Setting Up your AWS Organization

To use your AWS Master Partner account with AWS Consolidated, you must first create an AWS Organization and enable all features for this organization.

Note: This step is only necessary the first time you need to configure the AWS Master Partner Account for use wwith the AWS Consolidated package.

Important: The customer's name in AWS will follow this format: Connect_Asset_ID + CBC_Account_ID + CBC_Account_Name. Please note that the account name in CloudBlue Commerce may only contain alphanumeric characters and the following special characters: ().,-&_: If the account name in CloudBlue Commerce contains characters outside of this set (e.g., letters with accents), those characters will not be displayed in AWS.

Create AWS Organization

  1. Log in to the AWS Management Console and click Organization.

  2. On the introduction page, choose Create organization.
  3. Enable All Features for the AWS Organization.

  4. Confirm the creation.

    Note: Please refer to AWS Organizations documentation for more information.

Enable All Features in Existing AWS Organization

If you already have an AWS Organization created and you want to provision, suspend or unprovision policies in the application settings, it will be necessary to verify that it has all features enabled. To do it, please follow these steps:

  1. Log in to the AWS Management Console and click My Organization.

  2. On the top-right side, select Settings.
  3. Click Begin process to enable all features.

  4. Confirm the action.

    Note: Please refer to the AWS Organizations documentation for more information.

Verify your master account email address

Before you can invite existing AWS accounts to join your organization, you must verify your email address.

Note: Please refer to the AWS Organizations documentation for more information.

To do so, please follow these steps:

  1. Log in to the AWS Management Console and click Organization.

  2. On the top-left side, click Send verification request.
  3. Verify your email address within 24 hours.

Enable Service Control Policy Type for Organization’s Root

If you need to provision, suspend or unprovision policies in the application settings, it is important to make sure that Service Control Policy type is enabled on the AWS Organization’s root. To do so, please follow these steps:

  1. Log in to the AWS Management Console and click Organization.

  2. On the top-right hand side, choose Organize accounts.
  3. Click Root to open the organization’s root object.

  4. Click Enable under the ENABLE / DISABLE POLICY TYPES section.

How to create a Service Control Policy inside the AWS Organization

An AWS Organization allows you to apply specific Service Control Policies at the organizational, helping you manage permissions and enforce governance across all member accounts. To create a new Service Control Policy for your organization, please follow these steps:

  1. Log in to the AWS Management Console and click Organization.

  2. Select Policies in the left-hand navigation menu.
  3. Click Service Control Policies.
  4. Click Create policy.
  5. Configure the access restrictions as required.

  6. Click Create policy to complete the action.

    Note: Please refer to the AWS documentation for detailed information on how to configure policies in the AWS Organizations Management Console.

How to Obtain an AWS Access Key ID and a Secret Access Key

When configuring AWS settings and credentials, you will be required to enter an AWS Access Key ID and a Secret Access Key. This section outlines the steps to help you obtain these credentials:

  1. Log in to the AWS Management Console and click Security Credentials.

  2. In the left-hand navigation menu, click Policies and then select Create Policy.

  3. Switch to the Json policy editor and specify the following policy:

    Copy 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:CreateAccount",
                    "organizations:ListAccounts",
                    "organizations:DescribeCreateAccountStatus",
                    "organizations:ListRoots",
                    "organizations:ListOrganizationalUnitsForParent",
                    "organizations:MoveAccount",
                    "organizations:CreateOrganizationalUnit",
                    "organizations:ListAccountsForParent",
                    "organizations:InviteAccountToOrganization",
                    "organizations:DescribeHandshake",
                    "organizations:DescribeAccount",
    "organizations:AttachPolicy",
    "organizations:ListPolicies"

                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "athena:StartQueryExecution",
                    "athena:GetQueryResults",
                    "athena:GetQueryExecution",
                    "athena:StopQueryExecution",
                    "athena:ListWorkGroups",
                    "athena:GetWorkGroup"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket",
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:ListBucketMultipartUploads",
                    "s3:ListMultipartUploadParts",
                    "s3:AbortMultipartUpload",
                    "s3:CreateBucket"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "glue:GetDatabase",
                    "glue:GetTable",
                    "glue:GetTableVersion",
                    "glue:GetTableVersions",
                    "glue:GetPartition",
                    "glue:GetPartitions"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:CreateUser",
                    "iam:ListUsers"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "*"
            }
        ]
    }

  4. Provide a name for the policy and click Create Policy.

  5. Click Users on the left-hand navigation menu.


  6. Click Create User and enter the user name "API CloudBlue USER".

  7. Select the Attach policies directly option.

  8. Search for the policy you created previously and select the corresponding checkbox.

  9. Confirm the data and click Create User.

  10. Setting up Athena and Creating Cost Usage Reports in AWS

    Before configuring the corresponding parameters in the Distributor Portal, it is necessary to complete the following steps:

    1. Create Cost and Usage Reports in AWS: To obtain information on how to create and set up cost and usage reports, refer to AWS documentation.

      1. For time granularity, select Hourly or Daily from the options. This enables the line items in the report to be aggregated by the hour.

      2. Select the Parquet format.

      Note: Refer to Analyze Cost and Usage Reports using Amazon Athena for more information.

    2. Set up Athena using AWS CloudFormation templates.

      Note: To obtain information on how to set up Athena, refer to AWS documentation.

Related Topics

Configuring Parameters in the Connect Distributor Portal

Back to top

© 2025 Ingram Micro, Inc. All Rights Reserved. Privacy Policy, Terms of Use and Legal

CloudBlue, an Ingram Micro business, uses cookies to improve the usability of our site. By continuing to use this site and/or logging in you are accepting the use of these cookies. For more information, visit our Privacy Policy.
I accept