Registration Guide
-
Introduction
The following guide will show you how to set up your account to allow Costi to access it in a secure manner. To do this, we will create a separate role for Costi.
There are two options: use a CloudFormation template or set up the role manually.
First, please register to CloudHiro, confirm the email you get and log in.
Use a CloudFormation template:
-
Log in to your AWS account as an admin.
Click the following link: Setup Costi role, which will pre-configure the CloudFormation values for you.
Alternatively, use the following link: Setup Costi Read Only, which will only give the Costi role read permission.
Click 'Next'. You will be asked for a parameter called ExternalID. You can find that parameter here.
Click 'Next' three times.
Mark the "I acknowledge that AWS CloudFormation might create IAM resources with custom names." checkbox at the bottom of the page.
Click the "Create stack" button.
That's it, you're all done!
Create the Costi role manually:
-
Create security credentials for Costi
We will create a separate role for Costi.
With the manual method you can control what Costi can and cannot do. The following steps will show you how.
First, log in to your account and click the account menu on the top right corner.
Click 'My Security Credentials' in the drop-down menu.
-
Create role
Select 'Another AWS account' as the type of the trusted entity.
Enter '545334166883' (CloudHiro account ID) in the 'Account ID' text box.
Mark the 'Require external ID (Best practice when a third party will assume this role)' checkbox under options.
You can find the unique value for ExternalID here.
Click 'Next: Permissions' at the bottom to continue.
-
Attach permissions policies
Select one or more policies to attach.
If you want Costi to have read-only access please add the following permissions:
- AmazonEC2ReadOnlyAccess
- AmazonS3ReadOnlyAccess
- AmazonRDSReadOnlyAccess
- AmazonDynamoDBReadOnlyAccess
- AmazonRedshiftReadOnlyAccess
- AWSElasticBeanstalkReadOnlyAccess
- AmazonElastiCacheReadOnlyAccess
- CloudWatchReadOnlyAccess
- AmazonGuardDutyReadOnlyAccess
- AWSOrganizationsReadOnlyAccess
- For EKS, click "Create policy" and then:
  - Choose the EKS service and select both the read and list checkboxes.
  - Under resources choose all resources and click "Review policy".
  - Give the policy the name EKS_RO and click "Create policy".
  - Search for the policy and check the box on the left to attach it to the role.
This means Costi will not be able to start or stop any servers for you but will be able to send notifications and recommendations.
If you want Costi to have full access please add the following permissions:
- AmazonEC2FullAccess
- AmazonS3FullAccess
- AmazonRDSFullAccess
- AmazonDynamoDBFullAccess
- AmazonRedshiftFullAccess
- AWSElasticBeanstalkFullAccess
- AmazonElastiCacheFullAccess
- CloudWatchFullAccess
- AmazonGuardDutyFullAccess
- AWSOrganizationsReadOnlyAccess
- For EKS, click "Create policy" and then:
  - Choose the EKS service and select the all services checkbox.
  - Under resources choose all resources and click "Review policy".
  - Give the policy the name EKS_All and click "Create policy".
  - Search for the policy and check the box on the left to attach it to the role.
Attach a newly created Trusted Advisor access policy.
- Click on the create policy button.
- In the tab that opens, please click "Choose a service".
- Search for "Trusted Advisor", select it, and check "All Trusted Advisor actions".
- Under resources check "All resources".
- Then, click "Next: tags" and "Next: Preview".
- Give the policy the name "TrustedAdvisorAll" and click "Create policy".
- Once done, you can choose the newly created policy and add it to the permissions.
Then click 'Next: Tags' at the bottom to continue. You can skip over the tags.
-
Review and create
Review the information you just entered, then click 'Create role' to proceed.
-
Mission accomplished
The new role is now added to your Resource roles list.
All done.
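A check for the trust relationship that the role steps above produce, added here as an example and not CloudHiro's own code: it confirms that only account 545334166883 can assume the role and that the external ID is required. The function names, the sample policies, the account 111122223333 and the value EXAMPLE-EXTERNAL-ID are assumptions for illustration; feed it the role's trust policy document and your own ExternalID.

```python
CLOUDHIRO_ACCOUNT_ID = "545334166883"  # account ID stated in this guide
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}  # action names are case-insensitive


def _as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_external_id):
    """Return findings for a role trust policy; an empty list means it matches the guide."""
    findings, grants = [], 0
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        grants += 1
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: principal is not limited to an AWS account")
            continue
        for entry in _as_list(principal["AWS"]):
            # Accept a bare account ID or an ARN such as arn:aws:iam::<account>:root
            parts = entry.split(":")
            account = parts[4] if len(parts) == 6 else entry
            if account != CLOUDHIRO_ACCOUNT_ID:
                findings.append(f"statement {i}: unexpected trusted principal {entry}")
        # Condition keys are case-insensitive in IAM, so compare them lowercased.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if external_id is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif _as_list(external_id) != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match the expected value")
    if grants == 0:
        findings.append("no statement allows sts:AssumeRole")
    return findings


def sample_policy(account, external_id=None):
    """Constructed sample shaped like the policy written for 'Another AWS account'."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"}}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


if __name__ == "__main__":
    for policy in (sample_policy(CLOUDHIRO_ACCOUNT_ID, "EXAMPLE-EXTERNAL-ID"),
                   sample_policy(CLOUDHIRO_ACCOUNT_ID),
                   sample_policy("111122223333", "EXAMPLE-EXTERNAL-ID")):
        print(audit_trust_policy(policy, "EXAMPLE-EXTERNAL-ID") or "OK")
```

A role that passes returns an empty list; a missing external ID condition is the finding to act on first, since the external ID is what stops another customer of the same third party from having it assume your role.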
-
Rollback
If you ever want to disallow access, you can simply remove the policies from the role.