topics

Configuring a GovCloud AWS Account

January 7, 2025

GovCloud accounts are inherently different from the other regular accounts. Configuring GovCloud accounts requires a second empty standard account to serve as the way billing information is reported. You can view the GovCloud account activity and usage information only through the standard AWS account and not from the AWS Management Console. CloudHealth uses the relationship between the two AWS accounts to populate cost and usage information within the platform.

To configure a GovCloud account, you will need to create two accounts in both the AWS management console and CloudHealth.

Create Accounts in AWS

GovCloud accounts must be associated with either a Consolidated or Standalone account. Therefore, you need to create two accounts within AWS.

Configure a Commercial account to receive the Detailed Billing Record/Cost and Usage Report. This configuration will be like any normal AWS account setup but should ideally be left empty and not used for any other purpose besides supporting GovClod Assets accounts.

The commercial account will act as a parent account to the actual GovCloud Asset account.
Configure an Assets account that contains the infrastructure of your organization. This is the actual GovCloud account that will reside within any of the special GovCloud AWS regions. This account holds the infrastructure, but reporting cannot be pulled directly from these accounts. Therefore, a separate Commercial account is required.

For more details, see https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/usage-and-payment.html.

Create Accounts in CloudHealth

You need to create two accounts within CloudHealth.

A commercial account that will be either Standalone or Consolidated - All billing and usage will appear as though it originated from the configured Commercial GovCloud account in AWS. This account should be set up in CloudHealth as a Standard account type.
An empty account that will be linked to the commercial account. This empty account will hold the infrastructure and will be linked to the Assets AWS account. This account should be set up in CloudHealth as a GovCloud account type.

If you are planning to have CloudHealth monitor a GovCloud account that will be linked into a consolidated bill, follow these guidelines:

Proactively set up an empty Amazon account for each GovCloud account.
Associate the GovCloud account with the empty account.
Link the empty account to your consolidated bill.

These steps enable the GovCloud activity to be reported within your consolidated billing records with a different account. Otherwise, activity is reported with the Account ID of the consolidated bill.

Complete the following steps to Set up a GovCloud Account in CloudHealth:

Configure a Commercial Account
Configure an Asset Account

Step 1 of 2

Configure a Commercial Account

AWS Standard Account

Add appropriate Account Name that is to be used for reporting or billing, and select Account Type as Standard. For the best security, the Authentication Type is selected as Role by default.
Click Save Account.

Billing settings can potentially be populated but will most likely be blank as this account will generally be linked to a consolidated account.

Step 2 of 2

Configure an Asset Account

Create a GovCloud Account in the CloudHealth platform

Add AWS Account

Enter a friendly account name that you can identify later in the CloudHealth platform. Select Account Type as GovCloud The Authentication Type is selected as User by default.
Click Generate Policy.

IAM Access Policy

In the IAM Access Policy dialog box, click Select All and copy the policy contents to the clipboard. Later, you will need to paste the policy into the JSON tab in the AWS console.

It is recommended not to use the default AWS Read-Only policy because it provides read access to data, such as S3 objects.

Click Close.

Create an IAM Policy in AWS Console

Log in to the AWS Console for the targeted account as a user who has permission to create an IAM user.
Navigate to Services > IAM. From the left menu, select Policies and click Create Policy.

Create Policy

Click the JSON tab and paste the IAM Access Policy you copied from the AWS account setup page in the CloudHealth platform.

JSON tab

Click Review Policy. Give it an appropriate Name and Description, and click Create Policy.

Create Policy

Add a Read-Only IAM User

If you are setting up a standard account, while both approaches are supported in the CloudHealth platform, a read-only IAM Role is recommended over a read-only IAM User. For GovCloud accounts, only a read-only IAM user is supported.

In the AWS Console, navigate to Services > IAM. From the left menu, select Users and click Add user.

Add User

Enter a User name (e.g., cloudhealth) and select the Programmatic access checkbox. Click Next: Permissions.

Add User 2

Click Attach existing policies directly, and select the policy that you just created.

Attach existing policies directly

Click Next: Tags. Optionally, you can add key-value pairs to your IAM user.

Add Tags

Click Next: Review. Review your changes and click Create user.
Click the user name from the list and navigate to the Security credentials tab.

Create Access Keys

Click Create access key, and click download .csv file to save the Access key and Secret key to a CSV file on your computer.

Store the access key .csv file in a secure location. Once the dialog box closes, you will not be able to access the secret access key again.

The newly created access key will be active by default.

Click Close.
Return to the AWS Account Setup page in the CloudHealth platform where you are configuring the GovCloud account.
Copy and paste the values of the Access Key and Secret Key from the .csv file that you stored previously.

Save GovCloud Account

Leave the billing settings blank.

Click Save Account.