Cloud Labs: Bring Your Own AWS Account

Steps to grant Vocareum permission to use your AWS account

Written by David
Updated over 2 weeks ago

For Admins

To provision AWS resources in Cloud Labs, you will need to grant Vocareum permission to manage relevant aspects of your AWS account. Permission is configured using AWS Identity and Access Management (IAM).

Please refer to the following AWS documentation for further context: Access to AWS accounts owned by third parties.


AWS BYO Account Checklist:

In your Payer account,

Vocareum will perform the following steps after your payer account is added:

  • Apply a set of protective SCPs to your Root and the new OU.

  • Create 9 test accounts and verify. You can use the newly created accounts for testing.

  • Create new accounts up to the approved linked account quota.

Note: Alternative Guide for Advanced Setup

For most organizations, we recommend the process outlined in this standard guide. However, if your internal security policies require limiting the organization-level permissions, we can also support a process in which you perform additional setup steps to reduce the AWS permissions Vocareum needs. You can find details on that process here: Cloud Labs: Bring Your Own AWS Account—Advanced.


Enable Service control policies (SCPs)


Create the Vocareum Administrator IAM Role

1. Starting with an unused AWS payer account, navigate to IAM roles in the AWS console and create a new role.


2. Choose Another AWS account from the four options presented. In the Account ID field, please enter 117530877863 and verify that the number was entered correctly before proceeding. Optionally, you can check the option 'Require external ID' and enter a string in the field.

Click 'Next'.


3. We will add the permissions after the role is created. Skip 'Add permissions' for now and click 'Next' at the bottom of the page.


4. Please enter vocareumadmin as the Role name. The role name must be entered correctly for us to assume the role. You may enter 'Admin Access for Vocareum' in the Description but this is not required.

Again, we do not add the permissions in this step. You may add tags if needed.

Click 'Create role' to finish creating the role.


5. After the role is created, open the 'Permissions' tab, click 'Add permissions' and select 'Select inline policy'.

Choose the JSON editor and paste the following policy into it:

Replace <<my-billing-bucket>> (including the angle brackets) with the name of your billing bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*",
        "organizations:List*",
        "organizations:MoveAccount",
        "organizations:CreateAccount",
        "organizations:CreatePolicy",
        "organizations:UpdatePolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::<<my-billing-bucket>>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/vocareum",
        "arn:aws:iam::*:role/voclabs"
      ]
    }
  ]
}

Click 'Next'.

Enter 'vocareumadmin-policy' as the policy name (the name is not critical).

Then click 'Create policy' to create the policy.


6. Back on the 'vocareumadmin' role page, edit the maximum session duration from 1 hour to 12 hours.

Click 'Edit'.

Set the duration to 12 hours, then click 'Save changes'.

The 'vocareumadmin' role setup is completed.


7. Go to the Vocareum Control Center Payers page. Click '+ Add payer' to add your new BYO payer.

Enter the payer account ID, select 'IAM Role' in the Access selection, enter the optional 'External Id' (a string that Vocareum passes in when assuming the vocareumadmin role, for additional security) and the other required information. Click 'Save'.

The 'IAM Role' setup is completed.

Please proceed to the section: Enable Billing Reports.


Enable Billing Reports

1. Click on your account name in the navigation bar to open the drop-down menu. Then, click My Account to navigate to the account settings page.


2. Scroll down to the IAM User and Role Access to Billing Information section.

Check the box next to Activate IAM Access and then click Update.


3. In the Billing and Cost Management Console, choose 'Billing Preferences' from the left panel.

Click 'Edit' to configure your billing bucket to receive the bill files.


4. In the S3 console, allow the vocareumadmin role to retrieve bill files from your billing bucket by doing the following:

Choose your billing bucket from the S3 console, then choose the 'Permissions' tab and scroll to the Bucket policy section.

Click 'Edit' to edit the bucket policy and add the following statement to the policy (replace both <<...>> placeholders with your values):

{
  "Sid": "StmtPayerAccess",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<<your payer account id>>:role/vocareumadmin"
  },
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::<<your billing bucket>>/*"
}

Save the changes to update the policy.
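The three documents above (the trust relationship from step 2, the inline policy from step 5 and this bucket statement) are easy to get subtly wrong: a mistyped account ID hands the role to a stranger, a leftover <<...>> placeholder makes the policy fail, and a missing External ID removes the confused-deputy guard. The following added example (not Vocareum's own tooling) reconstructs the trust policy the console generates for the choices in step 2 and lints the pasted documents offline; the payer account ID and the External ID value are constructed placeholders.

```python
import json
import re

VOCAREUM_ACCOUNT = "117530877863"        # account ID given in step 2
ROLE_NAME = "vocareumadmin"               # role name given in step 4
PLACEHOLDER = re.compile(r"<<[^>]*>>")    # markers such as <<my-billing-bucket>>


def build_trust_policy(external_id=None):
    """Trust policy matching the console choices in step 2: only the Vocareum
    account may assume the role, and when an External ID is set it must be
    presented on every AssumeRole call (the confused-deputy guard)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VOCAREUM_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def lint_setup(trust, inline_policy_text, bucket_stmt_text, payer_account):
    """Offline checks for the mistakes the article warns about; returns a list
    of problem strings (empty when everything is consistent)."""
    problems = []
    stmt = trust["Statement"][0]
    if stmt.get("Principal", {}).get("AWS") != f"arn:aws:iam::{VOCAREUM_ACCOUNT}:root":
        problems.append("trust policy must name exactly account " + VOCAREUM_ACCOUNT)
    if "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
        problems.append("no External ID condition (optional, but recommended)")
    for label, text in (("inline", inline_policy_text), ("bucket", bucket_stmt_text)):
        if PLACEHOLDER.search(text):
            problems.append(label + " policy still contains a <<...>> placeholder")
    if not PLACEHOLDER.search(bucket_stmt_text):
        expected = f"arn:aws:iam::{payer_account}:role/{ROLE_NAME}"
        if json.loads(bucket_stmt_text)["Principal"]["AWS"] != expected:
            problems.append("bucket policy principal should be " + expected)
    return problems


# Constructed sample inputs: the payer account ID is a made-up placeholder.
PAYER_ACCOUNT = "111122223333"
BUCKET_STMT = json.dumps({
    "Sid": "StmtPayerAccess", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{PAYER_ACCOUNT}:role/{ROLE_NAME}"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-billing-bucket/*",
})
```

Run lint_setup(build_trust_policy("example-ext-id"), inline_text, BUCKET_STMT, PAYER_ACCOUNT) on the text you are about to paste; an empty list means the account ID, role name and placeholders are consistent.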


Request AWS to increase the linked accounts quota

By default, an AWS Organization can have up to 9 linked accounts. You will need to open a support ticket from your payer account to request an increase in the linked account quota. The maximum account quota for an organization is 5000.

Here is a sample ticket request:

Dear Support,

We need to increase the Organization linked member account quota to 5000 (or a number you see fit).

We are teaching students how to use AWS services through the AWS console. Each student requires an AWS linked account and there will be quite a few enrolled at once, which is why we need an increase to 5000 now. Due to the increase in online education we need to have 5k accounts available, as we need to complete additional setup for lab use after the accounts are created.


When you have completed these steps, please send an email to support@vocareum.com with the account number of your AWS payer account.
