Organization Level Onboarding for AWS
CloudYali also supports onboarding an entire AWS Organization so that multiple AWS accounts can be managed together. With CloudFormation StackSets, the required IAM role is created in every member account of your AWS Organization in one deployment instead of onboarding accounts one at a time.
Overview
To onboard your AWS Organization, CloudYali uses cross-account IAM roles: CloudYali assumes a role in each of your accounts (AWS STS AssumeRole) from its own account, so you never hand over passwords or long-lived access keys for your accounts.
Prerequisites
Before onboarding, ensure that:
- Your AWS Organization has all features enabled (this is what makes Service Control Policies (SCPs) available, and it is required for service-managed StackSets), and trusted access for CloudFormation StackSets is enabled. The StackSet console offers to enable trusted access when you create a service-managed StackSet if it is not already on.
- You can sign in to the organization's Management Account with permissions to create CloudFormation StackSets.
- You have the CloudFormation template link (the CloudFormation Template link is generated by the onboarding wizard in Step 2).
Onboarding Steps
Step 1: Add AWS Organization in CloudYali Console
- Log in to CloudYali and click on your username in the upper right corner of the console.
- From the dropdown menu, click on "Settings".
- Click on the Connect AWS Account button to launch the account onboarding wizard.
- Choose the AWS Organization option to launch the organization onboarding wizard.
Step 2: Launch CloudFormation StackSets
- Copy the Generated Link: After initiating the onboarding wizard, CloudYali will generate a link for the CloudFormation StackSet.
- Log in to the AWS Management Console as the Management Account for your organization.
- Paste the copied link into another tab of the same browser window that is signed in to the AWS Console. The link pre-fills a StackSet creation page in the account of the current session, which is why it must be opened while signed in as the Management Account.
Step 3: Configure StackSet Settings
- StackSet Permissions: Choose Service-managed permissions. CloudFormation then uses AWS Organizations to deploy into member accounts without you creating execution roles in each account, and it can automatically deploy to accounts that are later added to the targeted OUs.
- Specify Regions: Select the regions where you want the StackSet to be deployed. CloudYali recommends the regions where your accounts are active. Note that an IAM role is a global resource that exists once per account: if the template creates only IAM resources, one region per account is enough, and additional regions are only useful for any regional resources the template creates.
- Verify the StackSet Details but do not modify anything on the page.
- Click "Create StackSet" to proceed.
Step 4: Deploy Stack Instances
- Deploy stack instances of the StackSet to the member accounts in your organization: deploy to the whole organization, or target specific Organizational Units (OUs) to limit the deployment to parts of your AWS Organization.
- Service-managed StackSets do not deploy into the Management Account itself, even when it sits inside a targeted OU; if you want the Management Account onboarded as well, onboard it separately.
- Verify that the StackSet is deployed across all intended accounts and regions.
Step 5: Verify Onboarding Status
- Return to the CloudYali Console: CloudYali will attempt to detect the IAM role creation status across all accounts in your AWS Organization.
- Wait for Synchronization: Allow up to 10 minutes for all member accounts to appear in the CloudYali console.
- Once successfully onboarded, CloudYali will initiate a cloud discovery process for each account. You can navigate to the Inventory tab in the CloudYali console to view discovered assets.
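The following is an added example for the verification in Step 5; it is not CloudYali's code and does not talk to AWS. It assumes you have saved the output of `aws organizations list-accounts` and `aws cloudformation list-stack-instances --stack-set-name <name>` to JSON (the sample documents below are constructed, and all account IDs are placeholders) and reports which member accounts have a healthy stack instance, which failed, which were never reached, and whether the Management Account still needs the template launched separately.

```python
import json

# Constructed sample shaped like `aws organizations list-accounts`.
# Account IDs are placeholders (assumption), not real accounts.
ACCOUNTS_JSON = """{"Accounts": [
  {"Id": "111111111111", "Name": "management",  "Status": "ACTIVE"},
  {"Id": "222222222222", "Name": "prod",        "Status": "ACTIVE"},
  {"Id": "333333333333", "Name": "dev",         "Status": "ACTIVE"},
  {"Id": "444444444444", "Name": "analytics",   "Status": "ACTIVE"},
  {"Id": "555555555555", "Name": "old-sandbox", "Status": "SUSPENDED"}
]}"""

# Constructed sample shaped like
# `aws cloudformation list-stack-instances --stack-set-name <name>`.
# Only prod and dev have instances; dev's creation failed.
INSTANCES_JSON = """{"Summaries": [
  {"Account": "222222222222", "Region": "us-east-1", "Status": "CURRENT",
   "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
  {"Account": "333333333333", "Region": "us-east-1", "Status": "OUTDATED",
   "StatusReason": "Stack creation failed (constructed sample reason)",
   "StackInstanceStatus": {"DetailedStatus": "FAILED"}}
]}"""


def onboarding_report(accounts_json, instances_json, management_account_id):
    """Compare Organization membership with StackSet instance status.

    Returns a dict with:
      deployed: accounts whose every instance is CURRENT and SUCCEEDED
      failed:   {account: reason} for accounts with an unhealthy instance
      missing:  ACTIVE member accounts with no stack instance at all
      management_account_needs_stack: True when the management account has
        no instance (service-managed StackSets never deploy there, so the
        template must be launched in it separately)
    Suspended accounts are ignored; they cannot be onboarded.
    """
    accounts = json.loads(accounts_json)["Accounts"]
    summaries = json.loads(instances_json)["Summaries"]

    active = {a["Id"] for a in accounts if a["Status"] == "ACTIVE"}

    deployed, failed = set(), {}
    for s in summaries:
        detailed = s.get("StackInstanceStatus", {}).get("DetailedStatus")
        if s.get("Status") == "CURRENT" and detailed == "SUCCEEDED":
            deployed.add(s["Account"])
        else:
            reason = s.get("StatusReason") or f"{s.get('Status')}/{detailed}"
            failed[s["Account"]] = reason
    # An account with one failed region is not healthy, even if others succeeded.
    deployed -= set(failed)

    seen = deployed | set(failed)
    members = active - {management_account_id}
    return {
        "deployed": sorted(deployed),
        "failed": failed,
        "missing": sorted(members - seen),
        "management_account_needs_stack": management_account_id not in seen,
    }


if __name__ == "__main__":
    report = onboarding_report(ACCOUNTS_JSON, INSTANCES_JSON, "111111111111")
    print(json.dumps(report, indent=2))
```

Accounts listed under `missing` are usually in an OU the StackSet was not targeted at, or were created after the deployment without automatic deployment enabled; accounts under `failed` carry CloudFormation's `StatusReason`, which is the first place to look when an account does not show up in the CloudYali console after the synchronization window.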
Managing AWS Organization Accounts
- View All Accounts: In the CloudYali console, click on "AWS Accounts" to view all member accounts that are onboarded.
- Remove a Member Account: Select the AWS account from the list and click "Remove". CloudYali then stops syncing with that account and deletes the data it holds for it. Because CloudYali has no write access to your accounts, the cross-account IAM role itself stays in place; to revoke CloudYali's access, also delete that account's stack instance from the StackSet (or delete the StackSet).
Security Considerations
- No Write Permissions Required: CloudYali never requests write permissions for your AWS accounts; the role it assumes is read-only.
- Cross Account IAM Role: Access is granted only by a role your account controls and can revoke at any time, and no passwords or access keys for your accounts are ever shared with CloudYali.
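The page does not reproduce the template's IAM documents, so the checks below are generic ones for any third-party cross-account role. This is an added example, not CloudYali's code: it assumes you have exported the role's trust policy and its permission policies (for example with `aws iam get-role` and `aws iam get-role-policy` / `aws iam get-policy-version`) and the vendor account ID the onboarding wizard shows. The sample documents are constructed, and the vendor account ID and external ID in them are placeholders. It flags trust statements that admit principals other than the vendor account or that lack the `sts:ExternalId` condition AWS recommends against the confused-deputy problem, and lists allowed actions that are not obviously read-only.

```python
# Constructed sample documents; account ID and external ID are placeholders.
VENDOR_ACCOUNT = "123456789012"

GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Same role, but assumable from any AWS account and with no external ID.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}

READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:Describe*", "s3:ListAllMyBuckets",
                              "s3:GetBucketPolicy", "iam:ListRoles"]}],
}

OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:*", "ec2:TerminateInstances"]},
        {"Effect": "Deny", "Resource": "*", "Action": "iam:*"},
    ],
}

# Action-name prefixes treated as read-only by this coarse check.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Lookup", "Search", "View", "Check")


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, vendor_account):
    """Return findings for every Allow statement that grants sts:AssumeRole.

    A third-party role should trust only the vendor's account and require an
    sts:ExternalId under StringEquals (not the weaker StringEqualsIfExists).
    """
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                          else _as_list(principal))
        for p in aws_principals:
            p = str(p)
            if p == "*" or not (p == vendor_account or f":{vendor_account}:" in p):
                findings.append(f"statement {i}: principal {p!r} is not vendor account {vendor_account}")
        conditions = stmt.get("Condition", {})
        if "sts:ExternalId" not in conditions.get("StringEquals", {}):
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
    return findings


def write_actions(doc):
    """Return allowed actions that are not obviously read-only.

    Wildcards such as "s3:*" are reported because they include writes, and a
    NotAction statement is reported because it grants everything not listed.
    A prefix check is a screen, not a substitute for reading the policy.
    """
    found = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            found.add("<NotAction statement grants everything not listed>")
        for action in _as_list(stmt.get("Action")):
            _, _, name = action.partition(":")
            if action == "*" or name == "*" or not name.startswith(READ_ONLY_PREFIXES):
                found.add(action)
    return sorted(found)


if __name__ == "__main__":
    print("good trust:", audit_trust_policy(GOOD_TRUST_POLICY, VENDOR_ACCOUNT))
    print("bad trust:", audit_trust_policy(BAD_TRUST_POLICY, VENDOR_ACCOUNT))
    print("read-only:", write_actions(READ_ONLY_POLICY))
    print("broad:", write_actions(OVERLY_BROAD_POLICY))
```

Run the two functions against the documents the deployed role actually carries: an empty list from `audit_trust_policy` and from `write_actions` is what a read-only, single-tenant cross-account role looks like, and anything else is worth raising before the stack instances reach production accounts.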
© 2024 CloudYali. All rights reserved.