
Add an AWS account

info

To deploy the stack organization-wide (using the Lambda function to auto-discover the root OU ID, or by specifying it manually), refer to our Organization Deployment Guide.

Chronom uses a read-only IAM Role to collect data from your AWS account.

To make it easier for you to add your AWS account to Chronom, we have created a CloudFormation template that will help you create the IAM Role and add it to Chronom in a few simple steps.

(You can use the AWS Management Console or the AWS CLI to create the stack.)

Permissions

The readonly-role.yaml CloudFormation template creates an IAM role whose trust policy lets Chronom's scanner account assume it, conditioned on the external ID you are issued during registration. The external ID is what prevents a third party who knows your role ARN from having Chronom assume the role on their behalf (the confused-deputy problem), so use the value exactly as issued and do not substitute your own.
The role has two IAM policies attached to it:

  • ReadOnlyAccess - The AWS managed policy (arn:aws:iam::aws:policy/ReadOnlyAccess) that grants read-only access to most AWS services. Note that "read-only" is defined at the API level: it includes actions that return data, not only configuration (for example, reading S3 object contents), so review it with that in mind.

  • ChronomReadonlyAdditionalAccessPolicy - A custom policy that grants the following additional permissions:

    • eks:AccessKubernetesApi - Allows calls to the EKS cluster API server (for Kubernetes resource scanning). The IAM permission alone is not sufficient: the role must also be granted access inside each cluster (an EKS access entry or an aws-auth ConfigMap mapping), otherwise the Kubernetes API server rejects its requests.
    • ecs:GetTaskProtection - Allows reading ECS task protection information (for ECS resource scanning).
    • ce:StartSavingsPlansPurchaseRecommendationGeneration - Allows Chronom to generate Savings Plans recommendations (for Cost Explorer resource scanning). This is the one action in the policy that triggers work on the AWS side rather than only reading state; it generates a recommendation report and does not purchase anything.
    • aws-marketplace:SearchAgreements - Allows Chronom to search AWS Marketplace agreements (for AWS Marketplace resource scanning).
    • aws-marketplace:Describe* - Allows Chronom to describe AWS Marketplace resources (for AWS Marketplace resource scanning).
    • aws-marketplace:List* - Allows Chronom to list AWS Marketplace resources (for AWS Marketplace resource scanning).
    • aws-marketplace:View* - Allows Chronom to view AWS Marketplace resources (for AWS Marketplace resource scanning).
    • aws-marketplace:Get* - Allows Chronom to get AWS Marketplace resources (for AWS Marketplace resource scanning).
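After the stack is created it is worth verifying that the role's trust policy scopes sts:AssumeRole the way described above: only the expected scanner account may assume the role, and only when it presents the issued ExternalId. The script below is an added example, not part of Chronom's template or tooling. The account IDs, the role name and the ExternalId in it are placeholders; the same check applies to a self-hosted deployment, where the expected account is the chronomScannerAccountId stack parameter. fetch_trust_policy uses boto3's get_role, the equivalent of aws iam get-role --role-name NAME --query Role.AssumeRolePolicyDocument; the constructed sample policies let the checker run offline.

```python
"""Post-deployment check for the trust policy of the Chronom read-only role.

Added example (not Chronom's code): verifies that sts:AssumeRole is granted
only to the expected scanner account and only with the issued ExternalId,
which is what the trust policy must enforce to avoid the confused-deputy
problem. Account IDs, role name and ExternalId below are placeholders
constructed for this example.
"""
from __future__ import annotations

import copy
import sys

# Placeholders (constructed). For a self-hosted deployment the expected account
# is the chronomScannerAccountId you entered in the stack parameters.
EXPECTED_SCANNER_ACCOUNT = "111122223333"
EXPECTED_EXTERNAL_ID = "EXTERNAL_ID"
ROLE_NAME = "ChronomReadonlyRole"  # assumed name; use the role from the stack output


def _as_list(value) -> list:
    """IAM documents allow a scalar wherever a list is allowed; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> str:
    """'arn:aws:iam::111122223333:root' and the bare '111122223333' both name the account."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def check_trust_policy(doc: dict, scanner_account: str, external_id: str) -> list[str]:
    """Return findings for every Allow statement granting sts:AssumeRole; [] means acceptable."""
    findings: list[str] = []
    found = False
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        found = True
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("AssumeRole statement allows any principal (Principal: *)")
            continue
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for p in aws_principals:
            if _account_of(p) != scanner_account:
                findings.append(f"AssumeRole allowed for unexpected account {_account_of(p)}")
        allowed_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not allowed_ids:
            findings.append("AssumeRole statement has no sts:ExternalId condition (confused-deputy risk)")
        elif external_id not in allowed_ids:
            findings.append("sts:ExternalId condition does not match the issued ExternalId")
    if not found:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings


def fetch_trust_policy(role_name: str) -> dict:
    """Read the live trust policy (needs iam:GetRole and network access); boto3 imported lazily."""
    import boto3  # not needed for the offline sample below

    role = boto3.client("iam").get_role(RoleName=role_name)["Role"]
    return role["AssumeRolePolicyDocument"]  # boto3 returns it already decoded into a dict


# Constructed sample: what a correctly scoped trust policy looks like.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{EXPECTED_SCANNER_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
        }
    ],
}

# Same statement with the condition dropped: the scanner account could then be tricked
# into assuming this role on behalf of anyone who knows its ARN.
NO_EXTERNAL_ID_POLICY = copy.deepcopy(GOOD_TRUST_POLICY)
del NO_EXTERNAL_ID_POLICY["Statement"][0]["Condition"]


if __name__ == "__main__":
    # With a role name on the command line, check the deployed role; otherwise run the sample.
    if len(sys.argv) > 1:
        policy = fetch_trust_policy(sys.argv[1])
    else:
        policy = NO_EXTERNAL_ID_POLICY
    problems = check_trust_policy(policy, EXPECTED_SCANNER_ACCOUNT, EXPECTED_EXTERNAL_ID)
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it with the role name from the stack output as the only argument to check the deployed role; without arguments it evaluates the constructed sample that lacks the ExternalId condition and exits non-zero. The checker deliberately treats a wildcard principal and a missing condition as separate findings, because either one on its own is enough to make the role assumable by the wrong party.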

Prerequisites

To use this CloudFormation template you need the following:

  • The external ID issued to you during the Account Registration process in Chronom.

  • An IAM principal in the target AWS account with the following permissions:

    • IAM Roles & Policies (Required):

      • iam:CreateRole
      • iam:AttachRolePolicy
      • iam:PutRolePolicy
      • iam:DeleteRole
      • iam:DetachRolePolicy
      • iam:TagRole
      • iam:CreatePolicy
      • iam:DeletePolicy
    • Lambda Function Management (Optional – only required for organization level deployment):

      • lambda:CreateFunction
      • lambda:UpdateFunctionConfiguration
      • lambda:UpdateFunctionCode
      • lambda:GetFunction
      • lambda:InvokeFunction
    • CloudFormation StackSet Management (Optional – only required for organization level deployment):

      • cloudformation:CreateStackSet
      • cloudformation:DeleteStackSet
      • cloudformation:UpdateStackSet
      • cloudformation:DescribeStackSet
      • cloudformation:DescribeStackSetOperation
      • cloudformation:ListStackSets
      • cloudformation:CreateStackInstance
      • cloudformation:DeleteStackInstance
      • cloudformation:DescribeStackInstance
      • cloudformation:ListStackInstances
    • CloudFormation Stack Management (Optional – only required for organization level deployment):

      • cloudformation:CreateStack
      • cloudformation:UpdateStack
      • cloudformation:DeleteStack
      • cloudformation:DescribeStacks

Usage

AWS Console

To use the readonly-role.yaml CloudFormation template, follow the steps below:

  1. Open the AWS Management Console and navigate to the CloudFormation service in the us-east-1 region. (The stack is a regional resource; the IAM role it creates is global and works from every region.)

  2. Click on the Create stack button and choose With new resources (standard).

    Create Stack

  3. Choose Template is ready and Amazon S3 URL, paste the following URL in the input field and click Next:

    https://chronom-public-assets.s3.amazonaws.com/org-level-readonly-role.yaml

    Template URL

  4. Enter a Stack name and the ExternalId provided by Chronom, then click Next.
    (The ExternalId is issued during the Account Registration process in Chronom. Use it exactly as issued; it is the value the role's trust policy requires from Chronom when it assumes the role.)

    Stack Name

  5. Optionally, you can add tags to the stack. Click Next to continue.

    Tags

  6. Review the stack details and check I acknowledge that AWS CloudFormation might create IAM resources with custom names (required because the template creates a named IAM role), then click Submit.

    Review

  7. The stack will be created and you can monitor the progress in the CloudFormation console.
    The process usually takes a minute or two.

    Stack Creation

  8. Once the stack is created, copy the role ARN (output key ChronomReadonlyRoleArn) from the Outputs tab and enter it in Chronom.

    Outputs

AWS CLI

To use the readonly-role.yaml CloudFormation template using the AWS CLI, follow the steps below:

  1. Open a terminal that has the AWS CLI installed and configured with credentials for a principal that holds the permissions listed under Prerequisites.
    (AWS CloudShell is a convenient choice: the AWS CLI is pre-installed and it runs with the credentials of the console identity you are signed in as, so that identity must carry the required permissions.)

  2. Run the following command to create the stack:

    note

    Replace EXTERNAL_ID with the External ID provided by Chronom.

    # Replace EXTERNAL_ID with the External ID provided by Chronom
    ChronomExternalId=EXTERNAL_ID
    # Stacks are regional, so every call below must target the same region
    Region=us-east-1

    # Create the stack (the IAM role it creates is global regardless of the stack's region)
    stackId=$(aws cloudformation create-stack --stack-name ChronomReadOnlyRole --template-url https://chronom-public-assets.s3.amazonaws.com/org-level-readonly-role.yaml --parameters ParameterKey=chronomExternalId,ParameterValue=$ChronomExternalId --capabilities CAPABILITY_NAMED_IAM --query "StackId" --output text --region $Region)

    # Wait for the stack to complete
    aws cloudformation wait stack-create-complete --stack-name "$stackId" --region $Region

    # Output the RoleArn
    echo "Role ARN:"
    aws cloudformation describe-stacks --stack-name "$stackId" --query "Stacks[0].Outputs[?OutputKey=='ChronomReadonlyRoleArn'].OutputValue" --output text --region $Region

    The commands create the stack, wait for it to complete (approximately two minutes) and then print the role ARN that you need to enter in Chronom.

Deletion

danger

Deleting the stack removes the IAM Role and its attached policies.
Chronom immediately loses access to your AWS account: no further data is collected and the account's data becomes unavailable in Chronom.

If for any reason you need to remove the role, delete the CloudFormation stack that was created from the readonly-role.yaml template rather than deleting or editing the role directly, so that the stack's state stays consistent with what is in the account.

Add an AWS Account for Self Hosted Chronom

To use the readonly-role.yaml CloudFormation template with a self-hosted Chronom deployment, follow the steps below:

  1. Open the AWS Management Console and navigate to the CloudFormation service.

  2. Click on the Create stack button and choose With new resources (standard).

    Create Stack

  3. Choose Template is ready and Amazon S3 URL and paste the following URL in the input field and click Next:

    https://chronom-public-assets.s3.amazonaws.com/org-level-readonly-role.yaml

    Template URL

  4. Enter a Stack name and the ExternalId provided by Chronom.
    Under chronomScannerAccountId, replace the default Account ID with the AWS Account ID of your Chronom deployment (the account whose scanner will assume the role), then click Next.
    (The ExternalId is provided during the Account Registration process in Chronom; the chronomScannerAccountId can be obtained from Chronom's support.)

    Stack Name

  5. Optionally, you can add tags to the stack. Click Next to continue.

    Tags

  6. Review the stack details and check I acknowledge that AWS CloudFormation might create IAM resources with custom names (required because the template creates a named IAM role), then click Submit.

    Review

  7. The stack will be created and you can monitor the progress in the CloudFormation console.
    The process usually takes a minute or two.

    Stack Creation

  8. Once the stack is created, copy the role ARN (output key ChronomReadonlyRoleArn) from the Outputs tab and enter it in Chronom.

    Outputs