AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. AWS Organizations lets you programmatically create new AWS accounts to allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by utilizing a single payment method for every account.

AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. AWS Control Tower creates your landing zone using AWS Organizations, bringing ongoing account management and governance as well as implementation best practices based on AWS’s experience working with thousands of customers as they move to the cloud. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing that your accounts conform to company-wide policies.

AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage deployed IT services and your applications, resources, and metadata. This helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need. With AWS Service Catalog AppRegistry, organizations can understand the application context of their AWS resources. You can define and manage your applications and their metadata, to keep track of cost, performance, security, compliance and operational status at the application level.

CloudCheckr is a cloud management platform for cost, security, utilization, and inventory management. CloudCheckr is a comprehensive cloud management and governance platform that sits on top of AWS environments to provide customers with complete visibility and control over siloed data across AWS infrastructure. As organizations transform their business by leveraging the power of AWS they require total visibility, actionable intelligence, self-healing automation, and business accountability to make the most of their cloud investments. With CloudCheckr, enterprises, service providers, and government agencies can manage a hyper-dynamic, ephemeral, and elastic cloud environment as usage and demand grows. CloudCheckr transforms complexity into clarity, delivering actionable insights and automation in order to mitigate security risks, optimize cloud spend, and increase operational efficiencies.

As more AWS customers adopt a multi-account strategy, they’re utilizing AWS Control Tower to build their landing zones. This strategy incorporates the best practices and recommendations from AWS to secure, segregate, and manage your workloads. In order to support the account adoption and proliferation, CloudCheckr has developed an integration with AWS Control Tower to enable the onboarding of new AWS accounts into CloudCheckr. CloudCheckr utilizes automation to integrate with AWS Control Tower lifecycle events. Check this blog post for integrating CloudCheckr cloud management platform with AWS Control Tower.

In this blog, we will demonstrate how to leverage AWS Service Catalog to provision a managed account in an AWS Organization with CloudCheckr integration. This will allow you to benefit from automation to integrate with CloudCheckr in cases where your organization has not yet migrated to using an AWS Control Tower landing zone solution. Our Service Catalog integration also provides standardization for using CloudCheckr and a prescriptive approach for CloudCheckr integration.

We will provide a step-by-step walkthrough of the solution along with necessary templates and snippets to achieve a complete automation.

Architecture

The figure below illustrates the overall architecture of automating account provisioning with CloudCheckr integration.

The overall architecture highlights the process of automating account provisioning from the management account, along with integration with third-party software such as CloudCheckr for cloud financial management, in a multi-account AWS environment governed by AWS Organizations.

Figure 1: Architecture of automating account provisioning with CloudCheckr integration

Prerequisites

To run this solution, you must have the following prerequisites:

  • AWS Organizations within your AWS environment. If you have not already created AWS Organizations for your AWS account, follow this tutorial.
  • A CloudCheckr subscription and an Admin Access API Key, which you can procure from the CloudCheckr console. Once logged in, click Admin Functions (top right) → Admin API Keys → + New Admin Access Key. In the Create new Access Key screen, type the description Test_Key and click Create. Save the 64-byte API key for the following steps.
  • AWS CLI version 2

Solution Walkthrough

This walkthrough provides step-by-step instructions for deploying the account provisioning automation along with integration to CloudCheckr in a multi-account environment with AWS Organizations.

Step 1: Clone GitLab repo and set environment variables

First, let’s clone the GitHub repository to download the code for this automation process and set a few environment variables using the commands below. The snippets are available in this GitHub repo.

git clone https://github.com/aws-samples/amazon-account-automation-cloudchekr.git
cd amazon-account-automation-cloudchekr
export AWS_DEFAULT_REGION=us-east-1   # exported so the AWS CLI picks it up
AAP_AWS_REGION=us-east-1              # change this to match your region
AAP_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
AAP_USER_ARN=$(aws sts get-caller-identity --query 'Arn' --output text)
AAP_CLOUDCHECKR_API_KEY=<<64 byte CloudCheckr Admin Access API Key saved above>>
AAP_SUPPORT_EMAIL=<<Your Email to Contact for Support>>

Step 2: Create Amazon S3 Buckets and load artifacts from Github

Next, let’s create the S3 buckets required to run this solution in your AWS account.

## Artifact S3 Bucket
aws s3api create-bucket \
--bucket "config-${AAP_ACCOUNT_ID}"

## CloudCheckr CloudTrail S3 Bucket
aws s3api create-bucket \
--bucket "cloudtrailbucket-${AAP_ACCOUNT_ID}"

## CloudCheckr Current Billing (CUR) S3 Bucket
aws s3api create-bucket \
--bucket "curbucket-${AAP_ACCOUNT_ID}"

## CloudCheckr DBR Billing S3 Bucket
aws s3api create-bucket \
--bucket "dbrbucket-${AAP_ACCOUNT_ID}"

## Config and Logs S3 Bucket
aws s3api create-bucket \
--bucket "configbucket-${AAP_ACCOUNT_ID}"

Use the command below to upload each file downloaded from the GitHub repo to the newly created S3 bucket config-${AAP_ACCOUNT_ID}.

aws s3 sync . s3://config-${AAP_ACCOUNT_ID}

Step 3: Account provisioning baseline setup

In this step, you will utilize the AccountCreationLambdaSetup-cfn.yaml CloudFormation template to deploy a base infrastructure for this solution. This includes a self-service AWS Service Catalog model for deploying member accounts. Here’s the AWS CLI command to deploy this base infrastructure using AWS CloudFormation:

aws cloudformation create-stack \
--stack-name account-builder-stack \
--template-body file://AccountCreationLambdaSetup-cfn.yaml \
--parameters ParameterKey=UserRoleARN,ParameterValue=$AAP_USER_ARN \
ParameterKey=ArtifactBucketName,ParameterValue="config-${AAP_ACCOUNT_ID}" \
ParameterKey=CloudCheckrApiKey,ParameterValue=$AAP_CLOUDCHECKR_API_KEY \
ParameterKey=AccountVendingMachineSupportEmail,ParameterValue=$AAP_SUPPORT_EMAIL \
--capabilities CAPABILITY_IAM

The following resources are provisioned by this AWS CloudFormation template:

  • An AWS Lambda function in the management AWS account, which performs the member AWS account creation and CloudCheckr integration.
  • An AWS Service Catalog Portfolio to which the account vending AWS Service Catalog Product will be attached. Check this documentation for getting started with AWS Service Catalog.
  • An AWS Service Catalog Product. The AWS Service Catalog launch constraint is used for account vending by triggering the account creation Lambda function deployed in this step.

Finally, the template outputs the ARN of the Lambda function, which is used by the Service Catalog Product.

Solution Components

Deeper look into the provisioned Service Catalog Product

Let’s look at the AWS Service Catalog product created in the previous step. The product launches the accountbuilder.yml template from the config-${AAP_ACCOUNT_ID} S3 bucket. This CloudFormation template runs in the background when the Service Catalog Product is launched, and it does the following:

  • Takes the following parameters as input:
    • MasterLambdaArn: ARN of the Lambda function created by AccountCreationLambdaSetup-cfn.yaml.
    • AccountEmail: The root email for the member AWS account.
    • OrganizationUnitName: The name of the Organizational Unit to hold the account. This is None by default. Please check this documentation to learn about AWS Organizational Units.
    • AccountName: Name for the new member AWS account.
    • StackRegion: us-east-1
    • SourceBucket: config-<AccountID>. Replace <AccountID> with the management AWS account ID.
    • BaselineTemplate: AccountBaseline.yml
    • AccountBilling: Invoicing (either Invoicing or Direct Pay; the value is used for tags in the AWS account).
    • SkipCloudCheckr: false (this must be set to “false” to enable CloudCheckr integration).
    • CloudCheckrApiSecret: ARN of the Secret containing the API key for accessing CloudCheckr (can be retrieved from the Outputs section of the CloudFormation stack deployment).
    • CloudTrailBucket: cloudtrailbucket-<AccountID>
    • CurBucket: curbucket-<AccountID>
    • DbrBucket: dbrbucket-<AccountID>
    • ConfigBucket: configbucket-<AccountID>

Note: <AccountID> in the above parameters should be replaced with the AWS account ID of the management account. The bucket names must match the lowercase names created in step 2, since S3 bucket names cannot contain uppercase letters.

  • Triggers the Lambda function created in step 3, which performs the member AWS account creation and CloudCheckr integration.
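The parameter list above has a few values that fail silently when mistyped: SkipCloudCheckr is compared as the string “false”, AccountBilling accepts only two values, and the bucket parameters must name the lowercase buckets created in step 2. The following pre-flight check is an added example (not code from the aws-samples repository) that validates a launch-form parameter set before the Lambda is invoked; the parameter names are those listed above, and the sample values, account ID 111122223333 and the ARN/email formats it accepts are constructed assumptions.

```python
"""Pre-flight validation of the accountbuilder.yml parameter set.

Added example, not part of the aws-samples repository. It rejects the
mistakes the parameter list warns about before any account is created.
"""
import re

# Parameter names as listed for accountbuilder.yml on this page.
REQUIRED_PARAMS = (
    "MasterLambdaArn", "AccountEmail", "OrganizationUnitName", "AccountName",
    "StackRegion", "SourceBucket", "BaselineTemplate", "AccountBilling",
    "SkipCloudCheckr", "CloudCheckrApiSecret", "CloudTrailBucket",
    "CurBucket", "DbrBucket", "ConfigBucket",
)
BUCKET_PARAMS = ("SourceBucket", "CloudTrailBucket", "CurBucket", "DbrBucket", "ConfigBucket")
ALLOWED_BILLING = ("Invoicing", "Direct Pay")

# S3 bucket-name rule (simplified): 3-63 chars, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_LAMBDA_ARN_RE = re.compile(r"^arn:aws[a-z-]*:lambda:[a-z0-9-]+:\d{12}:function:.+$")
_SECRET_ARN_RE = re.compile(r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")


def validate_params(params, management_account_id):
    """Return a list of problems; an empty list means the parameters look sane."""
    problems = [f"{n}: missing" for n in REQUIRED_PARAMS if not params.get(n)]
    if problems:
        return problems  # do not check values of parameters that are absent

    if not _EMAIL_RE.match(params["AccountEmail"]):
        problems.append("AccountEmail: not a valid e-mail address")
    if params["AccountBilling"] not in ALLOWED_BILLING:
        problems.append(f"AccountBilling: must be one of {ALLOWED_BILLING}")
    # CloudFormation passes parameters as strings, so "False" or "FALSE"
    # would not equal the "false" the template compares against.
    if params["SkipCloudCheckr"] not in ("true", "false"):
        problems.append('SkipCloudCheckr: must be the literal string "true" or "false"')
    if not _LAMBDA_ARN_RE.match(params["MasterLambdaArn"]):
        problems.append("MasterLambdaArn: not a Lambda function ARN")
    if not _SECRET_ARN_RE.match(params["CloudCheckrApiSecret"]):
        problems.append("CloudCheckrApiSecret: not a Secrets Manager secret ARN")
    if params["StackRegion"] != "us-east-1":
        problems.append("StackRegion: this solution expects us-east-1")
    for name in BUCKET_PARAMS:
        value = params[name]
        if not _BUCKET_RE.match(value):
            problems.append(f"{name}: '{value}' is not a valid S3 bucket name (lowercase only)")
        elif not value.endswith(f"-{management_account_id}"):
            problems.append(f"{name}: should end with -{management_account_id} (management account)")
    return problems


# Constructed sample launch-form values for a hypothetical management account.
EXAMPLE_PARAMS = {
    "MasterLambdaArn": "arn:aws:lambda:us-east-1:111122223333:function:AccountCreationLambda",
    "AccountEmail": "aws-member-01@example.com",
    "OrganizationUnitName": "None",
    "AccountName": "member-01",
    "StackRegion": "us-east-1",
    "SourceBucket": "config-111122223333",
    "BaselineTemplate": "AccountBaseline.yml",
    "AccountBilling": "Invoicing",
    "SkipCloudCheckr": "false",
    "CloudCheckrApiSecret": "arn:aws:secretsmanager:us-east-1:111122223333:secret:CloudCheckrApiKey-AbCdEf",
    "CloudTrailBucket": "cloudtrailbucket-111122223333",
    "CurBucket": "curbucket-111122223333",
    "DbrBucket": "dbrbucket-111122223333",
    "ConfigBucket": "configbucket-111122223333",
}

if __name__ == "__main__":
    for problem in validate_params(EXAMPLE_PARAMS, "111122223333") or ["OK"]:
        print(problem)
```

Run it as a script to check a parameter set, or call validate_params() from a Lambda wrapper and abort the launch when the returned list is non-empty.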

Deeper look into Account Creation and CloudCheckr Integration Lambda

Let’s look at the Lambda function created from AccountCreationLambda.py and AccountCreationLambda.zip in the config-${AAP_ACCOUNT_ID} S3 bucket as part of step 3. This Lambda function is the heart of the automation and does the following:

  • Receives the inputs from the CloudFormation template accountbuilder.yml.
  • Calls the create_account function with the input parameters to create the member AWS account under the AWS Organization.
  • Creates an OrgAccessRole in the member AWS account that can be assumed by the management AWS account for the subsequent steps.
  • Deploys a stack based on the CloudFormation template AccountBaseline.yml in the newly created member account. This creates an Amazon S3 bucket in the member account. The baseline template can be modified for any initial or optional resource provisioning in the member AWS account.
  • From a CloudCheckr integration standpoint, it first calls the add_account_v3 CloudCheckr public API to create an empty account in CloudCheckr and return an external_id.
  • Next, the cc_aws_cfn_iam_stack.template.json CloudFormation stack is deployed in the newly created member AWS account, creating the roles in the member account that CloudCheckr assumes for cloud financial management.
  • Finally, it calls the CloudCheckr edit_credential public API, which takes the cross-account role created by the CloudFormation stack in the previous step and adds it to CloudCheckr.
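Two of the steps above deserve a closer look: Organizations account creation is asynchronous, so the Lambda must poll the request until it succeeds or fails, and the cross-account role that CloudCheckr assumes should be trusted only when the caller presents the external_id returned by add_account_v3 (an sts:ExternalId condition, which prevents another tenant of the same SaaS from assuming the role). The sketch below is an added example, not the repository’s AccountCreationLambda.py. The AWS clients are passed in as parameters so the logic can be exercised offline with the constructed stub included here; in a real Lambda they would be boto3 clients, and the account IDs, request ID and external_id are placeholders.

```python
"""Account-creation polling and cross-account trust policy, as an added example.

Not the repository's AccountCreationLambda.py. The Organizations client is
injected so the polling loop can be tested with the stub at the bottom.
"""
import json
import time


class AccountCreationError(RuntimeError):
    """Raised when Organizations reports FAILED or the request never finishes."""


def wait_for_account(org_client, request_id, poll_seconds=5, max_polls=60, sleep=time.sleep):
    """Poll describe_create_account_status until the request finishes.

    Returns the new account ID on SUCCEEDED, raises AccountCreationError on
    FAILED or timeout. `sleep` is injectable so tests do not have to wait.
    """
    for _ in range(max_polls):
        status = org_client.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        state = status["State"]
        if state == "SUCCEEDED":
            return status["AccountId"]
        if state == "FAILED":
            raise AccountCreationError(status.get("FailureReason", "unknown failure"))
        sleep(poll_seconds)  # IN_PROGRESS: try again
    raise AccountCreationError("timed out waiting for account creation")


def cross_account_trust_policy(trusted_account_id, external_id):
    """Trust policy for a role a third party assumes from trusted_account_id.

    The StringEquals sts:ExternalId condition binds the role to the external_id
    the third party was given, so a caller from the same trusted account that
    does not know that value cannot assume it. Both arguments are placeholders.
    """
    if not external_id or len(external_id) < 2:
        raise ValueError("external_id must be a non-trivial string")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_requires_external_id(policy):
    """Return True if every Allow sts:AssumeRole statement for an AWS-account
    principal carries a StringEquals sts:ExternalId condition."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        if "AWS" not in stmt.get("Principal", {}):
            continue  # service principals (e.g. lambda.amazonaws.com) are not cross-account
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            return False
    return True


class _StubOrganizations:
    """Constructed stand-in for boto3's Organizations client: reports
    IN_PROGRESS for `in_progress_polls` calls, then `final_state`."""

    def __init__(self, final_state="SUCCEEDED", in_progress_polls=2):
        self.final_state = final_state
        self.in_progress_polls = in_progress_polls
        self.calls = 0

    def describe_create_account_status(self, CreateAccountRequestId):
        self.calls += 1
        state = self.final_state if self.calls > self.in_progress_polls else "IN_PROGRESS"
        status = {"Id": CreateAccountRequestId, "State": state}
        if state == "SUCCEEDED":
            status["AccountId"] = "111122223333"  # constructed member account ID
        elif state == "FAILED":
            status["FailureReason"] = "EMAIL_ALREADY_EXISTS"
        return {"CreateAccountStatus": status}


if __name__ == "__main__":
    account_id = wait_for_account(_StubOrganizations(), "car-example", sleep=lambda s: None)
    policy = cross_account_trust_policy("444455556666", "example-external-id")
    print(account_id, trust_policy_requires_external_id(policy))
    print(json.dumps(policy, indent=2))
```

trust_policy_requires_external_id() is the kind of check worth running against the roles created by cc_aws_cfn_iam_stack.template.json in each member account: it fails closed on a cross-account AssumeRole statement that has no ExternalId condition, while leaving service-principal trust statements alone.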

Note: The account creation and CloudCheckr integration Lambda retains its creation behavior for delete and update operations on the CloudFormation stack.

Test and Run

Testing the Account Provisioning with CloudCheckr Integration

Now that the setup is complete, let’s test member AWS account provisioning with CloudCheckr integration via the AWS Service Catalog console.

  • To provision a new member AWS account, navigate to the Products section of the AWS Service Catalog console, pick the “Account Vending Machine” Product, and click Launch Product.

AWS Service Catalog console showing the “Account Vending Machine” Product.

Figure 2: Products page of AWS Service Catalog console

  • In the next screen, select the latest version of the Service Catalog product and specify the product name. Refer to the Deeper look into the provisioned Service Catalog Product section above to fill in the relevant values, click Next, and then click Launch in the final screen to launch the product.
  • Once the AWS Service Catalog product launch completes, you will see a new account provisioned under the AWS Organization. You can also check the stack outputs in the AWS CloudFormation console and the logs in the AWS Lambda console for the Lambda invocation that performed the AWS account creation and CloudCheckr integration.

Verifying account provisioning

Next, verify that the account was provisioned in CloudCheckr by logging in to the CloudCheckr console. You will see the screen below listing the AWS accounts integrated with CloudCheckr. Click the recently provisioned AWS account for a detailed view of the cloud management platform for Cost, Security, Utilization, and Inventory.

CloudCheckr console showing the list of AWS accounts integrated with CloudCheckr

Figure 3: CloudCheckr Home Page

Clean-up

  1. Under the Actions drop-down in AWS Service Catalog Provisioned products, choose “Terminate”. Provide confirmation in the following screen.
  2. Once your provisioned products are successfully terminated, run:
aws cloudformation delete-stack --stack-name account-builder-stack

  3. Clean up the S3 buckets:
aws s3 rm s3://"config-${AAP_ACCOUNT_ID}" --recursive
aws s3api delete-bucket \
--bucket "config-${AAP_ACCOUNT_ID}"

aws s3 rm s3://"cloudtrailbucket-${AAP_ACCOUNT_ID}" --recursive
aws s3api delete-bucket \
--bucket "cloudtrailbucket-${AAP_ACCOUNT_ID}"

aws s3 rm s3://"curbucket-${AAP_ACCOUNT_ID}" --recursive
aws s3api delete-bucket \
--bucket "curbucket-${AAP_ACCOUNT_ID}"

aws s3 rm s3://"dbrbucket-${AAP_ACCOUNT_ID}" --recursive
aws s3api delete-bucket \
--bucket "dbrbucket-${AAP_ACCOUNT_ID}"

aws s3 rm s3://"configbucket-${AAP_ACCOUNT_ID}" --recursive
aws s3api delete-bucket \
--bucket "configbucket-${AAP_ACCOUNT_ID}"

  4. Ensure that every resource in the member account(s) created has been terminated prior to closing the account.

Note: Every user/group or launch constraint added to the AVM product in AWS Service Catalog must be removed before account-builder-stack can be deleted; otherwise the stack deletion fails with an error removing the AVM product.

Conclusion

This post demonstrated how to automate member account provisioning along with integration with third-party software such as CloudCheckr for cloud financial management in a multi-account AWS environment using AWS Organizations and AWS Service Catalog.

The code and contents of this post were validated to work on the publishing date.

About the authors

Elamaran Shanmugam

Elamaran (Ela) Shanmugam is a Cloud Architect with Amazon Web Services Professional Services. Ela is a Container and Multi-Account Architecture SME and helps AWS customers design and build scalable, secure, and optimized container workloads on AWS. His passion is building and automating infrastructure to allow customers to focus more on their business. He is based out of Tampa, Florida, and you can reach him on Twitter at @IamElaShan.

Kishore Dhamodaran

Kishore Dhamodaran is a Senior Cloud Consultant with Amazon Web Services Professional Services. Kishore helps customers with their cloud enterprise strategy and migration journey, leveraging his years of industry and cloud experience.