Setting up nOps (Manual Setup)

nOps needs read-only access to your AWS accounts to produce the analysis, dashboards and reports you use. Access is granted the way AWS recommends for a third party: an IAM role in your account that nOps assumes cross-account, restricted by an External ID, with a permission policy limited to the actions nOps uses.

nOps reads only what it needs, but you have to grant that access first. This article explains how to do that while staying within AWS security best practices.

There are two ways to link your AWS accounts to nOps:

• Use the wizard pop-up

• Follow a manual set-up procedure (this document)

Most customers use the wizard.

The manual procedure is used by experienced AWS practitioners in more complex environments, typically because:

• They need to use a specific S3 bucket to store their billing files.

• They need to review the IAM access nOps requests before approving it.

We have written this article to provide more detailed information for people who need more granular control and insight into the read-only access that nOps requires.

How to manually link AWS accounts to nOps

If the nOps wizard approach to link AWS accounts to nOps isn't possible, then the following procedure is a guide for AWS architects to do it manually.

The instructions below are also useful for automation practitioners in complex environments to embed nOps access into their automation.

Preparing to manually link AWS accounts to nOps

The following AWS steps are required before you can link an account to nOps. The onboarding wizard performs them for you, but some customers prefer to do them by hand, or to automate them in their own tooling.

Step 1. Set up the Cost and Usage Report and its S3 billing bucket

Step 2. Create IAM Policy

Step 3. Create IAM Role

Step 4. Go to nOps to complete Manual Setup

If you need any help with this process don't hesitate to contact help@nops.io

Important AWS information to record

Before you start, note the following values as you create them; you will need them to finish the process in nOps:

• Report name given to the Cost and Usage Report (Step 1)

• Report path prefix entered when configuring the S3 billing bucket (Step 1)

• External ID you set in the IAM role's trust relationship (Step 3)

• ARN of the IAM role (Step 3)

You will also need the ARN of the S3 billing bucket (shown in the bucket policy in Step 1) when you create the IAM policy in Step 2.

Step 1. Set up the Cost and Usage Report

You need to tell AWS to start producing Cost and Usage Reports (historically called Detailed Billing Reports) so that nOps can analyze your cost data.

Log in to the AWS Management Console.

Go to: Billing & Cost Management Dashboard

On the left-hand side select Cost & Usage Report

or,

Go here: https://console.aws.amazon.com/billing/home?#/reports

Click on Create Report

Create a report name

Tick the Include resource IDs checkbox. (required)

Suggestion:
Report name: nopsbilling-daily-gzip
Tick: Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.

Create the S3 billing bucket

AWS needs somewhere to write your Cost and Usage Report files. In this step you create (or choose) an S3 bucket and let AWS attach the bucket policy that allows the billing service to deliver reports into it; in Step 2 you give nOps permission to read from that bucket.

Click Configure

Select existing bucket: Choose an existing bucket in your AWS Account to use

Create a bucket: Create a new S3 bucket to be specifically used for nOps

Click Next

On this page AWS shows the bucket policy it will apply so that the billing service can write reports into the bucket. Review it, and copy the bucket ARN (arn:aws:s3:::<bucket-name>) from it; you will need it for the S3 statement of the IAM policy in Step 2.

Check "I have confirmed that this policy is correct"

Click Save

  • Enter the S3 bucket to deliver the report and click Verify. Verify checks that the bucket policy allows the billing service to deliver reports; if you chose an existing bucket without that policy, attach the delivery policy shown in the previous step first.

  • Enter the report path prefix (Optional) - Suggestion: nopsbilling

  • Choose Daily (required) for Time granularity

  • Choose the Report versioning (Optional) - Suggestion: Overwrite existing report

  • Choose GZIP as Compression type (Required)

    Important: You will need the Report Path Prefix name later when you are adding the AWS Account in nOps

Click Next

Then, Click Review and Complete
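The bucket policy the console applies in this step is what lets the AWS billing service (a shared service principal) write into your bucket. The version worth keeping is the one that also pins the delivery to your own account's report definitions, so that no other AWS account can point a report at your bucket. The script below builds that policy and checks an existing one for the two scoping conditions. It is an added example written for this article, not nOps code; the bucket name, account ID and the LEGACY_POLICY sample are constructed placeholders.

```python
"""Bucket policy for Cost and Usage Report delivery, with the source
conditions that keep other accounts' reports out of your bucket.

Added example for this article, not nOps code. Bucket name, account ID
and the LEGACY_POLICY sample are constructed for the example.
"""
import json

CUR_SERVICE = "billingreports.amazonaws.com"


def cur_bucket_policy(bucket: str, account_id: str, region: str = "us-east-1") -> dict:
    """Return the delivery policy for `bucket`, scoped to `account_id`.

    The billing service is a shared AWS principal. Without the
    aws:SourceAccount / aws:SourceArn conditions, any AWS account could
    point its own CUR definition at your bucket and have the service
    write into it (a confused-deputy problem on the service principal).
    CUR definitions live in us-east-1, hence the default region.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    conditions = {
        "StringEquals": {
            "aws:SourceArn": f"arn:aws:cur:{region}:{account_id}:definition/*",
            "aws:SourceAccount": account_id,
        }
    }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCURInspectBucket",
                "Effect": "Allow",
                "Principal": {"Service": CUR_SERVICE},
                "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
                "Resource": bucket_arn,
                "Condition": conditions,
            },
            {
                "Sid": "AllowCURPutReports",
                "Effect": "Allow",
                "Principal": {"Service": CUR_SERVICE},
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": conditions,
            },
        ],
    }


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def unscoped_cur_statements(policy: dict) -> list:
    """Sids (or positions) of Allow statements that grant the billing
    service access without both aws:SourceAccount and aws:SourceArn."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CUR_SERVICE not in services:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not {"aws:SourceAccount", "aws:SourceArn"} <= set(equals):
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


# Constructed sample: the same two grants with the conditions left out.
LEGACY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCURInspectBucket", "Effect": "Allow",
     "Principal": {"Service": "billingreports.amazonaws.com"},
     "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
     "Resource": "arn:aws:s3:::nops-billing-example"},
    {"Sid": "AllowCURPutReports", "Effect": "Allow",
     "Principal": {"Service": "billingreports.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::nops-billing-example/*"}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(cur_bucket_policy("nops-billing-example", "111122223333"), indent=2))
    print("unscoped statements in LEGACY_POLICY:", unscoped_cur_statements(LEGACY_POLICY))
```

To check the policy the console actually applied, fetch it with `aws s3api get-bucket-policy --bucket <bucket-name>`, load the returned JSON string, and pass it to `unscoped_cur_statements`; an empty list means both conditions are present on every grant to the billing service.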

Step 2. Give nOps permission: Creating the IAM policy

AWS Identity and Access Management (IAM) is where the access is actually defined, and there is no short-cut around it. The nOps wizard applies the policy for you through a CloudFormation template; the detail is given here for AWS practitioners who want to audit it or reproduce it in their own automation.

Two caveats before you paste it. First, the policy is almost entirely Describe/List/Get actions, but two entries are not read-only: cur:PutReportDefinition lets the role create or change Cost and Usage Report definitions, and wellarchitected:* grants every action on the Well-Architected Tool. If your change-control rules require strictly read-only third-party access, check with nOps which features depend on those two entries before removing them. Second, some read actions return more than configuration: lambda:GetFunction, for example, returns a pre-signed URL from which the function's deployment package (your code) can be downloaded. Review the list against what you are comfortable sharing with a SaaS provider.

To manually configure IAM to allow nOps access:

  1. On the AWS Management Console, go to the ‘Identity and Access Management’ screen.

  2. From the left navigation panel choose ‘Policies’.

  3. Click on ‘Create Policy’.

  4. Choose the ‘JSON’ tab.

  5. Replace the existing JSON with the policy given below and click on ‘Review Policy’. Make sure you replace [bucket_name] in the S3 statement with your billing bucket name, otherwise nOps will not be able to read the report files.

IAM policy for nOps (last updated 13 September 2021)

JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "ce:GetCostAndUsage",
                "ce:GetReservationPurchaseRecommendation",
                "ce:GetRightsizingRecommendation",
                "ce:GetSavingsPlansPurchaseRecommendation",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
                "cloudfront:ListDistributions",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:LookupEvents",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeConfigurationRecorders",
                "config:DescribeDeliveryChannelStatus",
                "config:DescribeDeliveryChannels",
                "cur:DescribeReportDefinitions",
                "cur:PutReportDefinition",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "ec2:DescribeAddresses",
                "ec2:DescribeClientVpnConnections",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ecs:DescribeClusters",
                "ecs:ListClusters",
                "eks:ListClusters",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeReplicationGroups",
                "elasticfilesystem:DescribeFileSystems",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elb:DescribeLoadBalancers",
                "es:DescribeElasticsearchDomains",
                "guardduty:ListDetectors",
                "iam:GetAccessKeyLastUsed",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetLoginProfile",
                "iam:GetRole",
                "iam:ListAccessKeys",
                "iam:ListAccountAliases",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroupsForUser",
                "iam:ListMFADevices",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "inspector:ListAssessmentRuns",
                "kms:ListKeys",
                "lambda:GetFunction",
                "lambda:GetPolicy",
                "lambda:ListFunctions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSnapshots",
                "rds:DescribePendingMaintenanceActions",
                "rds:ListTagsForResource",
                "redshift:DescribeClusters",
                "s3:GetBucketAcl",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketVersioning",
                "s3:GetEncryptionConfiguration",
                "s3:ListAllMyBuckets",
                "ssm:ListComplianceSummaries",
                "support:DescribeCases",
                "support:DescribeTrustedAdvisorCheckRefreshStatuses",
                "support:DescribeTrustedAdvisorCheckResult",
                "support:DescribeTrustedAdvisorChecks",
                "tag:getResources",
                "tag:getTagKeys",
                "tag:getTagValues",
                "wellarchitected:*",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

The policy also needs a statement granting read access to the billing bucket itself. This is the statement in which [bucket_name] is replaced with the bucket ARN you copied in Step 1; it is not reproduced in the JSON above, so add it yourself. Scope it to the bucket and its objects (arn:aws:s3:::<bucket-name> and arn:aws:s3:::<bucket-name>/*) rather than to Resource "*", so that the role can read report files from this bucket only.

Provide a name and description for the policy.

Click on ‘Create Policy’.
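Before attaching a third-party policy it is worth running a quick least-privilege check on it: which actions are not Describe/List/Get, which read actions return sensitive material, and whether the S3 access is scoped to the billing bucket. The script below does that and builds the bucket-scoped S3 statement to append. It is an added example written for this article, not nOps code. POLICY_EXCERPT is a constructed subset of the policy above; the bucket name is a placeholder; the SENSITIVE_READS list is this example's judgement; and the choice of s3:ListBucket plus s3:GetObject as the read actions needed to consume report files is this example's assumption.

```python
"""Audit an IAM permission policy for actions that are not read-only and
build the bucket-scoped S3 statement the article tells you to append.

Added example for this article, not nOps code. POLICY_EXCERPT is a
constructed subset of the policy above; the bucket name is a placeholder;
SENSITIVE_READS and the ListBucket/GetObject choice are this example's own.
"""
import json

READ_VERBS = ("describe", "list", "get", "lookup")

# Read-only by verb, but the response carries more than configuration.
SENSITIVE_READS = {
    "lambda:GetFunction": "response includes a pre-signed URL to download the deployment package",
    "cloudformation:GetTemplate": "template bodies may contain secrets passed as literals",
}
_SENSITIVE_LOWER = {name.lower(): name for name in SENSITIVE_READS}

POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "cur:DescribeReportDefinitions",
                "cur:PutReportDefinition",
                "ec2:DescribeInstances",
                "iam:ListUsers",
                "lambda:GetFunction",
                "tag:getResources",
                "wellarchitected:*",
            ],
        }
    ],
}


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allowed_actions(policy: dict):
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            yield from _as_list(stmt.get("Action"))


def non_read_actions(policy: dict) -> list:
    """Every allowed action whose verb is not Describe/List/Get/Lookup,
    plus any action containing a wildcard. Case-insensitive, because IAM
    treats tag:getResources and tag:GetResources as the same action."""
    findings = []
    for action in _allowed_actions(policy):
        _service, _, verb = action.partition(":")
        if "*" in action or not verb.lower().startswith(READ_VERBS):
            findings.append(action)
    return findings


def sensitive_reads(policy: dict) -> dict:
    """Allowed actions that pass the verb check but deserve a second look."""
    found = {}
    for action in _allowed_actions(policy):
        canonical = _SENSITIVE_LOWER.get(action.lower())
        if canonical:
            found[canonical] = SENSITIVE_READS[canonical]
    return found


def billing_bucket_statement(bucket: str) -> dict:
    """Read access limited to the billing bucket and the objects in it;
    ListBucket applies to the bucket ARN, GetObject to the objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Sid": "ReadBillingBucket",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
    }


def with_billing_bucket(policy: dict, bucket: str) -> dict:
    """Return a copy of `policy` with the bucket statement appended."""
    result = json.loads(json.dumps(policy))  # deep copy, input untouched
    result["Statement"].append(billing_bucket_statement(bucket))
    return result


if __name__ == "__main__":
    print("not read-only:", non_read_actions(POLICY_EXCERPT))
    print("sensitive reads:", sensitive_reads(POLICY_EXCERPT))
    print(json.dumps(with_billing_bucket(POLICY_EXCERPT, "nops-billing-example"), indent=2))
```

Run it against the full policy above by loading the JSON into a dict and passing it to `non_read_actions` and `sensitive_reads`; the two non-read findings on the full list are the same two named in the caveat above, which is the result a strictly read-only review should expect to have to justify.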

Step 3. Creating IAM roles

To let the nOps SaaS application use the policy you have just created, you need an IAM role that nOps can assume from its own AWS account. The role's trust relationship names the nOps account and an External ID; the policy from Step 2 is attached to it as its permissions.

From the left navigation panel choose ‘Roles’

Click on ‘Create Role’

Select type of trusted identity: choose ‘Another AWS account’

Specify accounts that can use this role: AWS asks for an Account ID and an External ID. For Account ID enter the nOps account ID (202279780353). For External ID enter a long, random string that you generate yourself (32 or more characters is a reasonable target). nOps must present this value when it calls sts:AssumeRole, which prevents anyone else who learns your role ARN from having nOps assume your role on their behalf (the confused-deputy problem). Treat the External ID like a shared secret: it is not a password, but it should not be guessable or reused across accounts. Do not tick ‘Require MFA’: nOps assumes the role programmatically and cannot supply an MFA code, so the role would be unusable. Save the External ID; you will need it when adding the account in nOps.

Click on ‘Next: Permissions’ and attach the policy you created in Step 2.

Click on ‘Next: Tags’ and add any tags you want associated with the role.

Click on ‘Next: Review’, give the role a name and description, and click on ‘Create Role’. Record the role ARN; nOps needs it in Step 4.

You have now completed the manual steps in the AWS console.
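The console hides the trust relationship behind the ‘Another AWS account’ form, but if you automate this step, or want to audit a role someone else created, you need to see the trust policy itself. The script below generates a random External ID, builds the trust policy the form produces, and checks an existing trust policy (for example the AssumeRolePolicyDocument returned by `aws iam get-role`) for the two things that matter: that only the nOps account is trusted, and that an External ID condition of reasonable length is present. It is an added example written for this article, not nOps code; the nOps account ID is the one given above, while the generated External ID, the 16-character threshold and the findings wording are this example's own.

```python
"""Trust policy for the nOps cross-account role, with the External ID
condition, plus a check you can run against an existing role's trust
policy.

Added example for this article, not nOps code. The nOps account ID is the
one given in the article; the generated External ID, the length threshold
and the findings wording are this example's own.
"""
import json
import secrets

NOPS_ACCOUNT_ID = "202279780353"  # from the article
MIN_EXTERNAL_ID_LENGTH = 16        # this example's threshold, not an AWS limit


def new_external_id(nbytes: int = 24) -> str:
    """Random, URL-safe External ID (letters, digits, '-' and '_' only,
    all inside the character set STS accepts for sts:ExternalId)."""
    return secrets.token_urlsafe(nbytes)


def trust_policy(external_id: str, partner_account: str = NOPS_ACCOUNT_ID) -> dict:
    """Allow only `partner_account` to assume the role, and only when it
    presents `external_id`; this is what stops a third party who knows
    your role ARN from having nOps assume it on their behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict, partner_account: str = NOPS_ACCOUNT_ID) -> list:
    """Problems with an AssumeRole trust policy; an empty list means every
    AssumeRole grant is limited to the partner account and carries an
    External ID of at least MIN_EXTERNAL_ID_LENGTH characters."""
    findings = []
    expected = {partner_account, f"arn:aws:iam::{partner_account}:root"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in principals:
            if p not in expected:
                findings.append(f"principal {p} is not the nOps account")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("missing sts:ExternalId condition")
        elif len(external_id) < MIN_EXTERNAL_ID_LENGTH:
            findings.append(f"sts:ExternalId is shorter than {MIN_EXTERNAL_ID_LENGTH} characters")
    return findings


if __name__ == "__main__":
    ext = new_external_id()
    print("External ID (record this for Step 4):", ext)
    print(json.dumps(trust_policy(ext), indent=2))
    print("findings:", trust_policy_findings(trust_policy(ext)))
```

To create the role from this output rather than the console, write the trust policy to a file and pass it to `aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json`, then attach the Step 2 policy with `aws iam attach-role-policy`. Keep the generated External ID somewhere it will not leak (the role ARN is not secret, but the pair together is what lets nOps in).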

Step 4. Adding AWS account manually in nOps:

Now that your AWS account is configured for read-only access, the last step is to link it to nOps.

Setting up the AWS account in nOps has two parts, which you can (and should) do at the same time:

  1. Add the AWS account details (role ARN and External ID) so nOps can fetch CloudTrail and resource data.

  2. Add the billing bucket so nOps can fetch the Cost and Usage Report data.

Note: If you don’t add a billing bucket, the billing pages in nOps will not show any data.

Select: Yes, I have access

Select the Manual Setup method on the Setup nOps page.

Add AWS Account Name.

Enter:

• S3 bucket name

• Report name

• Report path prefix

For role-based access, enter the ARN of the IAM role you created in Step 3.

For External ID, enter the same value you set in the role's trust relationship in Step 3; nOps cannot assume the role without it.

Add the billing bucket name. It must match exactly the S3 bucket you configured for the Cost and Usage Report in Step 1.

When adding the AWS account to nOps, fill in all the fields and save the settings.

Note: It’ll take about a day for billing data to populate and a couple of hours for CloudTrail data to populate. If you have any questions, please contact us at help@nops.io

Viewing Added AWS Accounts/ Projects:

You can view the list of all added projects in your settings: go to the UserName dropdown (top right) → Settings → AWS Accounts. The list shows the billing bucket name (if added) and the “Last fetch” time of the billing bucket.

Editing an Existing AWS Account/Project:

Go to UserName Dropdown (Top right) → Settings → AWS Accounts

Click on the project you want to edit to open its “Account Details” page.

Make your changes and click the Update Account button to save them.

Note: Changing the billing bucket of an existing project can alter the data shown on the cost pages or produce inconsistent results.

Related Articles:

How Child Accounts Work in nOps
