Add an Amazon Web Services account to VMware Tanzu Hub

As a Tanzu Hub organization owner or administrator, you can use the AWS account workflow to create the roles and connections required for this account.

Before you begin

  • To configure the account and collect data:
    • Verify that you have the ID for any Amazon Web Services accounts that you plan to set up. The account must have sufficient permissions to create an IAM role, run the connection script, and export access keys.
    • Verify the account by accessing it using your AWS console.
    • Install the AWS CLI or use AWS CloudShell. See the instructions in the AWS CLI documentation or AWS CloudShell documentation.
    • If you are associating the account with a Tanzu Hub project, verify that you created the project. For instructions, see Add projects.
  • To configure event monitoring for accounts so that you receive real-time alerts for insights or findings about misconfigurations and vulnerabilities rather than waiting for the next scan:

    1. Set the following IAM policy so that you can export your AWS Access Key and the AWS Secret Access Key.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "sns:*",
                      "cloudtrail:*",
                      "cloudformation:*",
                      "events:*",
                      "iam:*",
                      "ec2:DescribeRegions"
                  ],
                  "Resource": "*"
              }
          ]
      }

    2. Enable AWS CloudTrail.

    3. Install the AWS CLI. See the instructions in the AWS CLI documentation.
    4. Export the AWS Access Key and the AWS Secret Access Key. See the instructions in the AWS environment variables documentation. To export the keys, the user must have access to AWS CloudFormation, AWS Events Rule, AWS SNS Topic, and AWS SNS Topic Policy.
  • Event streaming provides Tanzu Hub with real-time updates. When you configure event streaming, it is enabled for all your AWS regions. However, AWS charges you to manage the encryption keys. To manage your costs after you set up your AWS accounts in Tanzu Hub, you can continue the event streaming for your important regions and resources while deactivating the VMware event stream in the unused AWS regions.

Add a single AWS account

Use this workflow to add a single account. This process is useful if you do not have many AWS accounts that you want to manage. If you are new to Tanzu Hub, it is a useful way to explore how Tanzu Hub can help you manage your resources.

  1. In Tanzu Hub, select Administration > Set Up and Configure > Accounts and click New Accounts.
  2. Click Amazon Web Services, select Single account, and click Continue.

    Select the Single account or Organization as the onboarding method.

  3. In the Account Information section, enter useful account information.

    On the Account Information page, you provide a name and your AWS account ID.

    1. Enter the name and your Account ID.
    2. If you work with projects, select one or more Tanzu Hub projects that you are associating with the AWS account.
    3. You can use Environment to add descriptive metadata to accounts that are used by some features in Tanzu Hub.

      For example, if you add and select environments such as prod, dev, and test, you can then apply governance policies to a particular environment. You can then search based on environment and even apply a policy to the resources in your production environment but not development or testing.

    4. Enter the owner name and email address.

    5. Click Next.
  4. In the Connect Account section, follow the on-screen steps to configure the least-privileged account in your AWS instance and update this page with the IAM Role ARN and the External ID.

    The steps that are provided in the UI are repeated in this procedure for your convenience.

    The AWS Connect Account section in Tanzu Hub with the IAM Role ARN text box populated with the value from AWS.

    1. Open a browser tab and log in with the account that you are creating the read-only role for.
    2. In step 1, click Create AWS IAM Role.

      The Another AWS account workflow begins in AWS.

      In most cases, you do not need to change the values on the Specify accounts that can use this role page.

      Click Next: Permissions.

    3. Locate and select the SecurityAudit role.

      Click Next: Tags.

    4. Tags are optional. Click Next: Review.

    5. Review the Role name and ensure uniqueness.
    6. Click Create role.
    7. In the IAM Roles list, click the role name. For example, TanzuHub.
    8. On the role summary page, copy the ARN so that you can paste it in the IAM Role ARN in the Connect Account form in Tanzu Hub.
    9. In the Connect Account section, paste the ARN in the IAM Role ARN text box.
    10. Click Save Account and Continue.
  5. In the Account Onboarding section, enable event monitoring.

    To configure event stream, which provides updates about security findings for this cloud account, you must configure AWS so that you can run a connection script. See the prerequisites at the beginning of this procedure.

    The connection script adds a policy with the following permissions and assigns the policy to the role you created in the previous section.

    • cloudwatch:GetMetricData and cloudwatch:ListMetrics. These permissions are required to collect metrics.
    • ce:GetCostAndUsage and ce:GetCostForecast. These permissions are required to collect cost information.

    In addition to the collection permissions, the SecurityAudit policy-based role permits AWS CloudTrail to send real-time updates to Tanzu Hub.

    The steps that are provided in the UI are repeated in this procedure for your convenience.

    The Account Onboarding page provides the AWS configurations so that you can run the Connect Event Stream script in step 4.

    1. In AWS, ensure that your AWS CloudTrail is turned on.
    2. Install the AWS CLI.

      Instructions are accessible with the link on the page or this link to AWS documentation.

    3. Export the Access Key and the Secret Access Key.

      Instructions are accessible with the link on the page or this link to AWS documentation.

    4. Run the command to download and run the script that creates a CloudFormation stack with the required configurations.

    5. Launch AWS CloudShell and upload the script.
    6. Enter the IAM role that you created for this connection.

      For example, TanzuHub.

    7. Run the script.

    8. After the script runs successfully, return to Tanzu Hub and click Next.

      As a free tier user, you can collect data from two accounts. Paying users can configure the full management capabilities for their AWS accounts.

  6. On the Accounts page, verify that the data source is added, the Status is OK, and the Event Monitoring state is Connected.

The collection might take up to thirty minutes before you see data. To monitor the process, select Explore > Inventory.
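
A check you can run after creating the role in step 4 and before running the connection script, shown as an added example that is not part of the VMware procedure or its scripts. It reviews the JSON returned by aws iam get-role and aws iam list-attached-role-policies; the account IDs, the external ID, and the review_role helper are constructed for illustration.

```python
import json

# Constructed sample of `aws iam get-role --role-name TanzuHub` output.
# Account IDs and the external ID are placeholders, not real values.
GET_ROLE = json.loads("""
{"Role": {"RoleName": "TanzuHub",
  "Arn": "arn:aws:iam::111122223333:role/TanzuHub",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}}}
""")
# Constructed sample of `aws iam list-attached-role-policies --role-name TanzuHub`.
ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "SecurityAudit",
     "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"}]}
SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def as_list(value):
    """IAM JSON allows a scalar wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def review_role(get_role, attached, expected_external_id):
    """Return findings; an empty list means the role matches the procedure."""
    findings = []
    doc = get_role["Role"]["AssumeRolePolicyDocument"]
    for st in as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in as_list(aws):
            findings.append("trust policy allows any AWS principal")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("trust policy has no sts:ExternalId condition")
        elif expected_external_id not in as_list(ext):
            findings.append("sts:ExternalId differs from the Tanzu Hub value")
    arns = {p["PolicyArn"] for p in attached["AttachedPolicies"]}
    if SECURITY_AUDIT_ARN not in arns:
        findings.append("SecurityAudit is not attached")
    for arn in sorted(arns - {SECURITY_AUDIT_ARN}):
        findings.append(f"additional managed policy to review: {arn}")
    return findings


if __name__ == "__main__":
    print(review_role(GET_ROLE, ATTACHED, "EXAMPLE-EXTERNAL-ID") or "role matches")
```

Pass the External ID displayed in the Connect Account form as expected_external_id. After the connection script runs, an additional policy on the role is expected and should contain only the cloudwatch and ce permissions listed in step 5.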

Add an AWS GovCloud account

Use this workflow if you must add accounts handling sensitive data on AWS GovCloud. Adding an AWS GovCloud account has some differences from the commercial account workflow. Those differences are that event stream (near real-time updates) is not supported for AWS GovCloud, and credentials are provided through a programmatic access key rather than an IAM role.

  1. In Tanzu Hub, select Administration > Set Up and Configure > Accounts and click New Account.

  2. Click Amazon Web Services, select Single account and Government, then click Continue.

  3. In the Account Information section, enter useful account information.

    1. Enter the name and your Account ID.
    2. If you work with projects, select one or more Tanzu Hub projects that you are associating with the AWS account.
    3. You can use Environment to add descriptive metadata to accounts that are used by some features in Tanzu Hub.

      For example, if you add and select environments such as prod, dev, and test, you can then apply governance policies to a particular environment. You can then search based on environment and even apply a policy to the resources in your production environment but not development or testing.

    4. Enter the owner name and email address.

    5. Click Next.
  4. The next screen of the UI prompts you to enter an Access Key ID and Secret Access Key from your AWS GovCloud account. The steps provided in the UI are repeated here for your convenience.

    1. Log in to your AWS GovCloud console.

    2. Go to the IAM service.

    3. Go to Users and click Create users.

    4. Enter a user name and click Next.

    5. Select Attach existing policies directly.

    6. Search and select SecurityAudit from Amazon’s pre-configured policies and click Next.

    7. (Optional) Add any tags you want the user to have and click Create user.

    8. From IAM > Users, select the user you created.

    9. In the user’s detail page, click Security Credentials.

    10. Scroll down to Access keys and click Create access key.

    11. Select Third-party service.

    12. Select I understand the above recommendation and want to proceed to create an access key and click Next.

    13. (Optional) Add a tag for the security key and click Create Access key.

    14. Copy the Access Key and Secret access key.

    Important

    Be sure to copy the keys from the Retrieve access keys page. You will not be able to retrieve the Secret access key after you close the AWS window.

  5. Once you have the access key and secret, enter them where prompted in the UI and click Save and Finish.

Add multiple AWS accounts

While you can continue to add cloud accounts one at a time with the single account method, doing so becomes tedious in enterprise environments.

Onboarding accounts using the organization method allows you to add multiple accounts with whatever level of management you want. However, you can only onboard 100 accounts at a time before you must run the organization onboarding for the next 100 accounts.

When using this procedure, you can refer to the images and more detailed information in the single account section. While the order is slightly different, the process is the same.

Be sure to use the scripts on the pages in this procedure. They are customized each time you onboard the resources. Do not reuse scripts from previous onboarding actions.

  1. In Tanzu Hub, select Administration > Set Up and Configure > Accounts and click New Accounts.
  2. Click Amazon Web Services, select Organization (member accounts), and click Continue.

    To add multiple accounts, start by adding the organization root account and then configure the collected member accounts.

  3. To add the organization root account, click Start in the Add organization step.

    1. On the Add Account page, enter the root account ID for the member accounts that you are adding.

      The root account is required here so that Tanzu Hub can collect the member accounts that you want to manage.

    2. Complete the form and click Next.

      If you have not added an account before, see the step in the previous single account section for this step and the others that follow for additional details.

    3. On the Connect Account page, follow the on-screen instructions for adding the read-only collection IAM role for the root account and click Save Account and Continue.

      When you click Save, Tanzu Hub uses the collection role to discover the member accounts so that you can choose the ones you want to manage.

    4. On the Configure the Event Monitoring page, if you want to get real-time event reporting in Tanzu Hub for the root account, follow the on-screen instructions to enable event monitoring.

    5. Click Save and Finish.
  4. To add the multiple member accounts associated with the root account, the next steps require you to select the accounts in each of the following sections.

    The ability to select individual member accounts for each onboarding step allows you to be selective about how you want to use Tanzu Hub to manage various member accounts.

    Step: Add Member Accounts
    Procedure: Select the accounts that you want to collect data from and configure the IAM read-only role on each as a bulk action.
      1. Select the member accounts.
      2. Configure the IAM read-only collection role.
      3. Edit account properties, including assigning accounts to one or more projects.
        Projects are used to manage access.
      4. Onboard the accounts.

    Step: Configure Event Monitoring
    Procedure: Select the accounts that you want to collect real-time event data from and configure the event monitor.
      1. Select the member accounts.
      2. Configure the event monitoring.
  5. Click Save and Finish.

  6. On the Accounts page, verify that the accounts that you added are included in the table as individual entries.

What to do next

  • The collection might take up to thirty minutes before you see data. To monitor the process, select Explore > Search and click the Inventory tab. See Reviewing your discovered inventory.
  • If you need to make changes to an AWS account, select Administration > Set Up and Configure > Accounts, expand the details for the target account, and click Edit Account or edit the individual account properties.

Parent topic: Setting up data connections in VMware Tanzu Hub
