29Jul

Create AWS cloud credential

Cloud account is sometimes called as cloud credential. You need to initiate cloud credentials to access some information from your cloud resources. For example, Amazon Web Services (AWS), requires access keys and secret keys, Azure requires app registration, GCP requires service account.

To create AWS cloud credential, we need to setup and collect the following information:

AWS Cloud Credential parameters

Account ID
Access key / Secret key

AWS Cloud Credential's policy

Cloud Expense: Cost & Billing policy, Report Name (Cost & Usage report)
Cloud Safe: Security Auditing policy
Cloud Ops: Resource policy

Normally, it costs you when calling AWS Cost Explorer API. No API cost on Azure subscription and GCP project.
For the current version, we use the Cost & Usage report to fetch data on Cost dashboard / trending which avoids API fee. It only costs about $20 per month for fetching data on Forecast & Reserved Instance.

1. Create AWS Cloud Credential

Creating IAM user

Click link to Sign In: https://aws.amazon.com/

Click to AWS IAM console to create IAM user with name CloudSuite_{application} or any name that you want (eg. CloudSuite_expense)

Select Programmatic access to avoid any unexpected access from Console.

Add tag to user (optional)

Owner: your_account (eg. hadd7)
Purpose: CloudSuite_{Application}_Credential (eg. CloudSuite-Credential)

2. Attach the policy

We provide you the policy of Cloud Credential according to the least privileges to avoid any security issue.

Cloud Apps	Policy
Cloud Safe	SecurityAudit, CloudSafeCustomPolicy
Cloud Expense	CostExpenseCustomPolicy (For CostExplorer), CostExpenseServicesCustomPolicy (For CostSaving) ReadOnlyAccess
Cloud Ops	ReadOnlyAccess or Administration if enabling the Service Catalog

Attach the AWS pre-defined policies which is associated with your application such as Security Audit of Cloud Safe, Read-Only of Cloud Expense, Administrator of Cloud Ops.