NewAccountSteps.md

File metadata and controls

34 lines (30 loc) · 2.3 KB

These steps are currently impossible in CloudFormation without a lot of hoop jumping, so they are done by hand or with the CLI.

All accounts

  1. Log in as root, set strong password and turn on MFA for the root account
  2. Turn on 'block public access' in S3 at the account level (cloudformation issue: aws-cloudformation/cloudformation-coverage-roadmap#168)
  3. Deactivate unused STS regions in IAM / account settings
  4. Create access keys for root
  5. Bootstrap the account for CDK: `npx cdk bootstrap --bootstrap-kms-key-id AWS_MANAGED_KEY --profile [aws profile name] aws://[account id]/eu-west-2`
  6. Run: `npx cdk deploy AllAccountsStack --profile [aws profile name]`
  7. Verify that the users have been created by the stack
  8. Update the bootstrap so the CloudFormation execution role uses the developer policy: `npx cdk bootstrap --cloudformation-execution-policies "arn:aws:iam::[account id]:policy/developerPolicy" --bootstrap-kms-key-id AWS_MANAGED_KEY --profile [aws profile name] aws://[account id]/eu-west-2`
  9. Update password policy (due to aws-cloudformation/cloudformation-coverage-roadmap#107):
    aws iam update-account-password-policy \
        --minimum-password-length 50 \
        --require-symbols \
        --require-numbers \
        --require-uppercase-characters \
        --require-lowercase-characters \
        --no-allow-users-to-change-password \
        --password-reuse-prevention 24
    
  10. Delete root account keys
  11. Run `tools/delete-vpcs.sh`
  12. Add the account number to the list of accounts in the `ChildAccounts` parameter of the parent-account stack
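A post-bootstrap check for steps 1, 2, 9 and 10 above, added here as an example and not part of this repo. It reads the JSON printed by `aws iam get-account-password-policy`, `aws iam get-account-summary` and `aws s3control get-public-access-block --account-id [account id]` and lists what is still outstanding; the sample outputs at the bottom are constructed, not captured from a real account.

```python
import json

# Step 9 sets these flags (ExpirePasswords is not touched by that command, so it is not checked).
REQUIRED_POLICY = {
    "MinimumPasswordLength": 50, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": False, "PasswordReusePrevention": 24,
}
# Step 2 turns on all four account-level S3 block public access flags.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_account(password_policy_json, account_summary_json, public_access_json):
    """Compare CLI JSON output against steps 1, 2, 9 and 10; return a list of findings."""
    findings = []
    # Step 9: get-account-password-policy fails with NoSuchEntity when no policy exists,
    # so the caller passes None in that case and every required field is reported.
    policy = json.loads(password_policy_json)["PasswordPolicy"] if password_policy_json else {}
    for key, want in REQUIRED_POLICY.items():
        got = policy.get(key)
        ok = (got is not None and got >= want) if key == "MinimumPasswordLength" else (got == want)
        if not ok:
            findings.append(f"password policy {key}: expected {want}, got {got}")
    # Steps 1 and 10: get-account-summary reports root MFA and whether root access keys exist.
    summary = json.loads(account_summary_json)["SummaryMap"]
    if summary.get("AccountMFAEnabled") != 1:
        findings.append("root MFA not enabled")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root access keys still present")
    # Step 2: s3control get-public-access-block at account level.
    pab = json.loads(public_access_json).get("PublicAccessBlockConfiguration", {})
    findings += [f"S3 public access block {f} not enabled" for f in PAB_FLAGS if pab.get(f) is not True]
    return findings


# Constructed sample output for an account where steps 9 and 10 are still outstanding.
SAMPLE_POLICY = json.dumps({"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False}})
SAMPLE_SUMMARY = json.dumps({"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 1}})
SAMPLE_PAB = json.dumps({"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}})

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_POLICY, SAMPLE_SUMMARY, SAMPLE_PAB):
        print("FAIL:", finding)
```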

Root account only

  1. Turn on billing access via IAM: open https://console.aws.amazon.com/billing/home?#/account, then under "IAM User and Role Access to Billing Information" choose Edit, tick "Activate IAM Access" and click Update
  2. Run: `aws ce update-cost-allocation-tags-status --cost-allocation-tags-status TagKey=aws_cloudformation_stack-name,Status=Active`
  3. Run: `aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com`
  4. Run: `aws cloudtrail create-trail --name all-accounts-management-events --s3-bucket-name ${CloudTrailLogsBucket} --is-organization-trail --is-multi-region-trail` (`IsOrganizationTrail` is not supported by CloudFormation yet, so the CLI has to be used; see aws-cloudformation/cloudformation-coverage-roadmap#45)
  5. Run: `aws cloudtrail start-logging --name all-accounts-management-events`