Grant permissions to your accounts in your AWS Organization

Permissions

We will need to install 2 IAM roles to ensure DataCollection account can collect information accross all accounts in the AWS Organization.

  1. One Role WA-Lambda-Assume-Role-Management-Account for read only access from Data Collection account to the Management account.
  2. A second read only role must be installed in each Linked accout of Organization via a StackSet.

1/2 Role for Management Account

Some of the data needed for the modules is in the Management account we will now create a read only role to assume into that account to get the data.

  1. Log into your Management account then click Launch CloudFormation Template

  2. Call the Stack OptimizationManagementDataRoleStack

  3. In the Parameters section set CostAccountID as the ID of Cost Optimization Data Collection Accoint ( where you plan to deploy the OptimizationDataCollectionStack)

  4. Scroll to the bottom and click Next

  5. Tick the acknowledge boxes and click Create stack.

  6. You can see the role that was collected by clicking on Resources and clicking on the hyperlink under Physical ID. Images/Managment_CF_deployed.png

2/2 Read Only roles for Data Collector modules

Modules that we will deploy later OptimizationDataCollectionStack allow to collect data from all of the accounts in an AWS Organization. We will use a CloudFormation StackSet to deploy a single read only role to all accounts.

  1. Login to your Management account and search for Cloud Formation Images/cloudformation.png

  2. Click on the hamburger icon on the side panel on the left hand side of the screen and select StackSets. If you have not enabled this Click the button Enable trusted access. Images/Enable_trusted_accessed.png

  3. Once Successful or if you have it enabled already click Create StackSet.

  4. Keep all ticked boxes as default and past he follwing URL in Amazon S3 URL. Click Next.

https://aws-well-architected-labs.s3-us-west-2.amazonaws.com/Cost/Labs/300_Optimization_Data_Collection/optimisation_read_only_role.yaml

Images/ods_stackset_link.png

  1. Call the Stack OptimizationDataRoleStack. Images/ods_stackset_name.png

  2. In the Parameters section for CostAccountID use the Account ID that where you will deploy the OptimizationDataCollectionStack. Under available modules section select modules that you need. This CloudFormation StackSet will provision required roles for modules in linked accounts. Detailed description of each module can be found here

Images/SS_param.png

  1. Leave all as default and Click Next.

Images/ods_stackset_config.png

  1. Select the region you are currently deploying to.

Images/ods_stackset_region.png

  1. Tick the boxes and click Create stack. Images/Tick_Box.png

  2. This role will now be deployed to all linked accounts.

(Optional) Read Only roles in Management Account

If you wish to also access data in your management account, deploy the same CloudFormation stack as a normal stack in your management account as you did in the Role for Management Account step above.

To do this follow these instructions