AWS Onboarding Process

​

Prerequisites

​

Opting in to AWS Compute Optimizer

To opt in to Compute Optimizer:

1. Open the Compute Optimizer console at https://console.aws.amazon.com/compute-optimizer/. If this is your first time using the Compute Optimizer console, the Compute Optimizer landing page is displayed.
2. Choose Get started.
3. On the Account setup page, review the Getting started and Setting up your account sections.
4. The following options are displayed if the account that you’re signed in to is the management account of your organization. Choose one before continuing to the next step.
5. Only this account - Choose this option to opt in only the account that you’re currently signed in to. If you choose this option, Compute Optimizer analyzes resources that are in the individual account, and generates optimization recommendations for those resources.
6. All accounts within this organization - Choose this option to opt in the account you’re currently signed in to, and all of its member accounts. If you choose this option, Compute Optimizer analyzes resources that are in all accounts in the organization, and generates optimization recommendations for those resources.
7. Choose Opt in. By opting in, you indicate that you agree to and understand the requirements to opt in to Compute Optimizer.
8. After you opt in, you’re redirected to the dashboard in the Compute Optimizer console. At the same time, the service immediately starts analyzing the configuration and utilization metrics of your AWS resources. For more information, see Metrics analyzed by AWS Compute Optimizer

​

Enabling Resource Costs

To enable Wiv to extract resource costs accurately, please enable resource-level data tracking at daily granularity by following these steps:

1. Navigate to Cost Management Preferences
2. Select the Cost Explorer Tab
3. Enable the “Resource-level data at daily granularity” option
4. Select “All Services” (Note: This feature is available at no additional cost)
5. Click “Save Preferences” to apply your changes

​

Activate trusted access for stack sets with AWS Organizations

1. Sign in to AWS as an administrator of the management account and open the CloudFormation console at https://console.aws.amazon.com/cloudformation.
2. From the navigation pane, choose StackSets. If trusted access is deactivated, a banner displays that prompts you to activate trusted access.

3. Choose Activate trusted access.

Trusted access is successfully activated when the following banner displays.

---

​

Wiv Onboarding Process - Payer

​

Description

​

Onboarding Process Overview

Welcome to the initial setup guide. This document outlines the necessary steps to integrate your AWS Account with our FinOps automation platform, thereby enhancing your financial operations through effective resource management.

​

Step 1: Establishing Connection with Org/Payer Account

To initiate, connect your Org/Payer account. This primary account holds exclusive information crucial for comprehensive cost and usage analysis. Our system leverages this data to facilitate robust financial optimization strategies.

​

Step 2: Configuration of Cost & Usage Report

We facilitate a detailed Cost & Usage Report (CUR) specific to your AWS environment. This report is pivotal in identifying unnecessary expenditures and uncovering potential savings. It includes:

• S3 Bucket Creation: A dedicated Amazon S3 bucket is created to house the CUR, ensuring your data is securely stored and readily accessible.
• Athena Table and Crawlers: We configure an Athena Table and deploy crawlers to replicate the CUR data to Athena. This setup enables you to execute tailored queries on your report via Wiv, providing insights into cost-saving opportunities.
• Lambda Invocation: An automated Lambda function is designed to trigger these crawlers, ensuring your data is regularly updated and accurate.

Our preliminary checks ensure these configurations are non-existent prior to setup and verify that they fall within the AWS Free Tier.

​

Step 3: Secure Access Configuration

For enhanced security, an IAM Role with an external ID is created at the payer level. This role is pivotal in establishing a secure connection to your AWS account, safeguarding your data and operations.

​

Step 4: Deployment of ‘WivAccessRole’

Upon successful connection with the payer account, deploy the ‘WivAccessRole’. This IAM role is instrumental in extending optimization capabilities to all linked accounts. The deployment is designed to be user-friendly and can be completed swiftly as per the instructions provided.

---

​

For fully automated onboarding process

1. Open your AWS payer account in a new tab
2. From Wiv console go to Integrations > AWS > New AWS integration
3. Add integration name and click “Connect via CloudFormation”

This will open the CloudFormation stack in a new tab in your payer account. No need to change anything, just mark the 2 checkboxes and click “Create stack”. The stack will run and you will see “Deployment in progress” until it’s done. For adding AWS linked accounts, scroll down to Adding AWS Organization Units/Linked Accounts to the StackSet.

---

For manual onboarding, please click on the “connect by entering your onboarding info manually” You can choose between 2 types of CUR: 2.0 or Legacy. Click on “Connect AWS account” which will open CloudFormation in a new tab. Leave all default values, check the boxes, then click “Create Stack”. It will take approximately 5 minutes to complete the installation of all stacks at the account. Wait until you see that all is completed: After the deployment was successful you will need to provide “Role ARN” and “External ID” from the nested stack WivOnBoarding-OrgRoleManagement-XXXXXXXXXXXX.

​

Adding AWS Organization Units/Linked Accounts to the StackSet

Go to “WivOrgStackSet” under “Actions” click on “Add stacks to StackSet”. Under “Set deployment options” choose “Deploy to organization” to deploy the role for all organization Linked accounts. Or “Deploy to organizational units (OUs)” to target specific OUs (you will need to provide “AWS OU ID”). Under “Specify regions” choose “us-east-1” (this is not important as the role is a Global resource and not regional). Leave all other options as default and run the stackset. You will see all your chosen Linked accounts under the “Stack instances” tab. The end result should be a “SUCCEEDED” message in the “Operations” tab. All resources that can be tagged have the following tags:

• Wiv: Wiv-infrastructure
• Wiv:Original:ResourceId: -Stack

The following are infrastructure resources created during the onboarding process: IAM Roles:

• WivAccessRole (in management and member accounts)
• Various Lambda execution roles

S3 Bucket:

• For storing Cost and Usage Reports (CUR)

Lambda Functions:

• PreCheck Lambda
• CUR Initializer Lambda
• S3 CUR Notification Lambda
• Cleanup Bucket Lambda

Glue Resources:

• Glue Crawler
• Glue Database

Athena Resources:

• Athena Database
• Athena Workgroup

CloudFormation StackSet:

• For deploying WivAccessRole to member accounts

CloudWatch Log Groups:

• For Lambda function logs

EventBridge Rules:

• For triggering Lambda functions based on S3 events