Lab complete!
Now that you have completed this lab, make sure to update your Well-Architected review if you have implemented these changes in your workload.
Click here to access the Well-Architected Tool
We’ll create an S3 bucket to store the Organizations data that will be combined with your Cost and Usage Report. This bucket holds your Organization data so we can connect it to Athena.
We’ll create an IAM role and policy for the AWS Lambda function to read the Organizations data and write it to S3. The role is used to get the list of accounts in the Organization and the metadata attached to them, such as name and email; the result is then placed in our S3 bucket.
1. Go to the IAM Console
2. Select Policies and Create policy
3. On the JSON tab, enter the following policy, replacing (bucket name) with your bucket name from before and (account id) with the id of the Management account that manages your Organization. Click Review policy:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "S3Org",
         "Effect": "Allow",
         "Action": [
           "s3:PutObject",
           "s3:DeleteObjectVersion",
           "s3:DeleteObject"
         ],
         "Resource": "arn:aws:s3:::(bucket name)/*"
       },
       {
         "Sid": "OrgData",
         "Effect": "Allow",
         "Action": [
           "organizations:ListAccounts",
           "organizations:ListCreateAccountStatus",
           "organizations:DescribeOrganization",
           "organizations:ListTagsForResource"
         ],
         "Resource": "*"
       },
       {
         "Sid": "Logs",
         "Effect": "Allow",
         "Action": [
           "logs:CreateLogGroup",
           "logs:CreateLogStream",
           "logs:PutLogEvents",
           "logs:DescribeLogStreams"
         ],
         "Resource": "arn:aws:logs:*:*:*"
       },
       {
         "Sid": "assume",
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::(account id):role/OrganizationLambdaAccessRole"
       }
     ]
   }
   ```

4. Fill in the following
5. Click Next: Review
6. Role name LambdaOrgRole, click Create role
As the data is pulled from the Management account, we need to allow our role to do this.
1. Log into your Management account
2. Go to the IAM Console
3. Select Policies and Create policy. Repeat steps 2 - 4 from above to create the policy below, called ListOrganizations:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "OrgData",
         "Effect": "Allow",
         "Action": [
           "organizations:ListAccounts",
           "organizations:ListCreateAccountStatus",
           "organizations:DescribeOrganization",
           "organizations:ListTagsForResource"
         ],
         "Resource": "*"
       }
     ]
   }
   ```

4. Search for Organizations and select the ListOrganizations policy you just made. Click Next: Tags, then click Next: Review
5. Role name OrganizationLambdaAccessRole, click Create role
6. Search for your new role in the Roles page and click on the role name. Click on the Trust relationships tab, then Edit trust relationship
7. On the JSON tab, replace the current JSON with the following policy, replacing (sub account id) with your sub account id from before, and click Update Trust Policy:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::(sub account id):role/LambdaOrgRole"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```
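The Lambda policy in the sub account and the trust policy in the Management account work as a pair: LambdaOrgRole may call sts:AssumeRole only on OrganizationLambdaAccessRole, and that role trusts only LambdaOrgRole rather than the whole sub account. The following added example (not part of the lab) checks saved copies of both documents for exactly those properties and shows what a loosened variant of each looks like to the check. The account ids, the bucket name and the loosened variants are constructed placeholders.

```python
# Added example: least-privilege checks for the two policy documents in this lab.
# Account ids, bucket name and the "loose" variants are constructed placeholders.

# Constructed placeholder ids and names (not real accounts)
SUB_ACCOUNT_ID = "222222222222"
MGMT_ACCOUNT_ID = "111111111111"
BUCKET = "my-org-data-bucket"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{SUB_ACCOUNT_ID}:role/LambdaOrgRole"
ORG_ROLE_ARN = f"arn:aws:iam::{MGMT_ACCOUNT_ID}:role/OrganizationLambdaAccessRole"


def _as_list(value):
    """IAM allows Action/Resource/Principal to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, expected_principal):
    """Findings for the OrganizationLambdaAccessRole trust policy.
    An empty list means exactly one named role may call sts:AssumeRole, nothing more."""
    findings = []
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for p in _as_list(st.get("Principal", {}).get("AWS", [])):
            if p == "*" or p.endswith(":root"):
                findings.append(f"trusts a whole account or everyone: {p}")
            elif p != expected_principal:
                findings.append(f"unexpected principal: {p}")
        for a in _as_list(st.get("Action", [])):
            if a != "sts:AssumeRole":
                findings.append(f"action other than sts:AssumeRole: {a}")
    return findings


def check_lambda_policy(doc, bucket, org_role_arn):
    """Findings for the LambdaOrgRole permissions policy: S3 writes confined to the
    data bucket, AssumeRole confined to the one Management-account role, no wildcards."""
    findings = []
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a.startswith("s3:") for a in actions):
            findings += [f"S3 access outside the data bucket: {r}"
                         for r in resources if r != f"arn:aws:s3:::{bucket}/*"]
        if "sts:AssumeRole" in actions:
            findings += [f"AssumeRole not confined to the Organization role: {r}"
                         for r in resources if r != org_role_arn]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"wildcard action in statement {st.get('Sid')}")
    return findings


# The lab's trust policy with the placeholder filled in
LAB_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE_ARN}, "Action": "sts:AssumeRole"}]}

# A common loosening: trusting the whole sub account instead of one role
ROOT_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{SUB_ACCOUNT_ID}:root"},
     "Action": "sts:AssumeRole"}]}

# The lab's Lambda policy (S3 and AssumeRole statements) with placeholders filled in
LAB_LAMBDA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Org", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:DeleteObjectVersion", "s3:DeleteObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Sid": "assume", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ORG_ROLE_ARN}]}

# A loosened variant: wildcard S3 access and AssumeRole on any role
LOOSE_LAMBDA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Org", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "assume", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}


if __name__ == "__main__":
    for name, doc in (("lab trust", LAB_TRUST_POLICY), ("root trust", ROOT_TRUST_POLICY)):
        print(name, check_trust_policy(doc, LAMBDA_ROLE_ARN))
    for name, doc in (("lab lambda", LAB_LAMBDA_POLICY), ("loose lambda", LOOSE_LAMBDA_POLICY)):
        print(name, check_lambda_policy(doc, BUCKET, ORG_ROLE_ARN))
```

Run against the lab's documents both checks return no findings; the root-trusting variant and the wildcard variant each produce findings, which is the difference the trust policy above is protecting.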
Now that you have completed this section, you have set up the resources that will enable you to collect your Organizations data. We will use these resources in the next section when creating our Lambda function. Please return to the sub account in which you created your S3 bucket.
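To show what the resources from this section are for, here is an added example of the collector the next section builds (example code, not the lab's own Lambda function): it assumes OrganizationLambdaAccessRole through STS, pages through ListAccounts and ListTagsForResource with the temporary credentials, and writes one JSON record per account to the S3 bucket. The environment variable names, the default bucket name and object key, and the fake clients are assumptions added so the module runs offline; in Lambda, boto3 builds the real clients.

```python
# Added example: cross-account Organizations collector using the roles set up above.
# Environment variable names, defaults and the fake clients are assumptions.
import json
import os

try:
    import boto3  # present in the Lambda runtime; not needed for the offline run below
except ImportError:
    boto3 = None

ROLE_ARN = os.environ.get(
    "ORG_ROLE_ARN", "arn:aws:iam::111111111111:role/OrganizationLambdaAccessRole")  # placeholder id
BUCKET = os.environ.get("ORG_DATA_BUCKET", "my-org-data-bucket")  # placeholder bucket name
KEY = os.environ.get("ORG_DATA_KEY", "organization-data/accounts.json")


def assume_org_role(sts_client, role_arn):
    """Swap the Lambda role for temporary credentials in the Management account.
    This only succeeds if the target role's trust policy names LambdaOrgRole."""
    creds = sts_client.assume_role(RoleArn=role_arn,
                                   RoleSessionName="OrgDataCollector")["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


def collect_accounts(orgs_client):
    """Page through ListAccounts and attach each account's tags (ListTagsForResource)."""
    records, token = [], None
    while True:
        page = orgs_client.list_accounts(**({"NextToken": token} if token else {}))
        for acct in page["Accounts"]:
            tags = orgs_client.list_tags_for_resource(ResourceId=acct["Id"])["Tags"]
            records.append({"account_id": acct["Id"], "name": acct["Name"],
                            "email": acct["Email"], "status": acct["Status"],
                            "tags": {t["Key"]: t["Value"] for t in tags}})
        token = page.get("NextToken")
        if not token:
            return records


def write_to_s3(s3_client, bucket, key, records):
    """Write one JSON object per line, a layout Athena's JSON SerDe reads directly."""
    body = "".join(json.dumps(r) + "\n" for r in records)
    s3_client.put_object(Bucket=bucket, Key=key, Body=body.encode("utf-8"))
    return key


def lambda_handler(event, context, clients=None):
    """Entry point. `clients` lets a test inject fakes; in Lambda it is None."""
    if clients is None:
        clients = {"sts": boto3.client("sts"), "s3": boto3.client("s3")}
    creds = assume_org_role(clients["sts"], ROLE_ARN)
    orgs = clients.get("organizations") or boto3.Session(**creds).client("organizations")
    records = collect_accounts(orgs)
    write_to_s3(clients["s3"], BUCKET, KEY, records)
    return {"accounts": len(records), "key": KEY}


# --- constructed fakes so the module runs offline (no AWS calls are made) ------
class FakeSTS:
    def assume_role(self, RoleArn, RoleSessionName):
        return {"Credentials": {"AccessKeyId": "ASIAFAKE", "SecretAccessKey": "fake",
                                "SessionToken": "fake"}}


class FakeOrganizations:
    """Two constructed accounts returned over two pages, to exercise NextToken handling."""
    _accounts = [
        {"Id": "222222222222", "Name": "sub-account", "Email": "sub@example.com", "Status": "ACTIVE"},
        {"Id": "333333333333", "Name": "sandbox", "Email": "sandbox@example.com", "Status": "SUSPENDED"},
    ]
    _tags = {"222222222222": [{"Key": "CostCenter", "Value": "1234"}]}

    def list_accounts(self, NextToken=None):
        if NextToken is None:
            return {"Accounts": self._accounts[:1], "NextToken": "page-2"}
        return {"Accounts": self._accounts[1:]}

    def list_tags_for_resource(self, ResourceId):
        return {"Tags": self._tags.get(ResourceId, [])}


class FakeS3:
    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body


if __name__ == "__main__":
    fakes = {"sts": FakeSTS(), "organizations": FakeOrganizations(), "s3": FakeS3()}
    print(lambda_handler({}, None, clients=fakes))
```

Every API the handler uses maps to a statement in the policies above: sts:AssumeRole on the named role, organizations:ListAccounts and ListTagsForResource through the assumed role's ListOrganizations policy, and s3:PutObject on the data bucket only.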