Overview

In some cases it will be necessary to ingest data associated with linked accounts (as opposed to the payer account) in AWS.  There are two cases where linked account data access will be required:

• Reserved instances are purchased in linked accounts - the data associated with those RI purchases will only be accessible via those linked accounts directly.
  NOTE  Once you start pulling in RI data from linked accounts, RI purchases will be filtered out of the Cost Allocation Report. To minimize fallout, RI connectors (EC2 and RDS) should be set up for the payer and ALL linked accounts.
• Analysis  of cost savings associated with underutilized resources is desired - for most cost optimization checks*, Trusted Advisor does not currently consolidate checks across all linked accounts.  As a result, the cost optimization checks need to be accessed for each linked account in question.

* The Reserved Instance Optimization check in Trusted Advisor does consolidate recommendations across all linked accounts. RI Optimization checks for all linked accounts will be returned for a payer account request.

Configure linked account access in AWS

For each linked account for which you want to access data, you will need to configure a new policy and role through which DataLink will authenticate with AWS.

1. Start by navigating to your default agent in DataLink (creating AWS connectors in on-prem agents is NOT recommended) and opening an existing AWS connector.
2. Within the connector, find and copy the entire string in the External ID field.
   
3. If security policies are not already created within your AWS environment, create the IAM Security Policies to be attached to the IAM Role. This will be configured in AWS and assumed by the AWS connector. See theSecurity policies section below for the specific policies to create.  Alternatively, you can copy and paste from the text file available in Apptio - AWS IAM Policy. 
   NOTE  This policy file includes permissions to all data required by the payer account, including S3 bucket access, RI API access, and Trusted Advisor access. For linked account data you might be able to remove some of the permission not required (for example, you will not need the S3 bucket access permissions).
4. In your AWS console, navigate to the IAM service and create a new IAM role.
   
5. Specify a role name. This role name will be entered into the DataLink AWS connector, so create a name that is DataLink-specific.
   
6. Next, specify the role type: 
   Select Role for Cross-Account Access. Then, choose Provide access between your AWS account and a 3rd party AWS account.
   
7. Enter the Apptio DataLink account ID (007579627371) and External ID (available in the AWS connector – see step 1 above).
   
8. Attach the appropriate policies (created in step 2 above) to the role.

Configure reserved instance connectors (for each linked account)

1. Begin by either copying an existing AWS connector (recommended to avoid re-inputting the Apptio destination data in the new connector) or creating a new AWS connector.
2. Enter your account id and role name created in the previous section.
3. In Select data source, select Reserved Instance Purchase Report.
4. In Reserved Instance Settings, select EC2 or RDS depending on the type of reserved instance for which you wish to ingest data (if you wish to ingest data for both EC2 and RDS for a given linked account, you will need to set up separate connectors for each service).
5. Complete the remainder of the connector settings (if you copied the connector from an existing AWS connector, you may simply Test and then Save the connector at this point.  If you created the connector from scratch, please fill out the remainder of the settings - it may help to refer to other similar connectors to determine the precise values to enter in the Apptio destination).

Configure trusted advisor connectors (for each linked account)

1. Begin by either copying an existing AWS connector (recommended to avoid re-inputting the Apptio destination data in the new connector) or creating a new AWS connector.
2. Enter your account id and role name created in the initial section of this document.
3. In Select data source, select Trusted Advisor Report.
4. In Trusted Advisor Settings, select Cost Optimizing and leave the other Categories unchecked
5. Complete the remainder of the connector settings (if you copied the connector from an existing AWS connector, you may simply Test and then Save the connector at this point.  If you created the connector from scratch, please fill out the remainder of the settings - it may help to refer to other similar connectors to determine the precise values to enter in the Apptio destination).