Pre-Installation Setup for Amazon Web Services > Link AWS Accounts for Collection of Consolidated Billing Data
  
Version 10.2.01P10
Link AWS Accounts for Collection of Consolidated Billing Data
Some large organizations create separate AWS accounts for different cost centers and then link these accounts to a Payer Account. In this case, the billing records for all of these accounts are accumulated in the billing records for the Payer Account. If you want to have a single AWS IAM user to collect these billing records and all other information about EC2 and S3 buckets, you will need to grant the user cross-account API access. By linking accounts, you establish a trust relationship between the accounts.
Create a Role for IT Analytics Data Collection
1. Log in to the AWS account that is not the Payer Account.
2. In the AWS IAM window, select Roles.
3. Enter a role name that identifies it as the role specifically for data collection, such as readOnlyAccessForCollection. The name you enter cannot be changed once the role is created.
4. Select the Role Type: Role for Cross-Account Access > Provide access between AWS accounts you own.
5. Establish Trust using the Account ID of the Payer Account, but do not require the MFA.
6. Attach the AWS-supplied ReadOnlyAccess policy.
7. Before creating the role, review the role information to ensure that the following information is correct:
Role Name: Role named specifically for IT Analytics data collection.
Trusted Entity: ID of the Payer Account.
Policy: ReadOnlyAccess.
8. Copy the Role ARN to the clipboard. You will use this copied ARN (Amazon Resource Name) when you Add the Role to the IAM User.
9. Click Create Role to link the accounts.
10. Proceed with the next set of steps in Add the Role to the IAM User.
Add the Role to the IAM User
The role that was created in Create a Role for IT Analytics Data Collection, must now be added to the IAM User that you created in Create an AWS IAM User.
1. Log in to the AWS Payer Account.
2. In the AWS IAM window, select the User that you created in Create an AWS IAM User.
3. Under the user’s permissions, in addition to the ReadOnlyAccess policy that is listed, create an Inline Policy.
4. Select Custom Policy and enter a Policy Name.
5. Customize permissions by editing the policy, replacing the Resource example (shown in red below) with the Role ARN that you copied to the clipboard, enclosed in straight quotes.
{"Statement":[
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123456789012:role/accessForAPTARECollector"
}
]
}
6. The AWS configuration is now complete. Proceed with the Data Collection Configuration, beginning with Installation Overview (Amazon Web Services - AWS).