Administrators of the MontyCloud DAY2 Platform can connect AWS accounts to the platform one at a time, or they can onboard multiple accounts that are part of an AWS Organization.  This method of onboarding uses a CloudFormation StackSet launched in the Management Account to push the permissions MontyCloud DAY2 needs down to the Member Accounts of the Organization.  This article describes the prerequisites for this onboarding method, the process of onboarding the Management Account of an Organization, and the process of onboarding Member Accounts within that Organization.


Prerequisites


To use Organizational Onboarding, there are a few basic prerequisites:


  1. The user must have appropriate permissions in DAY2 to add new Accounts to their tenant. Users with the Cloud Admin role will be able to perform this function.
  2. The user must have appropriate permissions in AWS to launch a CloudFormation StackSet that creates IAM resources.  Root access is not required.
  3. In the AWS Organizations Service, the "Trusted Access" setting must be enabled for CloudFormation StackSets.  This enables the ability to push a StackSet created in the Management Account down to a Member Account.  If this is not enabled, follow the steps below to enable it:
    1. Navigate to the Organizations Service in the AWS Console in the target Management Account.  Select the "Services" option in the navigation blade on the left-hand side.
    2. Scroll down to the "CloudFormation StackSets" option.
    3. If the field on the right reads "Access Disabled" for CloudFormation StackSets, click on the Service name, then click the "Enable Trusted Access" button.


Onboarding your Management Account


  1. From the Settings section in the top right of the MontyCloud DAY2 UI, navigate to the Accounts Page.  Click the "Connect Account" button in the top right to connect a new AWS Account.
  2. In the "Select Account Type" page, select the "AWS Organization Account" option.  Then click the "Next: Configure Access" button.
  3. On the next page, click the "Configure Access" button to launch a CloudFormation Stack in your AWS Account.  You can either log in to the Console of your AWS Management Account before clicking "Configure Access", in which case you are taken directly to the CloudFormation service in your Console, or click "Configure Access" first and log in when you are brought to the login page.  The page should route you to CloudFormation after you log in.  You may need to enable Cost Insights in Cost Explorer to get the full set of cost optimization features from CloudCheckr.
  4. When the "Configure Access" button routes you to the AWS Management Console, check the two boxes at the bottom of the page and click the "Create Stack" button.
  5. After clicking the "Create Stack" button, return to MontyCloud while the platform begins its initial authentication into the AWS Account.  The page will automatically advance to a prompt for a friendly name for the account when it is ready to proceed.  Once the friendly name is set, the page will validate that the name is unique, and you'll get the option to advance to the next page.
  6. On the Select Regions screen, you can select which regions you would like MontyCloud to be able to operate within.  This is an opportunity to reduce the scope of MontyCloud's visibility and permissions within the account.  It is recommended to select each region in which resources are actively deployed and maintained.  US East (N. Virginia) is selected by default and cannot be deselected.
  7. The "Discover" page shows the progress of the tool as it performs its initial discovery of resources, but the user does not need to wait until it completes to advance to the next page and complete the onboarding.
  8. Advance to the Finish page and complete the account setup.



Onboarding your Member Accounts


  1. Navigate to the Accounts page in the Settings.  Now that your Management Account has been connected, you should see it listed in the table under "Management Accounts".
  2. Click on the name of your Management Account.  In the "AWS Organization Hierarchy" tab, you will see either a tree view of your organization or an expandable list view.
  3. To onboard a Member Account in your Organization, press the blue "Connect Account" button under the account of your choice.  The screen will display a popup confirming your choice.  Click the Connect button.
  4. After clicking the Connect button, you will get a popup confirming the onboarding for the account has begun, and a link back to the Accounts page to track progress.
  5. When the new account completes onboarding, it will be displayed in the "Linked Accounts" table in the Accounts page, and the Connection Status will be "Connected".
  6. Onboarding additional Member Accounts can be performed by repeating steps 3 and 4 in this process.
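The following script is an added example, not part of the MontyCloud documentation or product.  It verifies the StackSets "Trusted Access" prerequisite from the command line and then lists the Member Accounts that received the DAY2 permissions StackSet, so an administrator can confirm which accounts have been granted access.  It assumes AWS CLI v2 configured with Management Account credentials allowed to call organizations:ListAWSServiceAccessForOrganization and cloudformation:ListStackInstances; the StackSet name passed as the first argument is a placeholder that you take from the CloudFormation console.

```shell
#!/bin/sh
# Added example (not MontyCloud's code): audit the StackSets trusted-access
# prerequisite and the Member Accounts onboarded through the StackSet.

# Service principal that AWS Organizations registers when trusted access is
# enabled for CloudFormation StackSets.
STACKSET_PRINCIPAL="member.org.stackset.cloudformation.amazonaws.com"

# Reads one service principal per line on stdin; returns 0 when the
# CloudFormation StackSets principal is present, 1 otherwise.
trusted_access_enabled() {
  grep -qx "$STACKSET_PRINCIPAL"
}

# Live check: fetch the enabled service principals from the Management
# Account and evaluate them with trusted_access_enabled.
check_trusted_access() {
  aws organizations list-aws-service-access-for-organization \
    --query 'EnabledServicePrincipals[].ServicePrincipal' --output text \
    | tr '\t' '\n' | trusted_access_enabled
}

# Lists account, region and status for every instance of the named StackSet,
# i.e. the Member Accounts that now hold the DAY2 permissions.
list_onboarded_accounts() {
  stackset_name="${1:?stackset name required}"
  aws cloudformation list-stack-instances --stack-set-name "$stackset_name" \
    --query 'Summaries[].[Account,Region,Status]' --output text
}

# Only contact AWS when a StackSet name is supplied on the command line.
if [ "$#" -gt 0 ]; then
  if check_trusted_access; then
    echo "Trusted access for CloudFormation StackSets: enabled"
  else
    echo "Trusted access for CloudFormation StackSets is NOT enabled."
    echo "Enable it (Management Account) with:"
    echo "  aws organizations enable-aws-service-access --service-principal $STACKSET_PRINCIPAL"
    exit 1
  fi
  list_onboarded_accounts "$1"
fi
```

Run it as `sh audit.sh <StackSetName>`; the `enable-aws-service-access` command it prints is the CLI equivalent of the "Enable Trusted Access" button described in the prerequisites.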