
Configuring a Standalone AWS Account

January 7, 2025

A standalone account is one that is not linked to a consolidated billing account and receives its own statement.

Step 1 of 7

Enable Billing Bucket for Amazon Account

A billing bucket is essential for providing the CloudHealth platform access to detailed cost and usage information from your accounts. Create and enable a billing bucket for each account.

Best Practice: Create a new bucket for holding Amazon billing reports instead of reusing an existing bucket. In addition, the bucket must be unique within the region you select later, so choose a non-obvious name.

Create S3 Bucket

  1. Log in to the AWS Console as an administrator.
  2. Click your profile name at the top right corner and select Account from the dropdown.
  3. From the left menu, click Billing Preferences.
  4. Expand the Detailed Billing Reports [Legacy] dropdown and click Configure to set up an S3 bucket to receive billing reports.

    (Screenshot: Configure S3 bucket)

  5. In the S3 configuration dialog box, create a new bucket.

  6. Enter a unique Bucket Name and Region.

  7. On the next page, review the policy that is generated for the bucket and click Save.

Copy the name of the S3 billing bucket, as displayed in the Save to S3 Bucket field, to the clipboard.

Step 2 of 7

Set Up Usage and Billing Reports

Skip this step if you have migrated from DBR (Detailed Billing Report) to CUR (Cost and Usage Report).

  1. After creating the S3 bucket, in the Report table, select the check boxes for the required reports.

    (Screenshot: Preferences)

  2. Click Save Preferences.

Step 3 of 7

Enable Cost and Usage Report

Create CUR in AWS Console

AWS Cost and Usage Reports (CUR) provide comprehensive data about your costs, including those related to product, pricing, and usage. For more information, see AWS Cost and Usage Reports.

To make use of the CUR, configure your AWS account to create one and make it available for consumption by the CloudHealth platform.

  1. In the AWS Console navigate to your profile name and click Account.

  2. From the left menu, select Cost & Usage Reports and click Create report.

  3. Navigate the configuration wizard, ensuring that you make the following entries and selections.

    • Report Name: Use an easily identifiable name, for example, cloudhealth-hourly-cur.
    • Check the box next to Include Resource ID.
    • Check the box next to Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.
    • S3 Bucket: Enter the name of the S3 bucket you created above.
    • Report path prefix: Enter a unique prefix.
    • Time granularity: Select Hourly.
    • Report versioning: Select Create new report version.
    • Compression: Select GZIP.

  4. Click Review and Complete.

Configure Cost Allocation Tags

CloudHealth extracts the tags and resource IDs from your billing artifact and automatically allocates costs for your taggable AWS services. To support the derivation of asset and tag data from the CUR, you must configure the AWS Account to include Cost Allocation Tags in the CUR artifacts.

CloudHealth recommends adding each tag key you use for perspective grouping as a Cost Allocation Tag. For more information, see Using Cost Allocation Tags.

  1. In the AWS Console, navigate to the AWS Billing dashboard.
  2. From the left menu, choose Cost Allocation Tags.
  3. Select the tags that you want to activate.
  4. Click Activate.

It can take up to 24 hours for the selected tags to be activated.

Enable the CUR in CloudHealth

  1. In the CloudHealth platform, from the menu, select Setup > Accounts > AWS and edit the AWS account for which the CUR should be enabled.

    Enable the CUR only for Consolidated or Standalone accounts.

  2. In the Cost and Usage Report section, enter the following information.

    • Bucket Name: Name of the S3 bucket that stores the hourly CUR data.
    • Report Path: The path to the CUR and the name of the CUR, separated by a slash.

    CloudHealth uses the information you provide in these fields to access your CUR. Inaccuracies in these values can cause errors when CloudHealth attempts to access the reports.

    To locate accurate values for these fields, navigate to the Billing & Cost Management Dashboard in the AWS Console. From the left menu, select Cost & Usage Reports. Click the name of the report to view the bucket name and report path.

    (Screenshot: View report details)

  3. Update the policy associated with the IAM role for this account to grant permission to access and read the CUR. Click Generate Policy to produce a new IAM policy.

    If the policy is not updated, CloudHealth will be unable to access the bucket and read the CUR reports stored inside it.

  4. In the IAM Access Policy dialog box, click Select All and copy the contents to the clipboard.

  5. Switch to the AWS Console and navigate to Services > Security, Identity & Compliance > IAM. From the left menu, select Policies and locate the IAM Access Policy you are using for the CloudHealth platform.

  6. In the Permissions tab, click JSON and click Edit policy.

  7. Paste the policy you copied from the CloudHealth platform into the editor, and Save the policy.

  8. In the CloudHealth platform, return to the AWS account you were editing and click Save Account.

Step 4 of 7

Set Up Read-Only IAM Role

You can set up the IAM permissions through one of the following configurations:

Option 1: Create IAM Permissions via CloudFormation

Download and Modify CloudFormation Templates

  1. Download the following CloudFormation templates:

  2. Optionally, edit each template to modify the permissions as needed for your customers.

  3. Save each template with unique names.

Upload CloudFormation Templates to S3 Buckets

  1. In the AWS Console, go to Services > Storage > S3. You can either:

    • Create a new bucket for CloudFormation templates by selecting Create Bucket (recommended). For more information on how to create an S3 bucket, see Creating a bucket.
    • Open an existing bucket.
  2. Click the bucket name, and select Upload.

  3. Click Add files and add the saved CloudFormation templates.

  4. Expand the Permissions section, and select the Grant public read access option.

  5. Expand the Properties section and configure the storage properties.

  6. Click Upload.

Create a New Stack in CloudFormation

This section is typically performed by the customer account administrator.

  1. In the CloudHealth Platform, go to Setup > Accounts > AWS and open the AWS account you created in the previous step. Copy the uniquely generated External ID into a text document.
  2. In the AWS Console, go to Services > Storage > S3.
  3. Open the S3 bucket where you have uploaded the CloudFormation templates and select the appropriate CloudFormation template for the customer's AWS account.
  4. From Properties > Object Overview, copy the Object URL link.

    (Screenshot: Object Overview)

  5. Go to Services > Management & Governance > CloudFormation and select Create Stack - With new resources (standard).
  6. In the Amazon S3 URL field, enter the Object URL link you copied in step 4.

    (Screenshot: Create Stack)

  7. On the next page, enter a unique Stack Name.

  8. In the Parameters section, enter the following details:

    • CURBucketName: the S3 bucket name you created in the previous step.
    • CustomerExternalID: the external ID you copied in step 1.

  9. Optionally, configure tags and rollback triggers. Click Next.

  10. Click Create Stack.

  11. Verify that the newly created stack reaches a status of CREATE_COMPLETE. This process should take less than a minute.

  12. Open the newly created stack, and from the Outputs tab, copy the RoleARN value into a text document.

Update CloudHealth Account

  1. In the CloudHealth Platform, return to the AWS account you copied the external ID from (Setup > Accounts > AWS).
  2. Enter the Role ARN you copied from the CloudFormation stack.

    (Screenshot: Role ARN)

  3. If you are using the Automated CloudFormation template, select the Automation dropdown to open the list of automation permissions. For each service you included as automated in your saved copy of the template, switch the permission to On.

    (Screenshot: Automation Permissions)

    If you do not manually switch on a service's permission, CloudHealth won't be able to automate that service even if you included that service in the Automated CloudFormation template.

  4. By default, CloudHealth validates the read-only IAM policy with the us-east-1 AWS region. If you do not have access to the us-east-1 region, you must select a different region for validation. Under Optional, select the desired region from the Primary AWS Region Override dropdown.

    (Screenshot: AWS Region Override)

  5. Click Save Account.

Option 2: Create IAM Permissions via IAM Role

Create a read-only IAM role within the AWS Console for the target account. Then add these credentials to the CloudHealth platform.

The default AWS Read-Only policy grants read access to data itself, such as the contents of S3 objects, and its use is therefore discouraged.

  1. Log in to the AWS Console for the targeted account as a user who has permission to create an IAM role.

  2. Navigate to Services > Security, Identity, & Compliance > IAM. From the left menu, select Policies and click Create Policy.

  3. Switch to the JSON tab.

  4. In a separate browser window, log in to the CloudHealth platform. From the menu, select Setup > Accounts > AWS and open the AWS account you created previously.

  5. Enter the name of the billing bucket you created and click Generate Policy. The bucket name is included in the resulting policy.

  6. The IAM Access Policy dialog box appears. Click Select All and copy the contents to the clipboard.

  7. Return to the AWS Console and paste the policy into the JSON tab. Then click Review Policy.

  8. Name the policy (e.g., CHTPolicy), provide a description, and click Create policy.

  9. In the AWS Console, from the left menu, select Roles and click Create role.

  10. On the Select trusted entity page, choose AWS account.

    (Screenshot: Select trusted entity)

  11. Select Another AWS account. In the Account ID field, enter 454464851268, which is the ID of the secure CloudHealth-managed account.

  12. Select the Require external ID option. From the CloudHealth platform, copy the CloudHealth-generated External ID from the account setup form. This ID is unique to each CloudHealth customer, so you can reuse it across all your accounts.

  13. Paste this copied ID in the External ID field in the AWS Console.
  14. Leave the Require MFA checkbox cleared, because the IAM role will be used to provide programmatic access to the CloudHealth platform. Click Next.
  15. On the Add Permissions page, set the filter to customer managed and choose the CloudHealth policy you created. Click Next.
  16. Enter a name and description for the role and click Create Role.
  17. From the IAM > Roles page, select the role you just created. Copy the value of RoleARN to the clipboard.

    (Screenshot: AWS Role ARN)

  18. Return to the AWS Account Setup page in the CloudHealth platform. In the API section, paste the Role ARN value.

  19. By default, CloudHealth validates the read-only IAM policy with the us-east-1 AWS region. If you do not have access to the us-east-1 region, you must select a different region for validation. Under Optional, select the desired region from the Primary AWS Region Override dropdown.

    (Screenshot: AWS Region Override)

  20. Click Save Account.

CloudHealth validates your account and begins collecting data. If there are issues with any information you provided, an error message appears.
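The trust relationship that steps 10 to 13 of Option 2 build in the console, as an added example that is not CloudHealth's own code: it assumes the CloudHealth account ID given above, uses a constructed placeholder for the External ID, and includes a checker that confirms a role's trust policy names only that account and requires sts:ExternalId.

```python
import json

CLOUDHEALTH_ACCOUNT_ID = "454464851268"   # CloudHealth-managed account ID from this page
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID-PLACEHOLDER"  # constructed; use the value from the setup form


def build_trust_policy(external_id: str, trusted_account: str = CLOUDHEALTH_ACCOUNT_ID) -> dict:
    """Trust policy matching steps 10-13: trust one account and require the External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, trusted_account: str = CLOUDHEALTH_ACCOUNT_ID) -> list:
    """Return problems found in a role's trust policy; an empty list means it is as expected.

    Two properties are checked for every Allow statement that grants sts:AssumeRole:
    the principal is the expected account (no wildcard, no other account), and the
    statement carries a StringEquals condition on sts:ExternalId, which is what stops
    a third party from getting CloudHealth to assume your role on its behalf.
    """
    expected = {f"arn:aws:iam::{trusted_account}:root", trusted_account}
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws = {"AWS": "*"} if principal == "*" else principal
        aws = aws.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p not in expected:
                findings.append(f"statement {i}: unexpected principal {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            findings.append(f"statement {i}: missing sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))  # []
```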

Step 5 of 7

Enable AWS Console Integration (Optional)

In the CloudHealth platform, instances have links that allow you to view them in the AWS Console.

(Screenshot: Go to AWS Console)

These links are set up by enabling AWS Console integration from the CloudHealth platform.

  1. In the CloudHealth platform, from the menu, select Setup > Accounts > AWS.

  2. From the list of AWS accounts, edit the account for which you want to add AWS Console integration.

  3. In a separate browser window, log in to the AWS Console.

  4. From the menu, select Security, Identity, & Compliance > IAM.

  5. From IAM Dashboard > AWS Account, copy the IAM User Sign-In URL to the clipboard.

    (Screenshot: IAM Dashboard)

  6. Back in the CloudHealth platform, expand the Optional section of the account setup form. Paste the URL in the Signin URL field.

    (Screenshot: Optional Section)

  7. Click Save Account to enable AWS Console integration.

Step 6 of 7

Enable CloudWatch (Optional)

Repeat the following steps for each account you want to enable CloudWatch metrics for.

  1. Follow the instructions in AWS documentation to install and configure the AWS CloudWatch Agent in your EC2 Instances so that the agent can start collecting metrics from those instances. This process comprises the following high-level steps.

    • Installing and configuring the CloudWatch Agent
    • Creating IAM roles and users for use with the CloudWatch Agent
    • Creating a CloudWatch Agent configuration file

    For detailed instructions, see AWS documentation on Collecting Metrics and Logs from Amazon EC2 Instances and On-Premises Servers with the CloudWatch Agent.

  2. Log in to the CloudHealth Platform. From the left menu, select Setup > AWS Accounts and edit each account for which you want to enable CloudWatch metrics collection.

    (Screenshot: Edit Account)

  3. Expand the Optional section of the account setup form and switch on the CloudWatch option.

  4. Select the frequency at which the CloudWatch Runtime Cycle should run. Higher frequencies incur greater cost because of the increased number of API calls.

  5. To enable CloudHealth to collect CloudWatch metrics from additional namespaces, select one or more namespaces from the list. Namespaces let you organize your CloudWatch metrics, which you can use for rightsizing your EC2 Instances in the CloudHealth Platform.

  6. Update the policy associated with the IAM role for this account to grant CloudHealth permission to read your CloudWatch metrics. Click Generate Policy to produce a new IAM policy.

  7. In the IAM Access Policy dialog box, click Select All and copy the contents to the clipboard.

  8. In a separate browser window, log in to the AWS Console as an administrator and navigate to Services > Security, Identity, & Compliance > IAM. From the left menu, select Policies and locate the IAM Access Policy you are using for the CloudHealth Platform.

  9. In the Permissions tab, click JSON and paste the policy you copied from the CloudHealth platform into the editor. Then click Save.

  10. In the CloudHealth Platform, return to the AWS account you were editing and click Save Account.

CloudHealth validates the account and starts collecting data. If there are issues, a warning message appears. AWS CloudWatch metrics begin appearing in the CloudHealth platform after about 24 hours.

The spend-based asset collection feature considerably changes the initial asset collection time for a newly added account and service. Once a new asset or service is billed, it could take a minimum of 24 hours to appear in the CloudHealth reports. After the initial delay, the platform continues to update the asset or service details as per the standard collection frequency. For more information, see Spend-based Asset Collection.

Step 7 of 7

Enable CloudTrail (Optional)

CloudTrail is a service that provides an audit log for all API access to AWS. CloudHealth can collect CloudTrail data to help you identify who launched or shut down infrastructure or made security changes across your infrastructure.

Typically, a single CloudTrail bucket collects logs for multiple accounts. Here are two scenarios to consider:

Enable an AWS Account for a CloudTrail Bucket

  1. In the AWS Console, navigate to the CloudTrail service. In Dashboard, click the trail name to find the Name and Prefix of the S3 bucket configured to store the CloudTrail logs.

  2. In the General details section, click Edit. The dialog box shows the name of the S3 bucket and any custom Log file prefix that is configured.

    (Screenshot: General Details)

CloudHealth does not support creating trails for an organization, and therefore each account needs to be configured independently.

  3. In a separate browser window, log in to the CloudHealth platform. From the menu, select Setup > AWS Accounts and edit each account that contains a CloudTrail bucket.

    (Screenshot: Edit AWS Account)

  4. Expand the Optional section of the account setup form and switch on the CloudTrail option.

    (Screenshot: AWS Optional Settings)

  5. Enter the CloudTrail Bucket Name and CloudTrail Account Prefix (if you configured a custom prefix).

  6. Update the policy associated with the IAM role for this account to grant permission to read from the CloudTrail bucket. Click Generate Policy to produce a new IAM policy that grants access to the bucket entered in the previous step.

  7. In the IAM Access Policy dialog box, click Select All and copy the contents to the clipboard.

  8. Switch to the AWS Console and paste the policy in the Policy Document field. Then click Apply Policy.

  9. Switch back to the CloudHealth platform and click Save Account.

CloudHealth validates the account and starts collecting data. If there are issues, a warning message appears. CloudTrail events begin appearing in the CloudHealth platform after about 15-30 minutes. More stable accounts tend to have few events.

  • CloudHealth collects all events from 12:00 GMT on the day when the account is configured.
  • If each of your AWS accounts has its own CloudTrail bucket, repeat steps 1-9 for each AWS account. If each of your AWS accounts feeds into a single bucket, proceed to the next section.

CloudTrail Setup for Additional AWS Accounts

Typically, CloudTrail is set up in AWS with multiple accounts feeding a single S3 CloudTrail bucket. You can think about the bucket as a file tree. Each account has a root location in the tree that is designated by the AWS Account ID. Beneath the root is the folder structure that contains the CloudTrail log files organized by date.

CloudHealth uses the AWS Account ID to scan the known CloudTrail bucket for the events for each account.
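The shared-bucket file tree described above, as an added example that is not CloudHealth's code: it assumes the standard CloudTrail delivery layout of AWSLogs/<account-id>/CloudTrail/<region>/<YYYY>/<MM>/<DD>/ beneath any custom prefix, and walks a constructed object listing instead of a live s3:ListBucket call to show how events are located per account ID.

```python
import re
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional

# Constructed object listing for a bucket shared by two accounts, with a custom
# prefix of "logs". A real listing comes from s3:ListBucket on the CloudTrail bucket.
SAMPLE_KEYS = [
    "logs/AWSLogs/111111111111/CloudTrail/us-east-1/2025/01/06/111111111111_CloudTrail_us-east-1_20250106T2355Z_a1b2c3.json.gz",
    "logs/AWSLogs/111111111111/CloudTrail/us-east-1/2025/01/07/111111111111_CloudTrail_us-east-1_20250107T1200Z_d4e5f6.json.gz",
    "logs/AWSLogs/222222222222/CloudTrail/eu-west-1/2025/01/07/222222222222_CloudTrail_eu-west-1_20250107T1305Z_g7h8i9.json.gz",
    "logs/AWSLogs/222222222222/CloudTrail-Digest/eu-west-1/2025/01/07/222222222222_CloudTrail-Digest_eu-west-1_20250107T1305Z_j0k1l2.json.gz",
]

# Standard CloudTrail delivery layout beneath an optional custom prefix (assumed here).
KEY_RE = re.compile(
    r"^(?:.*/)?AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/[^/]+\.json\.gz$"
)


def account_root(bucket: str, account_id: str, prefix: str = "") -> str:
    """The root of one account's subtree: the location scanned for that account's events."""
    base = prefix.strip("/") + "/" if prefix.strip("/") else ""
    return f"s3://{bucket}/{base}AWSLogs/{account_id}/CloudTrail/"


def logs_by_account(keys: List[str], since_iso: Optional[str] = None) -> Dict[str, List[str]]:
    """Group CloudTrail log keys by the 12-digit account ID in their path.

    Digest files and keys outside the layout are skipped. With since_iso (YYYY-MM-DD)
    only log files delivered on or after that day are kept, a day-granularity version
    of the collection start this page describes (the 12:00 GMT boundary is not modelled).
    """
    cutoff = date.fromisoformat(since_iso) if since_iso else None
    grouped: Dict[str, List[str]] = defaultdict(list)
    for key in keys:
        m = KEY_RE.match(key)
        if not m:
            continue  # digest file, different layout, or not a log file
        delivered = date(int(m["y"]), int(m["m"]), int(m["d"]))
        if cutoff and delivered < cutoff:
            continue
        grouped[m["account"]].append(key)
    return dict(grouped)


if __name__ == "__main__":
    for account, files in sorted(logs_by_account(SAMPLE_KEYS).items()):
        print(account_root("shared-trail-bucket", account, "logs"), len(files), "log file(s)")
```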

  1. In the CloudHealth platform, from the menu, select Setup > AWS Accounts and edit the additional AWS account for which CloudTrail logs are being collected.

  2. Expand the Optional section of the account setup form and switch on the CloudTrail option.

  3. Enter the CloudTrail Bucket Name. You do not need to update the IAM policy for accounts other than the ones where CloudTrail buckets are located.

  4. Click Save Account.

CloudHealth validates the account and starts collecting data. If there are issues, a warning message appears. CloudTrail events begin appearing in the CloudHealth platform after about 15-30 minutes. More stable accounts tend to have few events.

CloudHealth collects all events from 12:00 GMT on the day when the account is configured.