Onboarding Multiple AWS Linked Accounts to nOps with CloudFormation
nOps needs secure, AWS-approved access to your AWS accounts in order to produce the analysis, dashboards, and reports you rely on. It sees only what you explicitly grant it, nothing more, and nothing happens until you grant that permission.
To credential and register multiple accounts at once, the setup uses AWS Organizations, CloudFormation stacks and StackSets, and Lambda.
For multi-account setup, nOps recommends the use of CloudFormation (this setup) instead of Terraform (intended for advanced users with specific requirements).
Before you add multiple AWS accounts to nOps with CloudFormation, make sure that:
- You have administrator permissions in the AWS management account (a StackSet with service-managed permissions is created from the management account or from a registered CloudFormation delegated administrator).
- You can reach the public nOps GitHub repository nOps Cloud Account Registration.
- You have already configured your Payer (management) account in nOps.
- Trusted access for CloudFormation StackSets is enabled in AWS Organizations (see below).
Once you’ve taken care of the prerequisites, the next steps are simple and straightforward.
Adding Multiple AWS Accounts (CloudFormation)
Download the nOps member account registration YAML file from the repository to your machine; it is the CloudFormation template you will upload for the StackSet. You will also need an nOps API key.
Generate your API key
To generate your API key for use with CloudFormation Stacksets, log into the nOps platform.
- Click on your email address to the top right of the platform
- Navigate to Organization Settings > API Key
- Click “Let’s Generate Your API Key”
- Enter a key name and a description.
- When you click Save, a pop-up displays a one-time key. Copy it straight into a password manager or secrets store; it cannot be displayed again, and it is a credential for your nOps organization, so treat it like any other secret rather than leaving it in a scratch text file.
To enable CloudFormation StackSets in AWS Organizations, go to AWS Organizations > Services and open CloudFormation StackSets. If it shows Access disabled, enable trusted access there.
Once enabled, the entry shows Access enabled.
The same setting is also reachable from CloudFormation > StackSets (Enable trusted access). It is one organization-level setting, so confirming it in either console is enough.
Create a StackSet for the Linked Accounts
CloudFormation StackSets can target many accounts and regions at once. To create and deploy the StackSet for the linked accounts, log in to your management account (a registered CloudFormation delegated administrator account also works).
From within AWS Console > CloudFormation > StackSets, click Create StackSet.
The creation of a StackSet has 5 steps:
Step 1 (Choose a template)
In the Specify template section, choose Upload a template file option.
Click Choose file.
AWS opens a file picker. In your local copy of the repository, navigate to nops-cloud-account-registration/nops-aws-account-register/cloudformation-org-member-accounts-register/ and select member_consolidated_aws_acc_nops_register.yaml. Deploying to organizational units in step 4 requires the Service-managed permissions model, so select it wherever the wizard asks for the permission model.
Step 2 (Specify StackSet details)
Provide a StackSet name.
(Optional) Add a Description for the StackSet.
Provide the nOpsAPIKey parameter: paste the key you copied earlier. Before you do, check that the template declares this parameter with NoEcho: true; otherwise the value is shown in plain text in the CloudFormation console and in DescribeStacks output in every member account.
Step 3 (Configure StackSet options)
(Optional) enter any tags for the StackSet.
In the Execution configuration section, leave Inactive selected (managed execution off, so StackSet operations run one at a time).
Step 4 (Set deployment options)
In the Add stacks to stack set section, select the Deploy new stacks option.
In the Deploy targets section, select the Deploy stacks in organizational units option.
Provide the organizational unit ID (ou-…). Every account under that OU receives a stack, and accounts added to the OU later receive one too if automatic deployment is left enabled.
In the Specify regions section, select your desired region.
In the Deployment options section, select Parallel for region concurrency (optional; it only matters if you selected more than one region).
Step 5 (Review), review and create the stackset.
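The five console steps above, plus the trusted-access check from the prerequisites, as a single AWS CLI script. This is an added example and not nOps' own tooling or anything from the nops-cloud-account-registration repository; the StackSet name, the automatic-deployment setting and the CAPABILITY_NAMED_IAM capability are assumptions, and the OU ID, region and template path come from your environment. It keeps the API key off the command line and checks the operation result, which the console flow leaves to you.

```shell
#!/bin/sh
# Added example, not nOps' own tooling: steps 1-5 above driven from the AWS CLI
# instead of the console, plus the trusted-access check from the prerequisites.
# Run it from the management account (or a CloudFormation StackSets delegated
# administrator) with credentials already configured for the AWS CLI.
#
# Assumptions, all adjustable through the environment:
#   STACKSET_NAME  any name you like for the StackSet
#   TEMPLATE_FILE  local path to member_consolidated_aws_acc_nops_register.yaml
#   OU_ID          the organizational unit to deploy to (ou-xxxx-xxxxxxxx)
#   REGION         the single region chosen in step 4
#   NOPS_API_KEY   the one-time key from Organization Settings > API Key,
#                  exported in the environment and never written into a script
set -eu

STACKSET_NAME=${STACKSET_NAME:-nops-member-account-registration}
TEMPLATE_FILE=${TEMPLATE_FILE:-member_consolidated_aws_acc_nops_register.yaml}
REGION=${REGION:-us-east-1}

# Prints the StackSets service principal if trusted access is enabled for the
# organization, nothing otherwise. A SERVICE_MANAGED StackSet cannot deploy
# to OUs without it.
check_stacksets_trusted_access() {
  aws organizations list-aws-service-access-for-organization \
    --query "EnabledServicePrincipals[?ServicePrincipal=='member.org.stacksets.cloudformation.amazonaws.com'].ServicePrincipal" \
    --output text
}

# Steps 1-3: template, name, nOpsAPIKey parameter, execution configuration.
# The key is passed through a mode-0600 temporary file rather than on the
# command line, so it does not land in shell history or in `ps` output.
# SERVICE_MANAGED is the permission model that allows OU targets in step 4;
# CAPABILITY_NAMED_IAM is needed if the template creates named IAM resources.
create_nops_stackset() (
  stackset_name=$1
  template_file=$2
  umask 077
  params_file=$(mktemp)
  trap 'rm -f "$params_file"' EXIT
  printf '[{"ParameterKey":"nOpsAPIKey","ParameterValue":"%s"}]' \
    "${NOPS_API_KEY:?export NOPS_API_KEY before running}" > "$params_file"
  aws cloudformation create-stack-set \
    --stack-set-name "$stackset_name" \
    --template-body "file://$template_file" \
    --parameters "file://$params_file" \
    --capabilities CAPABILITY_NAMED_IAM \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --managed-execution Active=false
)

# Step 4: one stack per account under the OU, in the chosen region. Region
# concurrency PARALLEL only matters if you pass more than one region.
# Prints the operation ID.
create_nops_stack_instances() {
  stackset_name=$1
  ou_id=$2
  region=$3
  aws cloudformation create-stack-instances \
    --stack-set-name "$stackset_name" \
    --deployment-targets "OrganizationalUnitIds=$ou_id" \
    --regions "$region" \
    --operation-preferences RegionConcurrencyType=PARALLEL,FailureToleranceCount=0,MaxConcurrentCount=1 \
    --query OperationId --output text
}

# Step 5 follow-up: poll until the operation settles and print its final
# status. Anything but SUCCEEDED means at least one member account did not
# get its stack; list-stack-instances (below) shows which and why.
wait_for_operation() {
  stackset_name=$1
  op_id=$2
  while :; do
    status=$(aws cloudformation describe-stack-set-operation \
      --stack-set-name "$stackset_name" --operation-id "$op_id" \
      --query StackSetOperation.Status --output text)
    case "$status" in
      QUEUED|RUNNING|STOPPING) sleep 15 ;;
      *) echo "$status"; return 0 ;;
    esac
  done
}

# Entry point: `sh nops_stackset.sh run` performs the deployment.
if [ "${1:-}" = "run" ]; then
  if [ -z "$(check_stacksets_trusted_access)" ]; then
    echo "Enable trusted access for CloudFormation StackSets in AWS Organizations first" >&2
    exit 1
  fi
  create_nops_stackset "$STACKSET_NAME" "$TEMPLATE_FILE"
  op_id=$(create_nops_stack_instances "$STACKSET_NAME" "${OU_ID:?export OU_ID (ou-...)}" "$REGION")
  wait_for_operation "$STACKSET_NAME" "$op_id"
  aws cloudformation list-stack-instances --stack-set-name "$STACKSET_NAME" \
    --query 'Summaries[].[Account,Region,Status,StatusReason]' --output table
fi
```

Run it as `NOPS_API_KEY=... OU_ID=ou-... sh nops_stackset.sh run`. The temporary parameters file only keeps the key out of your shell history and process listing; if the template declares nOpsAPIKey without NoEcho, the value is still readable afterwards through DescribeStacks in each member account, so check the template before you deploy.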
Once the StackSet operation has succeeded, allow several hours for nOps to fetch data from the newly registered accounts; the setup is complete when that data has arrived.
Note: It can take up to 24 hours before the nOps dashboards and compliance views are populated with data from your workloads.
If you have any questions, please contact us at firstname.lastname@example.org.
On initial ingestion, nOps pulls data from the AWS accounts over the following windows:
- Cost data: 6 months look back plus the current month.
- Rules: current date.
- CloudTrail events: 14 day look back.