CloudThrottle Detailed Integration Instructions

CloudThrottle Integration Instructions for AWS Tenant Setup:

This guide provides a complete, step-by-step approach for tenants to configure their AWS infrastructure to integrate with the CloudThrottle SaaS platform for comprehensive resource management, budget control, and monitoring.

Definitions and Prerequisites

  1. Tenant Root/Master Account: The main AWS account in the tenant's infrastructure, primarily used for organizational management and budget control.
  2. Tenant Management Account (CT7_Mng): A dedicated management account that acts as a "jump" account, securely linking CloudThrottle with the tenant’s AWS environment.
  3. CloudThrottle SaaS Account: The CloudThrottle account that facilitates communication with and management of tenant resources.
  4. Child Accounts: Sub-accounts within the AWS Organization (e.g., Dev, Prod, Test) that CloudThrottle will manage.
  5. Note: CT7 is the alias for CloudThrottle used in account, role, and permission prefixes.
  6. Assumptions: For security purposes, the following account IDs are placeholders; please contact CloudThrottle Support for the actual account IDs, in particular the CloudThrottle SaaS Account ID.
    • Tenant Root/Master Account ID: 555555555
    • Tenant Management Account (CT7_Mng): 222222222
    • CloudThrottle SaaS Account: 777777777

1. Set Up Organizational Structure

Navigation & Validation Checklist

Where to Navigate?

  • AWS Management Console > AWS Organizations

What to Check?

  • Ensure all relevant accounts that CloudThrottle will manage are included.
  • Optional: Create Organizational Units (OUs) for different environments (Dev, Prod, Test).

Why This is Important?

  • Helps CloudThrottle apply policies consistently across different environments.
  • Standardized OU names improve manageability.

Steps:

  1. If you have an existing AWS Organization: Ensure it includes all relevant accounts that CloudThrottle will manage.
  2. Optional: Create identifiable organizational units (OUs) within AWS Organization to represent various environments, such as:
    • Dev – Development environment
    • Prod – Production environment
    • Test – Testing environment
  3. Naming Conventions: Standardize OU names to maintain a clear and manageable structure.

2. Configure Roles and Permissions for CloudThrottle Access

2.1 Create the Tenant Management Account (CT7_Mng)

Navigation & Validation Checklist

Where to Navigate?

  • AWS Management Console > AWS Organizations > Accounts

What to Check?

  • Confirm that a dedicated CT7_Mng account exists.
  • Ensure the account is under the correct OU (e.g., CT7_Org).

Why This is Important?

  • A separate management account secures access control and facilitates streamlined integration with CloudThrottle.

Steps:

  1. Log in to the Master Account and create a new account (if not already existing) designated as the Tenant Management Account (CT7_Mng).
  2. Move this account under the appropriate OU, such as CT7_Org (or another chosen OU based on your organizational structure).

2.2 Create the ct7-cross-account-role in the Tenant Management Account

Navigation & Validation Checklist

Where to Navigate?

  • AWS Management Console > IAM > Roles

What to Check?

  • Role name: ct7-cross-account-role
  • Trust Policy: Allow only CloudThrottle SaaS Account (777777777) to assume this role.

Why This is Important?

  • Restricts access and ensures secure cross-account operations.

This role will enable CloudThrottle to assume control of resources within the tenant’s AWS infrastructure securely.

Steps:

  1. In the Tenant Management Account (CT7_Mng), create a role named ct7-cross-account-role.
  2. Set up the Trust Policy for the role to allow only the CloudThrottle SaaS Account (777777777) to assume this role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::777777777:role/CloudThrottleRole" },
      "Action": "sts:AssumeRole"
    }
  ]
}

  3. No specific permissions need to be attached, as this role is intended solely as a trust-based gateway.

3. Create and Deploy StackSet for CT7MemberExecutionRole in Child Accounts

This StackSet will automatically create and manage the CT7MemberExecutionRole in each child account as they are added under the specified organizational unit (CT7_Org). The role will allow CloudThrottle to manage resources in each account.

Navigation & Validation Checklist

Where to Navigate?

  • AWS Management Console > CloudFormation > StackSets

What to Check?

  • StackSet Name: CT7MemberExecutionRoleStackSet
  • Target OU: CT7_Org
  • Regions: Select AWS regions where your resources are hosted.
  • Deployment in parallel for efficiency.

Why This is Important?

  • Automates role creation in child accounts, reducing manual work.
  • Ensures CloudThrottle can manage resources in each child account.

3.1 Steps for StackSet Creation

  1. Log into the AWS Management Console as the Master Account.
  2. Navigate to CloudFormation:
    • Go to Services > CloudFormation.
  3. Create a New StackSet:
    • Click on StackSets in the left-hand menu.
    • Choose Create StackSet.
  4. Specify StackSet Details:
    • StackSet Name: Enter a descriptive name, like CT7MemberExecutionRoleStackSet.
    • Template Source: Select Upload a template file.
      • Upload the "ct7-stackset-v1.00.yml" file (download link provided below), which includes the configuration for CT7MemberExecutionRole.
  5. Configure StackSet Parameters:
    • Management Account ID: Enter the Tenant Management Account ID (222222222) in the ManagementPrincipal parameter.
    • Leave other parameters as default unless specified otherwise by CloudThrottle.
  6. Execution Options:
    • Under Administration Role, use the default settings if creating this StackSet in the Master Account.
    • Ensure Self-managed permissions is selected.
  7. Set Deployment Options:
    • Deployment Targets: Choose Organizational units (OUs) and specify CT7_Org as the target OU.
    • Regions: Select the AWS regions where the role should be created (typically where your resources are hosted).
    • Deployment Options: Choose Deploy stacks in parallel.
  8. Permissions:
    • Verify that the Master Account has the necessary permissions to create the StackSet and deploy resources across target accounts.
  9. Review and Acknowledge:
    • Review all configurations, confirm deployment targets and parameters.
    • Check the box to Acknowledge that AWS CloudFormation might create IAM resources.
  10. Create StackSet:
    • Click Submit to create the StackSet.
    • CloudFormation will now deploy the CT7MemberExecutionRole across all child accounts in the specified OU (CT7_Org).

Download Required Permissions

Download ct7-stackset-v1.yml

Sample StackSet Template for CT7MemberExecutionRole

AWSTemplateFormatVersion: "2010-09-09"
Description: "Creates CT7MemberExecutionRole in each child account (deployed via StackSet)"

Parameters:
  ManagementPrincipal:
    Type: String
    Description: "Account ID of the Tenant Management Account (CT7_Mng) that hosts ct7-cross-account-role"

Resources:
  CT7MemberExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "CT7MemberExecutionRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              # Only the jump role in the Tenant Management Account may assume this role
              AWS: !Sub "arn:aws:iam::${ManagementPrincipal}:role/ct7-cross-account-role"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "CT7MemberPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ec2:DescribeInstances"
                  - "rds:DescribeDBInstances"
                  - "ecs:DescribeClusters"
                Resource: "*"

Note: Customize actions based on the resources CloudThrottle needs to manage within each child account.

4. Create CT7OrganizationsRole in the Master Account

This role enables CloudThrottle to interact with AWS Organizations for account and budget management.

Navigation & Validation Checklist

Where to Navigate?

  • AWS Management Console > IAM > Roles

What to Check?

  • Role name: CT7OrganizationsRole
  • Trust Policy: Allows only CT7_Mng to assume this role.
  • Permissions: organizations:ListAccounts, organizations:CreateAccount, organizations:MoveAccount.

Why This is Important?

  • Allows CloudThrottle to manage AWS Organizations efficiently.

Steps:

  1. In the Master Account, create a role named CT7OrganizationsRole.
  2. Attach the following Trust Policy, which allows only the ct7-cross-account-role in CT7_Mng to assume this role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222:role/ct7-cross-account-role" },
      "Action": "sts:AssumeRole"
    }
  ]
}

  3. Permissions Policy for CT7OrganizationsRole:
    • Actions: organizations:ListAccounts, organizations:CreateAccount, organizations:MoveAccount, etc.
    • Resource Scope: Only organizational resources within the tenant's AWS environment.

5. Verification and Testing

Navigation & Validation Checklist

Where to Navigate?

  • AWS Management Console > CloudFormation > StackSets
  • AWS Management Console > IAM > Roles

What to Check?

  • Ensure StackSet deployment is successful in CloudFormation.
  • Verify that CT7MemberExecutionRole exists in each child account.
  • Test access by assuming CT7MemberExecutionRole in each child account and listing EC2 instances.

Why This is Important?

  • Ensures integration is working correctly before CloudThrottle begins managing resources.
  • Identifies any permission or setup issues early on.

Steps:

  1. Verify StackSet Deployment:
    • Monitor the StackSet status in CloudFormation to ensure it’s successfully deployed across all targeted child accounts.
  2. Check Role in Child Accounts:
    • Verify that the CT7MemberExecutionRole is created in each child account with correct permissions.
  3. Testing Access:
    • Confirm that the Tenant Management Account (CT7_Mng) can assume the CT7MemberExecutionRole in each child account and perform necessary actions, such as listing EC2 instances.
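An added example (not part of this guide) that performs step 3 programmatically with boto3: from credentials of a principal in CT7_Mng, it assumes CT7MemberExecutionRole in each child account and lists EC2 instances per region, recording where either hop fails. It assumes boto3 is installed and that the calling principal is allowed sts:AssumeRole on the member role ARNs; the child account IDs, regions, session name and sample EC2 response are constructed placeholders.

```python
def member_role_arn(account_id):
    """ARN of the role the StackSet created in a child account."""
    return f"arn:aws:iam::{account_id}:role/CT7MemberExecutionRole"

def instance_summary(describe_response):
    """Reduce an ec2:DescribeInstances response to (instance_id, state) pairs."""
    return [(i["InstanceId"], i["State"]["Name"])
            for r in describe_response.get("Reservations", [])
            for i in r.get("Instances", [])]

def verify_child_accounts(child_account_ids, regions, session_name="ct7-verify"):
    """For every child account: assume CT7MemberExecutionRole, then list EC2 in each region.

    Returns {account_id: {"assume_role": "ok" | "FAILED: ...", region: [...] | "FAILED: ..."}}.
    Run with credentials of a principal in CT7_Mng that may call sts:AssumeRole on those roles.
    """
    import boto3  # assumption: boto3 is installed; imported here so the helpers stay importable without it

    sts = boto3.client("sts")
    report = {}
    for acct in child_account_ids:
        try:
            creds = sts.assume_role(RoleArn=member_role_arn(acct),
                                    RoleSessionName=session_name)["Credentials"]
        except Exception as exc:  # typically AccessDenied: StackSet not deployed or trust policy wrong
            report[acct] = {"assume_role": f"FAILED: {exc}"}
            continue
        report[acct] = {"assume_role": "ok"}
        for region in regions:
            ec2 = boto3.client("ec2", region_name=region,
                               aws_access_key_id=creds["AccessKeyId"],
                               aws_secret_access_key=creds["SecretAccessKey"],
                               aws_session_token=creds["SessionToken"])
            try:  # a failure here means the role exists but CT7MemberPolicy lacks ec2:DescribeInstances
                report[acct][region] = instance_summary(ec2.describe_instances())
            except Exception as exc:
                report[acct][region] = f"FAILED: {exc}"
    return report

# Constructed sample response, used to show the summary shape without calling AWS.
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0", "State": {"Name": "running"}},
    {"InstanceId": "i-0fedcba9876543210", "State": {"Name": "stopped"}}]}]}

if __name__ == "__main__":
    # Placeholder child account IDs and regions; replace with your own.
    print(verify_child_accounts(["111111111", "333333333"], ["us-east-1", "eu-west-1"]))
```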

Permissions Summary Table

Role: ct7-cross-account-role
  Location: Tenant Management Account (CT7_Mng)
  Purpose: Allows CloudThrottle SaaS to assume this role to access the Jump Account, through which it can then assume the CT7MemberExecutionRole in child accounts for resource management
  Permissions Required:
    • sts:AssumeRole - Trust policy allowing only the CloudThrottle SaaS account

Role: CT7OrganizationsRole
  Location: Master Account
  Purpose: Used only for account creation, moving accounts, and listing organizational details
  Permissions Required:
    • organizations:CreateAccount - Create new accounts
    • organizations:MoveAccount - Move accounts between OUs
    • organizations:List* - List organization resources

Role: CT7MemberExecutionRole
  Location: Child Accounts
  Purpose: Enables CloudThrottle to manage resources within child accounts
  Permissions Required:
    • ec2:StartInstances, ec2:StopInstances - EC2 management
    • rds:StartDBInstance, rds:StopDBInstance - RDS management
    • ecs:StartTask, ecs:StopTask - ECS management
    • s3:ListBucket, s3:GetObject, s3:PutObject - S3 access
    • sns:Publish - Sending alerts and notifications
    • budgets:ViewBudget, budgets:UpdateBudget - Manage budgets in child accounts

Role: CloudFormation StackSet
  Location: Master Account
  Purpose: Automates the creation of roles (such as CT7MemberExecutionRole) in child accounts under the CT7_Org OU and deploys them to specific regions
  Permissions Required:
    • cloudformation:CreateStackSet - Create StackSets
    • cloudformation:UpdateStackSet - Update StackSets
    • cloudformation:DeleteStackSet - Delete StackSets
    • cloudformation:CreateStackInstances - Create stack instances
    • cloudformation:DeleteStackInstances - Remove stack instances
    • organizations:ListOrganizationalUnitsForParent - Deploy stacks across specified OUs