Grant permissions to your accounts in your AWS Organization

Role for Management Account

Some of the data needed for the modules is in the Management account. We will now create a read-only role that can be assumed in that account to get the data.

  1. Log in to your Management account, then click Launch CloudFormation Template

  2. Call the Stack OptimizationManagementDataRoleStack

  3. In the Parameters section use the Cost Optimization Account ID that you deployed the OptimizationDataCollectionStack into for CostAccountID

  4. Scroll to the bottom and click Next

  5. Tick the box ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names.’ and click Create stack.

  6. You can see the role that was created by clicking on Resources and then clicking the hyperlink under Physical ID.

Role for Read Only Data Collector

Some of the data needed for these modules is spread across all of the accounts in an AWS Organization. We will use a CloudFormation StackSet to deploy a single read-only role to all accounts. If you already have a role which can read into your accounts, skip this section and use that role as your MultiAccountRoleName parameter later.

  1. Download CloudFormation by clicking here. This will be the foundation of the rest of the lab and we will add to it to build out the modules, so please store it somewhere safe, as there is no designer in StackSets.

  2. Log in via SSO to your Management account and search for CloudFormation.

  3. Click on the hamburger icon on the side panel on the left-hand side of the screen and select StackSets. If you have not enabled this, click the button Enable trusted access.

  4. Once this succeeds, or if you have it enabled already, click Create StackSet.

  5. Choose Template is ready and Upload a template file, then upload the optimisation_read_only_role.yaml file you downloaded above. Click Next.

  6. Call the Stack OptimizationDataRoleStack. In the Parameters section use the Cost Optimization Account ID that you deployed the OptimizationDataCollectionStack into for CostAccountID.

  7. Leave all as default and click Next.

  8. Select Deploy to accounts into then scroll down and click Next.

If your console does not look the same as above, open here.

  9. Tick the box ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names.’ and click Create stack.

  10. This role will now be deployed to all linked accounts. If you wish to also access data in your management account, deploy the same CloudFormation stack as a normal stack in your management account as you did in the Role for Management Account step above.

Note: this role will not be deployed into the management account, so if you wish to read data from that account too, deploy the template as a normal CloudFormation stack.
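Both roles above are created with the CostAccountID parameter. As an added check (this is not the lab's own code), the Python below audits a role's trust policy and permissions policy offline, confirming that only the Cost Optimization account is trusted and that every allowed action is a read. It assumes the template uses CostAccountID as the trusted principal; the read-only prefixes, function names and sample account IDs are also assumptions.

```python
# Added example: offline audit of a cross-account read-only role.
READ_PREFIXES = ("Get", "List", "Describe", "BatchGet")  # assumed "read" verbs

def _as_list(value):
    """IAM allows a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from a bare 12-digit ID or an IAM ARN, else None."""
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return None  # "*" or an unrecognised form

def audit_role(trust_policy, permissions_policy, cost_account_id):
    """Return findings; an empty list means both documents passed."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for any principal
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "AWS" or _account_of(value) != cost_account_id:
                    findings.append(f"trust: unexpected principal {kind}={value}")
    for stmt in _as_list(permissions_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("permissions: Allow combined with NotAction")
        for action in _as_list(stmt.get("Action", [])):
            if not action.split(":", 1)[-1].startswith(READ_PREFIXES):
                findings.append(f"permissions: not read-only: {action}")
    return findings

# Constructed sample documents; 111111111111 stands in for CostAccountID.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}
PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeVolumes", "organizations:ListAccounts"]}]}

if __name__ == "__main__":
    print(audit_role(TRUST, PERMS, "111111111111"))  # passes
    print(audit_role(TRUST, PERMS, "222222222222"))  # wrong trusted account
```

The two policy documents can be copied as JSON from the role's Trust relationships and Permissions tabs in the IAM console and passed to `audit_role` in place of the constructed samples.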