Automated deployment - AWS Perspective

Note

If you have previously deployed AWS Perspective and would like to upgrade to the latest version, refer to Update the stack.

Before you launch the solution, review the architecture, configuration, network security, and other considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

Time to deploy: Approximately 30 minutes

Prerequisites

Gather deployment parameter details

Before deploying AWS Perspective, review your configuration details for the Amazon OpenSearch Service (OpenSearch Service) service-linked role and AWS Config.

Verify whether you have an AWSServiceRoleForAmazonElasticsearchService role

The deployment creates an Amazon OpenSearch Service cluster inside an Amazon Virtual Private Cloud (Amazon VPC). The template uses a service-linked role to create the OpenSearch Service cluster; however, if you already have the role created in your account, use the existing role.

To check if you already have this role:

  1. Sign in to the Identity and Access Management (IAM) console for the account you plan to deploy this solution to.

  2. In the Search box below the menu, search for AWSServiceRoleForAmazonElasticsearchService.

If your search returns a role, select No for the CreateElasticsearchServiceRole parameter when you launch the stack.

Verify AWS Config is set up

AWS Perspective uses AWS Config to gather the majority of resource configurations. When deploying the solution or importing a new Region, you must confirm whether AWS Config is already set up and working as expected. The AlreadyHaveConfigSetup CloudFormation parameter informs AWS Perspective of whether to set up AWS Config.

The following snippet is taken from the AWS CLI Command Reference. Run the command in the Region where you intend to deploy AWS Perspective, or in the Region you intend to import into AWS Perspective.

aws configservice get-status

Output:

    Configuration Recorders:

    name: default
    recorder: ON
    last status: SUCCESS

    Delivery Channels:

    name: default
    last stream delivery status: SUCCESS
    last history delivery status: SUCCESS
    last snapshot delivery status: SUCCESS

If you receive a response similar to the output above, then there is a Configuration Recorder and Delivery Channel running in that Region. Select Yes for the AlreadyHaveConfigSetup CloudFormation parameter.

If you are configuring AWS CloudFormation StackSets, then you must include this Region in the batch of Regions that already have AWS Config configured.

Verify your AWS Config details in your account

The deployment will attempt to set up AWS Config. If you already use AWS Config in the account you plan to deploy to, or make discoverable by AWS Perspective, select the relevant parameters when you deploy this solution. Furthermore, for successful deployment, ensure that you have not restricted the resources that AWS Config scans.

To check your current AWS Config configuration:

  1. Sign in to the AWS Config console.

  2. Choose Settings and ensure the Record all resources supported in this Region and Include global resources boxes are checked.

Verify whether you have an APIGatewayCloudWatchLogsRole role

The CreateAPIGatewayCloudWatchLogsRole CloudFormation template parameter allows you to control whether AWS Perspective creates the necessary role to let API Gateway log to CloudWatch. This process includes overwriting any existing role that you might have already created.

To check if a value is set, use:

aws apigateway get-account

For additional details, refer to the get-account command in the AWS CLI Command Reference. If you already have the role set up, then select No.

The role created by AWS Perspective will be retained upon deletion of the solution’s stack to prevent the interruption of logging for other API Gateways in a Region.
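The three prerequisite checks above can be run read-only from the CLI and mapped to the stack parameters. The following is an added example, not part of the AWS guide or the solution's code: the function names and the sample inputs are constructed for illustration, aws iam get-role is used as the CLI counterpart of the console search, and the AWS Config check is a stricter reading of "similar to the output above" (recorder ON, last status SUCCESS, and a delivery channel listed).

```bash
#!/usr/bin/env bash
# Added example: derive three AWS Perspective stack parameters from read-only checks.
# Function names and sample inputs are constructed; they are not part of the solution.

# Reads the text printed by `aws configservice get-status` on stdin.
# Prints the value for AlreadyHaveConfigSetup (Yes or No).
config_param() {
  awk '
    /Configuration Recorders:/ { sec = "rec";  next }
    /Delivery Channels:/       { sec = "chan"; next }
    sec == "rec"  && /recorder:[ \t]*ON/         { on = 1 }
    sec == "rec"  && /last status:[ \t]*SUCCESS/ { ok = 1 }
    sec == "chan" && /name:/                     { chan = 1 }
    END { print ((on && ok && chan) ? "Yes" : "No") }
  '
}

# Reads the JSON printed by `aws apigateway get-account` on stdin.
# If a CloudWatch role ARN is already set, creating a new one would overwrite it,
# so the value for CreateAPIGatewayCloudWatchLogsRole is No.
apigw_role_param() {
  if grep -Eq '"cloudwatchRoleArn"[[:space:]]*:[[:space:]]*"arn:[^"]+"'; then
    echo No
  else
    echo Yes
  fi
}

# Arguments: exit code and stderr of `aws iam get-role`.
# Prints the value for CreateElasticsearchServiceRole. Anything other than success or
# NoSuchEntity (for example, missing IAM permissions) is reported as Unknown
# rather than guessed.
es_role_param() {
  local rc=$1 stderr=$2
  if [ "$rc" -eq 0 ]; then
    echo No
  elif printf '%s' "$stderr" | grep -q 'NoSuchEntity'; then
    echo Yes
  else
    echo Unknown
  fi
}

# Runs the real checks in the currently configured account and Region.
# Not called automatically; needs the AWS CLI and credentials.
preflight_live() {
  local err rc=0
  err=$(aws iam get-role --role-name AWSServiceRoleForAmazonElasticsearchService 2>&1 >/dev/null) || rc=$?
  echo "CreateElasticsearchServiceRole=$(es_role_param "$rc" "$err")"
  echo "AlreadyHaveConfigSetup=$(aws configservice get-status | config_param)"
  echo "CreateAPIGatewayCloudWatchLogsRole=$(aws apigateway get-account --output json | apigw_role_param)"
}

# Constructed sample of get-status output, matching the layout shown in this guide.
sample_status() {
  cat <<'EOF'
Configuration Recorders:

name: default
recorder: ON
last status: SUCCESS

Delivery Channels:

name: default
last stream delivery status: SUCCESS
last history delivery status: SUCCESS
last snapshot delivery status: SUCCESS
EOF
}

# Offline demonstration on constructed inputs.
echo "AlreadyHaveConfigSetup=$(sample_status | config_param)"
echo "CreateAPIGatewayCloudWatchLogsRole=$(printf '{"features": []}\n' | apigw_role_param)"
echo "CreateElasticsearchServiceRole=$(es_role_param 0 '')"
```

Call preflight_live in each Region you plan to deploy to or import; an Unknown result means the check itself failed and should be resolved before choosing a parameter value.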

Deployment overview

Use the following steps to deploy this solution on AWS. For detailed instructions, follow the links for each step.

Step 1. Launch the stack

  • Launch the AWS CloudFormation template into your AWS account.

  • Review the other template parameters and enter or adjust the default values as needed.

Step 2. Post-Deployment tasks

  • Turn on Advanced security in Amazon Cognito (Optional)

  • Create Amazon Cognito users

  • Log in

Step 3. Import a Region

  • Deploy the stack to provision the Global resources

  • Deploy the stack to provision the Regional resources

  • Use CloudFormation StackSets to provision Global resources across accounts

  • Use CloudFormation StackSets to provision Regional resources

  • Verify the Region was imported correctly

Step 4. Set up the cost feature

Step 5. Edit S3 bucket lifecycle policies

Step 1. Launch the stack

Important

This solution includes an option to send anonymous operational metrics to AWS. We use this data to better understand how customers use this solution and related services and products. AWS owns the data gathered through this survey. Data collection is subject to the AWS Privacy Policy.

To opt out of this feature, download the template, modify the AWS CloudFormation mapping section, and then use the AWS CloudFormation console to upload your template and deploy the solution. For more information, refer to the Collection of operational metrics section in this guide.

This automated AWS CloudFormation template deploys AWS Perspective in the AWS Cloud. You must gather deployment parameter details before launching the stack. For details, refer to Prerequisites.

Note

You are responsible for the cost of the AWS services used while running this solution. For more details, refer to the Cost section in this guide and to the pricing webpage for each AWS service used in this solution.

  1. Sign in to the AWS Management Console and select the button to launch the aws-perspective.template AWS CloudFormation template.

    
    [AWS Perspective launch button]

    Alternatively, you can download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

    Note

    This solution uses services that are not available in all AWS Regions. Refer to Supported deployment Regions for a list of supported AWS Regions.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS Quotas in the AWS Identity and Access Management User Guide.

  5. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    Parameter | Default | Description
    Stack name | aws-perspective | A name to indicate the solution you are deploying.
    AdminUserEmailAddress | <Requires input> | An email address to create the first user. The temporary credentials will be sent to this email address.
    AlreadyHaveConfigSetup | No | Confirmation of whether or not you already have AWS Config set up in the deployment account. For details, refer to Prerequisites.
    CreateElasticsearchServiceRole | Yes | Confirmation of whether or not you already have a service-linked role for OpenSearch Service. For details, refer to Prerequisites.
    CreateNeptuneReplica | No | Choose whether to create a read replica for Neptune in a separate Availability Zone. Choosing Yes improves resilience but increases the cost of this solution.
    NeptuneInstanceClass | db.r5.large | The instance type used to host the Amazon Neptune database. What you select here affects the cost of running this solution.
    ElasticsearchInstanceType | m6g.large.elasticsearch | The instance type used for your Elasticsearch data nodes. Your selection affects the cost of running the solution.
    CreateAPIGatewayCloudWatchLogsRole | Yes | If set to Yes, the solution creates a role and overwrites the existing APIGatewayCloudWatchLogsLogsRole property. Set to No if you already have an existing role set. For details, refer to Prerequisites.
    AthenaWorkgroup | primary | The Workgroup that will be used to issue the Athena query when the Cost feature is enabled.
    OptOutOfSendingAnonymousUsageMetrics | No | Choose whether to opt out of sending basic usage metrics to AWS.

  6. Choose Next.

  7. On the Configure stack options page, choose Next.

  8. On the Review page, review and confirm the settings. Check the boxes acknowledging that the template creates AWS Identity and Access Management (IAM) resources and requires certain capabilities.

  9. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a CREATE_COMPLETE status in approximately 30 minutes.

Note

If deleted, this stack removes all resources. If the stack is updated, it retains the Amazon Cognito user pool to ensure configured users are not lost.

Step 2. Post-deployment configuration tasks

After AWS Perspective has been successfully deployed, review the following post-deployment configuration tasks.

Turn on Advanced security in Amazon Cognito

To turn on the Advanced security features for Amazon Cognito, follow the instructions on Adding Advanced Security to a User Pool in the Amazon Cognito Developer Guide.

Note

There is an additional cost for activating Advanced security in Amazon Cognito.

Create Amazon Cognito users

AWS Perspective uses Amazon Cognito to manage all users and authentication. It creates a user for you during deployment and sends an email with temporary credentials to the address provided.

To create additional users:

  1. Sign in to the AWS Cognito console.

  2. Choose Manage User Pools.

  3. Choose perspective.<deployment-region>.userpool.

  4. In the navigation pane, under General Settings, choose Users and groups.

  5. On the Users tab, choose Create user.

  6. On the Create user box, enter values for all required fields.

    Form Field | Required? | Description
    Username | Yes | The username that you will use to log in to AWS Perspective.
    Send an invitation | Yes (email only) | When selected, sends a notification as a reminder of the temporary password. Select Email only. If you select SMS (default) an error message will be displayed, but the user will still be created.
    Temporary Password | Yes | Enter a temporary password. The user will be forced to change this when they log in to AWS Perspective for the first time.
    Phone Number | No | Enter a phone number in international format, for example, +44. Ensure Mark phone number as verified? box is selected.
    Email | Yes | Enter a valid email address. Ensure Mark email as verified? box is selected.

  7. Choose Create user.

Repeat this process to create as many users as you need.

Note

Every user will have the same level of access to resources discovered. We recommend provisioning a separate deployment of AWS Perspective for accounts that contain sensitive workloads or data. This allows you to restrict access to only the users that need it.

Log in to AWS Perspective

After AWS Perspective is successfully deployed, determine the URL for the Amazon CloudFront distribution that serves the solution’s web UI.

  1. Sign in to the AWS CloudFormation console.

  2. Choose View nested to display the nested stacks that make up the AWS Perspective deployment. Depending on your preferences, nested stacks might already be displayed.

  3. Select the main stack, which will be of the following format: aws-perspective-<deployment-accountID>-<deployment-region>.

  4. Select the Outputs tab and choose the URL in the Value column.

  5. On the Sign in to AWS Perspective screen, enter the username and password that you received via email. Then take the following actions:

    1. Follow the prompts to change your password.

    2. Use the verification code sent to your email to complete account recovery.

  6. When the AWS Perspective web UI loads, you will be prompted to import your first Region. We recommend that you first import the Region that AWS Perspective is deployed in because it contains resources that will help you explore the solution. For details, refer to Step 3. Import a Region.

    Note

    When importing the Region that AWS Perspective is deployed in, you do not need to deploy the CloudFormation templates described in the Import a Region section.

  7. When the import has succeeded, explore your resources. Refer to Web UI features and common tasks for details about getting started.

Step 3. Import a Region

AWS Perspective requires certain infrastructure to be deployed in the Region you would like to import. This infrastructure consists of Global and Regional resources:

Global - Resources that are deployed once in an account and reused for each Region imported.

  • An IAM Role (ZoomDiscoveryRole)

Regional - Resources that are deployed in each Region imported.

  • An AWS Config Delivery Channel

  • An Amazon S3 Bucket for AWS Config

  • An IAM Role (ConfigRole)

There are two options to deploy this infrastructure:

  • AWS CloudFormation StackSets (Recommended)

  • AWS CloudFormation

AWS CloudFormation StackSets

These steps guide you through importing a Region and deploying the AWS CloudFormation templates using CloudFormation StackSets.

  1. Sign in to AWS Perspective. Refer to Log in for the URL.

  2. Under Settings in the side navigation panel, select Accounts & Regions.

  3. Select the AWS CloudFormation StackSets tab.

  4. Follow the steps in the wizard.

Provide Regions

Provide the Regions to import using the form:

  1. Account ID: Enter a 12-digit account ID or select an existing account ID.

  2. Account name: Enter an account name or use a pre-populated value when selecting an existing account ID.

  3. Regions: Select the Regions to import.

  4. Select Add to populate the Regions in the Regions table below.

  5. Review the Regions table, then select Next.

Alternatively, provide a Comma Separated Value (CSV) file that contains the Regions to be imported.

"accountId","accountName","region"
123456789012,"test-account-1",eu-west-2
123456789013,"test-account-2",eu-west-1
123456789013,"test-account-2",eu-west-2
123456789014,"test-account-3",eu-west-3

  1. Select Upload a CSV.

  2. Locate and open your CSV file.

  3. Review the Regions table, then select Next.

Download AWS CloudFormation templates

After providing the Regions, download the AWS CloudFormation templates required to deploy the Global and Regional infrastructure that allows AWS Perspective to discover resources in the provided Regions.

Global template

Download this template when the Region being imported is from an account that does not already have the Global resources provisioned.

If you are importing a Region from an account that does not already have a Region imported into AWS Perspective, then you must deploy both the global-resources.template and the regional-resources.template.

Regional template

Download this template when the Region being imported belongs to an account that already contains the Global resources. If you are importing a Region from an account that already has a Region imported into AWS Perspective, then only deploy the regional-resources.template.

In AWS Perspective, download the templates, and then select Next.

Configure AWS CloudFormation StackSets

Configure AWS CloudFormation StackSets to deploy the templates across the necessary accounts and Regions.

  1. Review the items in the Regions table.

  2. Select Deploy for each Region to configure CloudFormation StackSets using the downloaded templates.

  3. Select Next.

Review and Import

Review the Regions to be imported. Select Previous to go back to a previous step in the wizard to make any necessary changes.

Verify the Regions are correct, then select Import.

AWS CloudFormation

These steps will guide you through importing a Region and deploying the AWS CloudFormation templates.

  1. Sign in to AWS Perspective. Refer to Log in for the URL.

  2. Select Accounts & Regions under Settings in the side navigation panel.

  3. Select the AWS CloudFormation tab.

  4. Follow the steps in the wizard.

Provide Regions

Provide the Regions to import using the form:

  1. Account ID: Enter a 12-digit account ID or select an existing account ID.

  2. Account name: Enter an account name or use a pre-populated value when selecting an existing account ID.

  3. Regions: Select the Regions to import.

  4. Select Add to populate the Regions in the Regions table below.

  5. Review the Regions table, then select Next.

Alternatively, provide a Comma Separated Value (CSV) file that contains the Regions to be imported.

"accountId","accountName","region"
123456789012,"test-account-1",eu-west-2
123456789013,"test-account-2",eu-west-1
123456789013,"test-account-2",eu-west-2
123456789014,"test-account-3",eu-west-3

  1. Select Upload a CSV.

  2. Locate and open your CSV file.

  3. Review the Regions table, then select Next.

Download AWS CloudFormation templates

Download the AWS CloudFormation templates required to deploy the Global and Regional infrastructure that allows AWS Perspective to discover resources in the provided Regions.

Global template

Download this template when the Region being imported is from an account that does not already have the Global resources provisioned. Refer to Determine the CloudFormation template required for help understanding which templates to use.

Regional template

Download this template when the Region being imported belongs to an account that has the Global resources provisioned. Refer to Determine the CloudFormation template required for help understanding which templates to use.

Download the templates, and then select Next.
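Before uploading a Regions CSV in either wizard (the format shown in both Provide Regions sections), it helps to validate each row and work out which templates each account needs under the Global and Regional template rule. The following is an added example, not part of the AWS guide or the solution: plan_import and sample_csv are hypothetical names, the list of accounts that already have the Global resources is supplied by the operator, the Region check is a shape check only, and fields are assumed to contain no embedded commas.

```bash
#!/usr/bin/env bash
# Added example: validate a Regions CSV and plan which templates to deploy per row.
# plan_import and sample_csv are hypothetical names, not part of AWS Perspective.

# Usage: plan_import "ACCOUNT_ID ACCOUNT_ID ..." < regions.csv
# The argument lists accounts that already have the Global resources provisioned
# (that is, accounts with a Region already imported). It may be empty.
# Prints one line per valid row: "<accountId> <region> <templates>".
# Invalid rows are reported on stderr and make the function return non-zero.
plan_import() {
  awk -F',' -v have="${1:-}" '
    function err(msg) { printf "line %d: %s\n", NR, msg > "/dev/stderr"; bad = 1 }

    BEGIN { n = split(have, a, " "); for (i = 1; i <= n; i++) has_global[a[i]] = 1 }

    { sub(/\r$/, "") }                    # tolerate CRLF line endings
    NR == 1 || /^[ \t]*$/ { next }        # skip the header row and blank lines

    {
      if (NF != 3) { err("expected 3 fields, got " NF); next }
      for (i = 1; i <= NF; i++) gsub(/^[ \t"]+|[ \t"]+$/, "", $i)
      acct = $1; region = $3

      if (length(acct) != 12 || acct !~ /^[0-9]+$/) {
        err("accountId is not a 12-digit ID: " acct); next
      }
      if (region !~ /^[a-z]+(-[a-z]+)+-[0-9]+$/) {
        err("region has an unexpected shape: " region); next
      }
      if (seen[acct, region]++) { err("duplicate row: " acct " " region); next }

      # Global resources are deployed once per account, so only the first Region
      # of an account without them gets both templates.
      if (acct in has_global) {
        tmpl = "regional-resources.template"
      } else {
        tmpl = "global-resources.template,regional-resources.template"
        has_global[acct] = 1
      }
      print acct, region, tmpl
    }

    END { exit bad + 0 }
  '
}

# The sample CSV from this guide.
sample_csv() {
  cat <<'EOF'
"accountId","accountName","region"
123456789012,"test-account-1",eu-west-2
123456789013,"test-account-2",eu-west-1
123456789013,"test-account-2",eu-west-2
123456789014,"test-account-3",eu-west-3
EOF
}

# Demonstration: assume (constructed scenario) that account 123456789013 already
# has a Region imported, so it needs only the Regional template.
sample_csv | plan_import "123456789013"
```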

Deploy AWS CloudFormation templates

Review the Regions to be imported and deploy the AWS CloudFormation templates in the necessary Regions.

  1. Review the items in the Regions table.

  2. Select Deploy for each Region and deploy the downloaded templates.

  3. When the CloudFormation templates have been deployed for each Region, choose Next.

Review and Import

Review the Regions to be imported. If changes are required, choose Previous to go back a step in the wizard and make the necessary changes.

Verify the Regions are correct, then select Import.

Deploy the stack to provision the Global resources

Global resources must be deployed once per account. Do not deploy this template when importing a Region from an account that contains a Region that is already imported into AWS Perspective. If the Region has already been imported, skip to Deploy the stack to provision the Regional resources.

  1. Sign in to the AWS CloudFormation console.

  2. Choose Create stack, and then select With new resources (standard).

  3. On the Create stack page, in the Specify template section, select Upload a template file.

  4. Choose Choose file and select the global-resources.template file that you downloaded, and choose Next.

  5. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS Quotas in the AWS Identity and Access Management User Guide.

  6. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    Field Name | Default | Description
    Stack name | aws-perspective | The name of this AWS CloudFormation stack.
    AccountId | AWS Perspective deployment account ID | The account ID of the original AWS Perspective deployment account. Must be left as default.

  7. Choose Next.

  8. Check the box acknowledging that AWS CloudFormation might create IAM resources with custom names.

  9. Choose Create stack.

The new Regions will be scanned during the next discovery process, which runs at 15-minute intervals, for example: 15:00, 15:15, 15:30, 15:45. 

Go to the Perspective UI to find the estimated time until the next discovery in the side navigation panel.

If the expected resources do not appear in the UI, refer to Verify the Regions have been imported correctly.

Deploy the stack to provision the Regional resources

  1. Sign in to the AWS CloudFormation console.

  2. Choose Create stack, and then select With new resources (standard).

  3. On the Create stack page, in the Specify template section, select Upload a template file.

  4. Choose Choose file and select the regional-resources.template file that you downloaded earlier, and choose Next.

  5. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS Quotas in the AWS Identity and Access Management User Guide.

  6. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    Field Name | Default | Description
    Stack name | aws-perspective | The name of this AWS CloudFormation stack.
    AccountId | Perspective deployment account ID | The account ID of the original AWS Perspective deployment account. Must be left as default.
    AggregationRegion | Perspective deployment Region | The Region that AWS Perspective was originally deployed into. Must be left as default.
    AlreadyHaveConfigSetup | No | Confirmation of whether the Region already has AWS Config installed. Set to Yes if AWS Config is already installed in this Region.

  7. Choose Next.

  8. Check the box acknowledging that AWS CloudFormation might create IAM resources with custom names.

  9. Choose Create stack.

The new Regions will be scanned during the next discovery process, which runs at 15-minute intervals, for example, 15:00, 15:15, 15:30, 15:45. 

Go to the Perspective UI to find the estimated time until the next discovery in the side navigation panel.

If the expected resources do not appear in the UI, refer to Verify the Regions have been imported correctly.

Use CloudFormation StackSets to provision Global resources across accounts

Important

First, complete the Prerequisites for stack set operations to activate StackSets in your target accounts.

  1. In the administrator account, sign in to the AWS CloudFormation console.

  2. From the left navigation panel, select StackSets.

  3. Choose Create StackSet.

  4. On the Choose a template page, under Specify template, select Upload a template file, choose the global-resources.template file that you downloaded earlier, and choose Next.

  5. On the Specify StackSet details page, assign a name to your StackSet. For information about naming character limitations, refer to IAM and STS Quotas in the AWS Identity and Access Management User Guide.

  6. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    Field Name | Default | Description
    AccountId | The AWS Perspective deployment account ID | The account ID of the original AWS Perspective deployment account. Must be left as default.

  7. Choose Next.

  8. If using StackSets in an AWS Organization: Choose either Service managed permissions or Self service permissions. For details, refer to Using StackSets in an AWS Organization.

    If not using AWS Organizations:

    Enter the IAM run role name used when following the StackSets prerequisite steps. For details, refer to Grant self-managed permissions.

  9. Choose Next.

  10. Under Add stacks to StackSet, in the Account numbers box, enter the account IDs for deploying the AWS Perspective account role.

  11. Under Specify regions, select a Region to install the stack.

  12. Under Deployment options, select Parallel, and then choose Next.

  13. Check the box acknowledging that AWS CloudFormation might create IAM resources with custom names. Choose Submit.

Use CloudFormation StackSets to provision Regional resources

Important

First, complete the Prerequisites for stack set operations to activate StackSets in your target accounts.

If you have some Regions with AWS Config installed and some without, you must perform two StackSet operations, one for the Regions with AWS Config installed and one for those without.

  1. In the administrator account, sign in to the AWS CloudFormation console.

  2. From the left navigation panel, select StackSets.

  3. Choose Create StackSet.

  4. On the Choose a template page, under Specify template, select Upload a template file, choose the regional-resources.template file that you downloaded earlier, and choose Next.

  5. On the Specify StackSet details page, assign a name to your StackSet. For information about naming character limitations, refer to IAM and STS Quotas in the AWS Identity and Access Management User Guide.

  6. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    Field Name | Default | Description
    AccountId | The AWS Perspective deployment account ID | The account ID of the original AWS Perspective deployment account. Must be left as default.
    AggregationRegion | The AWS Perspective deployment Region | The Region that AWS Perspective was originally deployed into. Must be left as default.
    AlreadyHaveConfigSetup | No | Confirmation of whether the Region already has AWS Config installed. Set to Yes if AWS Config is already installed in this Region.

  7. Choose Next.

  8. If using StackSets in an AWS Organization: Choose either Service managed permissions or Self service permissions. For details, refer to Using StackSets in an AWS Organization.

    If not using AWS Organizations:

    Enter the IAM run role name used when following the StackSets prerequisite steps. For details, refer to Grant self-managed permissions.

  9. Choose Next.

  10. Under Add stacks to StackSet, in the Account numbers box, enter the account IDs to deploy the AWS Perspective account role to.

  11. Under Specify regions, select a Region to install the stack. This installs the stack in these Regions in all the accounts entered in step 6.

  12. Under Deployment options, select Parallel, and then choose Next.

  13. Check the box acknowledging that AWS CloudFormation might create IAM resources with custom names. Choose Submit.

Verify the Region was imported correctly

  1. Sign in to AWS Perspective (or refresh the page if it’s already loaded). Refer to Log in for the URL.

  2. From the left navigation panel, under Settings, select Imported Regions.

The Region, account name, and account ID appear in the table. The Last Scanned column shows when AWS Perspective last discovered resources in that Region.

Note

If the Last Scanned column stays blank for more than 30 minutes, refer to Debugging the discovery component.

Step 4. Set up the cost feature

The cost feature requires manual setup of Cost and Usage Reports (CURs).

  1. Set up a scheduled Cost and Usage Report.

  2. Set up S3 replication (when CURs are outside the AWS Perspective deployment account).

Create the AWS Cost and Usage Report in the AWS Perspective deployment account

  1. Sign in to the Billing console of the account from which you would like to gather cost data.

  2. Under the Cost Management category on the left pane, select Cost & Usage Reports.

  3. Choose Create Report.

  4. Use aws-perspective-cost-and-usage-<your-aws-perspective-deployment-account-ID> as the Report name.

    Note

    You must follow this naming convention because a small amount of infrastructure will be deployed to facilitate the querying of the CURs.

  5. Check the Include resource IDs box.

    Note

    You must select the Include resource IDs box to view cost data. This ID must match with the resources discovered by AWS Perspective.

  6. Choose Next.

  7. On the Delivery options page, choose Configure.

  8. Select the aws-perspective-v<DEPLOYED-VERSION>-costandusagereportbucket-<ID-STRING> S3 bucket to store the CUR. Choose Next.

  9. Review the policy, check the confirmation box, and choose Save.

  10. Set the Report prefix path to aws-perspective.

  11. Select Daily for the time granularity.

  12. Under Enable report data integration for, select Amazon Athena.

  13. Choose Next.

  14. Choose Review and Complete.

To verify that the report is correctly set up, check the S3 bucket for the test file.

Note

It can take up to 24 hours for the reports to be uploaded to your bucket.

Create the AWS Cost and Usage Report in an external account

  1. Sign in to the Billing console of the account from which you would like to gather cost data.

  2. Under the Cost Management category on the left pane, select Cost & Usage Reports.

  3. Choose Create Report.

  4. Use aws-perspective-cost-and-usage-<your-aws-perspective-deployment-account-ID> as the Report name.

    Note

    You must follow this naming convention because a small amount of infrastructure will be deployed to facilitate the querying of the CURs.

  5. Check the Include resource IDs box.

    Note

    You must select the Include resource IDs box to view cost data. This ID is needed to match with the resources discovered by AWS Perspective.

  6. Choose Next.

  7. On the Delivery options page, choose Configure.

  8. Create a new Amazon S3 bucket to store the CURs.

  9. Review the policy, check the confirmation box, and choose Save.

  10. Set the Report prefix path to aws-perspective.

  11. Select Daily for the time granularity.

  12. Under Enable report data integration for, select Amazon Athena.

  13. Choose Next.

  14. Choose Review and Complete.

    To verify that the report is correctly set up, check the S3 bucket for the test file.

    Note

    It can take up to 24 hours for the reports to be uploaded to your bucket.

Next, set up replication to the AWS Perspective deployment account.

Set up replication

Set up replication into the S3 bucket created during deployment. The S3 bucket follows the following format: aws-perspective-v<DEPLOYED-VERSION>-costandusagereportbucket-<ID-STRING>. This allows AWS Perspective to query it via Amazon Athena.

  1. Sign in to the Amazon S3 console of the AWS account in which you created the CUR that needs to be replicated.

  2. Select the S3 bucket created when configuring your AWS Cost and Usage Report. (Step 8 of Create the AWS Cost and Usage Report.)

  3. Select the Management tab.

  4. Under Replication rules, choose Create replication rule.

  5. Under Replication rule configuration, in the Replication rule name box, enter a descriptive rule ID.

  6. Under Source bucket, select This rule applies to all objects in the bucket to configure the rule scope.

  7. Under Destination, configure the following:

    1. Select Specify a bucket in another account.

    2. Enter the account ID.

    3. Enter a value for the Bucket name that was created during deployment of AWS Perspective. You can find this by following the instructions in Locating deployment resources, using the logical ID CostAndUsageReportBucket and the stack name you specified when first deploying AWS Perspective.

    4. Select the checkbox for Change object ownership to destination bucket owner.

  8. Under IAM role, choose Create new role.

    Note

    A replication role might already exist. You can select it and ensure it has the required S3 replication role actions.

  9. Log in to the AWS Management Console where AWS Perspective is installed, navigate to the S3 service page and select the CostAndUsageReportBucket S3 bucket. For details, refer to Locating deployment resources.

  10. Select the Management tab.

  11. Under Replication rules, from the Actions drop-down menu, select Receive replicated objects.

  12. Under Source bucket account settings:

    1. Enter the Source bucket account ID.

    2. Choose Generate policies.

    3. Under Policies, select view bucket policy.

    4. Select Include permission to change object ownership to destination bucket owner.

    5. Choose Copy and paste the S3 bucket policy into the policy for the S3 bucket in the account you are replicating to (the AWS Perspective Cost S3 bucket). This gives it access to copy objects to it. Refer to Cost Bucket replication policy for an example S3 Bucket Policy.

Note

When replicating CURs from multiple AWS accounts, you need to ensure that the bucket policy on the destination bucket (within the Perspective account) has the ARN of each IAM role you are using from each account. Refer to Cost Bucket replication policy for more details.

When the reports are in the AWS Perspective account, cost data appears on the bounding boxes and individual resources.


Figure 9: Example of a bounding box with cost data

Step 5. Edit S3 bucket lifecycle policies

During deployment we configure lifecycle policies on two buckets:

  • PerspectiveCostBucket

  • AccessLogsBucket

Important

These lifecycle policies will delete data from these buckets after 90 days. You can edit the lifecycle to fit any internal policies you have.

For additional information about how to navigate the web UI, refer to Web UI features and common tasks.