AWS Recommendations
The purpose of this document is to provide a configuration guide for enabling key AWS Services and integrating those services with SHI One.
The implementation of the services covered in this guide will allow SHI to provide recommendations based upon foundational best practices and compute analysis across your AWS Organization.
The integration of these services into SHI One provides a simplified and unified view of this information to help guide you to optimize AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.
The following section describes the prerequisites that must be met to utilize the SHI One AWS Recommendations Integration.
- AWS Organizations has been enabled and an organizational hierarchy has been established
- All features have been enabled for the Organization
- An IAM role with the required permissions must be installed in every account targeted for data collection
- To take advantage of Organization aggregation of Cost Explorer, an IAM role with the necessary permissions must be deployed in the Payer account
- Though Trusted Advisor is always enabled at a basic capacity, in order to use the support API to collect data programmatically and to gain access to more advanced checks, the accounts targeted for data collection must have at least Business Level support
Note: If you already purchase AWS from SHI, you can help ensure these prerequisites are met by submitting a Service Request to “Enable AWS Organizations”
AWS Trusted Advisor provides recommendations to ensure AWS best practices are being followed. Trusted Advisor evaluates an AWS account by using checks. These checks identify ways to optimize AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.
- Trusted Advisor itself does not cost anything; however, the requisite support plans do:
- For the most up-to-date pricing information, please visit:
For example, $85,000 in monthly AWS charges:
- $10,000 x 10% = $1,000
- (10% of first $0 - $10K of charges)
- + $70,000 x 7% = $4,900
- (7% of charges from $10K - $80K)
- + $5,000 x 5% = $250
- (5% of charges from $80K - $250K)
- + $0 x 3% = $0
- (3% of charges over $250K)
- Total = $6,150
For example, $1.2M in monthly AWS charges:
- $150,000 x 10% = $15,000
- (10% of first $0 - $150K of charges)
- + $350,000 x 7% = $24,500
- (7% of charges from $150K - $500K)
- + $500,000 x 5% = $25,000
- (5% of charges from $500K - $1M)
- + $200,000 x 3% = $6,000
- (3% of charges over $1M)
- Total = $70,500
- Overview
- Change Support Plan
- Pricing
- API Reference
AWS Cost Explorer helps visualize, understand, and manage AWS costs and usage over time.
- Enable Cost Explorer in the Payer account
- This cannot be done programmatically
Note: If SHI owns the Payer account, we can complete this for the customer
- API can access 12 months of historical data, 3 months of forecast data at a daily level of granularity, and 12 months of forecast data at a monthly level of granularity
- Billing information is updated at least once and up to 3 times daily; query for the time period you’re interested in
- Query for filtered data, as you are charged per paginated request ($0.01 per paginated request)
- Due to this consideration, it is recommended that requests are cached to prevent unnecessary calls
- Max number of filters per GetCostAndUsage operation: 100
- Enable Right Sizing Recommendations in the Payer account
Note: If SHI owns the Payer account, we can complete this for the customer
- Overview
- Enabling Cost Explorer
- Enabling Right-sizing Recommendations
- Pricing
- API Reference
Once SHI One AWS Recommendations is enabled, aggregated findings from AWS Trusted Advisor will be visible from within SHI One. Our AWS Recommendations integration will help you identify areas of concern and aid in the prioritization of remediation and optimization efforts.
The following section describes the necessary configuration to integrate AWS Trusted Advisor into SHI One and also details the permissions necessary to ensure proper functionality of the AWS Recommendations Integration.
To utilize the AWS Recommendations Integration to its fullest capabilities, an IAM role containing the permissions outlined in this section should be pushed to each AWS account in scope. It is required that the role names and external IDs are the same in each account in scope.
The necessary IAM role can be created via CloudFormation with the following template.
- Create Stack
- Click Next
- Enter an External ID composed of:
- Any string of random numbers
- Alphanumeric without whitespaces
- Minimum of 2 characters
- Maximum of 1,224 characters
- Specify Stack details
- Click Next
- Click Next
- Check the checkbox "I acknowledge that AWS CloudFormation might create IAM resources"
- Click Create Stack
- Record the RoleARN and External ID for use in the subsequent steps
For more detailed step-by-step instructions on creating a CloudFormation Stackset, visit: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html
- Create a CloudFormation Stackset
- Choose a template
- Click Next
- Enter the External ID from the previous steps
- Click Next
- Click Next
- Specify Region US East (N. Virginia)
- Click Next
- Check the checkbox "I acknowledge that AWS CloudFormation might create IAM resources"
- Click Submit
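Added example, not part of SHI's template or tooling: Python that generates an External ID meeting the rules given above and checks that the role's trust policy in every account requires that same `sts:ExternalId`, which is what the guide means by the External ID being the same in each account in scope. The account IDs, principal ARN and sample policies are constructed placeholders, and the check assumes the External ID is enforced with a `StringEquals` condition.

```python
import re
import secrets

# External ID rules from the guide: alphanumeric, no whitespace, 2 to 1,224 characters.
EXTERNAL_ID_RE = re.compile(r"[A-Za-z0-9]{2,1224}")

def new_external_id(nbytes=16):
    """Generate an unguessable External ID (hex from the OS CSPRNG)."""
    return secrets.token_hex(nbytes)

def is_valid_external_id(value):
    return EXTERNAL_ID_RE.fullmatch(value) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_id):
    """Return findings for one role's trust policy (AssumeRolePolicyDocument)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})  # assumes StringEquals
        ids = _as_list(cond.get("sts:ExternalId", []))
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ids != [expected_id]:
            findings.append(f"statement {i}: External ID differs from the expected value")
    return findings

def audit_accounts(policies_by_account, expected_id):
    """Map account ID -> findings, listing only accounts that need attention."""
    audited = {a: audit_trust_policy(p, expected_id) for a, p in policies_by_account.items()}
    return {a: f for a, f in audited.items() if f}

def _policy(external_id=None):  # constructed sample; the principal is a placeholder
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

SAMPLE = {"222222222222": _policy("a1b2c3d4e5f6"),  # matches the expected value
          "333333333333": _policy("zzz999"),        # drifted value
          "444444444444": _policy()}                # no condition at all

if __name__ == "__main__":
    print(audit_accounts(SAMPLE, "a1b2c3d4e5f6"))
```

Real input for `audit_accounts` is each role's `AssumeRolePolicyDocument`, for example as returned by `aws iam get-role`.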
- On the left-hand sidebar, navigate to Settings -> Integrations
- Click the three dots in the upper right corner of the AWS Recommendations box
- If you don’t see AWS Recommendations, first confirm that you have an AWS contract visible under Services -> Contracts as you may not yet be fully onboarded to SHI One
- Alternatively, submit a support request via Support Center -> Submit Request
- Click Add New
- Populate the form with the RoleARN and External ID from the previous steps
- Click Test
- Click Save
- Repeat steps 3-7 until all have been added
- Verify that the slider on the right of the AWS Recommendations box is orange/activated
- Click the AWS Recommendations box and verify that each slider is orange/activated
Note that it takes AWS up to 24 hours to start sending data to SHI One.
SHI collects data daily from the AWS Trusted Advisor and AWS Cost Explorer APIs. There is no cost for querying the AWS Trusted Advisor API. Each request to the AWS Cost Explorer API is $0.01.
If you have 10 accounts and SHI makes 1 request to AWS Cost Explorer against each account per day, that would incur a cost of $0.10 per day.
If the integration doesn't show up on the integrations page or you are unable to enable it:
- Submit a Support Request as this could potentially be a site-wide issue
If you have enabled the integration and your data doesn't show up:
- Verify that it has been at least 24 hours as collection occurs daily
- Verify that you have deployed a role with the correct permissions as documented
- Re-enter your information from your Payer Account (ARN and External ID) on the integrations page
- The External ID must be the same across all accounts in your organization
- Validate that the requisite configuration as documented has been met
If you are missing Trusted Advisor data in certain accounts:
- Make sure each account targeted for Trusted Advisor has at least Business Support
- Verify that you have deployed a role with the correct permissions in each account targeted for data collection as documented
If you are reporting Cost Explorer data for only one account:
- Re-enter your information from your Payer Account (ARN and External ID) on the integrations page, which can be found where you launched the CloudFormation template for the role
- All Cost Explorer Information is queried directly from the Payer Account
Note: If you encounter an issue not addressed within this section, please submit a Support Request via Support Center -> Submit Request