nOps requires safe, secure, and AWS-approved access to your AWS accounts in order to give you the analysis, dashboards, and reports that you need. We only see what you want us to see in order to provide our services, no more, and we need you to give us permission first.
In order to credential and register multiple accounts, we leverage AWS Organizations, CloudFormation, Stack, StackSets, and Lambda.
For multi-account setup, nOps recommends that you use CloudFormation (this setup) instead of Terraform (intended for advanced users with specific requirements).
In this CloudFormation setup, the S3 bucket with the CUR is required only for the Master Payer account.
For a Master Payer account or a single account, during this setup, you will use the same CloudFormation YAML template for both. In order to add Child accounts, you will use a different CloudFormation template. Thus, you will create two stacks, one for the Master Payer, and one for the Child accounts.
Prerequisites
You must have Admin role permissions in AWS before you can add multiple AWS accounts to nOps using CloudFormation.
Access to the nOps public GitHub repository nOps Cloud Account Registration.
Once you’ve taken care of the prerequisites, the next steps are simple and straightforward.
Adding Multiple AWS Accounts (CloudFormation)
When you log in to your nOps account for the first time, a pop-up screen will appear. This pop-up screen will guide you on how you can add your AWS account(s) to nOps. The screen consists of four distinct sections:
Select Cloud Type
Getting Started
Link Cloud Accounts
Fetching
After the Link Cloud Accounts section, in the case of Adding Multiple AWS Accounts (CloudFormation), you need to perform these extra steps on the AWS console:
Enable StackSets in AWS Organizations and AWS CloudFormation.
Go to AWS CloudFormation and create a Stack for the Master Payer account.
Log in to the Master Payer account and create a StackSet for the child/member accounts.
To create the Master Payer account Stack and the child/member account StackSets, use the CloudFormation YAML templates from the nOps Cloud Account Registration public GitHub repository.
Pull the nOps Cloud Account Registration public repository to your local machine before you continue with the setup. You will need the CloudFormation YAML templates in the repository while creating the stacksets. You will also need the nOps API key.
Select Cloud Type
On this page, select the type of cloud account that you want to onboard and click Next.
In the scope of this article, we are going to deal with the AWS Account setup process.
Getting Started
In this section, you need to select the account setup method. In the scope of this article, we will deal with the IaaC Multiple Accounts Setup. Select the IaaC Multiple Accounts Setup option and click Next.
Link Cloud Accounts
The first page in the Link Cloud Accounts section informs you of the prerequisites. If you are adding multiple accounts after you’ve already been onboarded into nOps, go to Create an API key to learn how you can get the API key.
If this is your first time onboarding accounts in nOps, click Proceed to Create API Key:
On the second page in the Link Cloud Accounts section, enter:
An API key name
API Key description
Signature verification (optional)
After you add all the information, click Create API Key:
Once you click Create API Key, nOps will generate an API key for you. Copy and save the API key for future use, and click Next:
When you click Next, nOps will start checking its connectivity with your AWS accounts. In order for nOps to establish a connection with your accounts and start the data ingestion, you need to:
Enable StackSets in AWS Organizations and AWS CloudFormation.
Go to AWS CloudFormation and create a Stack for the Master Payer account.
Log in to the Master Payer account and create a StackSet for the child/member accounts.
Once you complete these two steps, come back to the nOps setup, and you will see the following screen. Click Refresh.
Enable StackSets
To enable CloudFormation StackSets in AWS Organizations, go to AWS Organizations > Services. If you see Access disabled against CloudFormation StackSets, enable it.
Once enabled, against CloudFormation StackSets, you should see Access enabled:
To enable StackSets in AWS CloudFormation, go to CloudFormation > StackSets. If there is no prompt to enable StackSets, then skip this step.
If you see an option to enable the StackSets, then enable it:
Create a Stack for the Master Payer Account
A Stack is a regional service for single-account deployment, which in this case is the Master Payer account. First, we will deploy a CloudFormation Stack in the Master Payer account. Then we will log in to the Organization Master Account to create a StackSet for the Child accounts (OUs).
Note: An Organization Master Account is not the same as a Master Payer account. A child account can also be a Master Payer account, but a child account can never be an Organization Master Payer Account.
To create a stack for the Master Payer account, go to the AWS Console > CloudFormation > Stacks page and click Create stack > With new resources (standard).
The creation of a stack is divided into 4 steps:
In Step 1 (Specify template) —
In the Specify template section, choose the Upload a template file option.
Click Choose file:
When you click Choose file, AWS will open a navigation window for you to navigate and select the YAML template on your local machine. In your local copy of the repository, navigate to nops-cloud-account-registration/nops-aws-account-register/cloudformation-single-acc-register/ and select the nops_register_aws_acc.yaml file.
Click Next.
In Step 2 (Specify stack details) —
Provide a Stack name.
Enter the account name to register in nOps.
Provide the nOpsAPIKey.
Enter nOpsPrivateKey with a single slash instead of a double slash since we are using CloudFormation directly.
Click Next.
In Step 3 (Configure stack options) — leave every field to its default and click Next.
In Step 4 (Review) —
Review the stack details.
Check the “I acknowledge that AWS CloudFormation might create IAM resources” checkbox (important).
Click Create stack.
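A pre-deployment check for the Review step above, added here as an example and not part of the nOps repository: it reads the JSON returned by aws cloudformation get-template-summary --template-body file://nops_register_aws_acc.yaml and reports which capabilities the template requires, which IAM, Lambda and custom resource types it would create, and whether the nOpsAPIKey and nOpsPrivateKey parameters are masked with NoEcho. The sample summary below is constructed for illustration (the AccountName key, the resource types and the NoEcho values are assumptions) and does not describe the actual nOps template.

```python
import json

# Constructed sample of get-template-summary output; the AccountName key, resource
# types and NoEcho values are illustrative and NOT taken from the nOps templates.
SAMPLE_SUMMARY = json.loads("""
{
  "Parameters": [
    {"ParameterKey": "nOpsAPIKey", "ParameterType": "String", "NoEcho": false},
    {"ParameterKey": "nOpsPrivateKey", "ParameterType": "String", "NoEcho": true},
    {"ParameterKey": "AccountName", "ParameterType": "String", "NoEcho": false}
  ],
  "Capabilities": ["CAPABILITY_NAMED_IAM"],
  "ResourceTypes": ["AWS::IAM::Role", "AWS::IAM::Policy",
                    "AWS::Lambda::Function", "Custom::Register"]
}
""")

# Parameters that this page says carry secrets.
SECRET_PARAMS = {"nOpsAPIKey", "nOpsPrivateKey"}
# Resource type prefixes that grant or exercise permissions in the account.
SENSITIVE_PREFIXES = ("AWS::IAM::", "AWS::Lambda::", "Custom::")


def review_template_summary(summary, secret_params=SECRET_PARAMS):
    """Return findings to read before ticking the IAM acknowledgement box."""
    params = {p["ParameterKey"]: p for p in summary.get("Parameters", [])}
    findings = {
        "capabilities": sorted(summary.get("Capabilities", [])),
        "sensitive_resources": sorted(
            t for t in summary.get("ResourceTypes", []) if t.startswith(SENSITIVE_PREFIXES)
        ),
        # A secret parameter without NoEcho is shown in clear text in the stack's
        # Parameters tab and in DescribeStacks output.
        "secrets_without_noecho": sorted(
            k for k in secret_params if k in params and not params[k].get("NoEcho", False)
        ),
        "secrets_not_in_template": sorted(k for k in secret_params if k not in params),
    }
    findings["needs_manual_review"] = bool(
        findings["sensitive_resources"] or findings["secrets_without_noecho"]
    )
    return findings


if __name__ == "__main__":
    print(json.dumps(review_template_summary(SAMPLE_SUMMARY), indent=2))
```

Run it against the summary of each template you pulled from the repository, and read the IAM role and policy definitions in the YAML for every type listed under sensitive_resources before you create the stack.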
Create a StackSet for the Child/Member Accounts
A StackSet is multi-account and multi-region. To create and deploy a StackSet for the Child accounts, make sure that you are logged into your Master Account.
To create a StackSet for the Child/Member account, log in to AWS with your Master Payer Account, go to the AWS Console > CloudFormation > StackSets page, and click Create StackSet. The creation of a StackSet is divided into 5 steps:
In Step 1 (Choose a template) —
In the Specify template section, choose the Upload a template file option.
Click Choose file:
When you click Choose file, AWS will open a navigation window for you to navigate and select the YAML template on your local machine. In your local copy of the repository, navigate to nops-cloud-account-registration/nops-aws-account-register/cloudformation-org-member-accounts-register/ and select the member_consolidated_aws_acc_nops_register.yaml file.
Click Next.
In Step 2 (Specify Stackset details) —
Provide a StackSet name.
Enter the account name to register in nOps.
Provide the nOpsAPIKey.
Enter nOpsPrivateKey with a single slash instead of a double slash since we are using CloudFormation directly.
Click Next.
In Step 3 (Configure Stackset options) —
In the Execution configuration section, select the Inactive option.
Click Next.
In Step 4 (Set deployment options) —
In the Add stacks to stack set section, select the Deploy new stacks option.
In the Deploy targets section, select the Deploy stacks in organizational units option.
Provide the organizational unit ID.
In the Specify regions section, select your desired region.
In the Deployment options section, select the Parallel option (optional).
Click Next.
In Step 5 (Review), review and create the StackSet.
Fetching
Once the StackSets are created and your AWS accounts are linked successfully, you will see the following screen:
It might take several hours for nOps to fetch the data from your AWS account.
After the data is fetched, the setup process is complete.
Note: It can take up to 24 hours before you start seeing the different nOps dashboards and compliance views populated with data from your workload.
If you have any questions, please contact us at help@nops.io, or by phone at +1 866-673-9330.
On initial ingestion, nOps will pull the data from AWS accounts based on the following durations:
Cost data: 6 months look back + current month.
Rules: Current date.
CloudTrail Events: 14 days look back.