Automated deployment - AWS Perspective

Automated deployment

Before you launch the solution, review the architecture, configuration, network security, and other considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

Time to deploy: Approximately 30 minutes

Prerequisites

Gather deployment parameter details

Before deploying AWS Perspective, review your configuration details for the Amazon Elasticsearch Service (Amazon ES) service-linked role and AWS Config.

Verify whether you have an AWSServiceRoleForAmazonElasticsearchService role

The deployment creates an Amazon ES cluster inside an Amazon Virtual Private Cloud (Amazon VPC). The template uses a service-linked role to create the Amazon ES cluster; however, if you already have the role created in your account, use the existing role.

To check if you already have this role:

  1. Sign in to the Identity and Access Management (IAM) console for the account you plan to deploy this solution to.

  2. In the Search box below the menu, search for AWSServiceRoleForAmazonElasticsearchService.

If your search returns a role, select No for the CreateElasticsearchServiceRole parameter when you launch the stack.

Verify your AWS Config details in your account

The deployment will attempt to set up AWS Config. If you already use AWS Config in the account you plan to deploy to, or in any account you plan to make discoverable by AWS Perspective, select the relevant parameters when you deploy this solution. Furthermore, for successful deployment, ensure that you have not restricted the resources that AWS Config scans.

To check your current AWS Config configuration:

  1. Sign in to the AWS Config console.

  2. Choose Settings and ensure the Record all resources supported in this Region and Include global resources boxes are checked.
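The two prerequisite checks above decide the values of CreateElasticsearchServiceRole and AlreadyHaveConfigSetup. The following Python script is an added example (not part of the AWS Perspective solution) that derives those values from the IAM GetRole and AWS Config DescribeConfigurationRecorders responses and warns when the recorder does not scan all supported and global resources; the sample recorder response is constructed, and the optional boto3 lookup in fetch_live_inputs needs credentials.

```python
"""Derive AWS Perspective stack parameters from the prerequisite checks.

Added example, not part of the AWS Perspective solution. Response shapes
follow IAM GetRole and AWS Config DescribeConfigurationRecorders; the
sample response below is constructed for offline use.
"""
ES_ROLE = "AWSServiceRoleForAmazonElasticsearchService"


def config_scans_everything(recorders: list) -> bool:
    """True when a recorder records all supported and global resource types."""
    for rec in recorders:
        group = rec.get("recordingGroup", {})
        if group.get("allSupported") and group.get("includeGlobalResourceTypes"):
            return True
    return False


def derive_parameters(role_exists: bool, recorders: list) -> dict:
    """Map the prerequisite findings onto the CloudFormation parameters.

    CreateElasticsearchServiceRole is No when the service-linked role already
    exists; AlreadyHaveConfigSetup is Yes when a configuration recorder is
    already present in the account.
    """
    params = {
        "CreateElasticsearchServiceRole": "No" if role_exists else "Yes",
        "AlreadyHaveConfigSetup": "Yes" if recorders else "No",
    }
    warnings = []
    if recorders and not config_scans_everything(recorders):
        warnings.append(
            "AWS Config does not record all supported + global resources; "
            "enable both under Settings before deploying"
        )
    return {"parameters": params, "warnings": warnings}


def fetch_live_inputs(region: str = "us-east-1") -> tuple:
    """Optional: read the real values with boto3 (requires credentials)."""
    import boto3  # imported lazily so the module works offline

    iam = boto3.client("iam")
    try:
        iam.get_role(RoleName=ES_ROLE)
        role_exists = True
    except iam.exceptions.NoSuchEntityException:
        role_exists = False
    cfg = boto3.client("config", region_name=region)
    recorders = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
    return role_exists, recorders


# Constructed sample: role already exists, recorder scans a restricted set.
SAMPLE_RECORDERS = [{
    "name": "default",
    "roleARN": "arn:aws:iam::111111111111:role/example-config-role",
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::EC2::Instance"]},
}]

if __name__ == "__main__":
    print(derive_parameters(True, SAMPLE_RECORDERS))
```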

Deployment overview

Use the following steps to deploy this solution on AWS. For detailed instructions, follow the links for each step.

Step 1. Launch the stack

  • Launch the AWS CloudFormation template into your AWS account.

  • Enter values for required parameters:

    • Stack Name

    • AdminUserEmailAddress

    • AlreadyHaveConfigSetup

    • CreateElasticsearchServiceRole

    • OptOutOfSendingAnonymousUsageMetrics

    • CreateNeptuneReplica

    • NeptuneInstanceClass

  • Review the other template parameters, and adjust if necessary.

Step 2. Post-deployment configuration tasks

  • Enable advanced security in Cognito (Optional)

  • Create Cognito users

  • Log in

  • Import an account

  • Import new Region

  • Set up cost feature

  • Edit S3 bucket lifecycle policies

Step 1. Launch the stack

This automated AWS CloudFormation template deploys AWS Perspective in the AWS Cloud. You must gather deployment parameter details before launching the stack. See Prerequisites for details.

Note

You are responsible for the cost of the AWS services used while running this solution. For more details, refer to the Cost section in this guide, and refer to the pricing webpage for each AWS service used in this solution.

  1. Sign in to the AWS Management Console and use the button below to launch the aws-perspective.template AWS CloudFormation template.

    [Image: AWS Perspective launch button]

    Alternatively, you can download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

    Note

    This solution uses services that are not available in all AWS Regions. Refer to Appendix C for a list of supported AWS Regions.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, see IAM and STS Quotas in the AWS Identity and Access Management User Guide.

  5. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    | Parameter | Default | Description |
    |---|---|---|
    | Stack Name | <Requires input> | A name to indicate the solution you are deploying. |
    | AdminUserEmailAddress | <Requires input> | An email address that will be used to create the first user. The temporary credentials will be sent to this email address. |
    | AlreadyHaveConfigSetup | No | Confirmation of whether or not you already have AWS Config set up in the deployment account. Refer to Prerequisites for details. |
    | CreateElasticsearchServiceRole | Yes | Confirmation of whether or not you already have a service-linked role for Amazon ES. Refer to Prerequisites for details. |
    | CreateNeptuneReplica | No | Choose whether to create a read replica for Neptune in a separate Availability Zone. Choosing Yes improves resilience; however, it increases the cost of this solution. |
    | NeptuneInstanceClass | db.r5.large | The instance type that will be used to host the Amazon Neptune database. What you select here affects the cost of running this solution. |
    | OptOutOfSendingAnonymousUsageMetrics | No | Choose whether to opt out of sending basic usage metrics to AWS. |
  6. Choose Next.

  7. On the Configure stack options page, choose Next.

  8. On the Review page, review and confirm the settings. Check the boxes acknowledging that the template will create AWS Identity and Access Management (IAM) resources and require certain capabilities.

  9. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a CREATE_COMPLETE status in approximately 30 minutes.

    Note

    If deleted, this stack removes all resources. If the stack is updated, it retains the Amazon Cognito user pool to ensure configured users are not lost.

Step 2. Post-deployment configuration tasks

After AWS Perspective has been successfully deployed, review the following post-deployment configuration tasks.

Enable public object access on the AWS Amplify storage bucket (optional)

Note

This optional configuration enables a single-click deployment option when importing accounts and Regions. Skip this configuration if you do not want Perspective to create public objects. You can still download the AWS CloudFormation template and deploy it manually.

As part of the import process, AWS Perspective generates AWS CloudFormation templates to be deployed in the account and Region to make them discoverable. The templates are stored in the aws-perspective-amplifystoragebucket-<13-digit randomly generated alphanumeric sequence> Amazon S3 bucket. To make the S3 objects public, provide the required permissions to this bucket.

  1. Sign in to the AWS Management Console for your AWS Perspective account.

  2. Navigate to the Amazon S3 console.

  3. Search for "amplifystoragebucket".

  4. Select the S3 bucket.

  5. Choose the Permissions tab.

  6. Choose Block public access.

  7. Choose Edit.

  8. Ensure Block all public access is not selected.

Enable Advanced security in Amazon Cognito

If you would like to enable the advanced security features for Amazon Cognito, follow the instructions on Adding Advanced Security to a User Pool.

Create Amazon Cognito users

AWS Perspective uses Amazon Cognito to manage all users and authentication. It creates a user for you during deployment and sends an email at the address provided with temporary credentials.

To create additional users:

  1. Sign in to the AWS Cognito console.

  2. Choose Manage User Pools.

  3. Choose perspective.<deployment-region>.userpool.

  4. In the navigation pane, under General Settings, choose Users and groups.

  5. On the Users tab, choose Create user.

  6. On the Create user box, enter values for all required fields.

    | Form Field | Required? | Description |
    |---|---|---|
    | Username | Yes | The username that you will use to log in to AWS Perspective. |
    | Send an invitation | Yes (email only) | When selected, sends a notification as a reminder of the temporary password. Select Email only. If you select SMS (default) an error message will be displayed, but the user will still be created. |
    | Temporary Password | Yes | Enter a temporary password. The user will be forced to change this when they log in to AWS Perspective for the first time. |
    | Phone Number | Yes | Enter a phone number in international format, for example, +44. Ensure the Mark phone number as verified? box is selected. |
    | Email | Yes | Enter a valid email address. Ensure the Mark email as verified? box is selected. |
  7. Choose Create user.

  8. Repeat this process to create as many users as you need.

    Note

    Every user will have the same level of access to resources discovered. We recommend provisioning a separate deployment of AWS Perspective for accounts that contain sensitive workloads or data. This will let you restrict access to only the users that need it.

Log in

After this solution is successfully deployed, determine the URL for the Amazon CloudFront distribution that serves the AWS Perspective web UI.

  1. Sign in to the AWS CloudFormation console.

  2. Choose View nested to display the nested stacks that make up the AWS Perspective deployment. Depending on your preferences, nested stacks might already be displayed.

  3. Select the CloudFront stack. Example stack name format: aws-perspective-<deployment-accountID>-<deployment-region>-CloudFrontDistribution-XXXXX.

  4. Select the Outputs tab and choose the URL in the Value column.

  5. On the Sign in to AWS Perspective screen, enter the username and password that you received via email. Then take the following actions:

    1. Follow the prompts to change your password.

    2. Use the verification code sent to your email to complete account recovery.

  6. When the AWS Perspective web UI loads, you will be prompted to import your first account. We recommend that you first import the account that you use to deploy AWS Perspective because it contains resources to help you use the solution. Click Import. The progress popup disappears when the import is complete, after about 30 minutes.

    To import a different account, refer to Import an account.

    Once the import has succeeded, explore your resources. Refer to Web UI features and common tasks for details about getting started.

Import an account

  1. Sign in to AWS Perspective. Refer to Log in for the URL.

  2. Under the Configuration category on the left pane, select Accounts & Regions.

    If the left pane is not visible, choose the menu icon to expand the list.

  3. On the window showing the accounts and Regions currently discoverable to AWS Perspective, select the Import tab.

  4. Under Import an Account, enter the 12-digit account ID. Enter numbers only, do not include the hyphens.

  5. From the dropdown, select the Region you would like to import into this account.

  6. Choose Import.

    There will be two options:

    1. If you choose Deploy Template, ensure that you are logged in to the AWS Management Console for the account you are importing and have enabled public object access on the Amplify storage bucket. You will be redirected to the CloudFormation console to deploy the stack to import the account.

    2. If you choose Save Template, the AWS CloudFormation template (import-account.template) will be downloaded. Follow the procedure to deploy the stack to import the account, beginning at step 1.a.

Deploy the stack to import the account

  1. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

    The key in the template link should be public/cfn/import-templates/accounts/ and the bucket should reference aws-perspective.

    If you are not signed in:

    1. Sign in to the AWS CloudFormation console.

    2. Choose Create stack and then select With new resources (standard).

    3. On the Create stack page, in the Specify template section, select Upload a template file.

    4. Choose Choose file and select the account-import.template file that you downloaded earlier, and choose Next.

    5. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, see IAM and STS Quotas in the AWS Identity and Access Management User Guide.

  2. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    | Field Name | Default | Description |
    |---|---|---|
    | Stack name | aws-perspective | The name of this AWS CloudFormation stack. |
    | AccountId | AWS Perspective deployment account ID | The account ID of the original AWS Perspective deployment account. Must be left as default. |
    | AggregationRegion | AWS Perspective deployment Region | The Region that AWS Perspective was originally deployed into. Must be left as default. |
    | ConfigAggregator | PerspectiveConfigAggregator | The name of the AWS Config aggregator to install in this account. |
    | AlreadyHaveConfigSetup | No | Confirmation of whether the Region already has AWS Config installed. Set to Yes if AWS Config is already installed in this Region. |
  3. Choose Next.

  4. Check the box acknowledging that AWS CloudFormation might create IAM resources with custom names.

  5. Choose Create stack.

    After a few minutes the stack will be created. Your account and Region will then be processed during the next discovery component task execution, after 15 minutes.

Verify the data imported correctly from the new account

  1. Sign in to AWS Perspective (or refresh the page if it’s already loaded). Refer to Log in for the URL.

  2. Select Accounts & Regions under the Configuration category on the left pane. If the left pane is not visible, choose the menu icon to expand the list.

  3. Select the Active tab.

  4. The Region and account ID will be in the table. The Last Scanned column shows when AWS Perspective last discovered resources in that Region. If the Last Scanned column is blank, then the discovery process is still running. If it stays this way for more than 30 minutes, refer to Appendix E to debug.

Import a new Region

  1. Sign in to AWS Perspective. Refer to Log in for the URL.

  2. Under the Configuration category on the left pane, select Accounts & Regions.

  3. If the left pane is not visible, choose the menu icon to expand the list.

  4. On the window showing the accounts and Regions currently discoverable to AWS Perspective, select the Import tab.

  5. Under Import a Region, enter the 12-digit account ID.

  6. From the dropdown, select the Region to import into this account.

    Choose Import.

    There will be two options:

    1. If you choose Deploy Template, ensure that you are logged in to the AWS Management Console for the account you are importing and have enabled public object access on the Amplify storage bucket. You will be redirected to the AWS CloudFormation console to deploy the stack to import the Region.

    2. If you choose Save Template, the AWS CloudFormation template (import-region.template) will be downloaded. Follow the procedure to deploy the stack to import the Region, beginning at step 1.a.

Deploy the stack to import the Region

  1. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

    The bucket should reference aws-perspective and the template link key should include: public/cfn/import-templates/regions/.

    If you are not signed in:

    1. Sign in to the AWS CloudFormation console.

    2. Choose Create stack, and then select With new resources (standard).

    3. On the Create stack page, in the Specify template section, select Upload a template file.

    4. Choose Choose file and select the region-import.template file that you downloaded earlier, and choose Next.

    5. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS Quotas in the AWS Identity and Access Management User Guide.

  2. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    | Field Name | Default | Description |
    |---|---|---|
    | Stack name | aws-perspective | The name of this AWS CloudFormation stack. |
    | AccountId | Perspective deployment account ID | The account ID of the original AWS Perspective deployment account. Must be left as default. |
    | AggregationRegion | Perspective deployment Region | The Region that AWS Perspective was originally deployed into. Must be left as default. |
    | ConfigAggregator | PerspectiveConfigAggregator | The name of the AWS Config aggregator to be installed in this account. |
    | AlreadyHaveConfigSetup | No | Confirmation of whether the Region already has AWS Config installed. Set to Yes if AWS Config is already installed in this Region. |
  3. Choose Next.

  4. Check the box acknowledging that AWS CloudFormation might create IAM resources with custom names.

  5. Choose Create stack.

    After a few minutes the stack will be created. Your account and Region will then be processed during the next discovery component task execution, after 15 minutes.

    After 30 minutes, follow the steps in Verify the data imported correctly from the new account.

Set up the cost feature

Use the following procedure to set up the cost feature in AWS Perspective.

Create and schedule the AWS Cost and Usage Report

  1. Sign in to the Billing console of the account for which you would like to gather cost data.

  2. Under the Cost Management category on the left pane, select Cost & Usage Reports.

  3. Choose Create Report.

  4. On the Report content page, create a name for your report and check the Include resource IDs box.

    Note

    You must select the Include resource IDs box to see cost data. This ID is needed to match with the resources discovered by AWS Perspective.

  5. Choose Next.

  6. On the Delivery options page choose Configure.

  7. Create a new S3 bucket to replicate this data to the AWS Perspective account for processing. Give your S3 bucket a name and choose Next.

    Note

    If you are setting up cost data for the account you deployed AWS Perspective into, then select the aws-perspective-<deployment-accountID>-<deployment-region>-cost-bucket bucket. There’s no need to create a new one or set up replication.

  8. Review the policy, check the confirmation box, and choose Save.

  9. Provide a Report prefix path that is meaningful to you, for example, aws-perspective-cost-report-<your-account-id>.

  10. Select Daily for the time granularity and ZIP for the compression type. Choose Next.

  11. Choose Review and Complete.

    To see that the report is correctly set up, check the S3 bucket for the test file.

    Note

    It can take up to 24 hours for the reports to be uploaded to your bucket.

Set up replication

Set up replication into the S3 bucket created during deployment. The S3 bucket name has the following format: aws-perspective-<deployment-accountID>-<deployment-region>-cost-bucket. This allows AWS Perspective to process the cost and usage data and map it to the resources it has already discovered.

Note

If you are configuring cost data for the account AWS Perspective is deployed in, then you don't need to set up replication because the cost data will already be in the correct bucket.

  1. Sign in to the Amazon S3 console.

  2. Select the S3 bucket created when configuring your AWS Cost and Usage Report. (Step 7 of Create and schedule the AWS Cost and Usage Report.)

  3. Select the Management tab, and then choose Replication.

  4. Choose Add rule.

  5. Leave the default setting of Entire bucket selected, and then choose Next.

  6. Choose Select bucket.

    1. Choose Buckets in another account.

    2. Enter the account ID.

    3. Enter the bucket name that was created during deployment of AWS Perspective. Follow the instructions in Appendix A using the logical ID PerspectiveCostBucket and the stack name CostAndUsage to find the actual bucket name.

    4. Choose Save.

      The bucket has versioning enabled. Ignore the warning about versioning that might appear.

  7. Leave the default settings and choose Next.

    1. Under IAM role, choose Create a new role.

    2. Under Rule name, give the rule a descriptive name.

    3. Choose Copy, and paste the S3 bucket policy into the bucket policy of the S3 bucket in the account you are replicating to (the AWS Perspective cost S3 bucket). This gives the replication permission to copy objects into that bucket.

    4. Choose Next.

  8. Review the replication rule details and choose Save.

    When the reports are in the AWS Perspective account you will start to see cost data appearing on the bounding boxes and individual resources.


Figure 8: Example of a bounding box with cost data
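As an added check (example code, not part of the AWS Perspective solution), the following Python script validates a Cost and Usage Report definition against the settings this procedure requires: resource IDs included, daily granularity, ZIP compression, and delivery either straight into the Perspective cost bucket or into a bucket that replicates into it. The report definition, bucket names and account ID are constructed samples; the fetch_reports helper is optional and needs boto3 credentials.

```python
"""Check that a Cost and Usage Report matches what AWS Perspective expects.

Added example, not part of the AWS Perspective solution. The report shape
follows the CUR DescribeReportDefinitions response; the sample report is
constructed. The cost bucket pattern is the guide's
aws-perspective-<deployment-accountID>-<deployment-region>-cost-bucket.
"""
import re

COST_BUCKET_RE = re.compile(
    r"^aws-perspective-\d{12}-[a-z]{2}(?:-[a-z]+)+-\d+-cost-bucket$"
)


def check_report(report: dict, replicated_buckets: set = frozenset()) -> list:
    """Return a list of problems; an empty list means the report is usable.

    replicated_buckets: names of source buckets that already replicate into
    the Perspective cost bucket (see Set up replication).
    """
    problems = []
    # Resource IDs are needed to match report lines to discovered resources.
    if "RESOURCES" not in report.get("AdditionalSchemaElements", []):
        problems.append("Include resource IDs is not enabled")
    if report.get("TimeUnit") != "DAILY":
        problems.append(f"time granularity is {report.get('TimeUnit')}, expected DAILY")
    if report.get("Compression") != "ZIP":
        problems.append(f"compression is {report.get('Compression')}, expected ZIP")
    bucket = report.get("S3Bucket", "")
    if not COST_BUCKET_RE.match(bucket) and bucket not in replicated_buckets:
        problems.append(
            f"bucket {bucket!r} is neither the Perspective cost bucket "
            "nor a bucket with replication to it"
        )
    return problems


def fetch_reports() -> list:
    """Optional: read the real definitions with boto3 (CUR API is in us-east-1)."""
    import boto3  # lazy import so the module works offline

    cur = boto3.client("cur", region_name="us-east-1")
    return cur.describe_report_definitions()["ReportDefinitions"]


# Constructed sample: report delivered to a source bucket in another account,
# with hourly granularity left in place by mistake.
SAMPLE_REPORT = {
    "ReportName": "perspective-costs",
    "TimeUnit": "HOURLY",
    "Format": "textORcsv",
    "Compression": "ZIP",
    "AdditionalSchemaElements": ["RESOURCES"],
    "S3Bucket": "example-cur-source-bucket",
    "S3Prefix": "aws-perspective-cost-report-111111111111",
    "S3Region": "us-east-1",
}

if __name__ == "__main__":
    for problem in check_report(SAMPLE_REPORT, {"example-cur-source-bucket"}):
        print("FIX:", problem)
```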

Edit S3 bucket lifecycle policies

During deployment we configure lifecycle policies on two buckets:

  • PerspectiveCostBucket

  • AccessLogsBucket

Important

These lifecycle policies will delete data from these buckets after 90 days. You can edit the lifecycle policies to fit any internal policies you have.

For additional information about how to navigate the web UI, refer to Web UI features and common tasks.