Create Data Collection / Configure Delegated Admin

AWS Account w/ Delegated Admin

The New Account Onboarding Process for FinOps Center is facilitated by access to the Account Management API in the Management Account. Within an AWS Cloud Estate, one account can be configured as the Delegated Admin, and this is the account where FinOps Center is installed.

Steps to Create Delegated Admin if not created

  1. Creation of New Account - Customers are advised to create an account (if one does not already exist) that requires Delegated Admin privileges, particularly for services like Security Hub and Systems Manager. While the naming convention is flexible, Cloud Scal3 refers to this account as the CloudOps Account.

  2. Enablement via Security Hub - Follow the instructions provided for enabling an account to be Delegated Admin via Security Hub Setup. This involves configuring the Delegated Admin Account through Security Hub.

By following these steps, the integration for Account to Budget onboarding through FinOps Center is facilitated efficiently and securely.

https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-delegated-admin.html
Delegated Admin Account via Security Hub Configuration

FinOps Center's Installation Components


The installation of FinOps Center requires configuring your AWS Cloud Estate within the Management Account and the Delegated Admin or Data Collection Account where the application will be installed.

Pre-Requisite Task (~1hr)

Tasks in Management Account

  • Create Cost and Usage Report via Data Exports - via CID Framework

  • Create S3 Bucket for Cost and Usage Report - via CID Framework

  • Create IAM Role for S3 Bucket Replication - via CID Framework

  • S3 Management setup of Bucket Replication and Batch Operation (optional)

  • Enable Delegated Admin Account (we suggest configuring it via AWS Organizations, Security Hub, or IAM Identity Center).

Access Requirement

  1. Admin - creating IAM Role

Tasks in Designated Admin / Data Aggregation (~1hr)

  1. Create Target Bucket for the Cost and Usage Report via Data Exports - via CID Framework.

  2. Create S3 Bucket for Bucket Replication and Frontend Application

  3. Configure S3 Buckets with CloudFront

  4. Launch and Configure QuickSight

Access Requirement

  1. Admin, as the CFT creates IAM roles

FinOps Center may take ~8 Hrs to load all Cost and Usage Data and 1 Day for Cost Recommendations.

Create IAM Profile for FinOps Center Installation

  • Subscribe and install FinOps Center Marketplace offering

  • Launch EC2 to copy FinOps Center code to S3 Bucket

  • Install FinOps Center from CloudFormation

  • Setup Amazon QuickSight and CID Framework

  • Data Exports

    FinOps Center leverages the work from the AWS CID Framework so that customers can use the various QuickSight Dashboards created by the OPTICS Team. Scripts need to be run in both the Management and Data Collection Account.

    https://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/deployment-in-global-regions.html UPDATED Location

    Creating CUR via CID Framework

    To enable the Cost Recommendation Process and Data, the Cost Optimization Recommendations need to be enabled in both the Master Payer and Data Collector Account (FinOps Center Account).

    Create SSL Cert with AWS Certificate Manager

    To create the SSL Certificate for your Front End Application Bucket that will be used in the CloudFront Distribution, navigate to AWS Certificate Manager and Request a Certificate.

    Add the Domain for the FinOps Center Application and select DNS Validation.

    Save the CNAME name and CNAME Value.

    Log in to the Route 53 Account (likely the Management Account).

    Navigate to your Hosted Zone and Create a new A Record.

    Add the DNS entries for the subdomain from what was saved, with the Value, to validate the SSL Certificate.

    In approximately 5 to 10 minutes the Certificate in the FinOps Center Account will show as Validated and can be added to the Distribution.

    DNS Configuration

    Once the CloudFront Distribution is created, the distribution needs to be configured in your DNS.

    If your DNS is in Route 53, add the subdomain for the distribution.

    If you use an alternative DNS server, add the distribution as a CNAME.

    Create S3 Bucket and CloudFront Distribution Web Application Bucket Configuration

    FinOps Center Front End Application is deployed to and is served from S3.

    Navigate to S3 and Create a new S3 Bucket in US-East-1 (N. Virginia)

    Navigate to CloudFront and create a new distribution.

    Updated for new AWS UI

    Create a name for your Distribution and add your customer Domain. Note: it will try to validate the URL, but select Skip for Now.

    Leave the S3 selection and select Browse S3.

    Select your bucket and Select Choose

    Leave the Origin Path to Default and Select Next

    Do not Create a WAF and Select Next

    Create Distribution

    With the Distribution created, we will need to Edit the Settings.

    In the Settings we are going to add the Domain Name of the application and select the SSL Certificate that was created for it.

    In the Behavior Settings, update to have all traffic redirected to HTTPS.

    Ensure to update the specified settings below, unless instructed otherwise, while leaving the rest as default.

    Update Viewer

    Navigate to the S3 Bucket for the FinOps Center Application and open Permissions. Edit the Permissions with the Policy from CloudFront.

    Navigate to Route 53 or your Domain Controller and Create an A Record that is the Domain Name of your distribution.

    Create A Record

    Example of CloudFront Distribution

    Route 53 Record

    CloudFront Error Page

    Within your CloudFront Distribution, add a custom error response for 403 to /index.html with an HTTP Response of 200 OK.
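
A check of the settings configured by hand above, as an added example that is not FinOps Center's or AWS's own code: it audits a CloudFront DistributionConfig and the application bucket's policy for the domain name, attached certificate, HTTPS redirect, 403 error response and a bucket policy scoped to the distribution. It assumes the "Policy from CloudFront" is the CloudFront service-principal policy; the function names, domain, ARNs and sample data are constructed for illustration.

```python
# Added example; every ARN, domain and sample config here is constructed.
DOMAIN = "finops.example.com"
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLE123"

def audit_distribution(cfg, domain):
    """Check a CloudFront DistributionConfig dict against the guide's settings."""
    findings = []
    if domain not in cfg.get("Aliases", {}).get("Items", []):
        findings.append("domain name missing from distribution")
    if not cfg.get("ViewerCertificate", {}).get("ACMCertificateArn"):
        findings.append("no ACM certificate attached")
    vpp = cfg.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy")
    if vpp != "redirect-to-https":
        findings.append(f"viewer protocol policy is {vpp}")
    errs = cfg.get("CustomErrorResponses", {}).get("Items", [])
    if not any(e.get("ErrorCode") == 403 and e.get("ResponsePagePath") == "/index.html"
               and str(e.get("ResponseCode")) == "200" for e in errs):
        findings.append("no 403 -> /index.html (200) error response")
    return findings

def audit_bucket_policy(policy, dist_arn):
    """Flag Allow statements that open the bucket beyond this distribution."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal in ("*", {"AWS": "*"}):
            findings.append(f"{st.get('Sid')}: any principal allowed")
        elif principal == {"Service": "cloudfront.amazonaws.com"}:
            cond = st.get("Condition", {}).get("StringEquals", {})
            # Condition key names are case-insensitive in IAM policies.
            src = {k.lower(): v for k, v in cond.items()}.get("aws:sourcearn")
            if src != dist_arn:
                findings.append(f"{st.get('Sid')}: not scoped to this distribution")
    return findings

SAMPLE_CFG = {  # shaped like DistributionConfig from get-distribution-config
    "Aliases": {"Quantity": 1, "Items": [DOMAIN]},
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example"},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "CustomErrorResponses": {"Quantity": 0}}
SAMPLE_POLICY = {"Statement": [
    {"Sid": "AllowCloudFront", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"Service": "cloudfront.amazonaws.com"}, "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}},
    {"Sid": "PublicRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": "*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
for finding in audit_distribution(SAMPLE_CFG, DOMAIN) + audit_bucket_policy(SAMPLE_POLICY, DIST_ARN):
    print("FINDING:", finding)
```

To run it against a real deployment, pass in the `DistributionConfig` object returned by `aws cloudfront get-distribution-config` and the parsed JSON from `aws s3api get-bucket-policy`.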