
Partner Cloud: Getting Started With An Existing AWS Customer Account

Updated by Kevin Quaintance on Jul 20, 2018
Article Code: kb/15

Overview

Cloud Application Manager's Cloud Optimization lets users benefit from CenturyLink's partnerships with other cloud providers. CenturyLink assumes the billing for these accounts and takes responsibility for platform support. Users may also benefit from security hardening and cost optimization. To migrate an existing AWS account, customers must gain approval from AWS (please contact your CenturyLink representative for more details). Customers whose existing accounts are transferred into CenturyLink's care (as a result of an approved account transfer process agreement with AWS) also need to consider the permissions they are required to give CenturyLink. This document covers using Cloud Optimization with existing Amazon Web Services accounts.

Audience

Customers responsible for AWS Accounts which have been approved by Amazon Web Services to perform a transfer of the account into CenturyLink's care.

Please Note: For Amazon Web Services, we are currently limited to serving billable customers who are not resellers (or customers of resellers) with offices within the approved countries in the Service Guide. Also, the associated CenturyLink Cloud account cannot be a demo account or internal for CenturyLink employees. If you need special considerations for setting up an account, please email cloudintegration@ctl.io.

Prerequisites

  • The customer must already have an AWS account and transfer approval from Amazon Web Services in the form of an agreement.

  • The customer must have reviewed this document to understand the process for transferring an existing Amazon Web Services account.

  • The user must be an Administrator of the organization in Cloud Application Manager.

  • A working knowledge of how to use Cloud Application Manager providers.

  • An understanding of the features and benefits of Partner Cloud Integration

  • For each CenturyLink Cloud account integrated with Amazon Web Services, both CenturyLink's AWS Terms and Conditions for the relevant territory must be accepted. These will be presented to any user attempting to create a new "Amazon Web Services" provider in Cloud Application Manager. See our Service Guide for a current list of countries we support.

Important Information

Charges for AWS billing will appear on invoices from CenturyLink. More Info on Consolidated Billing

All accounts coming to CenturyLink will be fully hardened. Your CAM organization administrator needs to update the Account Role ARN field.

Account Role ARN

Below is a table that will help you understand the permissions you will provide to CenturyLink. Below the table are steps to provide the level of access you have decided upon.

| Cloud Optimization Option | Benefits | IAM Permissions given to CenturyLink | Automated changes |
| --- | --- | --- | --- |
| Full Hardening | All the benefits listed above, plus AWS-recommendations within the account for security, compliance, and support. | Admin | All the automated changes above for the purpose of support. Creates IAM Policies and Roles for CenturyLink Operations Staff to give them access to your account. Configures a secure password policy. Sets up an S3 audit bucket for CloudTrail and activates CloudTrail on that bucket, auditing all buckets in the linked account. Sets up the AWS Config service for regular compliance monitoring. Performs the steps here, providing standard permissions to Cloud Application Manager and syncs the provider. |

More details regarding these roles and permissions are here

Consolidated Billing Considerations

  • Data changes. Optimized accounts have access to Cloud Application Manager's Analytics and Monitoring tools for usage details that would have been provided by AWS Billing Services such as Cost Explorer, and for visibility into the status of their environment.
  • Historical Usage Data, such as that used by AWS Cost Explorer, will be lost when accounts migrate under a new Master Payer. CenturyLink recommends that Customers download all necessary usage data to a safe repository prior to completing the following steps.
  • Data Access. Customers will not be given access to consolidated data within the CenturyLink-owned Master Payers. Optimized accounts have access to Cloud Application Manager's Analytics tool for usage details.
  • Tagging Changes. The quantity of unique Cost Allocation tag keys available to Customers, such as those used for AWS Cost Explorer, is limited. Customers can have (hypothetically) an unlimited quantity of unique Cost Allocation tag values. If you have concerns, please contact your sales representative or submit a support ticket prior to migration to discuss your Cost Allocation tagging requirements.
  • Reserved Instances
    • Reserved Instances purchased prior to transferring to CenturyLink must always stay with the account in which they were purchased. If the Customer purchased Reserved Instances from a Master Payer they own, they can still use them.
    • Customers may contact CenturyLink if they wish to have their Reserved Instance limit increased.
  • Deleting Your Organization. Customer-owned Master Payers which are part of Organizations must be demoted before they are moved to CenturyLink. If such an account is to move, it must transition in as a linked account.

Provider Type Options

When linking an AWS account to Cloud Application Manager, there are three provider types, which are explained here.

| Cloud Application Manager Provider Option | Description | Related Links |
| --- | --- | --- |
| Use an existing AWS customer account | This is not an Optimized account and customer pays Amazon for usage. | Click here |
| Migrate my account to CenturyLink for consolidated billing and Platform Support | This is a Cloud Optimized option. Provided Amazon has approved agreement, this allows an existing customer account to move under CenturyLink's care. | This page. Skip to below for the process steps. |
| Create a new AWS account for consolidated billing and Platform Support | This is a Cloud Optimized option. Initiates the new account creation process, enabling the customer to immediately enter CenturyLink's care without prior approval from AWS. | Click Here |

Steps

The following steps will walk through how to set up a Cloud Application Manager provider that has been designed to transfer an existing Amazon Web Services Customer account into the scope of CenturyLink's responsibility.

  1. Log into Cloud Application Manager.
  2. Select the Providers tab.
  3. Select New.
  4. Select "Amazon Web Services".
  5. Provide a name for the provider that identifies it for your purposes.
  6. Select the "Migrate my account to CenturyLink for consolidated billing and Platform Support" option. (If the user cannot see this option, they are not an organization Administrator.)
  7. Provide your AWS Account ID in the required field.
  8. Log into your AWS Account.
  9. Navigate to IAM, click Policies, and Create Your Own Policy with the following data:
    • Policy Name: CTLDeveloperPolicy
    • Description: Provides necessary access to AWS services and resources so that compliance-related services may be activated and other IAM policies and roles may be set up for CenturyLink Operational Staff.
    • Policy Document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

  10. Navigate to IAM and Create a New Role with the following data:
    • Role for Cross Account access
    • Provide access "between AWS accounts you own,"
    • Provide access to 589942003651. MFA not required.
    • Attach the CTLDeveloperPolicy
    • Role Name: CTLDeveloperRole
    • Description: Provides necessary access to AWS services and resources so that compliance-related services may be activated and other IAM policies and roles may be set up for CenturyLink Operational Staff.
  11. When the role is created, click into it and copy the Role ARN.
  12. Paste the ARN into the Account Role ARN field of the AWS provider.
  13. Enter the newly created ARN into the Account Role ARN field.
  14. Accept the Terms and Conditions.
  15. Accept the invitation. An invitation will be sent to the account from CenturyLink. AWS notifies the root user of the account in two different ways: an email sent to the email address of the root user, and an invitation within the "My Organization" feature of the Customer account. To accept the invitation, follow these steps after logging into the account with your root user:
    • Navigate to "My Organization".
    • Click Invitations.
    • Check that the invite is from a CenturyLink account and accept it.
    • Confirm joining the organization.
  16. Ensure Enterprise Support. Standard customers with accounts moving under CenturyLink's care will be required to change their accounts' Support plans. A root user must sign into the account with root account credentials (email address and password) to change a support plan. The cost of the support plan does not appear on your consolidated CenturyLink bill, but it is required so that CenturyLink may meet our Service Level Objectives and use our automated tools. In addition, Amazon Web Services requires it so that proper prioritization is given to any platform-level issues that may need to be addressed. Standard Customers must select Enterprise Support.
    • Navigate to support.
    • Navigate to Support Center.

After your account becomes a member of the CenturyLink-owned AWS organization, consolidated billing will occur immediately. If you selected Full Hardening for your account, you may need to wait a while for our automation to run because it performs a scheduled check for any new, member organizations which have given the appropriate access.
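
A check a customer can run on the CTLDeveloperRole trust policy once the role exists, as an added example (not CenturyLink's or AWS's own code): it confirms that account 589942003651, the account named in the role-creation step, is the only principal allowed to assume the role. The sample policy is constructed, and its shape is an assumption based on standard IAM cross-account trust policies.

```python
import json
import re

EXPECTED_ACCOUNT = "589942003651"  # account ID given in the role-creation step

# Constructed sample (assumption): a trust policy of the shape IAM stores for
# a cross-account role created without an MFA condition.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::589942003651:root"},
        "Action": "sts:AssumeRole",
    }],
})

def _account_of(principal):
    """Return the 12-digit account ID in an AWS principal, or None (e.g. '*')."""
    match = re.fullmatch(r"(?:arn:aws[\w-]*:iam::)?(\d{12})(?::.*)?", principal)
    return match.group(1) if match else None

def audit_trust_policy(document, expected_account=EXPECTED_ACCOUNT):
    """Return findings; an empty list means only expected_account is trusted."""
    findings, trusted = [], set()
    statements = json.loads(document)["Statement"]
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*" trusts everyone
            findings.append(f"wildcard principal {principal!r}")
            continue
        for kind, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                account = _account_of(value) if kind == "AWS" else None
                if account is None:
                    findings.append(f"unexpected principal {kind}: {value}")
                elif account != expected_account:
                    findings.append(f"unexpected account {account}")
                else:
                    trusted.add(account)
    if expected_account not in trusted:
        findings.append(f"account {expected_account} is not trusted")
    return findings

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST_POLICY) or "trust policy matches")
```

The input is the role's trust policy JSON, which `aws iam get-role --role-name CTLDeveloperRole` returns under `Role.AssumeRolePolicyDocument`.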

Contacting Cloud Application Manager Support

If you are experiencing an issue with Cloud Application Manager, please review the troubleshooting tips, or contact Cloud Application Manager support with details and screenshots where possible.

For issues related to API calls, send the request body along with details related to the issue.

In the case of a box error, share the box in the workspace that your organization and Cloud Application Manager can access and attach the logs.

  • Linux: SSH and locate the log at /var/log/elasticbox/elasticbox-agent.log
  • Windows: RDP into the instance to locate the log at \ProgramData\ElasticBox\Logs\elasticbox-agent.log