Onboarding the root AWS account (the organization's management account) allows us to onboard all of the child accounts automatically.
It also allows Data Theorem to automatically onboard new child accounts as they are created in the future.
This feature is in preview and is not yet available in the user interface. To participate in this feature, contact support@datatheorem.com to retrieve the AWS CloudFormation Template file for your account.
Prerequisites
Administrator access to the root AWS account (management account) of the organization
The ID of your AWS Organization root (the “Root” entry in AWS Organizations; it begins with r-, unlike the organization ID itself, which begins with o-)
The AWS organization must have the following features enabled:
Trusted access for AWS Account Management
CloudFormation StackSets
The AWS CloudFormation Quick Create link you received from Data Theorem
Enabling trusted access for AWS Account Management and CloudFormation StackSets
Log in to the AWS console with your AWS Organization Root Account and go to the AWS Organizations > Services page linked below:
https://us-east-1.console.aws.amazon.com/organizations/v2/home/services
Ensure “AWS Account Management” is enabled
Ensure “CloudFormation StackSets” is enabled
Collect the “Organization Id”
Collect the ID of your AWS Organization root. Note that this is the Root ID shown on the AWS Organizations page (it begins with r-), not the organization ID (which begins with o-); the template's StackSet is deployed to this root so that every account under it receives a role.
Running the AWS CloudFormation template
The AWS CloudFormation template will perform the following actions:
Create the “organization role”, which gives Data Theorem the ability to list the AWS accounts belonging to the organization for onboarding purposes, and to perform discovery.
Create a CloudFormation StackSet that creates a role in each child account of the organization, with the AWS-managed SecurityAudit policy attached, to enable discovery on that account.
Note that all the created roles trust only Data Theorem’s AWS account, and assuming them requires an external ID (an sts:ExternalId condition in the role’s trust policy). The external ID is what stops another Data Theorem customer, or any other third party that can make Data Theorem assume roles, from reaching your accounts through it (the confused-deputy problem).
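The check a practitioner will want after the StackSet has run is that each created role really is bound to one account and gated by an external ID. The following is an added example, not Data Theorem's template or code: it builds a trust policy of that shape and audits a trust policy document for the two things that matter here (principal restricted to the expected account, sts:ExternalId condition present). The account ID, external ID and sample policies are placeholders constructed for the example, not Data Theorem's real values.

```python
"""Build and audit a cross-account IAM role trust policy that requires an external ID.

Added example; not taken from Data Theorem's onboarding template.
"""
import json
import re
from typing import Optional

# Placeholders for the example: the vendor's account ID and the external ID it
# asks you to use. Neither is Data Theorem's real value.
TRUSTED_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy that lets only one account assume the role, and only with the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _account_of(principal: str) -> Optional[str]:
    """Extract the 12-digit account ID from a bare account ID or an IAM ARN."""
    if principal.isdigit():
        return principal
    m = re.fullmatch(r"arn:aws:iam::(\d{12}):.+", principal)
    return m.group(1) if m else None


def audit_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return findings for every Allow statement granting sts:AssumeRole to AWS principals
    that either reaches outside expected_account_id or lacks an sts:ExternalId condition.
    Assumes canonical key casing ("Condition", "StringEquals"), as CloudFormation emits it."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # not an AssumeRole grant; out of scope for this check
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        if not aws_principals:
            continue  # only service/federated principals; not a cross-account grant
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: any AWS account may assume the role")
            elif _account_of(p) != expected_account_id:
                findings.append(f"statement {i}: principal {p} is not account {expected_account_id}")
        external_id = (stmt.get("Condition", {})
                           .get("StringEquals", {})
                           .get("sts:ExternalId"))
        if not external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


# Constructed sample policies: what a created role's trust policy might look like.
GOOD_POLICY = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
NO_EXTERNAL_ID_POLICY = {  # right account, but no external ID gate
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": TRUSTED_ACCOUNT_ID},
                   "Action": "sts:AssumeRole"}],
}
OPEN_POLICY = {  # anyone may assume the role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["sts:AssumeRole"]}],
}

if __name__ == "__main__":
    print(json.dumps(GOOD_POLICY, indent=2))
    for name, pol in [("good", GOOD_POLICY), ("no-external-id", NO_EXTERNAL_ID_POLICY), ("open", OPEN_POLICY)]:
        print(name, audit_trust_policy(pol, TRUSTED_ACCOUNT_ID) or "OK")
```

To audit a real role after onboarding, fetch its trust policy with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` and pass the parsed document to audit_trust_policy together with the account ID Data Theorem gave you; an empty findings list means the role is bound to that account and gated by an external ID.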
Before running the CloudFormation template, you will need to retrieve the organization root ID (prefixed with r-). It can be found on the “AWS Organizations” service page (r-hd2b in the example).
On the next section, input the following details:
Stack name: DataTheoremOnboarding (feel free to choose another name)
Parameters: these are pre-filled, but you will need to input the r- prefixed root ID in the “OrganizationalUnitIds” field
It should look like this:
Click Next twice, acknowledge that CloudFormation may create IAM resources with custom names (the template creates named roles), and submit the Stack.
Once the stack has completed, send the 2 output values back to Data Theorem support. In this case:
DataTheorem-Service
arn:aws:iam::1111111111:role/DataTheorem-OrganizationOnboarding