nOps requires safe, secure, and AWS-approved access to your AWS accounts in order to give you the analysis, dashboards, and reports that you need. We only see what you want us to see in order to provide our services, no more, and we need you to give us permission first.
In order to get started with nOps, the first step is to set up an AWS account for nOps via the Wizard/Automatic Setup or this Manual Setup. We made the setup process as easy as possible for you while complying with AWS security best practices.
This Manual Setup is used in complex environments by experienced AWS administrators who need granular control and insight into the read-only access that nOps requires.
The Manual Setup approach is also useful for administrators who want to embed nOps access into their automation. Most customers opt to use the automated wizard procedure.
You must have Admin role permissions in AWS before you can set up an AWS nOps account with Manual Setup.
Adding AWS account (Manual Setup)
There are two ways to add your AWS accounts to nOps:
- Use the wizard pop-up (Automatic Setup). To learn more about the Automatic Setup, see Adding AWS account to nOps with Automatic Setup.
- Follow this manual set-up procedure (Manual Setup).
To use the Manual Setup for complex environments, follow these steps, in this order:
Note: If you need any help with this process, don't hesitate to contact firstname.lastname@example.org
Important information to copy and save
During this process, you should copy and save some information as you will need to enter it later. This information will be used in AWS and in nOps in order to complete the process:
- Copy the External ID auto-generated through nOps.
- Copy the ARN for the IAM policy that was created in the IAM policy section.
- Copy the Report name created for the Cost and Usage Report (CUR).
- Copy the Report path prefix from the S3 billing bucket creation.
Create an auto-generated External ID in nOps
To create an auto-generated External ID in nOps:
1. Log in to the nOps application.
2. From your Profile name drop-down, in the top-right, click Organization Settings. If you are a Partner or Client Admin, select a client first, then click Organization Settings.
3. In the Settings page, click + Add New Account. This will take you to the Cloud Account page.
4. In the Cloud Account page, select AWS Account and click Next. This will take you to the Setup Method page.
5. In the Setup Method page, select Manual Setup and click Next. This will take you to the Account Details (Manual Setup) page.
6. In the Account Details (Manual Setup) page, enter an AWS Account Name for the new account (mandatory). An External ID is auto-generated for you and prefilled in the External ID field. Copy the External ID and save it; you will need it later on.
Important: Do not exit this page. You will return to this page later to complete the account setup.
Set up an S3 billing bucket for Cost & Usage Reports
This section is divided into two steps. In the first step, you will create the Cost & Usage Report. In the second step, you will create/select an S3 bucket for the Cost & Usage Report.
Note: Ensure that your AWS SCP configurations allow IAM administrators to make the changes.
Create the Cost & Usage Report
In this step you will create a Cost & Usage Report (also called Detailed Billing Reports or CUR) so that nOps can analyze your cost information:
1. Log in to your AWS Management Console account.
2. Go to: Billing & Cost Management Dashboard
3. On the left-hand side, select Cost & Usage Report, or go to: https://console.aws.amazon.com/billing/home?#/reports
4. Click on Create Report:
- Create a report name (such as: nopsbilling-daily-gzip).
- In Additional report details, check the Include resource IDs checkbox (mandatory).
- In the Data refresh settings, check the Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills checkbox.
When you click Next, it will take you to the Delivery options page where you will create the S3 billing bucket.
Create/Select the S3 billing bucket
AWS needs a place to save your cost and usage/detailed billing files, a place that is safe for you. In this step, you will create an S3 bucket that secures your information:
1. In the Delivery options (the page you reached at the end of the last section), click Configure. This will open the Configure S3 Bucket dialog box.
2. In the dialog box, do one of the following:
- Select an existing bucket: Use an existing bucket from your AWS Account.
- Create a new bucket: Create a new S3 bucket to be used specifically for nOps.
3. Click Next to go to Verify Policy.
4. Check the "I have confirmed that this policy is correct" checkbox.
5. Click Save to save this policy. When the policy is saved, you will return to the Delivery options page.
6. In the Delivery options page:
- Click the Verify button to make sure the S3 bucket has an appropriate policy for delivery report (step 3).
- Enter the report path prefix (required) - Suggestion: nopsbilling
- Choose Daily (mandatory) for Time granularity.
- Select an option for Report versioning (optional) - Suggestion: Overwrite existing report.
- Select GZIP as Compression type (mandatory).
Important: You will need the Report Path Prefix name later when you are adding the AWS Account in nOps.
7. Click Next.
8. Then, click Review and Complete.
Give nOps permission: Create the IAM policy
In this step, you'll give nOps the permission to read the Cost & Usage Report in the S3 bucket.
AWS has a sophisticated security system for Identity and Access Management (IAM). There are no short-cuts for this. The nOps Wizard/Automatic Setup makes this easier with a CloudFormation Template, but the details provided in this article are for AWS practitioners who need more information for their own automation or auditing purposes.
To manually create the IAM policy in order to allow nOps access:
1. On the AWS Management Console, go to the Identity and Access Management screen.
2. From the left navigation panel, click Policies.
3. Click Create Policy.
4. Switch to the 'JSON' tab and replace the existing JSON script with the script provided in nOps IAM Policy (click this link to get the script).
5. Click Next: Tags (optional).
6. Click Next: Review.
7. Click on ‘Review Policy’.
8. Copy and save the ARN of the IAM role. This will be used later when you create the IAM Policy.
9. Provide a name and description for the policy.
10. Click on ‘Create Policy’.
Now, follow the same steps above to create another policy, this time for the S3 bucket that houses the Cost & Usage Report.
To create this policy, follow all the steps as is except for step 4. In step 4 use the following script:
Make sure you replace <paste-bucket-name-here> with the name of the S3 bucket that houses the Cost & Usage Report to ensure policy efficacy.
You will attach both of the above policies to the IAM Role that you will create for nOps in the next step.
Creating IAM roles
IMPORTANT: You will need to enter the nOps auto-generated ID to create the IAM Role.
In order to allow the nOps SaaS application to use the IAM policy you just created, you need to create an IAM role.
To create a new role:
1. On the AWS Management Console, go to the Identity and Access Management screen.
2. From the left navigation panel, click Roles.
3. Click Create Role.
4. On the Select trusted entity page, select AWS account.
5. Click Another AWS account.
6. For Account ID, enter the nOps account ID (202279780353).
7. Click Require external ID.
8. For External ID, enter the string that was auto-generated for you by nOps in Step. The auto-generated External ID adds an extra level of security for you.
9. In Add permissions, select the two IAM policies you created in Give nOps permission: Create the IAM policy.
10. Enter a name and description for the role.
11. Click Add tags, in order to add tags to be associated with this role (optional).
12. Click Create Role.
You have now completed the first part of the Manual Setup related to the AWS console.
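For administrators who embed this role in automation or want to audit it afterwards, the following added example (not nOps code or the nOps CloudFormation template) builds the trust policy that the Another AWS account and Require external ID choices produce, and checks an existing trust policy for the same guard. The function names and the sample External ID are assumptions made for illustration; the account ID is the one given in the steps above.

```python
import json

NOPS_ACCOUNT_ID = "202279780353"  # nOps account ID from the role-creation steps
ALLOWED_PRINCIPALS = {NOPS_ACCOUNT_ID, f"arn:aws:iam::{NOPS_ACCOUNT_ID}:root"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def build_trust_policy(external_id):
    """Trust policy matching 'Another AWS account' plus 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{NOPS_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy, external_id):
    """Return findings; an empty list means every AssumeRole grant is guarded."""
    findings = []
    grants = [s for s in as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and {"sts:AssumeRole", "sts:*", "*"} & set(as_list(s.get("Action", [])))]
    if not grants:
        findings.append("no statement allows sts:AssumeRole")
    for n, stmt in enumerate(grants):
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else [
            p for kind in principal.values() for p in as_list(kind)]
        for name in names:
            if name not in ALLOWED_PRINCIPALS:
                findings.append(f"statement {n}: unexpected principal {name}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
        if not ids:
            findings.append(f"statement {n}: no StringEquals sts:ExternalId condition")
        elif any(as_list(v) != [external_id] for v in ids):
            findings.append(f"statement {n}: External ID does not match nOps value")
    return findings


if __name__ == "__main__":
    # "example-external-id" is constructed; nOps generates the real value.
    print(json.dumps(build_trust_policy("example-external-id"), indent=2))
```

A trust policy that names the nOps account but omits the External ID condition is the case to watch for: the role would then be assumable by any caller in that account acting on behalf of any customer.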
Continue the Manual Setup of AWS account in nOps:
Now that you have manually configured an IAM Role in your AWS account for access to AWS resources, the last step is to add that account to nOps.
Since you have already generated an External ID for nOps in Create an auto-generated External ID from nOps, you must now add information about the AWS role you created for nOps to fetch CloudTrail. You also need to add the S3 bucket so that nOps can fetch the billing data including the Cost & Usage Report.
Note: If you do not add an S3 bucket, your billing stats pages in nOps will not display any data.
Start from where you left off in the Create an auto-generated External ID from nOps section:
1. In the Account Details (Manual Setup) page, enter a name for the AWS account you are adding to nOps.
2. The External ID is auto-generated.
3. Enter the ARN of the IAM role that you copied earlier in step 8 of the Give nOps permission: Create the IAM policy section.
4. Add the S3 bucket name. Make sure the S3 bucket name is the same as the S3 bucket you created for Cost & Usage Report in the AWS console.
5. Enter the name of the Cost & Usage Report you created in step 4 of the Create the Cost & Usage Report section.
6. Enter the report prefix path that you created in step 6 of Create/Select the S3 billing bucket.
When adding the AWS account to nOps make sure you save the settings after filling all the fields.
The Manual Setup is now complete.
Note: It can take up to 24 hours for data to populate. If you have any questions, please contact us at email@example.com
Viewing Added AWS Accounts:
In nOps, you can view the list of all cloud accounts that you add to nOps.
To view the cloud accounts, go to UserName Dropdown (Top right) > Organization Settings > Cloud Accounts where:
- For AWS accounts, the name of the S3 bucket (if added) is displayed, and also the “Last fetch” time of the S3 bucket.
- For Azure accounts, the name of the account is displayed.
To edit an existing cloud account:
1. Go to UserName Dropdown (Top right) > Organization Settings > Cloud Accounts
2. Click the Edit button.
3. You can make any changes you need. Ensure that, when you are done making the changes, you click the Update Account button in order to save the changes.
Note: Editing the S3 bucket, for an AWS account, of an existing project can cause changes in cost data or undesired results.