Deployment
Deployment of the stack consists of two steps: the first in the Management Account and the second in the Data Collection Account. If you do not have access to the Management Account, please follow this guide.

Prerequisites for deployment
- Access to the Management AWS Account of the AWS Organization to deploy CloudFormation. You need permissions in the Management Account to create an IAM role and policy and to deploy CloudFormation Stacks and StackSets. Note: If you do not have access to the Management Account, you can perform an alternate deployment of certain modules with a manually created list of Linked Accounts.
- Access to a Linked Account, referred to as the Data Collection Account.
- Deployment can only be done in the following regions: (eu-west-1, us-east-2, us-east-1, us-west-1, us-west-2, ap-southeast-1, eu-central-1, eu-west-2, eu-north-1, ap-southeast-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-northeast-1, ca-central-1, eu-west-3, sa-east-1). Please make sure you choose one of these regions to install the Data Collection stack.
- Lambda concurrent executions limit of at least 500 (1000 is recommended) in your Data Collection Account. Most accounts will have the regular default of 1000. But depending upon how your account was provisioned, such as through Control Tower, it may have a default limit of only 10, which is insufficient for effective operation. You can check and increase your limit via the Service Quotas console.
- The Trusted Advisor and Support Cases Modules of Data Collection require a Business, Enterprise On-Ramp, or Enterprise Support plan. Please see more information about prerequisites of individual modules on GitHub.
Step 1. [In Management Accounts] Deploy the Read Permissions stack
Prerequisites: Make sure that trusted access with AWS Organizations is activated. The Management Account stack makes use of stack sets configured to use service-managed permissions to deploy stack instances to linked accounts in the AWS Organization. Typically, in Organizations this is already the case. For a new Organization, you can activate it by going to the StackSets page of CloudFormation.
Log in to the Management Account and click Launch Stack to deploy the Permission Stack.
- To ensure full visibility of data across your organization accounts, in the parameters section, we recommend passing the Organization Root ID as the organizational unit parameter (OrganizationalUnitID). You can check it here: https://console.aws.amazon.com/organizations/v2/home/accounts
- Make sure to select all modules that you want to allow access to your organization accounts data. You can check the list of the modules on GitHub.
- Please make sure you specify the Data Collection Account Id correctly. It is not the Management Account Id; it is the ID of the dedicated Data Collection Account.
- Click Next at the bottom of the Specify stack details stage, and then click Next again at the bottom of the Configure stack options stage to move to the Review stage. Click Submit at the end of the Review stage to initiate the update. This process will take a few minutes until completion.
Step 2. [In Data Collection Account] Deploy the Data Collection Stack
Log in to the Data Collection Account and click Launch Stack to deploy the Data Collection Stack.
- Please make sure you specify the same Prefix and Role Name parameters and the account Id of the Management Account (this can be a comma-separated list).
- In the same parameters section, update the regions from which data about resources will be collected. Specify at least the same regions your existing Data Collection stack uses.
- Click Next at the bottom of the Specify stack details stage, and then click Next again at the bottom of the Configure stack options stage to move to the Review stage. Click Submit at the end of the Review stage to initiate the update. This process will take a few minutes until completion.
After deployment you can check the execution state and then install Advanced Dashboards for collected data.
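
A pre-flight check of the prerequisites and stack parameters described above, as an added example that is not part of the project's own tooling. The function name `preflight`, its argument names and the sample values are assumptions made for illustration; it also assumes the organizational unit parameter holds a single Root or OU ID.

```python
import re

# Regions listed on this page as supported for the Data Collection stack.
SUPPORTED_REGIONS = {
    "eu-west-1", "us-east-2", "us-east-1", "us-west-1", "us-west-2",
    "ap-southeast-1", "eu-central-1", "eu-west-2", "eu-north-1",
    "ap-southeast-2", "ap-south-1", "ap-northeast-3", "ap-northeast-2",
    "ap-northeast-1", "ca-central-1", "eu-west-3", "sa-east-1",
}
ACCOUNT_ID = re.compile(r"\d{12}")
# AWS Organizations root (r-xxxx) or organizational unit (ou-xxxx-yyyyyyyy) ID.
ORG_UNIT_ID = re.compile(r"r-[0-9a-z]{4,32}|ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}")


def preflight(region, lambda_concurrency, data_collection_account_id,
              management_account_ids, organizational_unit_id):
    """Return a list of problems; an empty list means the inputs look sane.

    management_account_ids is the comma-separated string passed in Step 2.
    lambda_concurrency is the limit of the Data Collection Account, e.g.
    AccountLimit.ConcurrentExecutions from `aws lambda get-account-settings`.
    """
    problems = []
    if region not in SUPPORTED_REGIONS:
        problems.append(f"region {region!r} is not in the supported list")
    if lambda_concurrency < 500:
        problems.append(f"Lambda concurrency limit {lambda_concurrency} is below 500")
    if not ACCOUNT_ID.fullmatch(data_collection_account_id):
        problems.append("Data Collection Account Id is not a 12-digit account ID")
    mgmt_ids = [a.strip() for a in management_account_ids.split(",") if a.strip()]
    if not mgmt_ids:
        problems.append("no Management Account Id given")
    for acct in mgmt_ids:
        if not ACCOUNT_ID.fullmatch(acct):
            problems.append(f"Management Account Id {acct!r} is not 12 digits")
    # The read role trusts the Data Collection Account, so mixing up the two
    # account IDs points the trust at the wrong account.
    if data_collection_account_id in mgmt_ids:
        problems.append("Data Collection Account Id equals a Management Account Id")
    if not ORG_UNIT_ID.fullmatch(organizational_unit_id):
        problems.append("OrganizationalUnitID is not a root (r-...) or OU (ou-...) ID")
    return problems


# Constructed sample values, not real accounts.
GOOD = preflight("eu-west-1", 1000, "111111111111", "222222222222, 333333333333", "r-ab12")
BAD = preflight("af-south-1", 10, "222222222222", "222222222222", "o-abc123")
```

Run it with the values you intend to enter in the two stacks before clicking Launch Stack; any returned message names the parameter to correct.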