Setting up an AWS nOps account for Clients

nOps requires safe, secure, AWS-approved, and read-only access to your AWS accounts to give you the analysis, dashboards, and reports that you need.

We only see what we need, no more. But we need you to give us permission first.

We try to make this as easy as possible for you while complying with AWS security best practices. You must have Admin role permissions before you can create a manual setup.

There are two ways to link your AWS accounts to nOps:

• Use the wizard pop-up

• Follow a manual set-up procedure (this document)

You can add multiple AWS accounts using the +Add New Account button.

Use the following steps to get to the Cloud Accounts dialog:

  1. Log in as an Admin User > From the Profile menu select Organization Settings

  2. From the left Settings pane select Cloud Accounts > Click +Add New Account

  3. At the Cloud Platform page select the AWS Account and click Next
    At the Set up Method page select either nOps Wizard Setup or Manual Setup

  4. Click Next.

The manual procedure is used in complex environments by experienced AWS administrators.

Most customers opt to use the automated wizard procedure.

To use the manual setup for complex environments:

  • First add an nOps account to obtain an auto-generated External ID.

  • From the AWS dashboard configure a unique AWS S3 (storage) bucket to store billing files.

  • Create an AWS IAM Policy and configure an IAM Role.

    IMPORTANT: You will need to enter the nOps auto-generated ID for the IAM Role.

  • Return to the nOps dashboard to complete the setup.

This article provides detailed information for customers who need granular control and insight into the read-only access that nOps requires.

How to manually link AWS accounts to nOps

If the nOps wizard approach to link AWS accounts to nOps isn't possible, then use the following procedure to do it manually.

The instructions below are also useful for administrators in complex environments to embed nOps access into their automation.

Step 1. Use the nOps dashboard to select AWS Manual Configuration option to obtain an auto-generated External ID.

From the AWS Console:

Step 2. Create an S3 billing bucket

Step 3. Give nOps Permission and Create an IAM Policy - Must do from AWS

Step 4. Create an IAM Role - Must do from AWS

From nOps

Step 5. Return to nOps to complete Manual Setup

If you need any help with this process don't hesitate to contact help@nops.io

Important information to copy and save:

Note: Ensure that your AWS SCP configurations allow IAM administrators to make the changes.

During this process there is information that you should copy and save, as you will need to enter it later. This information will be used in AWS and in nOps in order to complete the process:

  • Copy the External ID auto-generated through nOps

  • Copy the ARN shown in the S3 billing bucket policy; you will need it when you create the IAM Policy

  • Enter the External ID into the IAM Role

  • Copy Report name created for the Cost and Usage Report (CUR)

  • Copy Report path prefix from the S3 billing bucket creation

Step 1: Create an auto-generated External ID from nOps

If you are Partner or Client Admin:

  1. Log into the nOps application.

  2. Click on the User Dashboard.

  3. From your Profile name drop-down in the upper right select Organization Settings
    If you are a Partner Admin, select a client first, then select Organization Settings.

  4. At the dialog, click + Add Account.

  5. At the Cloud Account page, select AWS Account and click Next
    At the Setup Method page, select Manual Setup and click Next

  6. Enter an AWS Account Name for the new account (mandatory).
    An External ID is auto-generated for you.
    Do not exit this page, you will return to this page later to complete the account.

Step 2. Set up an S3 billing bucket for Cost & Usage Reports

Set up and create a Cost & Usage Report (also called Detailed Billing Reports or CUR) so that nOps can analyze your cost information.

  1. Log in to your AWS Management Console account.

  2. Go to: Billing & Cost Management Dashboard
    On the left-hand side select Cost & Usage Report
    or,
    Go here: https://console.aws.amazon.com/billing/home?#/reports

  3. Click on Create Report

  4. Create a report name (such as: nopsbilling-daily-gzip)
    Check the box: To automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.

  5. Check the Include resource IDs checkbox. (Mandatory).

Create the S3 billing bucket

AWS needs somewhere to save your cost and usage / detailed billing files that is safe for you. In this step, you create an S3 bucket that secures your information. In the next step, you'll give nOps the permission to read it.

  1. Click Configure

  2. From the dialog do one of the following:
    - Select an existing bucket: Use an existing bucket from your AWS Account
    or
    - Create a new bucket: Create a new S3 bucket to be used specifically for nOps

  3. Click Next to go to Verify Policy. Scroll to the bottom of the default policy and Copy and save the ARN as seen in the following graphic. This will be used later when you Create the IAM Policy.

  4. Check the "I have confirmed that this policy is correct" box.

  5. Click Save to save this policy.

  6. On the Create Report dialog enter the options as seen below:

    • Enter the S3 bucket to deliver the report. Click on verify. (Make sure the S3 bucket has an appropriate Policy for delivery report, check section 3. )

    • Enter the report path prefix (Optional) - Suggestion: nopsbilling

    • Choose Daily (mandatory) for Time granularity.

    • Select an option for Report versioning (Optional) - Suggestion: Overwrite existing report.

    • Select GZIP as Compression type (Required).
      Important: You will need the Report Path Prefix name later when you are adding the AWS Account in nOps

  7. Click Next.

  8. Then, click Review and Complete.

Step 3. Give nOps permission: Create the IAM policy

AWS has a sophisticated security system for Identity and Access Management (IAM). There are no short-cuts for this. The nOps wizard makes this easier with a CloudFormation Template, but the detail is provided here for AWS practitioners who need more information for their own automation or auditing purposes.

To manually configure IAM to allow nOps access:

  1. On the AWS Management Console, go to the ‘Identity and Access Management’ screen.

  2. From the left navigation panel choose ‘Policies’

  3. Click on ‘Create Policy’.

  4. Choose ‘JSON Tab’

    Replace the existing JSON script with the script shown below.

  5. Click on ‘Review Policy’.
    Make sure you replace the bucket placeholder (<paste-bucket-name-here>) with your billing bucket name, otherwise the policy will not match your bucket.

IAM policy for nOps (last updated: 13 September 2021)

JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "ce:GetCostAndUsage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetRightsizingRecommendation",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplate",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "config:DescribeConfigurationRecorderStatus",
        "config:DescribeConfigurationRecorders",
        "config:DescribeDeliveryChannelStatus",
        "config:DescribeDeliveryChannels",
        "cur:DescribeReportDefinitions",
        "cur:PutReportDefinition",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeClientVpnConnections",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ecs:DescribeClusters",
        "ecs:ListClusters",
        "eks:ListClusters",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeCacheSubnetGroups",
        "elasticache:DescribeReplicationGroups",
        "elasticfilesystem:DescribeFileSystems",
        "elasticloadbalancing:DescribeLoadBalancers",
        "es:DescribeElasticsearchDomains",
        "guardduty:ListDetectors",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetLoginProfile",
        "iam:GetRole",
        "iam:ListAccessKeys",
        "iam:ListAccountAliases",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroupsForUser",
        "iam:ListMFADevices",
        "iam:ListRoles",
        "iam:ListUserPolicies",
        "iam:ListUsers",
        "inspector:ListAssessmentRuns",
        "kms:ListKeys",
        "lambda:GetFunction",
        "lambda:GetPolicy",
        "lambda:ListFunctions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSnapshots",
        "rds:DescribePendingMaintenanceActions",
        "rds:ListTagsForResource",
        "redshift:DescribeClusters",
        "s3:GetBucketAcl",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketVersioning",
        "s3:GetEncryptionConfiguration",
        "s3:ListAllMyBuckets",
        "ssm:ListComplianceSummaries",
        "support:DescribeCases",
        "support:DescribeTrustedAdvisorCheckRefreshStatuses",
        "support:DescribeTrustedAdvisorCheckResult",
        "support:DescribeTrustedAdvisorChecks",
        "tag:getResources",
        "tag:getTagKeys",
        "tag:getTagValues",
        "wellarchitected:*",
        "workspaces:DescribeWorkspaceDirectories",
        "workspaces:DescribeWorkspaces"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Create another policy for the s3 bucket that houses the CUR file.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<paste-bucket-name-here>",
        "arn:aws:s3:::<paste-bucket-name-here>/*"
      ]
    }
  ]
}

This policy is for the ARN that was requested in the creation of the Cost and Usage Report S3 bucket. You will attach both policies to the IAM Role that is created for nOps.

  6. Provide a name and description for the policy.

  7. Click on ‘Create Policy’.
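The article describes the nOps policy as read-only, so before attaching either document it is worth checking what each Allow statement actually grants. The following script is an added example, not nOps code: it classifies every allowed action as read-only, write, or wildcard using a prefix heuristic (Describe/Get/List/Lookup), and runs over a constructed excerpt of the article's policy plus the bucket policy with a constructed bucket name. The narrower read-only bucket policy it offers is this example's own assumption about what reading CUR files needs; confirm the scope with nOps before substituting it.

```python
import json

# Verbs starting with these prefixes are treated as read-only. This is the
# heuristic this example assumes, not an AWS definition of "read-only".
READ_ONLY_VERB_PREFIXES = ("describe", "get", "list", "lookup")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return one finding per Allow action that is not plainly read-only.

    A finding is {"statement": idx, "action": ..., "reason": ...}, where reason
    is "wildcard" for actions containing '*' and "write" for verbs outside the
    read-only prefixes. Deny statements are skipped.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if "*" in service or "*" in verb:
                findings.append({"statement": idx, "action": action, "reason": "wildcard"})
            elif not verb.lower().startswith(READ_ONLY_VERB_PREFIXES):
                findings.append({"statement": idx, "action": action, "reason": "write"})
    return findings


def audit_policy_json(text):
    """Same audit for a policy document held as JSON text (e.g. read from a file)."""
    return audit_policy(json.loads(text))


def read_only_bucket_policy(bucket_name):
    """Bucket-scoped alternative to the article's "s3:*" grant.

    The three actions are this example's assumption about what reading CUR
    files requires; verify the scope with the vendor before using it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
        }],
    }


# Constructed excerpt of the article's nOps policy: a few of its actions, picked
# to show each classification. The full action list is in the article.
NOPS_POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "autoscaling:DescribeAutoScalingGroups",
            "ce:GetCostAndUsage",
            "cloudtrail:LookupEvents",
            "cur:DescribeReportDefinitions",
            "cur:PutReportDefinition",
            "iam:ListUsers",
            "tag:getResources",
            "wellarchitected:*",
        ],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# The article's bucket policy with a constructed bucket name in the placeholder.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::example-nops-billing",
            "arn:aws:s3:::example-nops-billing/*",
        ],
    }],
}

if __name__ == "__main__":
    for name, doc in (("nOps policy excerpt", NOPS_POLICY_EXCERPT), ("bucket policy", BUCKET_POLICY)):
        print(name)
        for f in audit_policy(doc) or [{"statement": "-", "action": "(none)", "reason": "all read-only"}]:
            print(f"  statement {f['statement']}: {f['action']} -> {f['reason']}")
```

Run against the full article policy, the audit flags cur:PutReportDefinition (a write action; the service needs it to create report definitions) and wellarchitected:* (a wildcard), and flags s3:* in the bucket policy. Those three are the grants to review with your security team rather than accept under the "read-only" label.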

Step 4. Creating IAM roles

To allow the nOps SaaS application to use the IAM policy you have just created, which allows read-only access to the AWS resources, you need to create a role that links nOps to the IAM policy. If you have an existing role that provides read-only permission, you can attach the policy to that role instead. To create a new role:

  1. From the left navigation panel choose ‘Roles’

  2. Click on ‘Create Role’
    Select type of trusted identity: Choose

  3. Specify accounts that can use this role: AWS will ask for an Account ID and an External ID.
    - For Account ID enter the nOps account ID (202279780353) and f
    - For External ID, enter The string that was auto-generated for you by nOps in Step 1. The auto-generated External ID adds an extra level of security for you. Do not check ‘Require MFA’.

  4. Click ‘Next: Permissions’

  5. Click ‘Next: Tags’ to add tags to be associated with this role.

  6. In the next step, attach the policies created in Step 3 and then click ‘Next: Review’

  7. Enter a name and description for the role and click ‘Create Role’

You have now completed the Manual process in AWS console.
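The console choices in Step 4 (trust another AWS account, require the External ID, no MFA) produce a role trust policy. The script below is an added example, not nOps code or the CloudFormation template the wizard uses: it builds that trust policy for the nOps account ID given in Step 3 and checks an existing trust policy for the two mistakes that matter most, a missing sts:ExternalId condition (the confused-deputy protection the article's External ID provides) and an over-broad principal. The External ID value is a placeholder; use the one nOps generated for you.

```python
import json

# Account ID the article tells you to enter as the trusted account in Step 4.
NOPS_ACCOUNT_ID = "202279780353"


def _as_list(value):
    """IAM accepts a string or a list for Action/Principal; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def build_trust_policy(external_id, trusted_account_id=NOPS_ACCOUNT_ID):
    """Trust policy equivalent to the Step 4 console choices.

    Only the trusted account may call AssumeRole, and only when it presents the
    External ID. No MFA condition is added, matching the article's instruction.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_issues(policy, expected_account_id=NOPS_ACCOUNT_ID):
    """List problems with who may assume the role; an empty list means the trust is as intended."""
    issues = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # not an AssumeRole grant; nothing to check here
        principal = stmt.get("Principal")
        if isinstance(principal, str):
            aws_principals = _as_list(principal)
        else:
            aws_principals = _as_list((principal or {}).get("AWS"))
        for p in aws_principals:
            if p == "*":
                issues.append(f"statement {idx}: Principal '*' lets any AWS account attempt AssumeRole")
            elif expected_account_id not in p:
                issues.append(f"statement {idx}: trusted principal {p} is not account {expected_account_id}")
        condition = stmt.get("Condition") or {}
        if not condition.get("StringEquals", {}).get("sts:ExternalId"):
            issues.append(f"statement {idx}: missing sts:ExternalId condition (confused-deputy protection)")
    return issues


if __name__ == "__main__":
    # Placeholder: substitute the External ID nOps generated in Step 1.
    policy = build_trust_policy("REPLACE-WITH-NOPS-EXTERNAL-ID")
    print(json.dumps(policy, indent=2))
    print("issues:", trust_policy_issues(policy) or "none")
```

To check a role you already have, pass the output of `aws iam get-role --role-name <name>` (its `Role.AssumeRolePolicyDocument`) to `trust_policy_issues`; anything it reports should be fixed before you attach the nOps policies to that role.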

Step 5. Continue editing the manual AWS account in nOps:

Now that you have manually configured an IAM Role in your AWS account for read-only access to AWS resources, the last step is to link that account to nOps.

Since you have already generated an External ID for nOps, you must now add information from AWS to fetch CloudTrail and add a billing bucket to fetch billing data.

Note: If you do not add a billing bucket, your billing stats pages in nOps will not display any data.

  1. From the nOps New Account page that you opened in Step 1.

  2. Select: Yes, I have access.

  3. Select the Manual Setup method on the Setup nOps page.

  4. At the Setup nOps dialog enter the AWS Account Name.

    Enter: S3 bucket name
    Report name
    Prefix path

  5. For role-based access, you need ARN of the IAM role that you copied earlier.

  6. The External ID is auto-generated.

  7. Add the billing bucket name. Make sure the billing bucket name is the same as the S3 bucket you created for billing in the AWS console.

    When adding the AWS account to nOps make sure you save the settings after filling all the fields as in the screenshot below.

Note: It can take up to 24 hours for data to populate. If you have any questions, please contact us at help@nops.io

Viewing Added AWS Accounts/ Projects:

You can view the list of all projects you added in your project settings. To view these:

Go to UserName Dropdown (Top right) → Settings → AWS Accounts where the name of the billing bucket [If added] is displayed, and also the “Last fetch” time of the billing bucket.

Editing an Existing AWS Account/Project:

Go to UserName Dropdown (Top right) → Settings → AWS Accounts

Click on any project to open the edit Account Details page.

You can make any changes you need. Ensure that you click the Update Account button in order to save the changes.

Note: Editing the billing bucket of an existing project can cause changes in cost data or undesired results.

Related Articles:

How Child Accounts Work in nOps

How to Add a Read Only IAM Policy
