This article describes how to get started with AWS onboarding.
Before starting the flow, ensure that:
- You have AWS Organizations permissions to create IAM roles
- The account you want to onboard is a payer account (not a linked account)
- From the Accounts dropdown list, click Add account and then click the AWS icon.
- Choose how you would like to complete the onboarding:
- Automatically (recommended)
- Manually
- Using API
Automatic AWS Onboarding
The Automatic Onboarding process simplifies onboarding by running a script that validates the process and automates the setup of AWS permissions, policies, and data collection configurations.
Automatic Onboarding Process:
The automatic onboarding script:
- Creates an IAM role in the payer account, allowing Anodot to access cost data securely.
- Attaches the required policy to the role, to grant the necessary permissions.
- Configures the Cost and Usage Report (CUR) with the proper configuration.
- Creates an S3 bucket to host the CURs and configures Anodot's access to it (SNS notification).
- (Optional) Connecting Linked Accounts to Anodot:
- A CloudFormation stack will create an IAM Policy and Role for each linked account in your organization, allowing Anodot to provide recommendations for every linked account.
- The setup also includes automatic detection of future linked accounts, ensuring roles and policies are created for them automatically.
- Up to one hour after onboarding is complete, we’ll validate the linked accounts automatically. No action is needed on the platform: after validation, the linked accounts will appear as connected on the Linked Accounts page.
Validations in the Script:
To ensure a smooth onboarding experience, the script performs multiple validations:
- Ensures onboarding is performed on a payer account, not a linked account.
- Validates that Cost & Usage Reports (CUR) are enabled, correctly configured, and stored in an accessible S3 bucket.
- Checks if Anodot's IAM Role already exists.
- Ensures the provided S3 bucket name is valid/already exists.
- Checks if the required Lambda/Stack already exists.
1. AWS Details
Enter the Payer account ID, the account name of the account as it will appear in Anodot, and the desired bucket name we will create during this flow, and click Next.
Note: We will create the bucket that will host the CUR files in us-east-1 region by default.
2. Validate Access
Download the files:
- deploy_anodot.sh - The main deployment script to automate onboarding.
- AnodotPayer.yaml - Deploys Anodot-related AWS resources for the payer account.
- AnodotLinkedAccounts.yaml - Deploys StackSets to onboard linked accounts. This file is visible only if the option to connect linked accounts is selected.
There are two common options to run the script:
- Using AWS CloudShell (recommended).
- Using your preferred workspace, such as Terminal.
Automatic onboarding using CloudShell 
- In the AWS console, navigate to CloudShell.
- Click on Action > Upload file, and upload the file AnodotPayer.yaml you just downloaded.
- Repeat step #2 for the file AnodotLinkedAccounts.yaml (if you selected the option to connect linked accounts).
- Repeat step #2 for the file deploy_anodot.sh.
Note: The files should be named as indicated above, avoiding duplicates such as AnodotPayer(1).yaml, AnodotPayer(2).yaml.
- Run the command bash ./deploy_anodot.sh (this will run the script).
- Go to the AWS CloudFormation page.
- When the status of the Stack Anodot-Onboarding changes to CREATE_COMPLETE, it means the process is complete. You can now return to the Anodot console and click Next to continue.
Note: If you selected the option to connect linked accounts, you will see two stacks. There is no need to wait for the linked accounts stack to complete before continuing the onboarding process in the Anodot console.
Automatic onboarding general flow
- Prepare the AWS profile for your management account in AWS. If you do not have it, you can run the following command to see it: cat ~/.aws/config
- To verify that this is the account you want to onboard, run the following commands:
- export AWS_PROFILE=<profile-name>
- aws sts get-caller-identity
- Run the script by running the command: bash ./deploy_anodot.sh
- Go to the Anodot platform, and click Next.
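The check in this flow (confirm the active profile before running the script) can be automated. The following is an added example, not part of Anodot's script: it compares the account returned by aws sts get-caller-identity with the payer account ID you entered in Anodot and with the organization's management account. The function names and the constructed account IDs are assumptions.

```python
import json
import subprocess
import sys

def aws_json(args):
    """Run an AWS CLI command under the active AWS_PROFILE and parse its JSON output."""
    result = subprocess.run(["aws", *args, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)

def preflight(expected_account_id, run=aws_json):
    """Return a list of problems; an empty list means the profile targets the payer."""
    problems = []
    account = run(["sts", "get-caller-identity"])["Account"]
    if account != expected_account_id:
        problems.append(f"profile resolves to {account}, expected {expected_account_id}")
    try:
        org = run(["organizations", "describe-organization"])["Organization"]
    except subprocess.CalledProcessError:
        # Raised when the account is not in an organization or lacks permission.
        problems.append("cannot read the organization; payer status not confirmed")
        return problems
    if org["MasterAccountId"] != account:
        problems.append(f"{account} is a linked account; payer is {org['MasterAccountId']}")
    return problems

def fake_cli(account, payer):
    """Constructed stand-in for the AWS CLI so the check can be exercised offline."""
    def run(args):
        if args[0] == "sts":
            return {"Account": account}
        return {"Organization": {"MasterAccountId": payer}}
    return run

if __name__ == "__main__":
    if len(sys.argv) == 2:            # real run: python preflight.py <payer-account-id>
        issues = preflight(sys.argv[1])
    else:                             # offline demo with constructed account IDs
        issues = preflight("111122223333", run=fake_cli("444455556666", "111122223333"))
    print("\n".join(issues) or "OK: profile targets the payer account")
    sys.exit(1 if issues and len(sys.argv) == 2 else 0)
```

Run it with the payer account ID as the only argument after exporting AWS_PROFILE, and start deploy_anodot.sh only when it reports no problems.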
3. Validate Account
In this step, Anodot validates all your AWS details. This step can take up to 1 hour.
We will inform you once the validation is done so that you will be able to connect your linked account.
Note: If you do not want to connect your linked accounts, you can ignore the email; we will notify you again after the entire process is done and you can see data in your account.
4. (Optional) Linked Account Status
Connect your linked accounts to Anodot to see recommendations.
- If you connected your linked accounts automatically as part of the onboarding automation, skip this step.
- If not, for guidance on how to connect your linked accounts click here.
5. Process Data
This step can take up to 48 hours (depending on when we receive your files from AWS).
We will notify you by email once it is done and you can see data in your account.
Manually Onboarding with AWS
1. Create a CUR file and activate tag allocation.
- Connect to the AWS portal for your payer account.
- Navigate to the Billing and Cost Management > Data Export page.
- Click on Create.
- Choose Legacy CUR Export.
- Enter any Export name (we recommend using AnodotCUR).
- Define the following in the export details:
  - Under the Additional export content choose Include resource IDs.
  - Choose hourly time granularity.
  - Under Report versioning choose Overwrite existing report option.
  - Make sure that the Compression type is ZIP.
- Under Data export storage settings, choose the option to configure S3 bucket.
- Click on creating a new bucket and name it as you like (we recommend AnodotCUR).
- Note the region of the bucket as you will have to enter it in the Anodot platform, and click on Create Bucket.
- In the S3 path prefix enter the value: Pileus
- Click on Create Report.
To see the tag values in the CUR, follow the steps below:
- From the left menu click on Cost allocation tags.
- Select all the tags and click Activate.
2. AWS Details
- Enter the account ID, bucket name, and bucket region from the previous step.
- Enter the Display Account Name shown in Anodot and click Next.
3. Grant Access
Grant access to Anodot using AWS CLI or manual flow.
AWS CLI:
- Step A- Download all the JSON files from step.
- Step B- Navigate to the AWS portal, open the AWS CLI, and copy and run the commands.
- Step C- Copy the Role ARN from the CLI and paste it in step C in Anodot. Then, click on Next.
Manual flow:
Download all the JSON files from step A (as shown in the screenshot above). Then, in the AWS console, create the Policy, Role, and Event Notification.
Create Policy:
- Navigate to the AWS portal IAM > Policies page, and click Create policy.
- Switch to the JSON editor, delete the template policy, and paste the text from the PileusPolicy.json file you downloaded. Then click Next.
- Set the policy name to PileusPolicy, and click Create policy.
Create Role:
- Navigate to the AWS portal IAM > Roles page, and click Create role.
- Select the Another AWS account option, enter Anodot account ID (932213950603), and click Next.
- In the search bar, select PileusPolicy (created in the previous step), and click Next.
- Set the role name to PileusRole.
- In the Trust policy section, click Edit and paste the text from the file PileusRole.json you downloaded, then click Create role.
- Navigate to the AWS Roles page, search for PileusRole, and click on it.
- Copy the ARN value from the top of the page, and paste it into Anodot.
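Once the role exists, its trust policy decides who can assume it, so it is worth confirming that only the Anodot account ID entered above is trusted. The following is an added example, not Anodot's code: the sample policies are constructed (the page does not show the contents of PileusRole.json), and the sts:ExternalId check reflects general AWS guidance for third-party roles rather than anything this page states.

```python
ANODOT_ACCOUNT_ID = "932213950603"  # Anodot account ID given in the Create Role step

def principal_account(principal):
    """Account ID of an AWS principal written as an ARN or as a bare 12-digit ID."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_trust_policy(policy, allowed_account=ANODOT_ACCOUNT_ID):
    """Return findings for a role trust policy; an empty list means nothing to flag."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: any principal may assume the role")
            continue
        for kind, value in principal.items():
            if kind != "AWS":                 # Service, Federated, ... are not expected
                findings.append(f"statement {i}: unexpected principal type {kind}")
                continue
            for p in [value] if isinstance(value, str) else value:
                if p == "*":
                    findings.append(f"statement {i}: any AWS account may assume the role")
                elif principal_account(p) != allowed_account:
                    findings.append(f"statement {i}: unexpected account {principal_account(p)}")
        keys = [k.lower() for cond in st.get("Condition", {}).values() for k in cond]
        if "sts:externalid" not in keys:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

# Constructed samples (not the contents of PileusRole.json).
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::932213950603:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-example-id"}}}]}
BAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::932213950603:root", "111122223333"]}}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_trust_policy(doc) or "no findings")
```

To audit the deployed role, pass in the document returned by aws iam get-role --role-name PileusRole --query Role.AssumeRolePolicyDocument after parsing it with json.loads.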
Create Event Notification:
- In AWS, navigate to the dedicated S3 bucket you created and click Properties.
- Scroll down and click Create Events Notifications.
- Enter an Event name and ensure the All object create events checkbox is selected.
- In the Destination section, select the SNS Topic option and Enter SNS topic ARN.
Then, under the SNS topic paste the TopicArn value from the NewInvoiceTopicConfiguration.json file that you downloaded from Anodot at the beginning of this step. Then, click Save Changes.
4. Validate Access
Download the file from step A in Anodot and upload it to the dedicated bucket you created. Then click Next.
This will allow Anodot access to download the files from this bucket.
3. Validate Account
In this step, Anodot validates all your AWS details. This step can take up to 1 hour.
We will inform you once the validation is done so that you will be able to connect your linked account.
Note: If you do not want to connect your linked accounts, you can ignore the email; we will notify you again after the entire process is done and you can see data in your account.
4. (Optional) Linked Account Status
Connect your linked accounts to Anodot to see recommendations.
For guidance on how to connect your linked accounts click here.
5. Process Data
This step can take up to 48 hours (depending on when we receive your files from AWS).
We will notify you by email once it is done and you can see data in your account.
Using API
1. Follow our API documentation:
https://cost-docs.anodot.com/#onboard-aws-account
2. Run the script in AWS CloudShell:
In the response of the API, you will receive two files to run in AWS CloudShell. Click here to see how to run those files in AWS CloudShell.
3. Validate Account
In this step, Anodot validates all your AWS details. This step can take up to 1 hour.
We will inform you once the validation is done so that you will be able to connect your linked account.
Note: If you do not want to connect your linked accounts, you can ignore the email; we will notify you again after the entire process is done and you can see data in your account.
You can see the status of the onboarding under Accounts > Cloud Accounts page.
For Anodot to be able to create recommendations for you, you will need to connect all the linked accounts to the platform. You can find instructions on how to connect them manually here, or by using CloudFormation.