AWS GovCloud Quickstart Guide

This guide is designed to walk you through the quickest way to configure Kion for AWS GovCloud deployments.

For the sake of brevity, we are assuming you have already installed Kion in your environment. Looking for a comprehensive guide for AWS deployment? See the AWS Deployment Guide.

Our application supports a wide range of configurations and customizations, but this guide focuses on the most common setup. If you find yourself with unique requirements, we will point you to other relevant documentation at critical points where alternatives exist.

After you have completed the steps in this guide, users will be able to log in and begin using Kion.

1. Setup AWS to Share Billing Data With Kion

In order for Kion to interpret and manage your AWS accounts, you must first enable access in AWS and add your AWS management account as the billing source in the Kion application.

This process requires both a GovCloud management account and a commercial management account. GovCloud billing data is delivered through the linked commercial account, so that is where the billing source is configured.

In the steps below, replace any instance of accountnumber with your commercial AWS management account number.

1. Create an S3 billing bucket in AWS

2. Enable monthly reports

3. Enable cost and usage reports

4. Add the "cloudtamer-service-role" IAM role

5. Partition user setup

6. Add a billing source to Kion

7. Add your GovCloud organization master account
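Steps 1 and 3 above come down to two AWS artifacts in the commercial management account: a bucket policy that lets the Cost and Usage Report (CUR) service write into the billing bucket, and the report definition itself. The script below is an added example, not Kion's own code or the content of the collapsed steps; it builds both, and checks the one property that matters for security: every grant to the CUR service principal is pinned to your own account with aws:SourceAccount and aws:SourceArn. The service principal billingreports.amazonaws.com is shared by every AWS customer, so a grant without those conditions lets any account point a report at your bucket. The account number, bucket name, report name and report settings are placeholders; take the exact settings Kion expects from the collapsed steps.

```python
"""Added example (not Kion's code): build and sanity-check the S3 bucket
policy and CUR report definition for the billing bucket in the commercial
management account.  Account number, bucket name and report settings are
assumptions; replace them with the values from the step above."""
import json
from typing import Dict, List

CUR_SERVICE_PRINCIPAL = "billingreports.amazonaws.com"


def cur_bucket_policy(account_id: str, bucket: str) -> Dict:
    """Bucket policy that lets the CUR service deliver reports into `bucket`,
    but only for report definitions owned by `account_id` (your commercial
    management account).  Without aws:SourceAccount / aws:SourceArn any AWS
    account could target your bucket through the shared service principal."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # The CUR API lives only in us-east-1, so report-definition ARNs use it.
    scope_to_our_account = {
        "StringEquals": {
            "aws:SourceArn": f"arn:aws:cur:us-east-1:{account_id}:definition/*",
            "aws:SourceAccount": account_id,
        }
    }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCurToReadBucketConfig",
                "Effect": "Allow",
                "Principal": {"Service": CUR_SERVICE_PRINCIPAL},
                "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
                "Resource": bucket_arn,
                "Condition": scope_to_our_account,
            },
            {
                "Sid": "AllowCurToWriteReports",
                "Effect": "Allow",
                "Principal": {"Service": CUR_SERVICE_PRINCIPAL},
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": scope_to_our_account,
            },
            {
                # Billing data is sensitive: refuse plaintext HTTP access.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def cur_report_definition(bucket: str, report_name: str,
                          bucket_region: str = "us-east-1",
                          prefix: str = "cur") -> Dict:
    """Report definition for `aws cur put-report-definition`.  S3Region must
    be the bucket's own region; the other values are placeholder settings."""
    return {
        "ReportName": report_name,
        "TimeUnit": "HOURLY",
        "Format": "textORcsv",
        "Compression": "GZIP",
        "AdditionalSchemaElements": ["RESOURCES"],
        "S3Bucket": bucket,
        "S3Prefix": prefix,
        "S3Region": bucket_region,
        "RefreshClosedReports": True,
        "ReportVersioning": "OVERWRITE_REPORT",
    }


def unscoped_service_grants(policy: Dict, account_id: str) -> List[str]:
    """Return the Sids of Allow statements that grant an AWS service principal
    access without pinning aws:SourceAccount to `account_id`.  Run this on any
    policy before put-bucket-policy; an empty list means every grant is scoped."""
    problems = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        is_service_grant = isinstance(principal, dict) and "Service" in principal
        if stmt.get("Effect") != "Allow" or not is_service_grant:
            continue
        pinned = (stmt.get("Condition", {})
                  .get("StringEquals", {})
                  .get("aws:SourceAccount"))
        if pinned != account_id:
            problems.append(stmt.get("Sid", "<no Sid>"))
    return problems


if __name__ == "__main__":
    account = "123456789012"          # constructed placeholder, not a real account
    bucket = f"kion-billing-{account}"  # assumed bucket name
    policy = cur_bucket_policy(account, bucket)
    assert unscoped_service_grants(policy, account) == []
    print(json.dumps(policy, indent=2))
    print(json.dumps(cur_report_definition(bucket, "kion-cur"), indent=2))
```

Write each JSON document to a file and apply the bucket policy first (CUR verifies bucket permissions when the report is created): `aws s3api put-bucket-policy --bucket BUCKET --policy file://policy.json`, then `aws cur put-report-definition --region us-east-1 --report-definition file://report.json`. The check function is deliberately generic so you can run it against a policy exported with `aws s3api get-bucket-policy` from a bucket that was configured by hand.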

2. Import IAM Policies into Kion

IAM policies are the permission building blocks used to create cloud rules and cloud access roles. Kion uses native IAM policies within AWS and also allows you to create and manage your own custom policies.

Import AWS managed policies

3. Add Users

We recommend tying Kion to an Identity Management System (IDMS) if you have a large number of user accounts to create, but you can also add users one at a time. The steps to add an IDMS to Kion depend on the type of IDMS you use.

You’ll want at least one user added in addition to your root account to be able to log in and start using the application, so that’s what we’ll do here.

1. Add a user

2. (Optional) Add a user group

For information about adding an IDMS, see Identity Management.

4. Define Permissions for Users

Permission roles define what a user is allowed to do within the Kion application. Permission schemes are how those roles apply to objects (OUs, projects, funding sources) within Kion.

1. Add a permission role

2. Assign a permission role to a permissions scheme

For more information, see Getting Started with Permissions.

5. Build Organizational Hierarchy with OUs

We organize hierarchy within Kion using organizational units (OUs). You can apply funding, cloud rules, and permission schemes to OUs. We recommend structuring your organization’s hierarchy around where funds originate.

Child OUs are defined as any OU that falls below a top-level OU. Child OUs can hold projects and are used to define funding paths. We will create a project and add it to an OU later on in this guide.

Add an OU

For more information, see What is an OU?

6. Set Limits on User Access

Cloud rules limit the services that users can access. These limits keep your users within whatever universal rules you have in place. A cloud rule applies to all users at the level of the OU hierarchy where it is placed, and to every descendant OU, project, and account beneath it.

Before creating cloud rules, consider what universal limits you want to place on users. For best practice suggestions, see What is a Cloud Rule?

1. Create a cloud rule

2. Assign a cloud rule to an OU

7. Create a Funding Source and Allocate Funds

Funding sources are used to allocate funding to specific OUs and projects. Funding sources represent a single deposit of funds and must be associated with a top-level OU.

After creating a funding source, funds can be disseminated down to destination OUs. A destination OU can be any child OU below the source OU.

1. Add a funding source

2. Allocate funds to a child OU

For more information, see Financial Management Methods.

8. Create Projects and Assign Users and Groups

Projects provide the most granular level of organization in Kion. Permissions are organized at the project level, so, although multi-account projects are supported, we recommend a 1:1 ratio between projects and cloud accounts for maximum flexibility and control.

Add a new project

For more information, see What is a Project? and What is a Project Spend Plan?

9. Set Budget Enforcement Actions on Project

Enforcement actions control how much money each of your cloud accounts spends. You can set enforcement actions at the funding source level, but we recommend setting them at the project level for finer control. Triggers run a cloud rule when a significant spending event occurs; cloud rules triggered by enforcement actions can, for example, pause funding or lock accounts to prevent further spending.

Create a budget enforcement action

For more information, see What is a Financial Enforcement Action?

10. Attach AWS Accounts to Kion Projects

Now we can link the projects you’ve created to existing AWS accounts. Once an account is added, Kion will be able to perform actions inside the account, including accessing billing data, roles, policies, and permissions.

Before you can create accounts via Kion, you must enable account creation for GovCloud. However, accounts created in AWS can be imported into Kion without enabling this feature. For more information, see Enabling AWS GovCloud Account Creation.

Attach an AWS GovCloud account to a project

For more information, see Getting Started with Account Management.

11. Import Existing Policies from AWS

Step 2 imported the AWS managed policies. This step imports the IAM policies you have already written in your own AWS accounts, so that they too can be used as building blocks for cloud rules and cloud access roles alongside the custom policies you create in Kion.

Import your own AWS IAM policies

12. Create Cloud Access Roles for Users

The last step is to create cloud access roles for users. These allow users to access the AWS console or provision AWS API access keys.

Cloud access roles can be applied to OUs to be inherited by multiple projects, or they can be applied to individual projects.

We will create a cloud access role on a project to get you started, but you may want to consider creating cloud access roles on OUs for system administrators, network engineers, or billing managers that need access to the same services in every account.

Create a cloud access role in a project

For more information, see What is a Cloud Access Role?