Amazon Web Services
AWS Organization
For Organization setup, a single CloudFormation template is deployed into the payer (management) account. The template uses CloudFormation StackSets to propagate the required configuration to the member accounts in the organization, including accounts that are added in the future. Permissions are locked down so that Heeler can only read metadata and configuration information about the customer's cloud footprint and never has access to code or data. The template performs the following actions:
Payer Account
1. Create an IAM policy, Heeler, that denies access to the customer data plane. This includes actions such as s3:GetObject, dynamodb:GetItem and more. Because it is an explicit Deny, it overrides the matching Allow statements granted by ReadOnlyAccess.
2. Create an IAM policy, HeelerEKS, that allows EKS cluster API access configuration so Heeler can automatically harvest Kubernetes resources.
3. Create two roles, heeler-management-ro and heeler-member. The first role is created with an inline policy that allows visibility into the payer account's AWS Organizations configuration. The second role, heeler-member, is configured with the newly created policies as well as the AWS managed ReadOnlyAccess policy to allow visibility into the account. It is also configured with a trust policy that allows heeler-management-ro to assume it.
4. Create a CloudFormation StackSet that performs the steps outlined under Member Account across all member accounts that exist today as well as ones that will be created in the future.
Member Account
1. Create an IAM policy, Heeler, that denies access to the customer data plane. This includes actions such as s3:GetObject, dynamodb:GetItem and more.
2. Create an IAM policy, HeelerEKS, that allows EKS cluster API access configuration so Heeler can automatically harvest Kubernetes resources.
3. Create a single role, heeler-member, with the newly created policies as well as the AWS managed ReadOnlyAccess policy to allow visibility into the account. It is also configured with a trust policy that allows heeler-management-ro in the payer account to assume it.
Note that the template has required, optional, and recommended parameters:
Required
Organizational Unit List - The top-most Organizational Unit ID, i.e., the root ID (e.g., r-1234), is recommended, as it provides coverage for the entire AWS Organization. Alternatively, supply a comma-separated list of Organizational Unit IDs without spaces (e.g., ou-1234-abcdefgh,ou-1234-ijklmnop).
Member Role Name - A default name, heeler-member, is provided. Enter a value here only if you want to use a different name; the same name must later be entered in the Heeler configuration.
Optional
Account List - A list of member account IDs used to limit the accounts in scope. How the list is interpreted depends on Scope Change.
Scope Change - If set to limit, the deployment is restricted to the accounts listed. If set to exclude, the accounts listed are excluded from the deployment.
Recommended
ExternalId - The external ID to associate with both the management and member roles. Customers are strongly encouraged to enter a value here: an external ID on the trust policy is the standard AWS mitigation for the confused-deputy problem when a third party assumes a role in your account, and the same value must be entered in the Heeler configuration.
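To check that a deployed template matches the description above before connecting Heeler, the following added Python example (not Heeler's template or code) audits two policy documents of the kind the template creates: it confirms that every action in a list of data-plane operations is explicitly denied, and that the heeler-member trust policy accepts heeler-management-ro only when the ExternalId from the Recommended parameter is presented. The policy documents, the action list, the account number 123456789012 and the external ID value are constructed assumptions; the page names only s3:GetObject and dynamodb:GetItem, so the documents the real template installs differ.

```python
"""Audit IAM documents of the kind a Heeler-style CloudFormation template creates.

Added example, not Heeler's template. Both policy documents below are
CONSTRUCTED from the page's description; the real documents may differ.
"""
import fnmatch

PAYER_ACCOUNT = "123456789012"          # placeholder account from the page
EXTERNAL_ID = "example-external-id"     # assumption: the ExternalId parameter value
MANAGEMENT_ROLE_ARN = f"arn:aws:iam::{PAYER_ACCOUNT}:role/heeler-management-ro"

# Constructed stand-in for the "Heeler" deny policy.
HEELER_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDataPlane",
        "Effect": "Deny",
        "Action": [
            "s3:GetObject*", "dynamodb:GetItem", "dynamodb:BatchGetItem",
            "dynamodb:Query", "dynamodb:Scan", "secretsmanager:GetSecretValue",
            "ssm:GetParameter*", "kms:Decrypt", "sqs:ReceiveMessage",
        ],
        "Resource": "*",
    }],
}

# Constructed stand-in for the heeler-member trust policy.
MEMBER_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": MANAGEMENT_ROLE_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Actions that return customer data or code. ReadOnlyAccess allows several of
# them, so the deny policy must cover each one (constructed list).
DATA_PLANE_ACTIONS = [
    "s3:GetObject", "s3:GetObjectVersion", "dynamodb:GetItem", "dynamodb:Scan",
    "secretsmanager:GetSecretValue", "ssm:GetParameters", "kms:Decrypt",
    "sqs:ReceiveMessage", "lambda:GetFunction",
]


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_explicitly_denied(policy, action):
    """True if any Deny statement in the policy matches the action."""
    return any(
        stmt.get("Effect") == "Deny"
        and any(action_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        for stmt in policy["Statement"]
    )


def data_plane_gaps(policy, actions=DATA_PLANE_ACTIONS):
    """Data-plane actions the deny policy does not cover."""
    return [a for a in actions if not is_explicitly_denied(policy, a)]


def assume_role_allowed(trust_policy, caller_arn, external_id=None):
    """Evaluate a trust policy for one sts:AssumeRole call.

    Mirrors the relevant part of IAM evaluation: the caller must match a
    Principal, the action must be sts:AssumeRole, and a StringEquals condition
    on sts:ExternalId must match the value presented (if the statement has one).
    """
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(p in ("*", caller_arn) for p in principals):
            continue
        if not any(action_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action", []))):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id not in _as_list(required):
            continue
        return True
    return False


def trust_requires_external_id(trust_policy):
    """True only if every Allow statement conditions on sts:ExternalId."""
    return all(
        "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        for stmt in trust_policy["Statement"] if stmt.get("Effect") == "Allow"
    )


if __name__ == "__main__":
    print("uncovered data-plane actions:", data_plane_gaps(HEELER_DENY_POLICY))
    print("trust requires ExternalId:", trust_requires_external_id(MEMBER_TRUST_POLICY))
    print("assume without ExternalId:", assume_role_allowed(MEMBER_TRUST_POLICY, MANAGEMENT_ROLE_ARN))
```

The constructed deny policy omits lambda:GetFunction, which ReadOnlyAccess allows and which returns a presigned URL for the function's code, so the audit reports it as a gap; run the same check against the Heeler policy the real template installs, since the "never has access to your code or data" guarantee rests on that deny list. The trust check shows what the ExternalId parameter buys: with the condition in place, heeler-management-ro cannot enter a member account unless it presents the value you configured.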
Heeler Configuration
Once the supplied CloudFormation template (CFT) has been deployed into the payer and member accounts, Heeler can be configured. Follow the steps below:
1. Open the URL https://app.heeler.com/administration/connections/organizations, or click on the settings icon at the top right and then click on Connections.
2. Click on Add Organization and then select Amazon Web Services.
3. Enter a name for the organization (e.g., Acme Corp).
4. For the Organization Role ARN field, enter arn:aws:iam::123456789012:role/heeler-management-ro, replacing 123456789012 with the account number of the payer account.
5. For the Organization Role External ID field, enter the external ID that was supplied when deploying the CFT.
6. For the Member Account Role Name field, enter heeler-member (or the value given for the Member Role Name parameter, if you changed it).
7. For the Member Account Role External ID field, enter the external ID that was supplied when deploying the CFT.
8. If you want to exclude certain Organizational Units (OUs) and/or individual member accounts, enter them into the bottom fields.
9. Click Save Organization.
If everything is configured properly within AWS you should see a success message, and inventory collection will immediately begin in the background. Note that the first round of collection can take some time depending on the size of the AWS footprint.
Inventory Collection
General information about all collected AWS inventory, as well as inventory from additional sources such as Google Cloud Platform and Microsoft Azure, is surfaced by clicking on the Resources tab in the Catalog. Inventory information can be filtered by category, source, account, organizational unit and more.
Inventory collection runs at a different cadence for each of the supported services, which reduces the likelihood of hitting API rate limits in customer accounts. Customers can opt in to real-time inventory collection, which streams configuration changes into Heeler within a minute of the upstream change. For more information on this capability and how to set it up, click here.
Event Collection
For event collection, Heeler requires an organization trail that delivers its events to a CloudWatch Logs log group. Heeler provides a CloudWatch Logs filter that forwards only a subset of the log events to Heeler, so the full trail volume is not streamed.
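The page does not reproduce the filter Heeler supplies, so the following added Python example (not Heeler's code) shows the two mechanics involved, using constructed data: a selection rule of the kind such a filter expresses (forward configuration-changing API calls and console sign-ins, drop the read-only Describe/List/Get calls that make up most trail volume) applied to sample CloudTrail records, and decoding of the gzip-compressed, base64-encoded batch that a CloudWatch Logs subscription filter delivers to its destination. Field names are standard CloudTrail record fields; the records, account IDs, log group name and filter name are constructed.

```python
"""Select the subset of CloudTrail events worth streaming from an org trail.

Added example, not Heeler's filter. The selection rule and all sample data are
CONSTRUCTED; only the CloudTrail field names and the subscription delivery
format (gzip + base64 JSON with a logEvents array) are standard.
"""
import base64
import gzip
import json

# Constructed CloudTrail records with fictitious values.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T00:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "eventType": "AwsApiCall", "readOnly": True,
     "recipientAccountId": "111111111111"},
    {"eventTime": "2024-01-01T00:00:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventType": "AwsApiCall", "readOnly": False,
     "recipientAccountId": "111111111111"},
    {"eventTime": "2024-01-01T00:00:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "recipientAccountId": "111111111111"},
    {"eventTime": "2024-01-01T00:00:04Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventType": "AwsApiCall", "readOnly": True,
     "recipientAccountId": "222222222222"},
    {"eventTime": "2024-01-01T00:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "eventType": "AwsApiCall", "readOnly": False,
     "recipientAccountId": "222222222222"},
]


def should_forward(record):
    """Constructed selection rule: keep events that change configuration
    (non-read-only API calls) and console sign-ins; drop read-only calls."""
    if record.get("eventType") == "AwsApiCall" and record.get("readOnly") is False:
        return True
    if record.get("eventType") == "AwsConsoleSignIn":
        return True
    return False


def select_events(records):
    """Apply the rule to a batch of decoded CloudTrail records."""
    return [r for r in records if should_forward(r)]


def build_subscription_payload(records, message_type="DATA_MESSAGE",
                               log_group="/aws/cloudtrail/org-trail"):
    """Constructed fixture: package records the way a CloudWatch Logs
    subscription filter delivers them (base64 of gzip-compressed JSON)."""
    body = {
        "messageType": message_type,
        "owner": "123456789012",            # constructed log-group owner account
        "logGroup": log_group,               # constructed log group name
        "logStream": "111111111111_CloudTrail_us-east-1",
        "subscriptionFilters": ["example-filter"],
        "logEvents": [
            {"id": str(i), "timestamp": 1704067200000 + i,
             "message": json.dumps(r)}
            for i, r in enumerate(records)
        ],
    }
    return base64.b64encode(gzip.compress(json.dumps(body).encode())).decode()


def decode_subscription_payload(data_b64):
    """Unpack a subscription delivery into CloudTrail records.
    CONTROL_MESSAGE batches are keepalives and carry no events."""
    body = json.loads(gzip.decompress(base64.b64decode(data_b64)))
    if body.get("messageType") != "DATA_MESSAGE":
        return []
    return [json.loads(ev["message"]) for ev in body["logEvents"]]


if __name__ == "__main__":
    payload = build_subscription_payload(SAMPLE_RECORDS)
    for rec in select_events(decode_subscription_payload(payload)):
        print(rec["recipientAccountId"], rec["eventSource"], rec["eventName"])
```

Of the five constructed records only CreateUser, ConsoleLogin and PutBucketPolicy pass the rule; the two read-only calls are dropped. Whatever rule the supplied filter uses, the same check applies: decode a delivered batch, confirm the org trail's log group is the source, and confirm that the events reaching the destination are the subset you expect and nothing more.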