Connecting Accounts with AWS CloudFormation

Jul 26, 2024

Introduction

Using AWS CloudFormation StackSets to deploy the CloudSaver connection CloudFormation template offers a swift method for linking your complete AWS Organization to CloudSaver. This article outlines distinct deployment approaches, as well as the essential prerequisites and configurations required for a successful deployment.

Logging into Your AWS Organization’s Management Account

Make sure that the account(s) you want to connect are part of an AWS Organization. To learn how to view AWS Organization details, refer to the AWS Documentation  AWS Documentation – Viewing details about your organization.
1. Go to AWS Organizations – Accounts.
2. If a tree of organizational units (OUs) and accounts is displayed, check if the account you are currently logged into is part of an AWS Organization.
Log in to the AWS Organization’s management account
1. From the AWS Organizations – Accounts  hierarchy view, take note of the ‘Management Account’ label and the associated 12-digit ID; this ID is your management account ID.
2. Compare the management account ID with the account ID under which you are currently logged in. You can check this by clicking the dropdown showing your username in the upper right-hand corner of the AWS Management Console.
If needed, log out of your current account and log in to the AWS Organization’s management account. Use the account ID identified in the first step.
1. If you lack the necessary credentials to log into the management account, identify an administrator or an Identity and Access Management (IAM) user with the required credentials. Invite them to proceed with connecting to CloudSaver on your behalf.

Downloading the CloudSaver Connection CloudFormation Template

When logged into CloudSaver, open the Connection Wizard for AWS through either:
1. The dashboard tile prompt to connect if not previously connected (Get started).
2. By navigating to Settings in the lower left-hand corner of the navigation pane, selecting Connections from the Settings submenu, then clicking Add Connection.
From the first step of the Connection Wizard, click Next.
Select  CloudFormation.
Enter your 12-digit AWS Organizations management account ID in the text box.
Download the CloudFormation template (Download YAML).
1. Note: The CloudFormation template is dynamically generated based on your management account ID and includes a unique STS external ID. This external ID establishes a trusted relationship with the CloudSaver AWS account. If you are connecting a new AWS Organization, a second organization, or a substantial amount of time has elapsed since you downloaded the CloudFormation template, it’s recommended to regenerate your template by following the steps provided here.

Note: You have the option of deploying self-service and service-managed stacksets. This guide will provide directions for both methods. Please keep in mind that each deployment method has prerequisites that must be completed for a successful deployment.

Service Managed StackSets (SMSS)

Prerequisites:

Enable all features in AWS Organizations.
Activate trusted access with AWS Organizations.
Serviced-Managed StackSets cannot deploy from the management account. A Stack must be created on the management account, first, before deploying a service-managed stackset.

SMSS – Creating a CloudFormation Stack on the Management Account

In the AWS Console go to the CloudFormation section.
Click the ‘Create Stack’ option.
Under ‘Specify Template’ click ‘Upload a template file’.
Upload the YAML file that was downloaded on the connection screen of the CloudSaver application.
Click ‘Choose file’ and select the file to upload.
Click ‘Next’.
On the ‘Specify Stack Details’ screen, enter the name of the stack in the following format:
1. CloudSaver-<AWSAccountID>.
2. Example: CloudSaver-0123456789101.
  1. This format helps ensure a CloudSaver script to remove the resources can be deployed if you choose to disconnect from the application.
Click ‘Next’.
All options on the ‘Configure Stack Options’ screen can remain at their default values.
Click ‘Next’.
All options on the ‘Review’ screen can remain at their default values.
At the bottom of the ‘Review’ screen check the ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names’ box.
Click ‘Submit’.
Ensure that the status displays ‘Create_Complete’ on the Stacks screen. The creation process typically takes approximately one minute to finish.

Please confirm that the management account is now displayed as ‘Connected’ in the CloudSaver application. Furthermore, ensure that all member accounts under the management account are imported but marked as ‘Not Connected’. Step two, below, will lead you through the process of connecting the member accounts.

SMSS – Create Service-Managed StackSet

Now that a stack has been deployed on the management account, a service-managed stackset will be deployed on all the member accounts you wish to add.

In the AWS Console go to the CloudFormation section.
Click on the ‘StackSets’ hyperlink located in the left-hand column of the screen.
Click the ‘Create StackSet’ option.
On the ‘Choose a Template’ screen, make sure to select the ‘Service-managed permissions’ and ‘Template is ready’ options.
Scroll down to ‘Specify Template’ and select ‘Upload a template file’.
Under ‘Specify Template’ click ‘Upload a template file’.
Upload the YAML file that was downloaded on the connection screen of the CloudSaver application.
1. Note: The YAML file used to create the stack on the management account will also be used to create the stackset.
Click ‘Choose file’ and select the file to upload.
Click ‘Next’.
On the ‘Specify StackSet Details’ screen, enter the stackset name in the following format:
1. CloudSaver-StackSet
  1. This format helps ensure a CloudSaver script to remove the resources can be deployed if you choose to disconnect from the application.
Click ‘Next’.
On the ‘Configure StackSet Options’ screen, select ‘Active’ under the ‘Execution Configuration’ section. This will expedite the stackset deployment.
On the ‘Set Deployment Options” screen, ensure the following options are selected:
1. Deploy New StackSets
2. Deploy to Organization
3. Automatic Deployment – Activated
4. Account Removal Behavior – Delete Stacks
Specify the region(s) you wish to deploy the stacksets.
Under ‘Deployment Options”, the default values will work but you may want to adjust the values to fit your specific needs.
Click ‘Next’.
On the ‘Review’ screen, navigate to the bottom of the page and check the box that says ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names’.
Click ‘Submit’.
Verify the stackset deployed successfully.

After deploying the stack and stackset, both the management account and all member accounts should now be connected. This will initiate the data download process, during which the CloudSaver application will begin pulling information from your AWS environment. If you need to connect multiple management accounts, you should repeat this process for each management account along with its associated member accounts.

Self-Service StackSets (SSSS)

Prerequisites: Before you create a stack set with self-service permissions, you need to establish a trust relationship between the managment and member accounts by creating IAM roles in each account.

Instructions for setting up the AWSCloudFormationStackSetAdministrationRole and the AWSCloudFormationStackSetExecutionRole can be found here.

If these roles are not established, it’s recommended that you deploy Service-Managed StackSets per the directions above.

SSSS – Create a Self-Service StackSet

In the AWS Console go to the CloudFormation section.
Click on the ‘StackSets’ hyperlink located in the left-hand column of the screen.
Click the ‘Create StackSet’ option.
On the ‘Choose a Template’ screen, make sure to select ‘Self-Service Permissions’.
Scroll down to ‘Specify Template’ and select ‘Upload a template file’.
Under ‘Specify Template’ click ‘Upload a template file’.
Upload the YAML file that was downloaded on the connection screen of the CloudSaver application.
Click ‘Next’.
On the ‘Specify StackSet Details’ screen, enter the stackset name in the following format:
1. CloudSaver-StackSet
  1. This format helps ensure a CloudSaver script to remove the resources can be deployed if you choose to disconnect from the application.
On the ‘Configure StackSet Options’ screen, select ‘Active’ under the ‘Execution Configuration’ section. This will expedite the stackset deployment.
On the ‘Set Deployment Options” screen, click ‘Deploy new stacksets’.
For Deployment Locations, choose to deploy the stacks to a specific group of accounts or to the entire organizational unit.
Specify the region(s) you wish to deploy the stacksets.
Under ‘Deployment Options”, the default values will work but you may want to adjust the values to fit your specific needs.
For ‘Region Concurrency’ click ‘Sequential’ if you are deploying to one region and ‘Parallel’ if you are deploying to multiple regions.
On the ‘Review’ screen, navigate to the bottom of the page and check the box that says ‘I acknowledge that AWS CloudFormation might create IAM resources with custom names’.
Click ‘Submit’.
Verify the stackset deployed successfully.

Comprehensive information about AWS CloudFormation can be found here.

In this article

Introduction
Logging into Your AWS Organization’s Management Account
Downloading the CloudSaver Connection CloudFormation Template
Service Managed StackSets (SMSS)
SMSS – Creating a CloudFormation Stack on the Management Account
SMSS – Create Service-Managed StackSet
Self-Service StackSets (SSSS)
SSSS – Create a Self-Service StackSet

FEATURE	BENEFIT
Tag Automation & Batch Tag Processing	Employ powerful automation to quickly and accurately tag cloud resources minimizing manual tasks and saving valuable time and effort. Reduce security vulnerabilities and human errors with accurate and swift tagging.
Real-time, Native Cloud Sync	Tag changes are reflected in real-time in native cloud service provider environments. Data is timely and accurate and can be leveraged with additional CloudSaver and third-party tools.
Tag Explorer Query Engine	Utilize our patented filtering and search technology for rapid and efficient location of client data across resources, zones, accounts, and service providers. This capability drastically reduces mean-time-to-resolution by quickly identifying key cloud data. Its deep dive, robust exploration enables you to “find anything.”
Tag Intelligence Dashboards & Tools	Benefit from a guided tag health experience that automatically delivers valuable insights without the need for customized reports or dashboards. These insights cover both your entire tag environment and also specific categories.
Customizable Dashboards	Create customized dashboards to display data according to your specific needs, offering real-time visibility into cloud resources, tags and spend. Obtain timely, accurate, and relevant data for insightful analysis and to identify tagging gaps.
Efficient Tag Remediation	Benefit from suggested, spell-checked tag keys and values – detect and batch merge tag variations.
Legacy Tagging Solutions	Retroactively tag or modify tags on existing legacy resources during cloud migration, either individually or in bulk and eliminate time-consuming manual efforts for smooth integration into your cloud environment.
Multi-Tenant & Multi-Cloud	Manage every cloud data set from a single screen across resources, zones, accounts, and cloud service providers (AWS and Azure).
Tag Policy Compliance Monitoring	Ingest tag policies from native cloud environments to ensure consistent tag syntax and taxonomy.
User Role & Permission Console	Enhance security with Identity and Access Management features contained in the permissions assigned through tagging.
Configuration Management Database (CMDB) Integration	The CloudSaver platform seamlessly incorporates CMDB data related to known cloud infrastructure, offering precise control, efficient tagging, and enhanced visibility by viewing, filtering, and sorting cloud resources based on CMDB data.