AWS Account Setup (Manual)

Overview

This guide outlines the steps to link AWS accounts with OpenGovernance using a CloudFormation stack, enabling effective management and visibility of your AWS resources.

Prerequisites

  • AWS CLI Installed and Configured: Ensure the AWS CLI is installed and configured with administrative privileges.

  • Git Installed: Make sure Git is installed on your machine.

Steps

  1. Clone the Automation Repository

    git clone https://github.com/opengovern/integration-automation.git
    cd integration-automation/aws-accounts
  2. Deploy the CloudFormation Stack

    ROOT_ID=$(aws organizations list-roots --output=text --query='Roots[0].Id' --no-cli-pager)
    
    aws cloudformation create-stack \
      --stack-name OpenGovernance-Deploy \
      --template-body file://./AWSOrganizationDeployment.yml \
      --capabilities CAPABILITY_NAMED_IAM \
      --parameters ParameterKey=OrganizationUnitList,ParameterValue=$ROOT_ID
  3. Monitor Stack Deployment

    Wait until the stack status is CREATE_COMPLETE.

    aws cloudformation describe-stacks \
      --stack-name OpenGovernance-Deploy \
      --query "Stacks[0].StackStatus" \
      --output text
  4. Generate IAM Access Keys for OpenGovernanceIAMUser

    Retrieve the IAM username from the CloudFormation stack outputs and create access keys.

    IAM_USER=$(aws cloudformation describe-stacks \
      --stack-name OpenGovernance-Deploy \
      --query "Stacks[0].Outputs[?OutputKey=='IAMUserNameInMasterAccount'].OutputValue" \
      --output text)
    
    aws iam create-access-key --user-name $IAM_USER

    Store the AccessKeyId and SecretAccessKey from the output securely.

  5. Navigate to the OpenGovernance dashboard:

    • Go to Integrations -> AWS -> Add AWS Account.

    • Enter the following details in the wizard:

      • AccessKeyID: (Use the AccessKeyId from Step 4)

      • SecretAccessKey: (Use the SecretAccessKey from Step 4)

      • IAM Role Name: OpenGovernanceReadOnly
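The CLI steps 1 to 4 above, run end to end as one script with the checks a practitioner would add before typing the keys into the wizard. This is an added example, not code from the integration-automation repository or from OpenGovernance. It assumes the stack name, template path and `IAMUserNameInMasterAccount` output key used on this page, replaces the manual status polling of step 3 with `aws cloudformation wait stack-create-complete`, and only calls AWS when `RUN_AWS_SETUP=1` is set (an assumed convention, so the helper functions can be sourced without credentials). `KEY_FILE` is an assumed output path; the key pair is written there with mode 600 instead of being left in terminal scrollback.

```shell
#!/bin/sh
# Added example: scripted version of steps 1-4 (clone step assumed already done,
# so the template is in the current directory). Not part of the OpenGovernance
# automation repository.
set -eu

STACK_NAME="${STACK_NAME:-OpenGovernance-Deploy}"
TEMPLATE="${TEMPLATE:-./AWSOrganizationDeployment.yml}"
KEY_FILE="${KEY_FILE:-./opengovernance-access-key.txt}"   # assumed path

# The only status the guide tells you to wait for.
stack_status_complete() {
  [ "$1" = "CREATE_COMPLETE" ]
}

# Terminal states that mean the deployment will not progress; keep waiting is wrong.
stack_status_failed() {
  case "$1" in
    CREATE_FAILED|ROLLBACK_IN_PROGRESS|ROLLBACK_COMPLETE|ROLLBACK_FAILED|DELETE_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Split the tab-separated "AccessKeyId<TAB>SecretAccessKey" line produced by
#   aws iam create-access-key --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
access_key_id()     { printf '%s\n' "$1" | cut -f1; }
secret_access_key() { printf '%s\n' "$1" | cut -f2; }

# Long-term IAM user keys are 20 uppercase alphanumerics starting with AKIA;
# anything else (e.g. an ASIA temporary key) means we parsed the wrong thing.
valid_access_key_id() {
  printf '%s' "$1" | grep -Eq '^AKIA[A-Z0-9]{16}$'
}

# Validate the pair, then write it to a file only the current user can read.
# $1 = "id<TAB>secret", $2 = destination path
save_access_key() {
  kid=$(access_key_id "$1")
  valid_access_key_id "$kid" || { echo "unexpected AccessKeyId format: $kid" >&2; return 1; }
  ( umask 077; printf 'AccessKeyId=%s\nSecretAccessKey=%s\n' \
      "$kid" "$(secret_access_key "$1")" > "$2" )
}

deploy() {
  [ -f "$TEMPLATE" ] || { echo "template $TEMPLATE not found; run from aws-accounts/" >&2; return 1; }

  root_id=$(aws organizations list-roots --output text --query 'Roots[0].Id' --no-cli-pager)

  aws cloudformation create-stack \
    --stack-name "$STACK_NAME" \
    --template-body "file://$TEMPLATE" \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters "ParameterKey=OrganizationUnitList,ParameterValue=$root_id" \
    --no-cli-pager

  # Blocks until CREATE_COMPLETE; exits non-zero if the stack fails or rolls back.
  aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"

  status=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
    --query 'Stacks[0].StackStatus' --output text)
  if stack_status_failed "$status" || ! stack_status_complete "$status"; then
    echo "stack $STACK_NAME ended in $status; inspect its events before retrying" >&2
    return 1
  fi

  iam_user=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
    --query "Stacks[0].Outputs[?OutputKey=='IAMUserNameInMasterAccount'].OutputValue" \
    --output text)

  pair=$(aws iam create-access-key --user-name "$iam_user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
  save_access_key "$pair" "$KEY_FILE"
  echo "Access key for $iam_user written to $KEY_FILE; enter it in Integrations -> AWS -> Add AWS Account."
}

# Assumed guard: only talk to AWS when explicitly requested.
if [ "${RUN_AWS_SETUP:-0}" = "1" ]; then
  deploy
fi
```

Run it from `integration-automation/aws-accounts` with `RUN_AWS_SETUP=1 sh setup.sh`; the key file it produces is what step 5 asks for, and deleting it once the wizard has accepted the keys keeps the secret off disk.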

Appendix

Access Architecture

The above picture captures the Cross Account/Role pattern utilized to access multiple accounts.

OpenGovernance employs a structured approach to manage resources across multiple AWS accounts using IAM users and roles, coupled with CloudFormation for automated setup.

We'll deploy a CloudFormation template in a designated "organization" or "management" account within your organization:

  1. IAM User Creation: Create an IAM user in the Organization Admin account within AWS to allow OpenGovernance to perform actions across the AWS environment.

  2. Member Accounts Configuration:

    Configure each member account with an IAM role that grants the OpenGovernance service account the necessary permissions to inventory and manage resources.

Notes

  • Security: Store IAM access keys securely and rotate them regularly.

  • Permissions: The CloudFormation stack automatically creates the OpenGovernanceIAMUser and attaches the necessary policies, as well as creates roles in target accounts.

  • Support: Refer to the AWS CloudFormation Documentation for assistance.
