Amazon Web Services Configuration

This guide provides information on how to integrate an AWS environment with the Binadox multi-cloud cost management and optimization platform to plan, analyze and reduce infrastructure costs.

To successfully integrate Binadox with an AWS account, it is required to create a new IAM user with access to the AWS API, read-only access to billing data and Cost Explorer as well as to certain AWS services for drill-down analysis.

Contents
1. Delegate Access to the AWS Billing and Cost Management Console
1.1 Enable Access to Billing Data
1.2 Create an IAM Policy that Grants Permissions to Billing Data
2. Create an IAM Policy that Grants Permissions to AWS Cost Explorer
3. Add a New IAM User
4. Locate an AWS Account ID
5. Create New Connection for AWS in Binadox


1. Delegate Access to the AWS Billing and Cost Management Console

PREREQUISITES:
IAM user access to the Billing and Cost Management Console can be activated only from the root user account.

Before you add a new IAM user to represent Binadox, it is required to enable billing access on your AWS account and create an IAM policy that will allow Binadox to view billing data for cost optimization.


1.1 Enable Access to Billing Data

By default, IAM user access to the Billing and Cost Management Console is disabled. Enable it for an IAM billing policy to take effect.

1. Sign into the AWS Management Console with root account credentials.

2. In the top right corner of the console, click on the profile (account) name or number. Select My Account in the drop-down list.

fig.1-My-Account-AWS

3. You will be redirected to the Billing and Cost Management Console. Scroll down to the IAM User and Role Access to Billing Information section. Click Edit.

fig.2-Edit-Billing-Access-AWS

4. Put a tick mark against Activate IAM Access. Click Update to activate access to the Billing and Cost Management Console pages.

fig.3-Activate-Billing-Access-AWS



1.2 Create an IAM Policy that Grants Permissions to Billing Data

After enabling billing access on your AWS account, you need to explicitly grant Binadox permission to view the Billing and Cost Management Console pages with a customer managed policy.

1. To adhere to IAM best practices, you may sign into the AWS Management Console with administrator credentials. Go to the IAM Console. It can be found by clicking on Services on the menu bar at the top. Type in “IAM” in the search bar or select it in the Security, Identity, & Compliance group.

fig.1-IAM-AWS

2. In the navigation pane on the left, choose Policies. Click the Create policy button at the top.

fig.2-Create-Policy-Billing-AWS

3. You will be redirected to the Create Policy view. On the Visual Editor tab, click Choose a service.

fig.3-Service-Billing-AWS

4. Select Billing in the list of services. Use the search bar if necessary.

fig.4-Billing-AWS

5. In the Actions section, click Read under Access Level to expand actions and select the ViewBilling checkbox. Click Review policy.

fig.5-Access-Level-Billing-AWS

6. In the Review policy view, indicate a policy name and description (optional). Click Create policy (see Clause 3 on how to attach this policy while creating a new IAM user).

fig.6-Review-Policy-Billing-AWS



2. Create an IAM Policy that Grants Permissions to AWS Cost Explorer

As part of configuration, it is required to create a customer managed policy that gives access to read resource content in AWS Cost Explorer, an AWS costs and usage analysis tool. This policy will be attached to a new IAM user to represent Binadox.

1. Go to the Identity and Access Management (IAM) Console.

2. In the navigation pane on the left, choose Policies. Click the Create policy button at the top.

fig.1-Create-Policy-CE-AWS

3. You will be redirected to the Create policy view. Click the JSON tab and paste the following JSON policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Click Review policy.

fig.2-JSON-CE-AWS

4. In the Review policy view, indicate a policy name and description (optional). Click Create policy (see Clause 3 on how to attach this policy while creating a new user).

fig.3-Review-Policy-CE-AWS
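The text above describes this policy as read access to Cost Explorer, while the JSON grants `ce:*`. The following check is an added example, not part of the original guide or of Binadox: it lists which actions a policy's wildcards allow that are not plain reads. The action catalog is a constructed sample, the read-verb prefixes are an assumption, and `NARROWED_POLICY` is a hypothetical alternative; the page does not state whether Binadox works with it.

```python
import json
import re

# The Cost Explorer policy exactly as given in this guide.
GUIDE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ce:*"], "Resource": ["*"]}]}""")

# Assumption (not from the guide): a read-only variant to compare against.
NARROWED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ce:Get*", "ce:Describe*", "ce:List*"],
     "Resource": ["*"]}]}""")

# Constructed sample of Cost Explorer API actions, not the full list.
SAMPLE_CE_ACTIONS = [
    "ce:GetCostAndUsage", "ce:GetCostForecast", "ce:GetDimensionValues",
    "ce:DescribeCostCategoryDefinition", "ce:ListCostCategoryDefinitions",
    "ce:CreateCostCategoryDefinition", "ce:UpdateCostCategoryDefinition",
    "ce:DeleteCostCategoryDefinition", "ce:CreateAnomalyMonitor",
    "ce:DeleteAnomalyMonitor",
]

READ_PREFIXES = ("Get", "Describe", "List")  # assumption: these verbs only read


def _as_list(value):
    """IAM accepts a single string or a list for Action."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """IAM-style match: case-insensitive, '*' is any run, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def allowed_actions(policy, catalog):
    """Catalog actions granted by Allow statements (Deny and NotAction not modelled)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    patterns = [p for s in statements if s.get("Effect") == "Allow"
                for p in _as_list(s.get("Action", []))]
    return [a for a in catalog if any(_matches(p, a) for p in patterns)]


def mutating_actions(policy, catalog=SAMPLE_CE_ACTIONS):
    """Allowed actions whose verb is not one of the read prefixes."""
    return [a for a in allowed_actions(policy, catalog)
            if not a.split(":", 1)[1].startswith(READ_PREFIXES)]
```

For a real review, replace the sample catalog with the full Cost Explorer action list from the AWS service authorization reference.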



3. Add a New IAM User

For Binadox usage monitoring and cost optimization, it is required to create a new IAM user and grant this user permissions to the AWS API, billing data and Cost Explorer as well as to certain AWS services for drill-down analysis.

1. To add a new IAM user in the AWS Management Console, go to the Identity and Access Management (IAM) Console.

2. In the navigation pane on the left, go to Users. Click on the Add user button at the top.

fig.1-Users-AWS

3. Fill in user details and indicate an AWS access type:

– In the Set user details section, type in a user name in the User name field (e.g. Binadox).

– In the Select AWS access type section, select both the Programmatic access and AWS Management Console access checkboxes.

– In the Console password list, select either the Autogenerated or Custom password radio button.

– Leave the Require password reset checkbox not selected.

Click Next: Permissions.

fig.2-AWS-Access-Type-AWS

4. In the Set permissions section, click Attach existing policies directly.

– Select newly created IAM policies that grant Binadox permissions to billing data and Cost Explorer (see Clause 1 on how to create an IAM policy that grants permissions to billing data and Clause 2 on how to create an IAM Policy that grants permissions to AWS Cost Explorer).

– Select AWS managed policies that specify permissions to required AWS services for Binadox usage monitoring and cost optimization.

IMPORTANT:
For drill-down analysis, make sure to grant Binadox access to the following services:

– Amazon S3: AmazonS3FullAccess
– Amazon EC2: AmazonEC2FullAccess
– Amazon EC2 Container Registry: AmazonEC2ContainerRegistryFullAccess
– Amazon DynamoDB: AmazonDynamoDBFullAccess
– AWS Lambda: AWSLambdaFullAccess

Click Next: Tags.

fig.3-AWS-Managed-Policies-AWS

5. On the Add tags (optional) tab, add metadata to the new user by attaching tags if necessary or skip it. Click Next: Review.

fig.4-Add-Tags-AWS

6. On the Review tab, check user details and permissions. Click Create user.

fig.5-Add-User-Review-AWS

7. Copy the security credentials. You will not be able to see these credentials again. However, you can create new credentials for this user at any time, if necessary (see AWS Documentation on how to generate new security credentials). Click Close.

fig.6-Security-Credentials-AWS



4. Locate an AWS Account ID

To integrate an AWS account with Binadox, it is required to specify an AWS account ID. Go to the IAM Console. An AWS account ID is located at the bottom of the navigation pane on the left. Copy it to the clipboard.

fig.1-Account-ID-AWS



5. Create New Connection for AWS in Binadox

1. Log into your Binadox account.

2. In the navigation pane on the left, click Integrations. Proceed to the IaaS tab. Click on the Amazon Web Services icon.

fig.1-Integrations-AWS

3. Indicate a unique connection instance name for further differentiation. Click Continue.

fig.2-Instance-Name-AWS

4. Enter the security credentials (an access key ID, a secret access key, a username and a console password) of the newly created user into the corresponding fields (see Clause 3 on how to create a new IAM user and grant it the required permissions). Indicate an AWS account ID (see Clause 4 on how to locate an account ID). Click Connect.

fig.3-Connection-Properties-AWS

5. Upon successful AWS integration with Binadox, the connection status will switch to Connected.

fig.4-Status-Connected-AWS


