Configuring your GovCloud account within CloudCheckr is slightly different from configuring a standard account. Standard accounts require a single set of AWS credentials, whereas GovCloud accounts can be populated with two different sets of AWS credentials: one for the GovCloud account and a second for the AWS payer account. The payer account credentials are needed because the detailed billing file is not written to the GovCloud account; it is written to the payer account for GovCloud.
The Payer credentials are optional, but if they are not added, CloudCheckr will not be able to report on the AWS costs for the GovCloud account.
NOTE: If you also create a CloudCheckr account for the Payer account, you will see the GovCloud costs reported as a region within that account.
If this is the first account you are adding to CloudCheckr, click the “Configure your first account” link. If you’ve already added accounts, click the “+ New Account” button.
Next, give your account a unique identifying name. Once you have named your new account, click the Create button.
Upon creation, you will need to configure your new account. You will add your AWS GovCloud account credentials as well as your Payer account credentials (optional). Once those are added and saved, you can establish which CloudCheckr email reports and alerts you would like to receive.
To connect to your AWS GovCloud and Payer account, CloudCheckr needs an IAM Access Key and Secret Key from each. We strongly recommend that you create a Read-Only Access user for each in AWS IAM and use those Keys within CloudCheckr.
Read-Only Access Keys can be created in either of the following two ways:
- Using the AWS Read-Only Policy and CloudCheckr’s Additional Policy: https://support.cloudcheckr.com/getting-started-with-cloudcheckr/adding-credentials-in-cloudcheckr/creating-an-aws-user-group-and-policy/
- Using CloudCheckr’s full Read-Only policy: https://support.cloudcheckr.com/creating-read-only-policy/.
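Before entering either key pair, you can confirm that the policy attached to each IAM user really is read-only. The following is an added example, not CloudCheckr's own code: it flags any Allow statement that grants more than read access. The verb list, the function names and the sample policy are assumptions constructed for illustration.

```python
import json

# Assumption: verbs treated as read-only; a heuristic, not an AWS-defined list.
READ_ONLY_VERBS = ("get", "list", "describe", "batchget", "view", "lookup")


def _as_list(value):
    """IAM accepts a single string or dict wherever a list is also valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def non_read_only_actions(policy):
    """Return findings for Allow statements that grant more than read access."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant access
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append("NotAction in Allow statement")
        for action in _as_list(stmt.get("Action")):
            # Action names are case-insensitive and shaped "service:Verb...".
            verb = action.split(":", 1)[-1].lower()
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(action)  # includes "*" and "service:*"
    return findings


# Constructed sample policy, not CloudCheckr's published policy.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "s3:List*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateAccessKey"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for finding in non_read_only_actions(SAMPLE_POLICY):
        print("not read-only:", finding)
```

Run it against the policy JSON for both the GovCloud user and the Payer user. A policy that passes can still expose sensitive data through read actions, so review which services it covers as well.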
If you are adding GovCloud credentials, you must select the “Credentials are for the GovCloud (US) Region” checkbox. Doing this will display the credential fields for the AWS Payer account.
- When adding the payer account credentials, you must use an Access Key and Secret Key from the account that the GovCloud account is linked to. This may or may not be your AWS master payer account.
- If the GovCloud account is directly linked to an AWS payer account, the cost data will pull from Amazon.
- If the GovCloud account is linked to a commercial account that is a payee under an AWS payer account, that payer account will need to be added as its own account into CloudCheckr. The reason for this is that all of the billing data is stored in the master payer account. There’s no way to access that data through one of its payee accounts. When you add a master payer account into CloudCheckr along with its payees, CloudCheckr will parse the billing data appropriately across the sub-accounts, so you will have access to each account’s billing data (including GovCloud) with this setup.
Depending on the size of your AWS deployment, the snapshot may take only a few minutes or a couple of hours. As soon as your initial snapshot finishes, CloudCheckr will send you an Inventory Summary, S3 Summary, and Best Practices Report email (if you entered an email address when configuring your account).
Once your initial snapshot finishes, you can begin reviewing the data within your account.
If you chose NOT to add your Payer credentials when creating your account, you can add them at any point by editing the account.