
Cloud Labs: Bring Your Own AWS Account

Steps to grant Vocareum permission to use your AWS account

Written by David
Updated over a week ago

For Admins

To provision AWS resources in Cloud Labs, you will need to grant Vocareum permission to manage relevant aspects of your AWS account. Permission is configured using AWS Identity and Access Management (IAM).

Please refer to the following AWS documentation for further context: Access to AWS accounts owned by third parties.


AWS BYO Account Checklist

In your Payer account,

Vocareum will perform the following steps after your payer account is added:

  • Apply a set of protective SCPs to your Root and the new OU.

  • Create 9 test accounts and verify. You can use the newly created accounts for testing.

  • Create new accounts up to the approved linked account quota.

Note: Alternative Guide for Advanced Setup

For most organizations, we recommend the process outlined in this standard guide. However, if your internal security policies require limiting the permissions granted at the organization level, we can also support a process in which you perform additional setup steps to reduce the AWS permissions needed by Vocareum. You can find details on that process here: Cloud Labs: Bring Your Own AWS Account—Advanced Flow.


Set up your AWS Payer account

Create an AWS Payer Account, Organization, and billing bucket

For data and billing isolation purposes, we recommend creating a new, standalone AWS account for Vocareum rather than using an existing account. This new AWS account will serve as your AWS Payer.

  1. Create a standalone AWS account. AWS guide: Create an AWS account

  2. Create an administrator user to manage your Payer account, so that you do not need to use the Root user in the Payer account for day-to-day operations. AWS guide: Create an administrator user

  3. In your AWS Payer account, go to the AWS Organization console and create an Organization Root. Your AWS Payer Account will serve as the management account for the organization. AWS guide: Creating an organization with AWS Organizations

  4. In the AWS Organization console, create an Organizational Unit (OU) under the Organization Root. AWS guide: Creating an organizational unit (OU) with AWS Organizations

  5. Navigate to the S3 service and create a new S3 bucket in the us-east-1 region. Vocareum will perform the remaining configuration to make this the AWS billing bucket for your AWS Payer. AWS guide: Creating a general purpose bucket


Enable Service control policies (SCPs)


Create the Vocareum Administrator IAM Role

1. Starting with an unused AWS payer account, navigate to IAM roles in the AWS console and create a new role.

2. Choose Another AWS account from the four options presented. In the Account ID field, please enter 117530877863 and verify that the number was entered correctly before proceeding. Optionally, you can check the option 'Require external ID' and enter a string in the field.

Click 'Next'.

3. We will add the permissions after the role is created. Skip 'Add permissions' for now and click 'Next' at the end of the page.

4. Please enter vocareumadmin as the Role name. The role name must be entered correctly for us to assume the role. You may enter 'Admin Access for Vocareum' in the Description but this is not required.

Again, we do not add the permissions in this step. You may add tags if needed.

Click 'Create role' to finish creating the role.

5. After the role is created, open the Permissions tab, click 'Add permissions' and select 'Select inline policy'.

Choose JSON format and copy and paste the following policy into the policy editor:

Please replace <<my-billing-bucket>> with the name of your billing bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*",
        "organizations:List*",
        "organizations:MoveAccount",
        "organizations:CreateAccount",
        "organizations:CreatePolicy",
        "organizations:UpdatePolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::<<my-billing-bucket>>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/vocareum",
        "arn:aws:iam::*:role/voclabs"
      ]
    }
  ]
}

Click 'Next'.

Enter 'vocareumadmin-policy' as the policy name (the name is not critical).

Then click 'Create policy' to create the policy.

6. Back on the 'vocareumadmin' role page, edit the Maximum session duration from 1 hour to 12 hours.

Click 'Edit'.

Set the duration to 12 hours, then click 'Save changes'.

The 'vocareumadmin' role setup is completed.

Please proceed to the section: Enable Billing Reports.
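The console wizard in steps 2 and 4 writes the role's trust policy for you; the example below, which is added here and is not Vocareum's code, builds that same document so you can see exactly what 'Another AWS account' plus 'Require external ID' produces, and lints it before it is saved. The Vocareum account ID, role name and 12-hour session duration are the values from this guide; the external ID string is a constructed sample. The `lint_trust_policy` helper is hypothetical.

```python
import json

# Values from the guide above.
VOCAREUM_ACCOUNT_ID = "117530877863"
ROLE_NAME = "vocareumadmin"
MAX_SESSION_SECONDS = 12 * 3600  # step 6 raises the default 1 hour to 12 hours


def trust_policy(external_id=None):
    """Build the trust (assume-role) policy the console creates when you choose
    'Another AWS account', enter the Vocareum account ID and, optionally, tick
    'Require external ID'."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VOCAREUM_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        # The external ID is a shared secret Vocareum must present on every
        # AssumeRole call. Without it, anyone who learns your account ID and
        # the role name could ask Vocareum to act on the role on their behalf.
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def lint_trust_policy(doc, expect_external_id):
    """Return a list of problems found in a trust policy document.

    expect_external_id should be True when you entered an External ID in the
    Vocareum Add Payer form, so the role must actually require it."""
    problems = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            problems.append("principal is '*': any AWS account could assume the role")
            continue
        aws_principals = principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        if "*" in aws_principals:
            problems.append("principal is '*': any AWS account could assume the role")
        for p in aws_principals:
            if p != "*" and VOCAREUM_ACCOUNT_ID not in p:
                problems.append(f"unexpected principal {p}: only the Vocareum account should be trusted")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if expect_external_id and "sts:ExternalId" not in cond:
            problems.append("external ID configured in Vocareum but not required by the trust policy")
    return problems


if __name__ == "__main__":
    doc = trust_policy("example-external-id")  # constructed sample external ID
    print(json.dumps(doc, indent=2))
    print("problems:", lint_trust_policy(doc, expect_external_id=True))
```

The printed document is what you would pass to `aws iam create-role --role-name vocareumadmin --assume-role-policy-document file://trust.json --max-session-duration 43200` if you scripted the role instead of using the console; the inline policy from step 5 then goes in with `aws iam put-role-policy`.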


Enable Billing Reports

1. Click on your account name in the navigation bar to open the drop-down menu. Then, click My Account to navigate to the account settings page.

2. Scroll down to the IAM User and Role Access to Billing Information section.

Check the box next to Activate IAM Access and then click Update.

3. In the Billing and Cost Management Console, choose 'Billing Preferences' from the left panel.

Click 'Edit' to configure your billing bucket to receive the bill files.

4. In the S3 Console, enable the vocareumadmin role to retrieve bill files from your billing bucket by doing the following:

Choose your billing bucket from the S3 console, then choose the 'Permissions' tab and scroll to the Bucket policy section.

Click 'Edit' to edit the bucket policy, and add the following statement to the policy:

{
  "Sid": "StmtPayerAccess",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<<your payer account id>>:role/vocareumadmin"
  },
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::<<your billing bucket>>/*"
}

Save the changes to update the policy.
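The role's inline policy from step 5 of the previous section and this bucket policy only work together: the inline policy lists the bucket ARN itself, which covers bucket-level calls such as ListBucket, while object reads under the bucket are granted by this bucket policy (in the same account, an Allow in either the identity policy or the resource policy is enough). The example below is added here, is not Vocareum's code, and runs a deliberately simplified same-account policy evaluation over both documents to show which requests succeed. The payer account ID and bucket name are constructed placeholders; SCPs, permission boundaries and session policies are ignored.

```python
import fnmatch
import json

# Constructed placeholders for the values the guide asks you to fill in.
PAYER_ACCOUNT_ID = "111122223333"
BILLING_BUCKET = "my-billing-bucket"
ROLE_ARN = f"arn:aws:iam::{PAYER_ACCOUNT_ID}:role/vocareumadmin"

# The role's inline policy from step 5, with the bucket placeholder replaced.
ROLE_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["organizations:Describe*", "organizations:List*",
                    "organizations:MoveAccount", "organizations:CreateAccount",
                    "organizations:CreatePolicy", "organizations:UpdatePolicy",
                    "organizations:AttachPolicy", "organizations:DetachPolicy"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:List*", "s3:Get*"],
         "Resource": f"arn:aws:s3:::{BILLING_BUCKET}"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": ["arn:aws:iam::*:role/vocareum", "arn:aws:iam::*:role/voclabs"]},
    ],
}

# The bucket policy statement from step 4 above, with placeholders replaced.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "StmtPayerAccess", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BILLING_BUCKET}/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, principal=None):
    """True if the statement's Action and Resource (and, for a resource policy,
    its Principal) cover the request. IAM's '*' and '?' wildcards are modelled
    with fnmatch; action names are compared case-insensitively like IAM does."""
    if principal is not None:
        allowed = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal not in allowed and "*" not in allowed:
            return False
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def is_allowed(action, resource, identity_policy=ROLE_INLINE_POLICY,
               resource_policy=BUCKET_POLICY, principal=ROLE_ARN):
    """Simplified same-account evaluation: an explicit Deny anywhere wins,
    otherwise an Allow in either the identity policy or the resource policy
    (where the principal must match) is sufficient."""
    statements = [(s, None) for s in identity_policy["Statement"]]
    statements += [(s, principal) for s in resource_policy["Statement"]]
    if any(s["Effect"] == "Deny" and _matches(s, action, resource, p) for s, p in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, resource, p) for s, p in statements)


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    for action, resource in [
        ("s3:GetObject", f"arn:aws:s3:::{BILLING_BUCKET}/2024/bill.csv"),  # via bucket policy
        ("s3:ListBucket", f"arn:aws:s3:::{BILLING_BUCKET}"),               # via inline policy
        ("s3:PutObject", f"arn:aws:s3:::{BILLING_BUCKET}/x"),              # nobody grants this
        ("sts:AssumeRole", "arn:aws:iam::444455556666:role/Admin"),        # not voclabs/vocareum
    ]:
        print(f"{action:<16} {resource:<50} {'ALLOW' if is_allowed(action, resource) else 'DENY'}")
```

Running it shows that removing the bucket policy statement leaves `s3:GetObject` denied on every object even though the role has `s3:Get*`, because the inline policy's Resource is the bucket ARN without `/*`.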


Request AWS increase to linked accounts quota

By default, an AWS Organization can have up to 9 linked accounts. You will need to open a support ticket from your payer account to request an increase in the linked account quota. The maximum account quota for an organization is 5000.

Here is a sample ticket request:

Dear Support,

We need to increase the Organization linked member account quota to 5000 (or a number you see fit).

We are teaching students how to use AWS services through the AWS console. Each student requires an AWS linked account, and there will be many enrolled at once, which is why we need an increase to 5000 now. Due to the increase in online education, we need 5k accounts available, as we must complete additional setup for lab use after the accounts are created.


Add your AWS Payer to Vocareum

1. Go to the Vocareum Control Center and select AWS from the sidebar.

2. Open the AWS Payers page.

3. Click the '+ Add payer' button to open the Add Payer form.

4. Complete the fields in the Add Payer form, including:

  • Account ID: input your AWS Payer account ID

  • Access Type: Select 'IAM Role' in the Access selection

  • External ID (Optional): Enter a string that Vocareum will pass to AWS when assuming the vocareumadmin role for additional security.

  • Billing bucket: Input the name of the S3 bucket you created in us-east-1 for billing reports.

  • Root ID: Enter the root ID of your Payer account.

  • Organization Unit ID: Input the ID of the OU you created in your Payer account.

  • Linked member account quota: Enter the number of accounts currently available from your Payer account quota. The quota is typically 9 for new accounts. If AWS has approved your account quota increase request, your quota may be higher.

5. Click 'Save' at the end of the Add Payer form.


Once you have completed all the steps in this guide, please email support@vocareum.com with your AWS Payer account number so we can validate the integration.
