AWS Management Console
Preparing Your AWS Organization
In order to use your AWS Master Partner account with AWS Consolidated, it is required to create an AWS Organization and to enable all features for this organization.
Note: This step is only necessary the first time you need to configure the AWS Master Partner Account in order to make it work with the AWS Consolidated package.
Important: The customer's name in AWS will have the following format: Connect_Asset_ID + CBC_Account_ID + CBC_Account_Name. However, it is important to note that the account name in CloudBlue Commerce may only contain alphanumeric characters and the following special characters: ().,-&_: If the account name in CBC contains letters with special characters different from the ones specified (for example, letters with accents), such letters will not be displayed in AWS.
Create AWS Organization
-
Log in to the AWS Management Console and click My Organization.
- On the introduction page, choose Create organization.
- Enable all features for the AWS Organization.
-
Confirm the creation.
Note: Please refer to AWS Organizations documentation for more information.
Enable All Features in Existing AWS Organization
If you already have an AWS Organization created and you want to provision, suspend or unprovision policies in the application settings, it will be necessary to verify that it has all features enabled. To do it, please follow these steps:
-
Log in to the AWS Management Console and click My Organization.
- On the top-right side, select Settings.
- Click Begin process to enable all features.
-
Confirm the action.
Note: Please refer to the AWS Organizations documentation for more information.
Verify your master account email address
Before you can invite existing AWS accounts to join your organization, you must verify your email address.
Note: Please refer to the AWS Organizations documentation for more information.
To do so, please follow these steps:
-
Log in to the AWS Management Console and click My Organization.
- On the top-left side, click Send verification request.
- Verify your email address within 24 hours.
Enable Service Control Policy Type for Organization’s Root
In case you want to provision, suspend or unprovision policies in the application settings, it is important to make sure that Service Control Policy type is enabled on the AWS Organization’s root. To do so, please follow these steps:
-
Log in to the AWS Management Console and click My Organization.
- On the top-right hand side, choose Organize accounts.
- Click Root to open the organization’s root object.
-
Click Enable under the ENABLE / DISABLE POLICY TYPES section.
How to create Service Control Policy inside the AWS Organization
An AWS Organization provides a way to apply specific Service Control Policies on the organization level to the organization members. To create a new Organization’s Service Control Policy, please follow these steps:
-
Log in to the AWS Management Console and click My Organization.
- Select Policies in the tab bar.
- Click Create policy.
- Configure the access restrictions as required.
-
Click Create policy to complete the action.
Note: Please refer to the AWS documentation for detailed information on how to configure policies in the AWS Organizations Management Console.
How to Obtain an AWS Access Key ID and a Secret Access Key
When configuring AWS settings and credentials, you will be asked to provide an AWS Access Key ID and a Secret Access Key. In this section, you will find the steps to obtain this information:
-
Log in to the AWS Management Console and click My Security Credentials.
-
Click Users.
-
Click Add User, enter the user name "API APS USER" and select the Programmatic access checkbox.
-
Now click Create policy to add the permissions specified below for the user.
Copy{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:CreateAccount",
"organizations:ListAccounts",
"organizations:DescribeCreateAccountStatus",
"organizations:ListRoots",
"organizations:ListOrganizationalUnitsForParent",
"organizations:MoveAccount",
"organizations:CreateOrganizationalUnit",
"organizations:ListAccountsForParent",
"organizations:InviteAccountToOrganization",
"organizations:DescribeHandshake",
"organizations:DescribeAccount"
],
"Resource": ""
},
{
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryExecution",
"athena:StopQueryExecution",
"athena:ListWorkGroups",
"athena:GetWorkGroup"
],
"Resource": ""
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:CreateBucket"
],
"Resource": ""
},
{
"Effect": "Allow",
"Action": [
"glue:GetDatabase",
"glue:GetTable",
"glue:GetTableVersion",
"glue:GetTableVersions",
"glue:GetPartition",
"glue:GetPartitions"
],
"Resource": ""
},
{
"Effect": "Allow",
"Action": [
"iam:CreateUser",
"iam:ListUsers"
],
"Resource": ""
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": ""
}
]
} -
Now, review the options you selected and click Create User.
Setting up Athena and Creating Cost Usage Reports in AWS
Before configuring the corresponding parameters in the Distributor Portal, it is necessary to complete the following steps:
-
Create Cost and Usage Reports in AWS: To obtain information on how to set up create cost and usage reports, refer to AWS documentation.
- For time granularity, select Hourly from the options. This enables the line items in the report to be aggregated by the hour.
-
Select the Parquet format.
Note: Refer to Analyze Cost and Usage Reports using Amazon Athena for more information.
-
Set up Athena using AWS CloudFormation templates.
Note: To obtain information on how to set up set up Athena, refer to AWS documentation.
-
Related Topics