Connecting Accounts with AWS CloudFormation

Jul 26, 2024

Introduction

Using AWS CloudFormation StackSets to deploy the CloudSaver connection CloudFormation template offers a swift method for linking your complete AWS Organization to CloudSaver. This article outlines distinct deployment approaches, as well as the essential prerequisites and configurations required for a successful deployment. 

Logging into Your AWS Organization’s Management Account

  1. Make sure that the account(s) you want to connect are part of an AWS Organization. To learn how to view AWS Organization details, refer to the AWS Documentation – Viewing details about your organization.
    1. Go to AWS Organizations – Accounts.
    2. If a tree of organizational units (OUs) and accounts is displayed, check if the account you are currently logged into is part of an AWS Organization.
  2. Log in to the AWS Organization’s management account.
    1. From the AWS Organizations – Accounts hierarchy view, take note of the ‘Management Account’ label and the associated 12-digit ID; this ID is your management account ID.
    2. Compare the management account ID with the account ID under which you are currently logged in. You can check this by clicking the dropdown showing your username in the upper right-hand corner of the AWS Management Console. 
  3. If needed, log out of your current account and log in to the AWS Organization’s management account. Use the account ID identified in the first step.
    1. If you lack the necessary credentials to log into the management account, identify an administrator or an Identity and Access Management (IAM) user with the required credentials. Invite them to proceed with connecting to CloudSaver on your behalf. 

Downloading the CloudSaver Connection CloudFormation Template

  1. When logged into CloudSaver, open the Connection Wizard for AWS through either:
    1. The dashboard tile prompt to connect if not previously connected (Get started).
    2. By navigating to Settings in the lower left-hand corner of the navigation pane, selecting Connections from the Settings submenu, then clicking Add Connection. 
  2. From the first step of the Connection Wizard, click Next.
  3. Select CloudFormation.
  4. Enter your 12-digit AWS Organizations management account ID in the text box. 
  5. Download the CloudFormation template (Download YAML).
    1. Note: The CloudFormation template is dynamically generated based on your management account ID and includes a unique STS external ID. This external ID establishes a trusted relationship with the CloudSaver AWS account. If you are connecting a new AWS Organization, a second organization, or a substantial amount of time has elapsed since you downloaded the CloudFormation template, it’s recommended to regenerate your template by following the steps provided here. 
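The external ID in the note above is what prevents a third party from asking the CloudSaver account to assume your role on its behalf (the confused-deputy problem), so the downloaded template is worth checking before it is deployed. The Python below is an added example, not CloudSaver’s code: it assumes the template has been converted from YAML to JSON (for example with cfn-flip, since CloudFormation’s YAML tags do not load in a plain YAML parser) and contains an AWS::IAM::Role whose AssumeRolePolicyDocument trusts the CloudSaver account; the logical ID, the account ID 111111111111 and the external ID are constructed placeholders.

```python
import json

def _template(statement):
    """Wrap one trust-policy statement in a minimal template (constructed sample)."""
    return json.dumps({"Resources": {"CloudSaverRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {"AssumeRolePolicyDocument": {
            "Version": "2012-10-17", "Statement": [statement]}}}}})

GOOD_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account ID
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
}
SAMPLE_TEMPLATE = _template(GOOD_STATEMENT)
# Same trust but without the external-ID condition: the defect the check must catch.
WEAK_TEMPLATE = _template({k: v for k, v in GOOD_STATEMENT.items() if k != "Condition"})

def _as_list(value):  # Action and Principal.AWS may be a string or a list in IAM policies
    return value if isinstance(value, list) else [value]

def trust_policy_findings(template_json, expected_principal):
    """Check every AWS::IAM::Role in the template. A finding is raised when an Allow
    statement for sts:AssumeRole trusts '*', trusts an AWS principal other than
    expected_principal, or has no sts:ExternalId condition. Empty list == passes."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        for stmt in _as_list(doc.get("Statement", [])):
            actions = _as_list(stmt.get("Action", []))
            if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
                continue
            principal = stmt.get("Principal", {})
            aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
            if not aws:
                continue  # service or federated principals are outside this check
            if "*" in aws:
                findings.append(f"{name}: trust policy allows any AWS principal")
                continue
            unexpected = [p for p in aws if p != expected_principal]
            if unexpected:
                findings.append(f"{name}: trusts unexpected principal(s) {unexpected}")
            ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if not ext_id:
                findings.append(f"{name}: cross-account trust has no sts:ExternalId condition")
    return findings
```

Run it against the real template with the CloudSaver account ARN shown in the Connection Wizard as expected_principal; anything it reports should be resolved by regenerating the template rather than by editing it by hand.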

Note: You have the option of deploying self-service and service-managed StackSets. This guide provides directions for both methods. Keep in mind that each deployment method has prerequisites that must be completed for a successful deployment.

Service Managed StackSets (SMSS)

Prerequisites: 

  • Enable all features in AWS Organizations.
  • Activate trusted access with AWS Organizations.
  • Service-managed StackSets do not deploy a stack to the management account itself, so a stack must be created on the management account first, before deploying the service-managed StackSet.

SMSS – Creating a CloudFormation Stack on the Management Account

  1. In the AWS Console go to the CloudFormation section.
  2. Click the ‘Create Stack’ option.
  3. Under ‘Specify Template’ click ‘Upload a template file’.
  4. Upload the YAML file that was downloaded on the connection screen of the CloudSaver application.
  5. Click ‘Choose file’ and select the file to upload.
  6. Click ‘Next’.
  7. On the ‘Specify Stack Details’ screen, enter the name of the stack in the following format:
    1. CloudSaver-<AWSAccountID>.
    2. Example:  CloudSaver-0123456789101.
      1. This format helps ensure a CloudSaver script to remove the resources can be deployed if you choose to disconnect from the application.
  8. Click ‘Next’. 
  9. All options on the ‘Configure Stack Options’ screen can remain at their default values. 
  10. Click ‘Next’.
  11. All options on the ‘Review’ screen can remain at their default values.
  12. At the bottom of the ‘Review’ screen check the ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names’ box.
  13. Click ‘Submit’.
  14. Ensure that the status displays ‘CREATE_COMPLETE’ on the Stacks screen. The creation process typically takes approximately one minute to finish.

Please confirm that the management account is now displayed as ‘Connected’ in the CloudSaver application. Furthermore, ensure that all member accounts under the management account are imported but marked as ‘Not Connected’. Step two, below, will lead you through the process of connecting the member accounts.

SMSS – Create Service-Managed StackSet

Now that a stack has been deployed on the management account, a service-managed stackset will be deployed on all the member accounts you wish to add. 

  1. In the AWS Console go to the CloudFormation section.
  2. Click on the ‘StackSets’ hyperlink located in the left-hand column of the screen. 
  3. Click the ‘Create StackSet’ option. 
  4. On the ‘Choose a Template’ screen, make sure to select the ‘Service-managed permissions’ and ‘Template is ready’ options. 
  5. Scroll down to ‘Specify Template’ and select ‘Upload a template file’. 
  6. Under ‘Specify Template’ click ‘Upload a template file’.
  7. Upload the YAML file that was downloaded on the connection screen of the CloudSaver application.
    1. Note: The YAML file used to create the stack on the management account is also used to create the StackSet.
  8. Click ‘Choose file’ and select the file to upload. 
  9. Click ‘Next’. 
  10. On the ‘Specify StackSet Details’ screen, enter the stackset name in the following format:
    1. CloudSaver-StackSet
      1. This format helps ensure a CloudSaver script to remove the resources can be deployed if you choose to disconnect from the application. 
  11. Click ‘Next’.  
  12. On the ‘Configure StackSet Options’ screen, select ‘Active’ under the ‘Execution Configuration’ section. This will expedite the stackset deployment. 
  13. On the ‘Set Deployment Options’ screen, ensure the following options are selected:
    1. Deploy New StackSets 
    2. Deploy to Organization 
    3. Automatic Deployment – Activated 
    4. Account Removal Behavior – Delete Stacks 
  14. Specify the region(s) you wish to deploy the stacksets. 
  15. Under ‘Deployment Options’, the default values will work but you may want to adjust the values to fit your specific needs.
  16. Click ‘Next’. 
  17. On the ‘Review’ screen, navigate to the bottom of the page and check the box that says ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names’.
  18. Click ‘Submit’. 
  19. Verify the stackset deployed successfully.   

After deploying the stack and stackset, both the management account and all member accounts should now be connected. This will initiate the data download process, during which the CloudSaver application will begin pulling information from your AWS environment. If you need to connect multiple management accounts, you should repeat this process for each management account along with its associated member accounts. 

Self-Service StackSets (SSSS)

Prerequisites: Before you create a StackSet with self-service permissions, you need to establish a trust relationship between the management and member accounts by creating IAM roles in each account.

Instructions for setting up the AWSCloudFormationStackSetAdministrationRole and the AWSCloudFormationStackSetExecutionRole can be found here.

If these roles are not established, it’s recommended that you deploy Service-Managed StackSets per the directions above. 

SSSS – Create a Self-Service StackSet

  1. In the AWS Console go to the CloudFormation section.
  2. Click on the ‘StackSets’ hyperlink located in the left-hand column of the screen. 
  3. Click the ‘Create StackSet’ option. 
  4. On the ‘Choose a Template’ screen, make sure to select ‘Self-Service Permissions’. 
  5. Scroll down to ‘Specify Template’ and select ‘Upload a template file’.
  6. Under ‘Specify Template’ click ‘Upload a template file’. 
  7. Upload the YAML file that was downloaded on the connection screen of the CloudSaver application. 
  8. Click ‘Next’. 
  9. On the ‘Specify StackSet Details’ screen, enter the stackset name in the following format:
    1. CloudSaver-StackSet
      1. This format helps ensure a CloudSaver script to remove the resources can be deployed if you choose to disconnect from the application. 
  10. On the ‘Configure StackSet Options’ screen, select ‘Active’ under the ‘Execution Configuration’ section. This will expedite the stackset deployment. 
  11. On the ‘Set Deployment Options’ screen, click ‘Deploy new stacksets’.
  12. For Deployment Locations, choose to deploy the stacks to a specific group of accounts or to the entire organizational unit. 
  13. Specify the region(s) you wish to deploy the stacksets. 
  14. Under ‘Deployment Options’, the default values will work but you may want to adjust the values to fit your specific needs.
  15. For ‘Region Concurrency’ click ‘Sequential’ if you are deploying to one region and ‘Parallel’ if you are deploying to multiple regions. 
  16. On the ‘Review’ screen, navigate to the bottom of the page and check the box that says ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names’. 
  17. Click ‘Submit’. 
  18. Verify the stackset deployed successfully. 
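For anyone who would rather script the SMSS and SSSS procedures above than click through the console, the following is an added example (neither CloudSaver’s nor AWS’s code): it maps each console setting named in those sections to the matching CloudFormation API parameter and runs the calls with boto3. It assumes boto3 is installed and configured with management-account credentials, that the template text has already been read from the downloaded YAML file, and that for a service-managed deployment to the whole organization the organization root ID (r-…) is passed as the target; all account and OU IDs in the example are placeholders.

```python
def management_stack_request(template_body, management_account_id):
    """CreateStack parameters for the stack created on the management account first."""
    return {"StackName": f"CloudSaver-{management_account_id}", "TemplateBody": template_body,
            "Capabilities": ["CAPABILITY_NAMED_IAM"]}  # the 'custom names' IAM acknowledgement

def stack_set_requests(template_body, targets, regions, service_managed=True,
                       admin_account_id=None, stack_set_name="CloudSaver-StackSet"):
    """Map the console choices to CreateStackSet and CreateStackInstances parameters.
    Service-managed: `targets` are OU IDs (the root ID covers the whole organization).
    Self-service: `targets` are member account IDs; admin_account_id is the management account."""
    create = {
        "StackSetName": stack_set_name,
        "TemplateBody": template_body,
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        "ManagedExecution": {"Active": True},  # Execution Configuration -> Active
    }
    instances = {
        "StackSetName": stack_set_name,
        "Regions": list(regions),
        # Region Concurrency: Sequential for one region, Parallel for several
        "OperationPreferences": {
            "RegionConcurrencyType": "PARALLEL" if len(regions) > 1 else "SEQUENTIAL"},
    }
    if service_managed:
        create["PermissionModel"] = "SERVICE_MANAGED"
        # Automatic Deployment - Activated; Account Removal Behavior - Delete Stacks
        create["AutoDeployment"] = {"Enabled": True, "RetainStacksOnAccountRemoval": False}
        instances["DeploymentTargets"] = {"OrganizationalUnitIds": list(targets)}
    else:
        create["PermissionModel"] = "SELF_MANAGED"
        # the two roles the SSSS prerequisites require to exist already
        create["AdministrationRoleARN"] = (f"arn:aws:iam::{admin_account_id}:role/"
                                           "AWSCloudFormationStackSetAdministrationRole")
        create["ExecutionRoleName"] = "AWSCloudFormationStackSetExecutionRole"
        instances["Accounts"] = list(targets)
    return create, instances

def deploy(stack_kwargs, create_kwargs, instances_kwargs, region="us-east-1"):
    """Run the SMSS sequence with boto3 (imported lazily so the builders above work offline):
    management stack first, wait for it, then the StackSet; returns the operation ID."""
    import boto3  # assumed installed and configured with management-account credentials
    cfn = boto3.client("cloudformation", region_name=region)
    cfn.create_stack(**stack_kwargs)
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_kwargs["StackName"])
    cfn.create_stack_set(**create_kwargs)
    return cfn.create_stack_instances(**instances_kwargs)["OperationId"]
```

Check the returned operation ID with describe_stack_set_operation (or the StackSets console) the same way the guide has you verify the deployment.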

Comprehensive information about AWS CloudFormation can be found here.