Configuring your GovCloud account within CloudCheckr differs slightly from configuring a standard account. Standard accounts require a single set of AWS credentials, whereas GovCloud accounts can be populated with two different sets of AWS credentials: one for the GovCloud account and a second for its associated commercial account. Depending on the organizational structure, this second account could be a linked commercial account or a payer account. The commercial account credentials are needed because the cost data for the GovCloud account is written to the commercial account under the region GovCloud. In addition, in order to get cost data, the master payer account has to be added to CloudCheckr.
The Payer credentials are optional, but if they are not added CloudCheckr will not be able to report on the AWS costs for the GovCloud account.
NOTE: If you create a CloudCheckr account for the associated commercial account and you don’t add the GovCloud account, then the GovCloud account’s cost will show up in region GovCloud for the commercial account.
If this is the first account you are adding to CloudCheckr, click the “Configure your first account” link. If you’ve already added accounts, click the “+ New Account” button.
Next, give your account a unique identifying name. Once you have named your new account, click the Create button.
Upon creation, you will need to configure your new account. You will add your AWS GovCloud account credentials as well as another pair of credentials in step 10. Once those are added and saved, you can establish which CloudCheckr email reports and alerts you would like to receive.
To connect to your AWS GovCloud and Payer accounts, CloudCheckr needs an IAM Access Key and Secret Key from each. We strongly recommend that you create a Read-Only Access user for each in AWS IAM and use those Keys within CloudCheckr.
Read-Only Access Keys can be created in either of the following two ways:
- Using the AWS Read-Only Policy and CloudCheckr’s Additional Policy: https://support.cloudcheckr.com/getting-started-with-cloudcheckr/adding-credentials-in-cloudcheckr/creating-an-aws-user-group-and-policy/
- Using CloudCheckr’s Complete IAM Policy: https://support.cloudcheckr.com/creating-read-only-policy/.
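Before the keys for either IAM user are entered into CloudCheckr, the policy attached to that user can be checked to confirm it really is read-only. The following is an added example, not CloudCheckr's or AWS's own code: the list of read verbs is an assumed heuristic, and both sample policies are constructed for illustration.

```python
import json
import re

# Assumption: verbs treated as read-only. A heuristic, not an AWS or CloudCheckr list.
READ_VERBS = ("get", "list", "describe", "batchget", "lookup", "search", "view")

def _as_list(value):
    """IAM accepts a single string or object where a list is also allowed."""
    return value if isinstance(value, list) else [value]

def is_read_only(action: str) -> bool:
    """True if the action name, up to its first wildcard, starts with a read verb."""
    if ":" not in action:
        return False                        # bare "*" or a malformed action
    name = action.split(":", 1)[1].lower()  # IAM action names are case-insensitive
    literal = re.split(r"[*?]", name, maxsplit=1)[0]
    return literal.startswith(READ_VERBS)

def audit_policy(policy: dict) -> list:
    """Return findings for Allow statements that grant more than read access."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue                        # Deny statements only reduce access
        if "NotAction" in stmt:
            findings.append(f"Statement {i}: Allow with NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only(action):
                findings.append(f"Statement {i}: non-read action {action}")
    return findings

# Constructed sample policies (not CloudCheckr's published policy).
READ_ONLY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:List*", "iam:Get*"], "Resource": "*"}]}""")
TOO_BROAD = json.loads("""{"Version": "2012-10-17", "Statement": {
  "Effect": "Allow", "Action": ["ec2:Describe*", "ec2:*", "s3:PutObject", "*"], "Resource": "*"}}""")

if __name__ == "__main__":
    for name, doc in (("READ_ONLY", READ_ONLY), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit_policy(doc) or "no findings")
```

A read verb does not imply low sensitivity: actions such as `s3:GetObject` pass this check while still exposing data, so the findings list is a floor for review, not a clean bill.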
If you are adding GovCloud Credentials, you must select the Credentials are for the GovCloud (US) Region check-box. Doing this will display the Credential fields for the AWS Payer account. If you do not see this check-box, then please contact Support by submitting a ticket via the CloudCheckr Service Desk Portal. You will only be able to add a GovCloud account if you see that check-box.
- When adding the payer account credentials, you must use an Access Key and Secret Key from the account that the GovCloud account is linked to. This may or may not be your AWS master payer account.
- If the GovCloud account is directly linked to an AWS payer account, the cost data will pull from Amazon.
- If the GovCloud account is linked to a commercial account that is a payee under an AWS payer account, that payer account will need to be added as its own account into CloudCheckr. The reason for this is that all of the billing data is stored in the master payer account. There’s no way to access that data through one of its payee accounts. When you add a master payer account into CloudCheckr along with its payees, CloudCheckr will parse the billing data appropriately across the sub-accounts, so you will have access to each account’s billing data (including GovCloud) with this setup.
- In addition, if the GovCloud account is linked to a commercial account, then the IAM Access Key for that commercial account has to be added in step 10. If you add the master payer account access keys in step 10 and the GovCloud account is linked to a separate commercial account, then cost data will not be passed down correctly.
Depending on the size of your AWS deployment, the snapshot may take only a few minutes or a couple of hours. As soon as your initial snapshot finishes, CloudCheckr will send you an Inventory Summary, S3 Summary, and Best Practices Report email (if you entered an email address when configuring your account).
Once your initial snapshot finishes, you can begin reviewing the data within your account.
If you chose NOT to add your Paying Credentials when creating your account, you can add those at any point by editing the account.