AWS Recommendations

purpose the purpose of this document is to provide a configuration guide for enabling key aws services and integrating those services with shi one the implementation of the services covered in this guide will allow shi to provide recommendations based upon foundational best practices and compute analysis across your aws organization the integration of these services into shi one provides a simplified and unified view of this information to help guide you to optimize aws infrastructure, improve security and performance, reduce costs, and monitor service quotas getting started prerequisites the following section describes the prerequisites that must be met to utilize the shi one aws recommendations integration aws organizations has been enabled and an organizational hierarchy has been established all features have been enabled for the organization https //docs aws amazon com/organizations/latest/userguide/orgs manage org support all features html an iam role with the required permissions must be installed in every account targeted for data collection to take advantage of organization aggregation of cost explorer, an iam role with the necessary permissions must be deployed in the payer account though trusted advisor is always enabled at a basic capacity, in order to use the support api to collect data programmatically and to gain access to more advanced checks, the accounts targeted for data collection must have at least business level support https //docs aws amazon com/awssupport/latest/user/trusted advisor check reference html note if you already purchase aws from shi, you can help ensure these prerequisites are met by submitting a service request to “enable aws organizations” note if you already purchase aws from shi, you can help ensure these prerequisites are met by submitting a service request to “enable aws organizations” trusted advisor aws trusted advisor provides recommendations to ensure aws best practices are being followed trusted advisor evaluates an aws account by using checks these checks identify ways to optimize aws infrastructure, improve security and performance, reduce costs, and monitor service quotas pricing trusted advisor itself does not cost anything, however the requisite support plans do https //aws amazon com/premiumsupport/plans/ for the most up to date pricing information, please visit https //aws amazon com/premiumsupport/pricing/?nc=sn\&loc=3 resources overview https //aws amazon com/premiumsupport/technology/trusted advisor/ change support plan https //aws amazon com/premiumsupport/knowledge center/change support plan/ pricing https //aws amazon com/premiumsupport/pricing/ api reference https //docs aws amazon com/awssupport/latest/apireference/ cost explorer aws cost explorer helps visualize, understand, and manage aws costs and usage over time prerequisites enable cost explorer in the payer account this cannot be done programmatically https //docs aws amazon com/awsaccountbilling/latest/aboutv2/ce enable html note if shi owns the payer account, we can complete this for the customer note if shi owns the payer account, we can complete this for the customer cost explorer developer notes api can access 12 months of historical data, 3 months of forecast data at a daily level of granularity, and 12 months of forecast data at a monthly level of granularity billing information is updated at least once and up to 3 times daily; query for the time period you’re interested in query for filtered data as you are charged per paginated request ($ 01 per paginated request) due to this consideration, it is recommended that requests are cached to prevent unnecessary calls max number of filters per getcostandusage operation 100 right sizing recommendations enable right sizing recommendations in the payer account https //docs aws amazon com/awsaccountbilling/latest/aboutv2/ce rightsizing html note if shi owns the payer account, we can complete this for the customer note if shi owns the payer account, we can complete this for the customer resources overview https //aws amazon com/aws cost management/aws cost explorer/ enabling cost explorer https //docs aws amazon com/awsaccountbilling/latest/aboutv2/ce enable html enabling right sizing recommendations https //docs aws amazon com/awsaccountbilling/latest/aboutv2/ce rightsizing html pricing https //aws amazon com/aws cost management/pricing/ api reference https //docs aws amazon com/aws cost management/latest/apireference/ shi one integration overview once shi one aws recommendations is enabled, aggregated findings from aws trusted advisor will be visible from within shi one our aws recommendations integration will help you identify areas of concern and aid in the prioritization of remediation and optimization efforts the following section describes the necessary configuration to integrate aws trusted advisor into shi one and also details the permissions necessary to ensure proper functionality of the aws recommendations integration to utilize the aws recommendations integration to its fullest capabilities, an iam role containing the permissions outlined in this section should be pushed to each aws account in scope it is required that the role names and external ids are the same in each account in scope enable shi one integration creating the necessary iam role the necessary iam role can be created via cloudformation with the following template click the following link https //console aws amazon com/cloudformation/home?region=us east 1#/stacks/new?stackname=shi msp collector aws recommendations role\&templateurl=https //shi msp cloudformation us east 1 s3 amazonaws com/iam roles/shi one/shi collector aws recommendations role yml create stack click next enter an external id composed of any string of random numbers alphanumeric without whitespaces minimum of 2 characters maximum of 1,224 characters specify stack details click next click next check the checkbox "i acknowledge that aws cloudformation might create iam resources" click create stack record the rolearn and external id for use in the subsequent steps creating the necessary iam role – child accounts for more detailed step by step instructions on creating a cloudformation stackset, visit https //docs aws amazon com/awscloudformation/latest/userguide/stacksets getting started create html create a cloudformation stackset amazon s3 url https //shi msp cloudformation us east 1 s3 amazonaws com/iam roles/shi one/shi collector aws recommendations role yml choose a template click next enter the external id from the previous steps click next click next specify region us east (n virginia) click next check the checkbox “i acknowledge that aws cloudformation might create iam resources" click submit configure the shi one integration log into shi one ( https //one shi com ) on the lefthand sidebar, navigate to settings > integrations click the three dots in the upper right corner of the aws recommendations tile if you don’t see aws recommendations, first confirm that you have an aws contract visible under services > contracts as you may not yet be fully onboarded to shi one if you don’t see aws recommendations, first confirm that you have an aws contract visible under services > contracts as you may not yet be fully onboarded to shi one alternatively, submit a support request via support > new request alternatively, submit a support request via support > new request click add new populate the form with the rolearn and external id from the previous steps click test click save repeat steps 3 7 until all have been added verify that the slider in the upper right corner of the aws recommendations tile is orange/activated click on the aws recommendations tile and verify that each slider is orange/activated note that it takes aws up to 24 hours to start sending data to shi one pricing shi collects data daily from the aws trusted advisor and aws cost explorer apis there is no cost for querying the aws trusted advisor api each request to the aws cost explorer api is $0 01 if you have 10 accounts and shi makes 1 request to aws cost explorer against each account per day, that would incur a cost of $ 10 per day troubleshooting if the integration doesn't show up on the integrations page or you are unable to enable it submit a support request as this could potentially be a site wide issue if you have enabled the integration and your data doesn't show up verify that it has been at least 24 hours as collection occurs daily verify that you have deployed a role with the correct permissions as documented re enter your information from your payer account (arn and external id) on the integrations the external id must be the same across all accounts in your organization validate that the requisite configuration as documented has been met if you are missing trusted advisor data in certain accounts make sure each account targeted for trusted advisor has at least business support verify that you have deployed a role with the correct permissions in each account targeted for data collection as documented if you are reporting cost explorer data for only one account re enter your information from your payer account (arn and external id) on the integrations page, which can be found where you launched the cloudformation template for the role all cost explorer information is queried directly from the payer account note if you encounter an issue not addressed within this section, please submit a support request via support center > submit request note if you encounter an issue not addressed within this section, please submit a support request via support center > submit request