access you wish to grant. The options are:
  - Web Access. Provides the user access to log in to the cloud console/portal.
  - Short Term Access Key. Provides the user the ability to generate temporary access keys that expire after a certain period of time.
  - Long Term Access Key. Provides the user the ability to generate long-term access keys that may or may not expire depending on the settings defined at a global level. No matter the settings at the global level, if the user is disabled, the LTAKs will be disabled as well.
- Select the users and groups that will have access to use this role.
- Select an account to apply the role to.
- (Optional) Check the Also apply to all future accounts to automatically apply this cloud access role to accounts that are added to this project in the future.
- Enter the name of the AWS IAM role that will be created in the AWS accounts attached to the project.
This is the name of the role that displays in the top right of the AWS console. It displays as: rolename/username. Any value in the gray box is a prefix that is set at the global level and cannot be edited here. For information on changing this prefix, see AWS Access.
- Select AWS IAM policies to associate with this role. These allow console access for AWS.
- Select AWS permissions boundaries to associate with this role.
For more information, see What is a Cloud Access Role?