In order for the resources in a new member account to be correctly inventoried in VMware Cloud services, you must assign the following JSON policy to each of the new member accounts you add to your AWS Organization master account.

Prerequisites

Once you've assigned this JSON policy to a new member account, you must enter the AWS security credentials for that account into the AWS Add New Account form.

Since the billing for all new member accounts is consolidated in the S3 bucket you set up when you created the AWS Organization master account, you only need to enter the security credentials for each new member account, not the S3 bucket name. For more information on how to add the new member account security credentials to VMware Cloud services, see Fill In the AWS Add New Account Form.

Procedure

  1. Log into the AWS console (https://console.aws.amazon.com) and select the IAM service.
  2. On the Welcome to Identity and Access Management screen, select Policies, then Create policy.
  3. On the Create Policy page, select Create Your Own Policy.
  4. On the Review Policy page, copy or enter the following JSON policy into the blank Policy Document.
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "iam:ListAccountAliases"
           ],
           "Resource": [
             "*"
           ]
         },
         {
           "Effect": "Allow",
           "Action": [
             "ec2:Describe*"
           ],
           "Resource": "*"
         },
         {
           "Action": [
             "logs:Describe*",
             "logs:Get*",
             "logs:TestMetricFilter",
             "logs:FilterLogEvents"
           ],
           "Effect": "Allow",
           "Resource": "*"
         }
       ]
     }
  5. Enter a Policy Name and an optional Description. Click Create Policy.
  6. In the IAM console, select Roles. Click Create new role.
  7. On the Select role type screen, select Amazon EC2.
  8. On the Attach Policy screen, enter the policy name in the search box.
  9. Select the Policy name and click Next step.
  10. On the Set role name and review page, enter a Role Name and click Create role. This adds the new role to your list of roles.
  11. On the AWS console, select Users, then Add user.
  12. Enter a User name. Select Access type and Programmatic Access. This allows you to create an Access Key ID and Secret Access Key for your account. Click Next: Permissions.
  13. On the Set permissions page, select Attach existing policies directly.
  14. Search for the name of the policy you want to attach. Select the Policy name and click Next: Review.
  15. When you have reviewed the user and policy you have assigned, click Create user.
  16. You see the Success form and the Access Key ID and Secret Access Key for the user you created. Click Download .csv to save these security credentials to a file. Once you click Close on this screen, you are not able to display your Secret Access Key again.
  17. Copy the Access Key ID and Secret Access Key into the Discovery service Add New Account form to register the new member account with VMware Cloud services. See Fill In the AWS Add New Account Form.
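
As an added check that is not part of the VMware procedure, the following Python audits the policy document from step 4 before it is attached to the user in steps 13 and 14: it confirms that every allowed action falls within a read-only allowlist and flags anything broader, such as a service-wide wildcard or a NotAction statement. The allowlist, the function names and the embedded copy of the policy are assumptions of this example.

```python
import json
import fnmatch

# Copy of the policy document from step 4, embedded so the check runs offline.
DISCOVERY_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListAccountAliases"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Action": ["logs:Describe*", "logs:Get*", "logs:TestMetricFilter",
                "logs:FilterLogEvents"],
     "Effect": "Allow", "Resource": "*"}
  ]}
""")

# Actions the inventory user is expected to need. This allowlist is an assumption
# of this example (not VMware's); extend it only after checking the IAM docs.
READ_ONLY_PATTERNS = [
    "iam:ListAccountAliases", "ec2:Describe*", "logs:Describe*", "logs:Get*",
    "logs:FilterLogEvents", "logs:TestMetricFilter",
]


def _as_list(value):
    """IAM allows a single string or a list for Action/NotAction/Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(doc):
    """Return the Allow entries that are not covered by READ_ONLY_PATTERNS.

    Each allowed action string is matched against the allowlist with shell-style
    wildcards, so 'ec2:DescribeInstances' and 'ec2:Describe*' pass but 'ec2:*',
    'ec2:Describ*' and 'ec2:TerminateInstances' are reported. A NotAction
    statement grants everything except the listed actions, so it is always flagged.
    """
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
        for action in _as_list(stmt.get("Action", [])):
            if not any(fnmatch.fnmatchcase(action, p) for p in READ_ONLY_PATTERNS):
                findings.append(action)
    return findings


def write_policy_file(path="vmware-discovery-policy.json"):
    """Write the document for use with: aws iam create-policy --policy-document file://PATH"""
    with open(path, "w") as fh:
        json.dump(DISCOVERY_POLICY, fh, indent=2)
    return path
```

An empty result from audit_policy means the document grants only inventory-style read access; any returned entry is worth resolving before the access keys in step 16 are issued.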

Example

Once you've registered the new member account with VMware Cloud services, you've enabled the Discovery service to find, sort, filter, group, and display the resources you create in this new account.

Note: Do this procedure once for each new member account you create in your AWS Organization master account. This applies to both member and invited accounts.