Configuring your GovCloud account is slightly different than configuring a standard account in CloudCheckr. Standard accounts require one set of AWS credentials, but you can use two sets of AWS credentials for GovCloud accounts: one set for the GovCloud account and a second set for the commercial account associated with the GovCloud account. Depending on the organizational structure, this second account may be a linked commercial account or a payer account. You need the commercial account credentials because the cost data for the GovCloud account is written to the commercial account with the region GovCloud. In addition, you must add the master payer account to CloudCheckr to get cost data.
The Payer credentials are optional, but if you do not add them, CloudCheckr will not be able to report on the AWS costs for the GovCloud account.
Note: If you create a CloudCheckr account for the associated commercial account and you don’t add the GovCloud account, the costs associated with the GovCloud account will show up in the region GovCloud for the commercial account.
- Depending on whether this will be the first account you are adding to CloudCheckr, or if you’ve already added accounts, you will click the “Configure your first account” link, or click NEW BUTTON.
- Type a name for your account, go to the Cloud Provider section and select Amazon Web Services, and click Create.
Once your GovCloud account is created, you will need to add your AWS GovCloud account credentials and another pair of credentials. Once those are added and saved you can establish which CloudCheckr email reports and alerts you would like to receive.
To connect to your AWS GovCloud and Payer account, CloudCheckr needs an IAM access key and secret key from each. We strongly recommend that you create a Read-Only user for each in AWS IAM and use those keys in CloudCheckr.
You can create read-only credentials using one of these methods:
If you are adding GovCloud credentials, select the Credentials are for the GovCloud (US) Region check box, which will display the Credential fields for the AWS Payer account. If you do not see this check box, submit a ticket to our support team via the CloudCheckr Service Desk Portal. You will only be able to add a GovCloud account if you see that check box.
- When adding the payer account credentials you must use an access key and secret key from the account that the GovCloud account is linked to. This may or may not be your AWS master payer account.
- If the GovCloud account is directly linked to an AWS payer account, CloudCheckr will ingest the cost data from Amazon.
- If the GovCloud account is linked to a commercial account that is a payee under an AWS payer account, you will need to add that payer account as a separate account in CloudCheckr because the master payer account stores all of the billing data. There’s no way to access that data through one of its payee accounts. When you add a master payer account into CloudCheckr along with its payees, CloudCheckr will parse the billing data appropriately across the sub-accounts, so you will have access to each account’s billing data (including GovCloud) with this setup.
- In addition, if the GovCloud account is linked to a commercial account, then the IAM access key for that commercial account has to be added. If you add the master payer account access keys and the GovCloud account is linked to a separate commercial account, then cost data will not be passed down correctly.
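Before entering either key pair, it is worth confirming that the IAM policy behind it is actually read-only and targets the right partition (`aws-us-gov` for the GovCloud account, `aws` for the commercial or payer account). The following is an added example, not CloudCheckr's own code or policy; the read-only verb prefixes, the sample policies and the bucket name are assumptions made for illustration.

```python
import json

# Verb prefixes treated as read-only here: an assumption of this example,
# not a list published by CloudCheckr or AWS.
READ_PREFIXES = ("get", "list", "describe", "view", "lookup", "batchget")
# ARN partition expected for each credential set.
PARTITION = {"govcloud": "aws-us-gov", "commercial": "aws"}

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def audit_policy(policy, account_kind):
    """Return findings for a policy meant for a read-only monitoring user."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant write access
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow + NotAction grants every unlisted action")
        for action in as_list(stmt.get("Action")):
            verb = action.partition(":")[2].lower()  # IAM actions are case-insensitive
            if not verb.startswith(READ_PREFIXES):
                findings.append(f"statement {i}: action is not read-only: {action}")
        for arn in as_list(stmt.get("Resource")):
            parts = arn.split(":")
            if arn != "*" and (len(parts) < 6 or parts[1] != PARTITION[account_kind]):
                findings.append(f"statement {i}: wrong partition for {account_kind}: {arn}")
    return findings

# Constructed sample policies (bucket name and actions are illustrative).
GOV_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:List*", "iam:Get*"], "Resource": "*"}
  ]
}""")
COMMERCIAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws-us-gov:s3:::example-billing-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    for kind, policy in (("govcloud", GOV_POLICY), ("commercial", COMMERCIAL_POLICY)):
        for finding in audit_policy(policy, kind) or ["no findings"]:
            print(f"{kind}: {finding}")
```

Prefix matching is a heuristic: it catches write, delete and wildcard actions, but some `Get*` actions still return sensitive data, so review the allowed services as well.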
Review Data within the GovCloud Account
Depending on the size of your AWS deployment, the snapshot may take only a few minutes or a couple of hours. As soon as your initial snapshot finishes, CloudCheckr will send you an Inventory Summary, S3 Summary, and Best Practices Report email (if you entered an email address when configuring your account).
Once your initial snapshot finishes, you can begin reviewing the data within your account.
If you chose not to add your payer credentials when creating your account, you can add those at any point by editing the account.
Creating AWS Credentials Using IAM Access Keys
Complete IAM Policy