Automating rollout of the ProsperOps IAM role across an AWS Organization

This article applies to ProsperOps customers who are not reselling AWS.


In order to ingest usage telemetry in real time, ProsperOps requires a least-privilege IAM role in every AWS account in an Organization. For customers with many AWS accounts, or with an “account factory” that frequently adds new AWS accounts, automating creation of the ProsperOps role reduces both the initial effort required to subscribe and the ongoing effort needed to keep our service's access in place as the Organization grows.

There are a variety of methods that can be used to automate the rollout of the ProsperOps role, but regardless of approach, it’s relatively straightforward because the ProsperOps role configuration (e.g., name, external ID, etc.) and IAM policy are identical for all AWS accounts in a given Organization*. 

If you have multiple AWS Organizations subscribed with ProsperOps, use the ProsperOps-provided code for each Organization separately, since the external ID is Organization-specific and code generated for one Organization will not validate in another.

* Note: If you subscribed prior to May 2021, you may have already configured external IDs that are AWS account-specific. All new AWS accounts added to your Organization going forward will receive the consistent Organization-wide external ID; however, the old account-specific external IDs remain intact on AWS accounts that were already configured. If you would like to automate rollout of the ProsperOps role across your Organization using a single consistent external ID, please reach out to help@prosperops.com for assistance.

Initial Onboarding to ProsperOps

Onboarding to our platform requires creating the ProsperOps role on every AWS account in your Organization, beginning with the Management Account. Our Console has an automated onboarding workflow that provides several options for you to configure the ProsperOps role, including customized AWS CLI commands, Terraform configurations, and CloudFormation templates. 

Log in to the ProsperOps Console and copy the appropriate ProsperOps role creation code for your Management Account (Terraform is shown in the screenshot below but choose whatever method works best for you).

Deploy the code against the AWS Management Account. Once complete, return to the ProsperOps Console and click the Validate Access button. If access is successfully validated, your process works.

The next step of the onboarding workflow is to create the ProsperOps role in every Member Account. The exact same code you already deployed can be targeted against every AWS Member Account in the Organization. No account-specific customization is required. 

Add the code to your deployment pipeline and target all AWS accounts in the AWS Organization. Once complete, chat with our team via the Console or send an email to help@prosperops.com and we will validate all Member Accounts en masse.
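Because the role configuration is identical in every account, the only things that can go wrong when rolling it out are the trust policy's principal and external ID. The following Python is an added example, not ProsperOps' own code (the Console generates the real role code for you). It shows the shape of a cross-account trust policy that is the same for every account, and an audit you can run over trust policies collected from each Member Account before asking the team to validate them en masse. It flags the two failure modes this article describes: a legacy account-specific external ID left over from before May 2021, and a hand-built role that omits the external ID condition. The vendor account ID, external ID and role name are placeholders, the sample trust policies are constructed for illustration, and the permissions policy is left out because this page does not publish it.

```python
"""Build and audit the cross-account trust policy of a ProsperOps-style IAM role.

Added example, not ProsperOps' own code. The account IDs, external ID and role
name are placeholders; take the real values from the ProsperOps Console code
for your Organization.
"""
import json

# Placeholders (assumptions): the vendor account allowed to assume the role and
# the Organization-wide external ID issued to you.
VENDOR_ACCOUNT_ID = "111111111111"
ORG_EXTERNAL_ID = "example-org-external-id"
ROLE_NAME = "ProsperOps"


def build_trust_policy(vendor_account_id: str, external_id: str) -> dict:
    """Trust policy that is identical for every account in the Organization.

    Only the vendor's account may assume the role, and only when it presents the
    expected sts:ExternalId (the standard confused-deputy protection).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_trust_policy(policy: dict, vendor_account_id: str, external_id: str) -> list:
    """Return a list of findings; an empty list means the trust policy is as expected."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    allow = [s for s in statements if s.get("Effect") == "Allow"]
    if not allow:
        return ["no Allow statement: the vendor cannot assume the role"]
    expected_principals = (f"arn:aws:iam::{vendor_account_id}:root", vendor_account_id)
    for stmt in allow:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            findings.append(f"unexpected action(s) {actions}")
        principal = stmt.get("Principal")
        principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(principals, str):
            principals = [principals]
        if principal == "*" or "*" in principals:
            findings.append("wildcard principal: any AWS account may assume the role")
        elif not principals:
            findings.append("no AWS principal in statement")
        for p in principals:
            if p not in expected_principals and p != "*":
                findings.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        found_id = cond.get("sts:ExternalId")
        if found_id is None:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif found_id != external_id:
            findings.append(f"external ID {found_id!r} differs from the Organization-wide value")
    return findings


def audit_organization(trust_policies: dict, vendor_account_id: str, external_id: str) -> dict:
    """Map account ID -> findings for only those accounts that need remediation."""
    report = {}
    for account_id, policy in trust_policies.items():
        findings = audit_trust_policy(policy, vendor_account_id, external_id)
        if findings:
            report[account_id] = findings
    return report


# Constructed sample: trust policies of three Member Accounts, as collected with
# `aws iam get-role --role-name ProsperOps` (AssumeRolePolicyDocument) in each account.
SAMPLE_TRUST_POLICIES = {
    "222222222222": build_trust_policy(VENDOR_ACCOUNT_ID, ORG_EXTERNAL_ID),
    # Legacy account configured before May 2021 with an account-specific external ID.
    "333333333333": build_trust_policy(VENDOR_ACCOUNT_ID, "legacy-per-account-id"),
    # Hand-built role that omitted the external ID condition entirely.
    "444444444444": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
                       "Action": "sts:AssumeRole"}],
    },
}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(VENDOR_ACCOUNT_ID, ORG_EXTERNAL_ID), indent=2))
    for account, findings in audit_organization(
            SAMPLE_TRUST_POLICIES, VENDOR_ACCOUNT_ID, ORG_EXTERNAL_ID).items():
        print(account, findings)
```

Running the audit on the constructed sample reports accounts 333333333333 (external ID differs) and 444444444444 (condition missing) and stays silent about 222222222222, which is the state you want every account in before you ask for en-masse validation. A role that is missing the external ID condition will still pass a plain access check, so this audit catches a weakening that "Validate Access" alone does not.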

AWS Accounts added after Subscription

For Organizations actively subscribed to ProsperOps, you will want to add the ProsperOps role creation code to your new AWS account creation process. If you already have the ProsperOps-provided code from onboarding, you can reuse it.

If you no longer have it, you will receive an automated email requesting that ProsperOps access be configured whenever our service detects a new AWS account in the Organization. The email links to the ProsperOps Console, where you can copy the role creation code. Add it to your new AWS account creation process.

Once your account creation process creates the ProsperOps role automatically, you should no longer receive email notifications requesting that ProsperOps access be configured. When ProsperOps detects a new AWS account, it first attempts to validate access. If validation succeeds, the new account is automatically activated within the ProsperOps platform.

Note: ProsperOps discovers new AWS accounts hourly. If our service detects the new account before your automation has added our role, you may still receive an email notification. If that happens, you can ignore the first email; our service will validate the account during the next hourly access check. If you receive multiple notifications for the same AWS account, treat that as the signal that your automation is not creating the role correctly.

AWS CloudFormation StackSets

CloudFormation StackSets is a native AWS capability for deploying the same template across multiple AWS accounts and regions within an Organization, and it can automatically deploy to accounts added to a targeted organizational unit. We highly encourage using StackSets to automate ProsperOps IAM role creation.

Please follow the details in the help article below to set up a StackSet which automates the deployment of the ProsperOps IAM role:

Deploying the ProsperOps IAM role via AWS CloudFormation StackSets

If you have questions about using StackSets to automate the rollout of the ProsperOps role across your Organization, please chat with our team or reach out to help@prosperops.com.