User profile configuration

Use the steps below to configure your AWS account.
How to configure AWS in totalcloud?

- Login to the totalcloud app using your totalcloud user credentials.
- Click the ‘Live’ button to configure your AWS account (if you have already configured your AWS account, this screen will not be shown).

You can also change your configurations at a later stage.

For Cross Account Access
- Select Cross Account Access
- Enter the ARN (mandatory) and the S3 billing bucket (if needed)
- Click on SAVE

For Key Based Access
- Select Key Based Access.
- Enter the Access Key, Secret Key and S3 billing bucket (if needed).
- Click on SAVE

Refer to the sections below to create the role ARN and the S3 billing bucket. If you have already created an S3 billing bucket, specify the same name.

How to create a cross account role in AWS console?

Log in to the AWS console

- Log in to your AWS console

- Select Services -> IAM -> Roles in the AWS console

- Click Create new role

Provide access to the role

- Select Role for cross-account access

- Select Provide access between your AWS account and a 3rd party AWS account

- Copy the External ID and Account ID from totalcloud's user configuration page

- No need to enable Require MFA

Attach ReadOnlyAccess

- Search for ReadOnlyAccess in the search bar, select it and press Next.

The ReadOnlyAccess policy gives totalcloud read access to all your resources. With this policy alone, totalcloud cannot make any changes to your current infrastructure.

The ReadOnlyAccess policy enables the Monitoring, Cost Analyzer (if an S3 billing bucket is configured), Insights and Security compliance features of totalcloud. Automation and Operations require additional permissions (optional).

See below for configuring the policy for Automation and Operations.

Set the Role

- Set the Role name and description and click Create role

- Copy the Role ARN and paste it into the user configuration panel as shown in the Login step above.


How to configure policy for Operations and Automation features?

Create Policy

- Select Services -> IAM -> Policies in the AWS console

- Click Create policy

You can either use totalcloud's recommended policy as defined below, or select Policy Generator to create your own policy by choosing the Services and Actions you require. This option lets you control which actions are allowed for each resource.

Note: If the relevant permissions for a resource are not enabled, the corresponding operations will not be supported by the tool.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1493631443000",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:AttachLoadBalancerToSubnets",
                "elasticloadbalancing:ConfigureHealthCheck",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RemoveTags",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1493631556000",
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:AddTags",
                "elasticmapreduce:AddJobFlowSteps",
                "elasticmapreduce:RemoveTags",
                "elasticmapreduce:SetTerminationProtection",
                "elasticmapreduce:SetVisibleToAllUsers",
                "elasticmapreduce:TerminateJobFlows"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1493631625000",
            "Effect": "Allow",
            "Action": [
                "elasticache:AddTagsToResource",
                "elasticache:CopySnapshot",
                "elasticache:CreateSnapshot",
                "elasticache:DeleteSnapshot",
                "elasticache:RebootCacheCluster",
                "elasticache:RemoveTagsFromResource"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1493631693000",
            "Effect": "Allow",
            "Action": [
                "rds:AddTagsToResource",
                "rds:RebootDBInstance",
                "rds:RemoveTagsFromResource"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1493631776000",
            "Effect": "Allow",
            "Action": [
                "cloudfront:DeleteCloudFrontOriginAccessIdentity",
                "cloudfront:DeleteDistribution",
                "cloudfront:UpdateCloudFrontOriginAccessIdentity"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1493631881000",
            "Effect": "Allow",
            "Action": [
                "ecs:CreateService",
                "ecs:DeleteCluster",
                "ecs:DeleteService",
                "ecs:RunTask",
                "ecs:StartTask",
                "ecs:StopTask",
                "ecs:UpdateService"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1493631976000",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteBucketWebsite",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketCORS",
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:GetLifecycleConfiguration",
                "s3:GetObjectTagging",
                "s3:GetReplicationConfiguration",
                "s3:PutAccelerateConfiguration",
                "s3:PutBucketCORS",
                "s3:PutBucketPolicy",
                "s3:PutBucketTagging",
                "s3:PutLifecycleConfiguration",
                "s3:PutReplicationConfiguration",
                "s3:PutObjectTagging"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1493635821000",
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume",
                "ec2:CreateImage",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DetachVolume",
                "ec2:EnableVolumeIO",
                "ec2:ModifyVolumeAttribute",
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
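Before attaching a policy like the one above, it is worth knowing exactly what it grants beyond ReadOnlyAccess. The following is an added example (not totalcloud's code) that parses an IAM policy document and reports, per service, which actions are granted, which of them mutate or destroy resources, and which statements apply to Resource "*". The embedded policy is a constructed excerpt of the recommended policy so the script runs offline; pass the full document to `summarize_policy` to review it.

```python
"""Summarize what an IAM permission policy grants (added example, not totalcloud's code)."""
import json
from collections import defaultdict

# Constructed excerpt of the recommended policy above (two of its statements),
# embedded so the example runs without AWS access.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1493631693000",
            "Effect": "Allow",
            "Action": ["rds:AddTagsToResource", "rds:RebootDBInstance", "rds:RemoveTagsFromResource"],
            "Resource": ["*"],
        },
        {
            "Sid": "Stmt1493635821000",
            "Effect": "Allow",
            "Action": ["ec2:CreateSnapshot", "ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": ["*"],
        },
    ],
})

# Action verbs that change state; Get/List/Describe actions are treated as read-only.
MUTATING_PREFIXES = ("Create", "Delete", "Put", "Update", "Modify", "Set", "Attach", "Detach",
                     "Add", "Remove", "Reboot", "Start", "Stop", "Terminate", "Run", "Register",
                     "Enable", "Copy", "Configure")
# Subset that removes resources outright and deserves a second look before granting.
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def summarize_policy(policy_json):
    """Return a dict describing the Allow statements of a policy document."""
    policy = json.loads(policy_json)
    summary = {
        "by_service": defaultdict(list),   # service -> granted actions
        "mutating": [],                    # actions that change state
        "destructive": [],                 # actions that delete or terminate
        "wildcard_statements": [],         # Sids whose Resource includes "*"
    }
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            summary["wildcard_statements"].append(stmt.get("Sid", "<no Sid>"))
        for action in _as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            summary["by_service"][service].append(action)
            if verb.startswith(MUTATING_PREFIXES):
                summary["mutating"].append(action)
            if verb.startswith(DESTRUCTIVE_PREFIXES):
                summary["destructive"].append(action)
    summary["by_service"] = dict(summary["by_service"])
    return summary


if __name__ == "__main__":
    result = summarize_policy(SAMPLE_POLICY)
    for service, actions in sorted(result["by_service"].items()):
        print(f"{service}: {', '.join(actions)}")
    print("destructive:", result["destructive"])
    print("statements on Resource *:", result["wildcard_statements"])
```

If you use the Policy Generator instead of the recommended document, running the generated policy through this summary is a quick way to confirm that only the actions you intended (and no Delete or Terminate actions you did not) ended up in it.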

Add the created Policy

- Select Create Your Own Policy as shown in the previous step

- Paste either totalcloud's recommended policy or the custom policy generated with the Policy Generator in the previous step into the policy document section and click Create Policy

- Select IAM -> Roles -> Totalcloud (select the new role created as defined in step 5 above)

- Click Attach Policy

Attach Policy

- Select the newly created policy based on your naming

- Click Attach Policy

After the above step you should see two policies attached to the role:
1. ReadOnlyAccess
2. The newly created custom policy.

How to Configure S3 billing bucket in AWS Console?

Create an S3 bucket, if not already created

- Select Services -> S3 -> Create Bucket

- Provide a name and the relevant details to configure your bucket

Edit Preferences

- Select Your Account -> My Billing Dashboard

- Select Preferences

- Enable Receive Billing Reports

- Type your newly created billing bucket name. Before clicking verify, copy the sample policy and paste it into the billing bucket's permissions as shown in the next step

Set Permissions

- Select Services -> S3

- Select the billing bucket -> Permissions -> Bucket Policy

- Paste the sample policy copied in the previous step and save.

- Once saved, click the verify button as shown in step 3

- Copy the same billing bucket name into the user profile configuration as shown in the Login step

Common issues while configuring the user

Account Number & External ID are wrongly configured

- Go to IAM -> Roles -> "Newly created role" -> Trust Relationships.

- Check that both the Account Number and the External ID match those in the user profile configuration form of the totalcloud app.
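The trust relationship check above, and the "Provide access to the role" step it verifies, can be done mechanically. The following is an added example (not totalcloud's code) that reads the role's trust policy document, in the form the IAM console's "3rd party AWS account" wizard writes it (the Principal is the other account's root ARN and the External ID is a StringEquals condition on sts:ExternalId), and compares the account ID and External ID against the values shown on totalcloud's user configuration page. The sample trust policy and the expected values are constructed placeholders; substitute the real values when you run it.

```python
"""Check a cross-account role's trust relationship (added example, not totalcloud's code)."""
import json

# Constructed placeholders: in practice copy these from totalcloud's user configuration page.
EXPECTED_ACCOUNT_ID = "111122223333"
EXPECTED_EXTERNAL_ID = "example-external-id"

# Constructed trust policy, as IAM -> Roles -> <role> -> Trust Relationships would show it.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _account_id(principal):
    """Extract the account ID from arn:aws:iam::<account-id>:root or a bare account ID."""
    return principal.split(":")[4] if principal.count(":") >= 5 else principal


def check_trust_policy(trust_policy_json, expected_account_id, expected_external_id):
    """Return a list of problems found; an empty list means the trust relationship matches."""
    problems = []
    policy = json.loads(trust_policy_json)
    allow_stmts = [
        s for s in _as_list(policy["Statement"])
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))
    ]
    if not allow_stmts:
        return ["no Allow statement for sts:AssumeRole: nobody can assume this role"]
    for stmt in allow_stmts:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        accounts = {_account_id(p) for p in principals}
        if expected_account_id not in accounts:
            problems.append(
                f"account ID mismatch: trust policy allows {sorted(accounts) or 'no account'}, "
                f"expected {expected_account_id}")
        external_ids = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if not external_ids:
            # Without the External ID condition, any principal in the trusted account may assume the role.
            problems.append("no sts:ExternalId condition on the AssumeRole statement")
        elif expected_external_id not in external_ids:
            problems.append(
                f"External ID mismatch: trust policy has {external_ids}, expected {expected_external_id}")
    return problems


if __name__ == "__main__":
    issues = check_trust_policy(SAMPLE_TRUST_POLICY, EXPECTED_ACCOUNT_ID, EXPECTED_EXTERNAL_ID)
    print("trust relationship OK" if not issues else "\n".join(issues))
```

To check a real role, paste the document from the Trust Relationships tab into `SAMPLE_TRUST_POLICY` (or load it from a file) and set the two expected values; any line printed is the field to correct.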



ARN in totalcloud app does not match with newly created role ARN

- Go to IAM -> Roles -> "Newly created role" in the AWS console.

- Check that the ARN in the AWS console is the same as the one in totalcloud's user configuration form.


Access Key and Secret Key are not correct

- Go to IAM -> Users -> "Newly created user" -> Security Credentials.

- Check that the access key and secret key are the same as those in the user configuration window in the totalcloud app.

Note: The cross account access method takes precedence over key based access when both sets of details are entered in the user configuration form in the totalcloud application.